[pfx] Re: double dkim signature (sendmail)

t will not just be rspamd that stay at dkim, or visa verse stupid designs of untrusted dkim :=) ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: double dkim signature (sendmail)

Sean McBride via Postfix-users wrote in : |On 24 Mar 2025, at 4:06, A. Schulze via Postfix-users wrote: | |> Sean McBride via Postfix-users: |> |>> It can. It's probably a better idea than using OpenDKIM, because \ |>> that project seems dead as best as I can tell, it has had no commits \

[pfx] Re: double dkim signature (sendmail)

On 24 Mar 2025, at 4:06, A. Schulze via Postfix-users wrote: > Sean McBride via Postfix-users: > >> It can. It's probably a better idea than using OpenDKIM, because that >> project seems dead as best as I can tell, it has had no commits for 7 years: >> >> https://github.com/trusteddomainproject/

[pfx] Re: double dkim signature (sendmail)

Sean McBride via Postfix-users: It can. It's probably a better idea than using OpenDKIM, because that project seems dead as best as I can tell, it has had no commits for 7 years: https://github.com/trusteddomainproject/OpenDKIM/commits/master/ there is a develop branch. It's usable and

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

Benny Pedersen via Postfix-users wrote in : |Petko Manolov via Postfix-users skrev den 2025-03-09 08:23: |> If a message falsely claim it originates from certain domain and then |> DKIM fail, |> i very much don't want to receive, let alone read, this message. |> Right?

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

Dnia 10.03.2025 o godz. 10:02:50 Petko Manolov via Postfix-users pisze: > For example, if all checks fail at the same time - spf, dkim and dmarc (in an > AND logic relation), there's a good chance that this is spam. You are still mistaken with regard to what these checks do. Most a

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

Hellow Petko, Petko Manolov via Postfix-users writes: > (...) > For example, if all checks fail at the same time - spf, dkim and dmarc (in an > AND logic relation), there's a good chance that this is spam. > How about this? It is very weird screenshot: https://gitlab.com/so

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

> On 10. 3. 2025., at 09:02, Petko Manolov wrote: > > I was thinking about something similar. However, this filtering rule would > reject all mail that comes from postfix.org mailing > lists, which isn't an > option. Maybe this one combined with another rule, but i need

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

s fail at the same time - spf, dkim and dmarc (in an AND logic relation), there's a good chance that this is spam. > milter_header_checks (default: empty) > Optional lookup tables for content inspection of message headers that are > produced by Milter applications. See the header_chec

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

mtp:sanitizer.example.com:25 The milter_header_checks mechanism could also be used for allowlisting. For example it could be used to skip heavy content inspection for DKIM-signed mail from known friendly domains. This feature is available in Postfix 2.7, and as an optional patch for Postfix 2.6.

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

On 25-03-09 09:42:46, Jaroslaw Rafa via Postfix-users wrote: > Dnia 9.03.2025 o godz. 09:23:48 Petko Manolov via Postfix-users pisze: > > Well, one very important property of authenticity is trust. > > > > If a message falsely claim it originates from certain domain and

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

Dnia 9.03.2025 o godz. 09:23:48 Petko Manolov via Postfix-users pisze: > Well, one very important property of authenticity is trust. > > If a message falsely claim it originates from certain domain and then DKIM > fail, > i very much don't want to receive, let alone read,

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

On 25-03-09 10:42:04, Benny Pedersen via Postfix-users wrote: > Petko Manolov via Postfix-users skrev den 2025-03-09 08:23: > > > If a message falsely claim it originates from certain domain and then DKIM > > fail, i very much don't want to receive, let alone read,

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

Petko Manolov via Postfix-users skrev den 2025-03-09 08:23: If a message falsely claim it originates from certain domain and then DKIM fail, i very much don't want to receive, let alone read, this message. Right? this is still not a job for dkim to reject, if you want to reject its b

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

Dnia 9.03.2025 o godz. 08:50:17 Petko Manolov via Postfix-users pisze: > Well, i maybe seeing only in black and white, but if somebody is careless > enough > to not set SPF and DKIM, they pretty much asked for it. These mechanisms are > in > place to help fighting spam, afte

