[pfx] Re: Incoming OpenDKIM signature verification failing

Marvin Renich via Postfix-users: > * Matus UHLAR - fantomas via Postfix-users > [250513 10:08]: > > > Matus UHLAR - fantomas via Postfix-users: > > > > These should not be used globally but only at submission level. > > > > > > > > This can be achieved by using separate postfix instance for subm

[pfx] Re: Incoming OpenDKIM signature verification failing

* Matus UHLAR - fantomas via Postfix-users [250513 10:08]: > > Matus UHLAR - fantomas via Postfix-users: > > > These should not be used globally but only at submission level. > > > > > > This can be achieved by using separate postfix instance for submitted mail > > > - I don't see possibility of

[pfx] Re: Incoming OpenDKIM signature verification failing

On 10.05.25 13:32, Ken Biggs via Postfix-users wrote: > So continuing the saga ... digging into /etc/postfix/header_checks I found > a revision I made back in January to try to keep our outgoing email from > having headers with the IP address of the email client that sent the email > to the serve

[pfx] Re: Incoming OpenDKIM signature verification failing

On 11/05/2025 07:45, Dmitriy Alekseev via Postfix-users wrote: You can drop received header without dedicated postfix, just do it with milter instead. Rspamd can do it for you with very small Lua script, and do SPF/DKIM/DMARC & ARC all together. This discussion has reminded me of an option tha

[pfx] Re: Incoming OpenDKIM signature verification failing

You can drop received header without dedicated postfix, just do it with milter instead. Rspamd can do it for you with very small Lua script, and do SPF/DKIM/DMARC & ARC all together. -- *Best Regards,* Dmitriy Alekseev DevOps Engineer On Sat, 10 May 2025, 21:37 Ken Biggs via Postfix-users, < pos

[pfx] Re: Incoming OpenDKIM signature verification failing

Thank you all so much for all your help! I don't think I'm up for setting up a separate postfix instance for outgoing email. It's pretty obvious I'm a novice working with Postfix. Actually not really sure if removing the Received headers was accomplishing anything anyway. Google doesn't give

[pfx] Re: Incoming OpenDKIM signature verification failing

Matus UHLAR - fantomas via Postfix-users: > On 10.05.25 13:32, Ken Biggs via Postfix-users wrote: > > So continuing the saga ... digging into /etc/postfix/header_checks I found > > a revision I made back in January to try to keep our outgoing email from > > having headers with the IP address of

[pfx] Re: Incoming OpenDKIM signature verification failing

On 10.05.25 13:32, Ken Biggs via Postfix-users wrote: So continuing the saga ... digging into /etc/postfix/header_checks I found a revision I made back in January to try to keep our outgoing email from having headers with the IP address of the email client that sent the email to the server and

[pfx] Re: Incoming OpenDKIM signature verification failing

On 2025-05-10 at 14:51:36 UTC-0400 (Sat, 10 May 2025 20:51:36 +0200) Dmitriy Alekseev via Postfix-users is rumored to have said: Can you say why do you drop Mime-Version header? This should never be done! Indeed. It is also worth noting that missing that header in a MIME message correlates w

[pfx] Re: Incoming OpenDKIM signature verification failing

Can you say why do you drop Mime-Version header? This should never be done! You can without issues drop some received header, but your regex is bad. On Sat, 10 May 2025, 20:33 Ken Biggs via Postfix-users, < postfix-users@postfix.org> wrote: > So continuing the saga ... digging into /etc/postfix/h

[pfx] Re: Incoming OpenDKIM signature verification failing

So continuing the saga ... digging into /etc/postfix/header_checks I found a revision I made back in January to try to keep our outgoing email from having headers with the IP address of the email client that sent the email to the server and maybe keep Gmail from marking our outgoing email as SPA

[pfx] Re: Incoming OpenDKIM signature verification failing

On May 10, 2025 5:57:34 PM UTC, Dan Mahoney via Postfix-users wrote: >Mime-version was listed as a signed header but was absent. > >I suspect his header checks cleaned that out. > >Note that having a header listed in the H equals list, but having that header >be absent is legal, but I don’t kn

[pfx] Re: Incoming OpenDKIM signature verification failing

Mime-version was listed as a signed header but was absent. I suspect his header checks cleaned that out. Note that having a header listed in the H equals list, but having that header be absent is legal, but I don’t know why the signing software would say it’s signing that header when it’s not t

[pfx] Re: Incoming OpenDKIM signature verification failing

Dnia 9.05.2025 o godz. 16:18:35 Matus UHLAR - fantomas via Postfix-users pisze: I use pyspf-milter which is from the same package I believe (python, there's also perl version policyd-spf) and it only accepts/rejects e-mail and adds Authentication-Results: header. On 09.05.25 16:41, Jaroslaw Ra

[pfx] Re: Incoming OpenDKIM signature verification failing

Woo hoo! I think I found the issue! I'm guessing this is probably an obvious thing, but I went line by line through my main.cf and found: mime_header_checks = regexp:/etc/postfix/header_checks header_checks = regexp:/etc/postfix/header_checks Not sure when I added those (it's been quite a whil

[pfx] Re: Incoming OpenDKIM signature verification failing

On 10/05/2025 08:23, Ken Biggs via Postfix-users wrote: Return-Path: X-Original-To:x...@xxx.com Delivered-To:y...@yyy.jkbiggs.com Received: from mail-qk1-f169.google.com (mail-qk1-f169.google.com [209.85.222.169]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X255

