Michael Scheidell wrote:
> SA 3.2.1 INSTALL seems to indicate that if I use Mail-DKIM .20 or
> better, I don't need Mail-DomainKeys.
>
> Because of this, I removed the Mail-DomainKeys dependency from the
> FreeBSD SA port (I am the official maintainer).
>
> I have seen a couple of issues that indicate that maybe, Mail-DKIM 
> isn't doing everything that Mail-DomainKeys should be:
>
> Issue #1:
>
> With a valid DomainKeys signature, I would have triggered these rules:
>
> DomainKey-Signature: s=smtpout; d=dell.com; c=nofws; q=dns;
> b=F8HNbhd0584EduhfgHEXuE+EIUiaTS7NgLfQTpwRK6QGlULcYJ9tVOzZtMKQdlHks+PaJLwqa2wj14lfLyTcXPXAHPZKvq4vqxEZa3FvS1Flf8hjev2wPWAhUIP7Pgas;
>
>
> X-IronPort-AV: E=Sophos;i="4.16,558,1175490000";
> X-Spam-Status: No, score=-3.381 tagged_above=-999 required=5
> tests=[AWL=2.216,
>
>     BAYES_00=-2.599, DK_POLICY_SIGNSOME=0, DK_SIGNED=0.001,
> DK_VERIFIED= -0.001
>     HTML_MESSAGE=0.001, NO_REAL_NAME=1, RCVD_IN_DNSWL_MED=-4,
>     SPF_PASS=-0.001]
>
>
> But, with DKIM and no DomainKeys plugins, I get this: (note the
> missing DKIM_VERIFIED).
> I would almost expect that a test for DKIM_SIGNED && !DKIM_VERIFIED
> might be used to double-check for forged DomainKeys.

Interesting, have you tried running that message through spamassassin -D
and checked the debug output generated by the DKIM plugin?

In particular, the output of these debugs by dkim might be able to point
us in the right direction:

    dbg("dkim: signature identity: ".$scan->{dkim_identity});
    dbg("dkim: signature verification result: $detail");
    dbg("dkim: invalid DKIM-Signature: $detail");
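
The check suggested in the quoted message (signed rule fired, verified rule absent) can be run over stored X-Spam-Status headers. The Python script below is an added example, not part of either message or of SpamAssassin; the first sample is the header quoted above, the second is constructed, and the function and variable names are hypothetical.

```python
import re

# Rule-name pairs as they appear in the thread: "signed" rule and its "verified" rule.
PAIRS = {
    "DomainKeys": ("DK_SIGNED", "DK_VERIFIED"),
    "DKIM": ("DKIM_SIGNED", "DKIM_VERIFIED"),
}

def fired_tests(status_header):
    """Return {rule: score} parsed from the tests=[...] part of X-Spam-Status."""
    unfolded = re.sub(r"\s+", " ", status_header)  # undo header folding
    m = re.search(r"tests=\[([^\]]*)\]", unfolded)
    if not m:
        return {}
    # Tolerate a space after '=' and a missing comma, both present in the quoted header.
    pairs = re.findall(r"([A-Z][A-Z0-9_]*)=\s*(-?\d+(?:\.\d+)?)", m.group(1))
    return {name: float(score) for name, score in pairs}

def signed_but_unverified(status_header):
    """List signature families whose signed rule fired without the verified rule."""
    tests = fired_tests(status_header)
    return [family for family, (signed, verified) in PAIRS.items()
            if signed in tests and verified not in tests]

# Header value as quoted in the message above (quote markers removed).
PAGE_SAMPLE = """No, score=-3.381 tagged_above=-999 required=5
 tests=[AWL=2.216,
     BAYES_00=-2.599, DK_POLICY_SIGNSOME=0, DK_SIGNED=0.001,
 DK_VERIFIED= -0.001
     HTML_MESSAGE=0.001, NO_REAL_NAME=1, RCVD_IN_DNSWL_MED=-4,
     SPF_PASS=-0.001]"""

# Constructed sample: DKIM_SIGNED present, DKIM_VERIFIED missing.
CONSTRUCTED_SAMPLE = ("No, score=-2.598 tagged_above=-999 required=5 "
                      "tests=[BAYES_00=-2.599, DKIM_SIGNED=0.001, "
                      "HTML_MESSAGE=0.001, SPF_PASS=-0.001]")

if __name__ == "__main__":
    for label, header in (("page", PAGE_SAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        print(label, signed_but_unverified(header) or "ok")
```

A hit only says the verified rule did not fire; the dkim debug lines listed above are what show why.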