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

is careless enough to not set SPF > > and DKIM, they pretty much asked for it. These mechanisms are in place to > > help fighting spam, after all. So yeah, i hear what you say and it looks > > that i'll have to adapt my anti-spam strategy based on the feedback i get > >

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

On Sun, Mar 09, 2025 at 08:50:17AM +0200, Petko Manolov via Postfix-users wrote: > On 25-03-08 13:05:42, Peter via Postfix-users wrote: > Well, i maybe seeing only in black and white, but if somebody is careless > enough > to not set SPF and DKIM, they pretty much asked for it. Thes

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

On 25-03-08 13:05:42, Peter via Postfix-users wrote: > > I would not recommend dropping messages that are missing SPF or DKIM, you will > end up dropping a lot fo legitimate mail if you do this. If you want a better > idea might be to have it affect the SPAM score in a system such

[pfx] Re: What does dkim=pass (2048-bit key; unprotected) mean?

UmDZ2ohvaM/PaQQgHCcYS+/86Mb3ZaiqJiMgFKPqD2skyLdepdoeoBTLYZqBgCF0LWhHGHeTQIDAQAB" hs1._domainkey.transactional.hubspotemail.net. 1800 IN RRSIG TXT 13 5 1800 20250309211154 20250307191154 34505 hubspotemail.net. 5WQcmQ1wGZiUfqG/HdIOs7mQlaF0EU2XwTECJJYXJ4eIhNKGmkNA/hxQ rZtYbERU0lh4wDBPGaceBYj8qBruUw== So that is then why I get secu

[pfx] Re: What does dkim=pass (2048-bit key; unprotected) mean?

Le 08/03/2025 à 20:37, Waldo Nell via Postfix-users a écrit : I received an email sent via HubSpot.  It has two DKIM signatures.  Postfix shows this: Authentication-Results: DOMAIN1; dkim=pass (2048-bit key; secure) header.d=DOMAIN2 header.i=@DOMAIN2 header.a=rsa-sha256 header.s=hs1 header.b

[pfx] What does dkim=pass (2048-bit key; unprotected) mean?

I received an email sent via HubSpot. It has two DKIM signatures. Postfix shows this: Authentication-Results: DOMAIN1; dkim=pass (2048-bit key; secure) header.d=DOMAIN2 header.i=@DOMAIN2 header.a=rsa-sha256 header.s=hs1 header.b=IrJ0eBW4; dkim=pass (2048-bit key; unprotected

[pfx] Re: double dkim signature (sendmail)

stfix-users pisze: By content_filter you mean amavis / spamassassin? Can the rspamd milter do the dkim signing and replace amavis / spamassassin? Content filter, in Postfix terms, is everything that runs after queue and re-injects mail into Postfix after processing it, as described here:

[pfx] Re: double dkim signature (sendmail)

Dnia 7.03.2025 o godz. 22:27:45 Andreas Kuhlen via Postfix-users pisze: > By content_filter you mean amavis / spamassassin? Can the rspamd > milter do the dkim signing and replace amavis / spamassassin? Content filter, in Postfix terms, is everything that runs after queue and re-inject

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

original message because it was rejected. This explains why the SPF result mentions the HELO domain but not the envelope sender domain (because the latter was the null sender and thus did not have a domain). I was hoping that i've configured the milters in a way that failing spf or dkim

[pfx] Re: double dkim signature (sendmail)

/pypi.org/project/dkimpy-milter/ the project home is @ Launchpad,   https://launchpad.net/dkimpy-milter works as intended here with Postfix, signing both rsa-sha256 & ed25519-sha256 DKIM signatures on a per-domain basis. ___ Postfix-users

[pfx] Re: double dkim signature (sendmail)

Thanks for the hint, Sean! Am 07.03.2025 um 23:04 schrieb Sean McBride via Postfix-users: On 7 Mar 2025, at 16:27, Andreas Kuhlen via Postfix-users wrote: Can the rspamd milter do the dkim signing It can. It's probably a better idea than using OpenDKIM, because that project seems de