[pfx] Re: Incoming OpenDKIM signature verification failing

HI Nick, I had cut and pasted from the "Raw Source" view in mac Mail, but double checked in the spool file and those are the headers received in that order. Thanks, Ken > On May 9, 2025, at 7:27 PM, Nick Tait via Postfix-users > wrote: > > On 10/05/2025 08:23, Ken Biggs via Postfix-users wro

[pfx] Re: Incoming OpenDKIM signature verification failing

If any of those mailing lists are open, regular lists that I could be subscribed to, for testing, I’d be happy to try to do so to validate this for you. -Dan > On May 9, 2025, at 21:07, Nick Tait via Postfix-users > wrote: > > On 10/05/2025 15:29, Nick Tait via Postfix-users wrote: >> But of

[pfx] Re: Incoming OpenDKIM signature verification failing

On 10/05/2025 15:29, Nick Tait via Postfix-users wrote: But of course if the first scenario still exhibits the issue, then that probably disproves my theory immediately? Just thinking a bit more about this... If the first test fails, then you can compare the headers and body in the received em

[pfx] Re: Incoming OpenDKIM signature verification failing

On 10/05/2025 14:09, Ken Biggs via Postfix-users wrote: HI Nick, I had cut and pasted from the "Raw Source" view in mac Mail, but double checked in the spool file and those are the headers received in that order. Thanks, Ken Thanks for confirming. My set-up is very similar to yours, and (li

[pfx] Re: Incoming OpenDKIM signature verification failing

On 5/9/25 16:23, Ken Biggs via Postfix-users wrote: Hi Matus, I commented out policyd-spf and still am getting DKIM failure from google.com . Here are maillog entries from a gmail test: May 9 15:11:36 xxx postfix/smtpd[815073]: connect from mail-qk1-f169.google.com[2

[pfx] Re: Incoming OpenDKIM signature verification failing

Hi Matus, I commented out policyd-spf and still am getting DKIM failure from google.com . Here are maillog entries from a gmail test: May 9 15:11:36 xxx postfix/smtpd[815073]: connect from mail-qk1-f169.google.com[209.85.222.169] May 9 15:11:36 xxx postfix/smtpd[8

[pfx] Re: Incoming OpenDKIM signature verification failing

Hi Benny, Yes, our outgoing emails are signed and validate properly. The incoming email DKIM signature validation is our current issue. Thanks, Ken > On May 9, 2025, at 10:17 AM, Benny Pedersen via Postfix-users > wrote: > > Matus UHLAR - fantomas via Postfix-users skrev den 2025-05-09 16:1

[pfx] Re: Incoming OpenDKIM signature verification failing

Matus UHLAR - fantomas via Postfix-users skrev den 2025-05-09 16:18: On 09.05.25 08:14, Ken Biggs via Postfix-users wrote: Looking at the maillog, I notice policyd-spf is running before opendkim. Could that be modifying the email before dkim validation? it should not. I use pyspf-milter whic

[pfx] Re: Incoming OpenDKIM signature verification failing

On 09.05.25 08:14, Ken Biggs via Postfix-users wrote: Looking at the maillog, I notice policyd-spf is running before opendkim. Could that be modifying the email before dkim validation? it should not. I use pyspf-milter which is from the same package I believe (python, there's also perl vers

[pfx] Re: Incoming OpenDKIM signature verification failing

Dnia 9.05.2025 o godz. 16:18:35 Matus UHLAR - fantomas via Postfix-users pisze: > I use pyspf-milter which is from the same package I believe (python, > there's also perl version policyd-spf) and it only accepts/rejects > e-mail and adds Authentication-Results: header. That may be the key. Check

[pfx] Re: Incoming OpenDKIM signature verification failing

I'm running spamass-milter. /etc/mail/spamassassin/v312.pre already has loadplugin Mail::SpamAssassin::Plugin::DKIM. Not seeing AuthRes anywhere in /etc/mail/spamassassin. So, I'm assuming the X-Spam-Status: tests=DKIM_INVALID,DKIM_SIGNED are SpamAssassin's agreement with OpenDKIM's Authenticatio

[pfx] Re: Incoming OpenDKIM signature verification failing

Looking at the maillog, I notice policyd-spf is running before opendkim. Could that be modifying the email before dkim validation? > On May 9, 2025, at 8:04 AM, Ken Biggs via Postfix-users > wrote: > > I'm running spamass-milter. > /etc/mail/spamassassin/v312.pre already has loadplugin > Mai

[pfx] Re: Incoming OpenDKIM signature verification failing

On 09.05.25 12:58, Dmitriy Alekseev via Postfix-users wrote: Did maybe you considering spin up rspamd proxy + normal instead of sa+opendkim+opendmarc, even if you do not move in end to rspamd you will at least get what issue relates to. It useless to honestly trying to analyze eml with modificati

[pfx] Re: Incoming OpenDKIM signature verification failing

Did maybe you considering spin up rspamd proxy + normal instead of sa+opendkim+opendmarc, even if you do not move in end to rspamd you will at least get what issue relates to. It useless to honestly trying to analyze eml with modifications due to anonymization in scope of understanding why dkim bro

[pfx] Re: Incoming OpenDKIM signature verification failing

On 08.05.25 15:06, Ken Biggs via Postfix-users wrote: OpenDKIM is failing signature verification on most incoming emails. Out of 1,146 incoming emails, 173 have been successfully verified and 973 have "bad signature data". The failing emails include email from google, amazon, sailthru, and m

[pfx] Re: Incoming OpenDKIM signature verification failing

Nothing’s jumping out to me in your test message, other than that the mime-version header field is missing, but that’s legal. I might suggest trying the “Develop” branch of OpenDKIM from git, as there are some changes in that which *may* fix things, or at least…give something to compare. The e