Pro / dkim-exchange

DKIM Signing Agent for Microsoft Exchange Server

Some messages aren't signed correctly #113

Closed VictorSvetogor closed 8 years ago

VictorSvetogor commented 8 years ago

Hi,

I've found out that some messages aren't signed correctly. I use version 2.1.8 with Exchange 2010. Sometimes I see on Gmail and other mail providers that mail from my domain has an incorrect DKIM signature. See here:

Authentication-Results: mx.google.com; spf=pass (google.com: domain of victor@beloil.by designates 82.209.214.26 as permitted sender) smtp.mailfrom=victor@beloil.by; dkim=neutral (body hash did not verify) header.i=@beloil.by; dmarc=pass (p=REJECT dis=NONE) header.from=beloil.by
DKIM-Signature: v=1; a=rsa-sha256; s=corpmail; d=beloil.by; c=simple/simple; q=dns/txt; h=Date : From : Message-ID : Subject : To; bh=EHdx8zaZspFi6uIOK2ZIs8/v4TZnditLkDdpcHL1QII=; b=kpjLFR1jk8UAodbdYVk56o5+iB+mauEv4N+EvUvfGo8qfPYkWWYup58r3iDtoU2J6hN0Prr3VLUmOP517b94n4pC3VWTKw1KeGI5JxMNizvzSElZvSVT/Ww/47D7O9ybqPHxNCylR7YNH//k3ENinnr/aOmleybJKdswAQMpKAM=;

If I remove the attached file (for example), this message passes the DKIM test. Could you help?

Victor

stevemayster commented 8 years ago

Hello Victor. Did you install dkim-exchange on the edge server, or do you have a relay server which faces the internet?

VictorSvetogor commented 8 years ago

Hi, stevemayster

It's installed on the edge server.

stevemayster commented 8 years ago

@VictorSvetogor So messages go from the edge straight to the internet? I'm asking because I have the same issue, but I thought it's because I have an anti-spam system which relays mail.

VictorSvetogor commented 8 years ago

stevemayster,

Yes, messages are going to the Internet straight from the edge server. I have Forefront Protection for Exchange installed on the edge server (it also does antivirus protection), but the DKIM signer is installed with lower priority (15). I guess it works on messages AFTER all the other Exchange transport agents.

[PS] C:\Windows\system32>Get-TransportAgent

Identity Enabled Priority
Vamsoft ORF SMTP Receive Agent True 1
Vamsoft ORF Routing Agent True 2
Connection Filtering Agent True 3
Address Rewriting Inbound Agent True 4
Edge Rule Agent True 5
Content Filter Agent False 6
Sender Id Agent True 7
Sender Filter Agent True 8
Recipient Filter Agent True 9
Protocol Analysis Agent True 10
Attachment Filtering Agent True 11
Address Rewriting Outbound Agent True 12
FSE Routing Agent True 13
FSE Connection Filtering Agent True 14
Exchange DkimSigner True 15

stevemayster commented 8 years ago

@VictorSvetogor Interesting. I would try to disable FSE for a short time and try to send a message. But it's your decision.

VictorSvetogor commented 8 years ago

Hi stevemayster ,

I found that the "Attachment Filtering Agent" prevents correct DKIM signing of a message. Once I disabled it, all is OK. But this is not the right solution....

Pro commented 8 years ago

@VictorSvetogor does this happen to any e-mail with an attachment or is it dependent on the file type or e.g. file size?

VictorSvetogor commented 8 years ago

@Pro

I found that this happens if I send a message with an attachment that has a non-Latin file name.

Pro commented 8 years ago

I'll try to reproduce this problem on my test server so I can find the part of the code which is causing the problem. This will take some days until I have time. If someone else has time to narrow the problem down I'm happy for any help :+1:

stevemayster commented 8 years ago

@Pro I have the same problem too, but my file doesn't have a non-Latin name. I think it happens because my anti-spam filter system, which acts as a relay server, breaks the signature, but I'm not sure because it doesn't happen with all messages with attachments. How can I help you?

MikeLabatt commented 8 years ago

I have a similar "body hash did not verify" issue (tested with Gmail inbox) when sending messages with subject only, no message body. Resending the same message with body, the signature works fine. This is DKIM Signer 2.1.8 on edge Exchange 2007 server going straight to the internet.

Agents are:

Identity Enabled Priority
Connection Filtering Agent True 1
Address Rewriting Inbound Agent True 2
Edge Rule Agent True 3
Content Filter Agent True 4
Sender Id Agent True 5
Sender Filter Agent True 6
Recipient Filter Agent True 7
Protocol Analysis Agent True 8
Attachment Filtering Agent True 9
Address Rewriting Outbound Agent True 10
Exchange DkimSigner True 11

Tried different priorities, like 3 vs. 11, with same result: with body it signs OK, without body it fails.

dkim-signature: v=1; a=rsa-sha256; s=mail; d=example.com; c=relaxed/relaxed; q=dns/txt; h=Date:From:Message-ID:Subject:To; bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=FDo7CfwA4jj1mQtEb7bR9K+kAvnnD4BTnff5iiIFxEg5ox9ofRNINoO25yAqdFsNu6euUKC5RqyPjAqJhfQcFNGAxG7qDG7TQvvtbabTDv7ayTVOxpjM4eqYEraODKvlre+Cn06aBEL3JcN2ZhEhl9rgczo+PN84WpY6jQA51dA=;

Also, what looks like a minor bugglet: when the configuration tool opens, it does not re-select the radio button associated to RsaSha256.

AlexLaroche commented 8 years ago

What canonicalization do you use? What are the values of the Content-Type and Content-Transfer-Encoding fields in your message?

MikeLabatt commented 8 years ago

Canonicalization of header/body: relaxed/relaxed
Key size: 1024
Hash: SHA-256
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

If the body is empty, Gmail headers indicate "body hash did not verify". If the body contains text, Gmail indicates dkim=pass. Content-Type and Content-Transfer-Encoding are the same.

The above two variations were also retried with an empty subject, with the same result (empty message failed body hash, empty subject with body passed).

Yahoo mail gives the same results: email without body gives "dkim=permerror (bad sig)", while email with body results in "dkim=pass (ok)".

Pro commented 8 years ago

@MikeLabatt the small bug with the radio button is now fixed, see: https://github.com/Pro/dkim-exchange/commit/6cd52a755d3f2190f7ef44f16679448841852dd3 (thanks @AlexLaroche)

Regarding the other problem of invalid signature: I'll try to find some time in the weekend to debug the problem.

VictorSvetogor commented 8 years ago

@Pro ,

i've sent the email to you.

MikeLabatt commented 8 years ago

@Pro: sent you two emails around 20:03 UTC (one with body, one without body, as per issue)

MikeLabatt commented 8 years ago

@Pro: Just sent you another mail, concerning a similar body hash failure, but this time with emails that have an attachment (and a message body).

Pro commented 8 years ago

@MikeLabatt, @VictorSvetogor I looked at your emails and also tried to reproduce the error, but with no success. Can you please first send a mail where the DKIM signature should be OK to the e-mail address indicated below, and then each mail which failed signing, separately, to this e-mail address: check-auth-git=s.profanter.me@verifier.port25.com

Using this E-mail address I get the full content of the mail and all the required info (see https://www.port25.com/support/authentication-center/email-verification/ for more info).

MikeLabatt commented 8 years ago

@Pro: done (all three emails resent in the same order).

avoidik commented 8 years ago

Same problem with Exchange 2010 UR11, regardless of the canonicalization algorithms. The body contains Cyrillic symbols, without attachments. If I remove my email signature, DKIM passes. Is this an encoding problem?

Test email


test

-- 
С уважением, Вася Пупкин
Старший помощник главного дворника
8(495)555-05-05

Result from port25 with specified signature

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         fail (wrong body hash: expected jyd/c+ILEe9+8WW6blVnTI3WYj4=)
ID(s) verified: 
Canonicalized Headers:
    Date:'20'Fri,'20'11'20'Dec'20'2015'20'11:23:28'20'+0300'0D''0A'
    From:'20'removed@private.data'0D''0A'
    '09'<removed@private.data>'0D''0A'
    Message-ID:'20'<removed@private.data>'0D''0A'
    Subject:'20'test'0D''0A'
    To:'20'<check-auth2@verifier.port25.com>'0D''0A'
    DKIM-Signature:'20'v=1;'20'a=rsa-sha1;'20's=selector_removed;'20'd=domain_removed;'20'c=simple/simple;'20'q=dns/txt;'20'h=Date'20':'20'From'20':'20'Message-ID'20':'20'Subject'20':'20'To;'20'bh=88/Es1HWcf3uWK1WWaakly0DiB0=;'20'b=;

Canonicalized Body:
    test'0D''0A'
    '0D''0A'
    --'20''0D''0A'
    'D0''A1''20''D1''83''D0''B2''D0''B0''D0''B6''D0''B5''D0''BD''D0''B8''D0''B5''D0''BC','20''D0''92''D0''B0''D1''81''D1''8F''20''D0''9F''D1''83''D0''BF''D0''BA''D0''B8''D0''BD''0D''0A'
    'D0''A1''D1''82''D0''B0''D1''80''D1''88''D0''B8''D0''B9''20''D0''BF''D0''BE''D0''BC''D0''BE''D1''89''D0''BD''D0''B8''D0''BA''20''D0''B3''D0''BB''D0''B0''D0''B2''D0''BD''D0''BE''D0''B3''D0''BE''20''D0''B4''D0''B2''D0''BE''D1''80''D0''BD''D0''B8''D0''BA''D0''B0''0D''0A'
    8(495)555-05-05'0D''0A'

Result from port25 without specified signature

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: removed@private.data)
ID(s) verified: header.d=domain_removed
Canonicalized Headers:
    Date:'20'Fri,'20'11'20'Dec'20'2015'20'11:27:31'20'+0300'0D''0A'
    From:'20'removed@private.data'0D''0A'
    '09'<removed@private.data>'0D''0A'
    Message-ID:'20'<removed@private.data>'0D''0A'
    Subject:'20'test'0D''0A'
    To:'20'<check-auth2@verifier.port25.com>'0D''0A'
    DKIM-Signature:'20'v=1;'20'a=rsa-sha1;'20's=selector_removed;'20'd=domain_removed;'20'c=simple/simple;'20'q=dns/txt;'20'h=Date'20':'20'From'20':'20'Message-ID'20':'20'Subject'20':'20'To;'20'bh=/edzoYuyn17WXm8KeqcX/R+khdQ=;'20'b=;

Canonicalized Body:
    test'0D''0A'

If we check the email inside Google mail, the difference is in one line:

Content-Transfer-Encoding: 7bit <- passed
Content-Transfer-Encoding: 8bit <- not passed
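
The failures reported in this thread have one shape: the body bytes the verifier hashes are not the bytes the signer hashed, either because an 8bit body was converted to 7bit downstream or, for the empty-body reports above, because the signer's bh did not match the verifier's canonicalization. The following is an added Python example (not code from dkim-exchange or MimeKit) that implements RFC 6376 simple and relaxed body canonicalization, computes the bh= value, and shows that re-encoding a constructed 8bit body as quoted-printable changes the hash while a pure-ASCII body survives; the quoted-printable conversion is modelled with the standard library's quopri, which is an assumption about what a downstream hop does.

```python
import base64
import hashlib
import quopri
import re

def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3 'simple': drop trailing empty lines; an empty body becomes one CRLF."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"

def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4 'relaxed': trim line-end WSP, collapse WSP runs, drop trailing
    empty lines; an empty body stays empty (zero octets, not a CRLF)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
    out = re.sub(rb"(\r\n)+\Z", b"", b"\r\n".join(lines))
    return out + b"\r\n" if out else b""

def body_hash(body: bytes, canon: str = "simple", algo: str = "sha256") -> str:
    """The bh= tag value: base64 of the digest over the canonicalized body."""
    canon_fn = canon_body_simple if canon == "simple" else canon_body_relaxed
    return base64.b64encode(hashlib.new(algo, canon_fn(body)).digest()).decode("ascii")

def to_quoted_printable(body: bytes) -> bytes:
    """Model (assumption) of a downstream hop converting an 8bit body to 7bit via QP."""
    qp = quopri.encodestring(body.replace(b"\r\n", b"\n"))
    return qp.replace(b"\n", b"\r\n")

# Constructed sample modelled on the test mail in this thread: a short plain-text body
# followed by a Cyrillic signature block, sent with Content-Transfer-Encoding: 8bit.
RAW_8BIT_BODY = (
    "test\r\n\r\n-- \r\nС уважением, Вася Пупкин\r\n8(495)555-05-05\r\n"
).encode("utf-8")

def hashes_survive_reencoding(body: bytes, canon: str = "simple") -> bool:
    """False when 8bit -> quoted-printable re-encoding changes the body hash, i.e. when
    a signature computed over the 8bit bytes can no longer verify at the receiver."""
    return body_hash(body, canon) == body_hash(to_quoted_printable(body), canon)

if __name__ == "__main__":
    for canon in ("simple", "relaxed"):
        print(canon, "8bit bh:", body_hash(RAW_8BIT_BODY, canon))
        print(canon, "QP bh:  ", body_hash(to_quoted_printable(RAW_8BIT_BODY), canon))
        print(canon, "survives 8bit->QP:", hashes_survive_reencoding(RAW_8BIT_BODY, canon))
    # Empty body: relaxed hashes zero octets, simple hashes a single CRLF, so the two differ.
    print("empty relaxed bh:", body_hash(b"", "relaxed"))
    print("empty simple bh: ", body_hash(b"", "simple"))
```

For an empty body under c=relaxed/relaxed, a verifier expects bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= (SHA-256 of zero octets); any other bh in such a signature, like the one quoted above, cannot verify regardless of the key.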

avoidik commented 8 years ago

And the answer is this: http://stbuehler.de/blog/article/2011/05/19/dkim_fails_at_content-transfer-encoding.html

It turns out the DKIM RFC says you SHOULD always convert your messages to 7bit / quoted-printable encodings…

Pro commented 8 years ago

@avoidik Thanks for your further analysis. It seems that the problem is related to #86. I'll try to debug the problem next Sunday and hopefully come up with a solution.

Pro commented 8 years ago

I've found MimeKit (https://github.com/jstedfast/MimeKit) which also provides a better implementation for DKIM signing. We will integrate it into this agent and release it as version 3.0.0 (see https://github.com/Pro/dkim-exchange/tree/mime_kit). This will probably reduce the number of problems regarding wrongly signed mails. It will take some days, hopefully it is ready in January.

Pro commented 8 years ago

v3.0.0 beta is now released. This should fix the 8bit issue: https://github.com/Pro/dkim-exchange/releases/tag/v3.0.0-beta

VictorSvetogor commented 8 years ago

I've installed 3.0.1, but it didn't help.

Pro commented 8 years ago

OK, then maybe this is fixed in the new MimeKit version 1.2.21 (https://github.com/jstedfast/MimeKit/blob/master/ReleaseNotes.md). It mentions 'Fixed MimeMessage.DkimSign() to not enforce 7bit encoding of the body. (issue #224)'

This version will be included in the next dkim signer release.

Pro commented 8 years ago

Please check the new version: https://github.com/Pro/dkim-exchange/releases/tag/v3.0.2. If there's still an issue with 8-bit signing, please open an issue on the MimeKit repo: https://github.com/jstedfast/MimeKit/issues and link it here.

wish01 commented 7 years ago

Hello, I installed version 3.0.8 and MimeKit 1.2.21. Letters with attachments whose names are in Russian are still signed incorrectly; the DKIM signature error continues. Gmail message: DKIM: NEUTRAL, domain null

avoidik commented 7 years ago

Did you configure SPF/TXT records for your MX domain?

wish01 commented 7 years ago

If the name of the attachment in a letter is in English, the DKIM record is correct. One and the same attachment with different names: with a Russian name it does not pass the test, with an English name it passes.

Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet; name= "Сервера добавленные в МОМ за последние 2 месяца Qwe.xlsx"
Content-Description: "Сервера добавленные в МОМ за последние 2 меся""ца Qwe.xlsx"
Content-Disposition: attachment; filename= "Сервера добавленные в МОМ за последние 2 месяца Qwe.xlsx"; size=9302; creation-date="Fri, 17 Feb 2017 09:11:32 GMT"; modification-date="Tue, 17 Jul 2012 06:32:13 GMT"
Content-Transfer-Encoding: base64