[pfx] Re: double dkim signature (sendmail)

That's how I implemented it. It also works for mails that are sent to external recipients. However, my mails sent internally were still double-signed. As DKIM signing makes no sense in this case in my eyes, I quickly set it up so that mails to certain addresses are not signed. To do th

[pfx] Re: double dkim signature (sendmail)

On 7 Mar 2025, at 16:27, Andreas Kuhlen via Postfix-users wrote: > Can the rspamd milter do the dkim signing It can. It's probably a better idea than using OpenDKIM, because that project seems dead as best as I can tell, it has had no commits for 7 years: https://gi

[pfx] Re: double dkim signature (sendmail)

Il 07/03/2025 22:13, Wietse Venema via Postfix-users ha scritto: By far the easiest is to stop using content_filter and to use an rspamd milter or the like do the signing. Thanks, but I don't want to "overturn" everything; yes I'm running spamassassin. ATM I just found out about: -o receive

[pfx] Re: double dkim signature (sendmail)

= milter_protocol = 6 milter_default_action = accept DKIM is correct for email sent by my clients, but if I send a message from the server's shell, with /usr/sbin/sendmail, I get no signing at all (dkim none) So if I change: non_smtpd_milters = with: non_smtpd_milters = $smtpd_milters I get dki

[pfx] Re: double dkim signature (sendmail)

roughnecks via Postfix-users: > Hello, > > I would like to ask about opendkim and signing emails with postfix. > With the following configuration: > > ## OPENDKIM ## > smtpd_milters = inet:127.0.0.1:8891 > non_smtpd_milters = > milter_protocol = 6 > milter_defaul

[pfx] double dkim signature (sendmail)

Hello, I would like to ask about opendkim and signing emails with postfix. With the following configuration: ## OPENDKIM ## smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = milter_protocol = 6 milter_default_action = accept DKIM is correct for email sent by my clients, but if I send a

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

On 7/3/25 04:28, Petko Manolov via Postfix-users wrote: Thanks for the detailed explanation, Bill. I ended up registering with spamhaus.org and followed their guide here: https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html However, i'm considering postscree

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

On 2025-03-06 at 04:56:03 UTC-0500 (Thu, 6 Mar 2025 10:56:03 +0100) Petko Manolov via Postfix-users is rumored to have said: On 25-03-06 10:38:54, Danjel Jungersen via Postfix-users wrote: On 06-03-2025 09:28, Petko Manolov via Postfix-users wrote: Hmm, zen.spamhaus.org doesn't resolve anymore

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

te: > > > On 2025-03-05 at 11:43:07 UTC-0500 (Wed, 5 Mar 2025 18:43:07 +0200) > > > Petko Manolov via Postfix-users > > > is rumored to have said: > > > > > > > I thought spf, dkim and dmarc checks (at least one of them, if > > > > no

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

On 25-03-06 18:02:13, Matus UHLAR - fantomas via Postfix-users wrote: > On 06.03.25 09:28, Petko Manolov via Postfix-users wrote: > > The goal was to have my dmarc config as tight as possible. Namely: > > > > SPFSelfValidate true > > SPFIgnoreResults true > > RejectFailures true > > > > Quoting

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

to have said: I thought spf, dkim and dmarc checks (at least one of them, if not all) will stop the message, but this didn't happen. That's a matter of how you configure your system, specifically OpenDMARC. Postfix asks OpenDMARC to decide what to do. I'm unsure if OpenDMAR

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

On 25-03-06 10:38:54, Danjel Jungersen via Postfix-users wrote: > On 06-03-2025 09:28, Petko Manolov via Postfix-users wrote: > > Hmm, zen.spamhaus.org doesn't resolve anymore. I wonder what would be the > > correct/contemporary version of: > > > > reject_rbl_client zen.spamhaus.org=127.0.0.[

