Le 09/08/2017 à 18:53, David Jones a écrit : > On 08/09/2017 10:19 AM, Felix Defrance wrote: >> Do you have any idea why the body has been altered sometimes ? I >> don't have any log about amavis alterate body message. >> > > This happens when any server in the path modify some of the headers or > the body of the email after it was signed by the originator. Older > Exchange servers are known to mess with DKIM signing. I think > Exchange 2016 and Office 365 now properly handle mail so that DKIM > doesn't break. > > It could be any of the Received: mail servers that broke DKIM. I > don't think it was your Amavis that caused it. You could install > OpenDKIM and OpenDMARC as a milter on the MTA to get some extra > information before the message was passed to Amavis. In the first lines on log, you could see opendkim results are success.
Aug 9 10:25:42 vmail opendkim[21923]: 0D81A778B1D: DKIM verification successful Aug 9 10:25:43 vmail opendmarc[7879]: 0D81A778B1D: groupeastek.fr none That why I think Amavis or Spamassassin is in cause. > >> You don't think the problem came from this line ? >> >> SA dbg: dkim: FAILED DKIM, i=@groupeastek365.onmicrosoft.com, >> d=groupeastek365.onmicrosoft.com, s=selector1-groupeastek-fr, >> a=rsa-sha256, c=relaxed/relaxed, fail, does not match author domain >> > > No. This didn't cause the problem. It's just showing that the > envelope-from domain didn't match the DKIM d= domain. > > groupeastek.fr <> groupeastek365.onmicrosoft.com > > Microsoft is trying to be helpful here and automatically DKIM signing > with their own domain. Ok - i don't read the rfc - but, could I suppose Mail::SpamAssassin::Plugin::DKIM or Microsoft don't respect the standard ? Maybe I need to update Mail::SpamAssassin::Plugin::DKIM. I use libmail-dkim-perl 0.40-1 from Debian Jessie. Do you think the version is too old ? Or Microsoft is helpful, but they should be not.. > > > >> Thx, >> >> Le 09/08/2017 à 16:37, David Jones a écrit : >>> On 08/09/2017 09:33 AM, Felix Defrance wrote: >>>> Hi all, >>>> >>>> I don't understand why Mail::SpamAssassin::Plugin::DKIM fail on >>>> signature verification instead of opendkim success.. >>>> >>>> I see thats issues on domain which use onmicrosoft.com or >>>> gappssmtp.com >>>> >>>> Here is the mail trace on my MTA, if anybody could help me. >>>> >>>> Thx, >>>> >>>> Aug 9 10:25:43 vmail amavis[1524]: (01524-06) SA dbg: dkim: >>>> signature verification result: FAIL (BODY HAS BEEN ALTERED) >>>> >>>> -- >>>> Félix >>>> PGP: 0x0F04DC57 >>>> >>> >>> This is in the logs above: >>> >>> dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED) >>> >> >> -- >> Félix Defrance >> PGP: 0x0F04DC57 >> > -- Félix Defrance PGP: 0x0F04DC57