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

On 06-03-2025 09:28, Petko Manolov via Postfix-users wrote: Hmm, zen.spamhaus.org doesn't resolve anymore. I wonder what would be the correct/contemporary version of: reject_rbl_client zen.spamhaus.org=127.0.0.[2..11] Mine also stopped working some time ago, resolved by setting up my ow

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

On 06-03-2025 09:29, Petko Manolov via Postfix-users wrote: On 25-03-06 07:45:35, Danjel Jungersen via Postfix-users wrote: On 05-03-2025 21:23, Bill Cole via Postfix-users wrote: You can use the Spamhaus DNSBLs for free if your query volume is low and your DNS resolver isn't public. DROP is al

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

On 25-03-06 07:45:35, Danjel Jungersen via Postfix-users wrote: > On 05-03-2025 21:23, Bill Cole via Postfix-users wrote: > > You can use the Spamhaus DNSBLs for free if your query volume is low and > > your DNS resolver isn't public. DROP is also available free as a JSON file > > which gets change

[pfx] Re: dmarc, dkim & spf failed but that message was delivered anyway

On 05-03-2025 21:23, Bill Cole via Postfix-users wrote: You can use the Spamhaus DNSBLs for free if your query volume is low and your DNS resolver isn't public. DROP is also available free as a JSON file which gets changes every few days. As of this morning it had just 1359 entries, so your sp

[pfx] Re: how to remove DKIM header

Bitfox via Postfix-users: > Hello > > I saw that when messages sent to duck.com for forwarding, duck.com will > remove the original DKIM info from headers, to protect the sender > privacy. > > I am just curious how to remove that DKIM in postfix? With the header_checks I

[pfx] Re: how to remove DKIM header

On Tue, Dec 17, 2024 at 09:55:32AM +0800, Bitfox via Postfix-users wrote: > I saw that when messages sent to duck.com for forwarding, duck.com will > remove the original DKIM info from headers, to protect the sender privacy. > > I am just curious how to remove that DKIM in postfix

[pfx] Re: how to remove DKIM header

I saw that when messages sent to duck.com for forwarding, duck.com will remove the original DKIM info from headers, to protect the sender privacy. I am just curious how to remove that DKIM in postfix? That is something that can be done in milters. Most likely a custom solution they built. I

[pfx] how to remove DKIM header

Hello I saw that when messages sent to duck.com for forwarding, duck.com will remove the original DKIM info from headers, to protect the sender privacy. I am just curious how to remove that DKIM in postfix? Thank you. ___ Postfix-users mailing

[pfx] Re: Problem with DKIM - Postfix does not sign sending emails. - SOLVED

Hi, After I added my laptop's IP address to TrustedHosts file, the emails were sent with DKIM signature. Why don't you send mails authenticated? I would also assume a laptop isn't always in the same net as the mailserver.

[pfx] Re: Problem with DKIM - Postfix does not sign sending emails. - SOLVED

With  help of users in this list, particularly ( and  big, big thanks to ) Bluejay Adametz I was able to solved the problem --- emails were sent without DKIM signature. My mailserver is running on a different server ( different IP) and I use it from my laptop . The laptop address was not

[pfx] Re: Problem with DKIM - Postfix does not sign sending emails.

On 03.12.24 16:36, export--- via Postfix-users wrote: When I used only ## smtpd_milters = inet:localhost:12301 ## the mail to auth-resu...@verifier.port25.com was delivered - but the problem remains - no DKIM signature When I used only

[pfx] Re: Problem with DKIM - Postfix does not sign sending emails.

When I used only ## smtpd_milters = inet:localhost:12301 ## the mail to auth-resu...@verifier.port25.com was delivered - but the problem remains - no DKIM signature When I used only ## non_smtpd_milters = inet:localhost:12301

[pfx] Re: Problem with DKIM - Postfix does not sign sending emails.

> Can you see any problem there? You're telling postfix to contact the milter on an IP connection: smtpd_milters = inet:localhost:12301 non_smtpd_milters = inet:localhost:12301 Looking back, you have two Socket directives in your opendkim configuration; I'm not sure which one it's going to pick,

[pfx] Re: Problem with DKIM - Postfix does not sign sending emails.

imit = 52428800 ## Can you see any problem there? Thanks On 03/12/2024 15:21, Bluejay Adametz wrote: > Only these references to opendkim  I found out in syslog: > > Dec  3 14:35:09 debian systemd[1]: Stopping OpenDKIM DomainKeys >Identified Mail (DKIM) Milter... ... You probably need to

[pfx] Re: Problem with DKIM - Postfix does not sign sending emails.

> Only these references to opendkim I found out in syslog: > > Dec 3 14:35:09 debian systemd[1]: Stopping OpenDKIM DomainKeys >Identified Mail (DKIM) Milter... ... You probably need to look in your mail llog. If there's nothing there, then consider that postfix might not be

[pfx] Re: Problem with DKIM - Postfix does not sign sending emails.

Only these references to opendkim  I found out in syslog: Dec  3 14:35:09 debian systemd[1]: Stopping OpenDKIM DomainKeys Identified Mail (DKIM) Milter... Dec  3 14:35:13 debian opendkim[420]: OpenDKIM Filter: mi_stop=1 Dec  3 14:35:13 debian opendkim[420]: OpenDKIM Filter v2.11.0

[pfx] Re: Problem with DKIM - Postfix does not sign sending emails.

d yourself an Email and examine the headers to see if there actually IS a DKIM signature. Check your mail logs to see if you're signing at all (you're looking for "DKIM-Signature field added"), and if not, why. These options in your opendkim.conf should help: Syslog yes Sysl

[pfx] Problem with DKIM - Postfix does not sign sending emails.

To find out  a reason, why DKIM signature is not added to emails, I  sent an email to auth-resu...@verifier.port25.com and the reply suggests the reason. Here it is: -- DKIM check details

[pfx] Re: dkim is OK for any domain

It appears that Florian Piekert via Postfix-users said: >AFAIK you can't use the "doma.in" DKIM Key for signing "sub.doma.in" eMails. >You need to add a separate key in the DNS file >- which in this case you can't. Sorry, that's just wrong. You can pu

[pfx] Re: dkim for domain

Hello, AFAIK you can't use the "doma.in" DKIM Key for signing "sub.doma.in" eMails. You need to add a separate key in the DNS file - which in this case you can't. my current domain (bitfox.ddns.net) can set neither txt records nor cname records. So I can't

[pfx] dkim for domain

Hello my current domain (bitfox.ddns.net) can set neither txt records nor cname records. So I can't setup dkim/spf for this domain. So, by default I can't send email to gmail etc which requires either spf or dkim. but when I send email with this domain through fastmail's se

[pfx] Re: Question on DKIM process ordering

and passed further, which is why new scanned message is logger > before OK that's what I was hoping. > > BTW, amavis can DKIM-sign the message itself. > Yes, it's just that we already have OpenDKIM signing for 200+ domains so I thought I'd leave that alone. > >

[pfx] Re: Question on DKIM process ordering

On 05.07.24 08:42, Gilgongo via Postfix-users wrote: I'm setting up a server to handle outbound mail for sasl auth accounts and would like to scan that mail for spam and malware before DKIM signing because I assume scanning might potentially add headers that could break the sig. Right

[pfx] Re: Question on DKIM process ordering

On Fri, Jul 05, 2024 at 08:42:31AM +0100, Gilgongo via Postfix-users wrote: > # For OpenDKIM signing > 127.0.0.1:10027inetn-n--smtpd > ... configs... > -o smtpd_milters=inet:127.0.0.1:8891 > > So I assume DKIM should come last. But the l

[pfx] Question on DKIM process ordering

I'm setting up a server to handle outbound mail for sasl auth accounts and would like to scan that mail for spam and malware before DKIM signing because I assume scanning might potentially add headers that could break the sig. Right now I have the following (extract) in my Amavis

[pfx] Re: DKIM policy question

nice to know the info. thanks Viktor. Per the specification, a DKIM signature that fails to match the message content MUST be treated the same as absence of DKIM signatures. Also, absent a DKIM-Signature header, you can't even find the DKIM DNS record, because the selector is unknown.

[pfx] Re: DKIM policy question

On Tue, Jun 11, 2024 at 10:18:17AM +0800, Jeff Peng via Postfix-users wrote: > spf, dmarc have the policy to reject a message. > My question is, why dkim has no choice for rejecting messages? > for example, if dkim signature failed, where to instruct this message can be > reject

[pfx] DKIM policy question

Hello spf, dmarc have the policy to reject a message. My question is, why dkim has no choice for rejecting messages? for example, if dkim signature failed, where to instruct this message can be rejected? Thank you. ___ Postfix-users mailing list

[pfx] Re: Fwd: [S-announce] [ANN]ounce of s-dkim-sign v0.6.1

enbsd-ports@ While on the subject : https://16years.secvuln.info/ The old Debian OpenSSL bug from 2006 still haunts DKIM signatures today Unfortunately Google and Microsoft (and IETF etc etc) do not move on to RFC 8463. If they will not have done until fall i will try to get the slim two digest

[pfx] Re: Fwd: [S-announce] [ANN]ounce of s-dkim-sign v0.6.1

This discussion seems of-topic for the postfix-users mailing list. If you feel strongly about how email is authenticated, I suggest that you join the relevant working group discussions while the details are still mutable. Complaining about the final result is too late, and publishing non-interopera

[pfx] Re: Fwd: [S-announce] [ANN]ounce of s-dkim-sign v0.6.1

rdingly.) |> |> Ie, the ed25519 keys etc can remain the same and everything, but ... |This is not a productive direction. Please implement only algorithms |that are specified in a published standards track RFC. Nobody benefits |from ad-hoc non-interperable DKIM signature schemes th

[pfx] Re: Fwd: [S-announce] [ANN]ounce of s-dkim-sign v0.6.1

ngly.) > > Ie, the ed25519 keys etc can remain the same and everything, but > in order to generate ed25519 keys as of RFC 8463, use > "key big_ed-sha256" instead of "key ed25519-sha256". > This gives DKIM success for you. This is not a productive direction. Please

[pfx] Fwd: [S-announce] [ANN]ounce of s-dkim-sign v0.6.1

I promise this is the last one. s-postgray by the end of the *next* week. Good night! --- Forwarded from Steffen Nurpmeso --- Subject: [S-announce] [ANN]ounce of s-dkim-sign v0.6.1 Hello people. Well here i am indeed back again, to announce v0.6.1, 2024-05-12: - Adds the algorithm

[pfx] Re: Fwd: [S-announce] s-dkim-sign: addendum: ed25519 keys not usable with v0.6.0

Yet another "forward", very unfortunate, sorry! In short: s-dkim-sign generates *correct* Ed25519 signatures, despite what your DKIM verifier *may* say. No new release will happen (now, and due to this, at least). Steffen Nurpmeso wrote in <20240509012805.7jdxCPXC@steffen%sdaoden

[pfx] Fwd: [S-announce] s-dkim-sign: addendum: ed25519 keys not usable with v0.6.0

last usage time cannot be represented are kept, and only (as many as needed of) those will be garbage collected (unless that is not enough). I thought that is a good addition.) Sorry for the inconvience, shall you have downloaded and used (a ed25519- key with) s-dkim-sign (already). --- Forwarded fr

[pfx] Re: long header folding and DKIM fails

Further investigation showed that the issue is in Python 2.7’s `email` module. Although this is out of support, I’d expect some to be lying around and thought it worth mentioning to this group. Specifically, `email.Message.__str__()`. It seems ok in python3 > On 2 May 2024, at 12:53, Tim Coo

[pfx] Re: long header folding and DKIM fails

On 2024-05-02 at 07:53:15 UTC-0400 (Thu, 2 May 2024 12:53:15 +0100) Tim Coote via Postfix-users is rumored to have said: What would have helped - and I’ve no idea how feasible this is - would be some tooling to pull out different versions of the message as they flow through the queues. This

[pfx] Re: long header folding and DKIM fails

the amount of spam, but I suspect that it hadn’t done anything useful for some time. This looks like someone is signing headers they should not sign. Can you look at that? Is fo, you can also check DKIM signature before you sign or before you check for spam. What would have helped - and I’ve

[pfx] Re: long header folding and DKIM fails

I think that I’ve now fixed this in my domain, so I thought I’d just note the route to finding it, more as a comment on the complexity of working out what’s going on. After making a simple robot to send emails with long headers and demonstrating how they broke in my production environment, I re

[pfx] Fwd: [S-announce] [ANN]ounce of S-dkim-sign v0.6.0

release of this small and simple postfix-only DKIM sign-only milter. Please see its' README file for more information, and its' manual for documentation. The hyperlinked manual is online at https://www.sdaoden.eu/code-dkim-sign.html It is signing my messages for i think two months, but th

[pfx] Re: long header folding and DKIM fails

Wietse Venema via Postfix-users wrote in <4vtb9v00wbzj...@spike.porcupine.org>: |Steffen Nurpmeso via Postfix-users: |> But one thing is plain, if lines get folded "artificially" to |> satisfy line length limits, then this is a whitespace that DKIM |> will see,

[pfx] Re: long header folding and DKIM fails

Steffen Nurpmeso via Postfix-users: > But one thing is plain, if lines get folded "artificially" to > satisfy line length limits, then this is a whitespace that DKIM > will see, and if it was not in the original message, the signature > will break. After the DKIM signa

[pfx] Re: long header folding and DKIM fails

h and , because |too many app developers were messing up. | |As of January 2024, Postfix replaces any and that are not |part of a line ending with space. This prevents outbound SMTP |smuggling, and makes DKIM signatures more likely to verify. The |default setting "cleanup_replace_s

[pfx] Re: long header folding and DKIM fails

st with that strip() above compared to plain usage of [ascii_]isspace() (rspamd, opendkim) or \s regex (perl thing used by amavisd: last step only on minimal subrange, too). But it is not the "hardcore literal RFC 6376" that the dkim library exim uses implements, or what my thing does. M

[pfx] Re: long header folding and DKIM fails

. The Postfix sendmail command allows both and , because too many app developers were messing up. As of January 2024, Postfix replaces any and that are not part of a line ending with space. This prevents outbound SMTP smuggling, and makes DKIM signatures more likely to verify. The default

[pfx] Re: long header folding and DKIM fails

It appears that Steffen Nurpmeso via Postfix-users said: W> |I did not want to insult you! > |In mind i had these canon..py snippets > | > | def strip_trailing_whitespace(content): > |return re.sub(b"[\t ]+\r\n", b"\r\n", content) > | > | > | def compress_whitespace(content): > |return r

[pfx] Re: long header folding and DKIM fails

gt;|(998) | ... ||>Note that in practice only exim and the DKIM library it uses (from ||>2009) produce really standard-conforming results, all other ||>implementations i have tested have some edge cases. For example, ||>opendkim and rspamd (as of git) use (at least in pars, or alway

[pfx] Re: long header folding and DKIM fails

Wietse Venema via Postfix-users wrote in <4vstkr2gkhzj...@spike.porcupine.org>: |Steffen Nurpmeso via Postfix-users: |> Wietse Venema via Postfix-users wrote in |> <4vsq5f6q3nzj...@spike.porcupine.org>: |>|Tim Coote via Postfix-users: |> .. |>|> SMTP headers are often 'folded' as they flow

[pfx] Re: long header folding and DKIM fails

fix had changed this \ |>|long header - as you note this is < 998 stmp limit. I presume it’s \ |>|not directly involved now, as smtp_line_length_limit is the default (998) ... |>Note that in practice only exim and the DKIM library it uses (from |>2009) produce really standard

[pfx] Re: long header folding and DKIM fails

On April 29, 2024 9:27:20 PM UTC, Steffen Nurpmeso via Postfix-users wrote: >Tim Coote via Postfix-users wrote in > : > |Thanks very much for the detailed response. My original issue was why \ > |dkim signatures were failing on some emails from email lists when arriving \ >

[pfx] Re: long header folding and DKIM fails

Tim Coote via Postfix-users wrote in : |Thanks very much for the detailed response. My original issue was why \ |dkim signatures were failing on some emails from email lists when arriving \ |at my Postfix based domain (postfix-3.4.10-1.fc30.x86_64 - I know it \ |needs updating: and that may

[pfx] Re: long header folding and DKIM fails

Thanks very much for the detailed response. My original issue was why dkim signatures were failing on some emails from email lists when arriving at my Postfix based domain (postfix-3.4.10-1.fc30.x86_64 - I know it needs updating: and that may be the only reasonable answer). I have only seen

[pfx] Re: long header folding and DKIM fails

Steffen Nurpmeso via Postfix-users: > Wietse Venema via Postfix-users wrote in > <4vsq5f6q3nzj...@spike.porcupine.org>: > |Tim Coote via Postfix-users: > .. > |> SMTP headers are often 'folded' as they flow through MTAs. The > |> standard approach to folding and unfolding is covered in rfcs 53

[pfx] Re: long header folding and DKIM fails

Wietse Venema via Postfix-users wrote in <4vsq5f6q3nzj...@spike.porcupine.org>: |Tim Coote via Postfix-users: .. |> SMTP headers are often 'folded' as they flow through MTAs. The |> standard approach to folding and unfolding is covered in rfcs 5322 ... |3) Lines that exceed 998 bytes (not in

[pfx] Re: long header folding and DKIM fails

g is covered in rfcs 5322 > and is relied on in 6377 (DKIM). Message signing (DKIM) is > increasingly used to avoid spam/phishing and relies on consistent > header formats when the signature is generated and validated. > > It is known that of the two folding mechanisms, one, ca

[pfx] Re: long header folding and DKIM fails

I mostly agree - I’ve been using Postfix for a long while now. But something is folding headers in my domain and failing DKIM that don’t get folded by gmail and which, if I manually unfold and remove the extra space do get signature agreement. Here’s an example: List-Unsubscribe: <https:/

[pfx] Re: long header folding and DKIM fails

Remember that Postfix has supported DKIM via various milters for 15+ years without issues. So no, practically there is no problem with DKIM and header folding in Postfix. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an

[pfx] long header folding and DKIM fails

Hullo I’ve recently stumbled across this issue and wondered if it’s a/ common, b/ how it can be addressed. SMTP headers are often ‘folded’ as they flow through MTAs. The standard approach to folding and unfolding is covered in rfcs 5322 and is relied on in 6377 (DKIM). Message signing (DKIM

[pfx] Re: Which DKIM application for postfix 3.9.0

Peter via Postfix-users skrev den 2024-04-25 09:22: You make a confusing, factually incomplete post with claims that are incorrect and then complain about a lack of clear response on a different list? If you're going to run down the postfix list for your own failure at least have the decency

[pfx] Re: Which DKIM application for postfix 3.9.0

On 25/04/24 14:34, Benny Pedersen via dovecot wrote: +1, thanks for dovecot maillist do it right, postfix maillist fails on spf You make a confusing, factually incomplete post with claims that are incorrect and then complain about a lack of clear response on a different list? If you're going

[pfx] Re: Which DKIM application for postfix 3.9.0

t; > it's maintainers. > > well, long story. yes, it //seem// to be abandoned, but you may use > it on production level. > > > I run Solaris and therefore need to compile my applications, > > postfix and dkim. > > then you could give opendkim a change

[pfx] Re: Which DKIM application for postfix 3.9.0

On Thu, Mar 07, 2024 at 03:06:45PM -0700, postfix--- via Postfix-users wrote: > I am upgrading to postfix 3.9.0. > > I have not used DKIM in previous postfix installs, but I would like to start > now with the new google rules. > > I have done some research and opendkim is th

  1   2   3   4   5   6   7   8   9   10   >