Pro / dkim-exchange

DKIM Signing Agent for Microsoft Exchange Server

DkimSigner doesn't sign messages (Gmail, etc) #366

Open YevgeniyN opened 2 years ago

YevgeniyN commented 2 years ago

Versions

Description

DkimSigner installed on Edge Transport server. Algorithm: RsaSha256. Header and Body canonicalization: Simple or Relaxed (I've tested both).

Configuration: image image

Steps to Reproduce

  1. Send test message to Gmail
  2. There's no "dkim=pass" or fail in message source

Expected behavior:

dkim=pass in message source

Actual behavior:

no signs of dkim header in message source

ssaeth commented 2 years ago

Can you try and move number 13 Exchange DkimSigner to the top and see if this works?

Capture

YevgeniyN commented 2 years ago

It helped: https://www.mail-tester.com/test-utj411xxs

Is it OK to leave it like this?

image

ssaeth commented 2 years ago

I read this in a manual when I set up my DKIM: https://opentechtips.com/how-to-configure-dkim-on-exchange-2019-the-simple-way/

cgbrooking commented 2 years ago

In general, that article is wrong. The dialog even says that the signing agent should be at the bottom. I suggest [YevgeniyN] tries moving the agent down one step at a time, testing one by one. The reasoning for the agent being at the bottom is that other agents in the list may modify the header, which would then invalidate the signature generated by the signing agent.

stryqx commented 2 years ago

Howdy,

The problem with this configuration is that DKIM signing is done before any of the other Transport Agents get to look at the message and potentially modify it, which will result in DKIM validation errors at the recipient's end. I suspect that "Vamsoft ORF Routing Agent" is the Agent responsible for preventing DKIM signing taking place. I'd suggest making both Vamsoft entries Priority 12 (the SMTP one) and 13 (the Routing one) and make Exchange DkimSigner Priority 11. This should then result in DKIM signing taking place after all other Agents have looked at the message and made their changes if needed, but before the Vamsoft agents take action on the messages. I'm not familiar with these Vamsoft agents, so I'd strongly recommend you check Vamsoft documentation to see what impact changing the priority of these agents has on the functionality of the Vamsoft components.

On Thu, 26 May 2022 at 20:11, YevgeniyN @.***> wrote:

It helped: https://www.mail-tester.com/test-utj411xxs

Is it OK to leave it like this?

[image: image] https://user-images.githubusercontent.com/2317470/170467218-cceacf75-0362-46af-918f-4f5ee41f8c80.png


-- Regards, Chris Knight

YevgeniyN commented 2 years ago

It works fine as soon as I place DkimSigner before the Attachment Filtering Agent

image

stryqx commented 2 years ago

Good to hear. I'd suggest comparing your Transport Agent priority with a clean install of Exchange Server 2016 CU13 without any third party software installed to see what the order and agents are. I'd then review the Transport Agents to see what message modifications they perform, if any. I'd then choose appropriate priorities for my third party agents so they all worked reliably. I'd then choose my DKIM signing headers so that any agents that run after my DKIM signing won't affect DKIM validation if they modify the message headers. If they affect the message body, then I'd need to review my third party software to see if the third party software was capable of performing the features I selected it for as well as DKIM signing, as DKIM signing only works once all message headers and the message body have been modified to meet all the other requirements of valid mail delivery.

On Fri, 27 May 2022 at 21:57, YevgeniyN @.***> wrote:

It works fine as soon as I place DkimSigner before the Attachment Filtering Agent

[image: image] https://user-images.githubusercontent.com/2317470/170694724-53c8f02e-df23-446b-ac76-13a1114f188f.png


-- Regards, Chris Knight
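Why the agent order discussed above matters, as an added example that is not part of the original thread or of the dkim-exchange project: it computes the DKIM body hash (`bh=`) under the simple and relaxed canonicalizations of RFC 6376 and checks whether changes made by an agent running after the signer would still validate. The sample bodies, header names and `h=` list are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse whitespace runs to one space and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    if not lines:  # empty body: simple hashes a single CRLF, relaxed hashes nothing
        return b"\r\n" if mode == "simple" else b""
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, mode: str) -> str:
    """Value of the bh= tag for rsa-sha256."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def body_survives(signed: bytes, delivered: bytes, mode: str) -> bool:
    """True if the body the recipient sees still matches the bh= computed at signing."""
    return body_hash(signed, mode) == body_hash(delivered, mode)


def signed_headers_touched(h_tag: str, touched: list[str]) -> list[str]:
    """Headers rewritten after signing that are covered by the signature's h= list."""
    covered = {name.strip().lower() for name in h_tag.split(":")}
    return [name for name in touched if name.lower() in covered]


# Constructed sample data (not taken from the thread).
SIGNED = b"Hello Gmail,\r\n\r\nTest message.\r\n"
REWRAPPED = b"Hello  Gmail,  \r\n\r\nTest message.\r\n\r\n"  # whitespace-only change
FOOTER = SIGNED + b"-- \r\nScanned by gateway\r\n"           # content appended

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, "whitespace change survives:", body_survives(SIGNED, REWRAPPED, mode))
        print(mode, "appended footer survives:", body_survives(SIGNED, FOOTER, mode))
    print("signed headers touched:",
          signed_headers_touched("From:To:Subject:Date", ["Subject", "X-Scanned-By"]))
```

Relaxed canonicalization only tolerates whitespace changes; any agent that adds or rewrites body content after the signer invalidates the signature in both modes.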

shumaid commented 8 months ago

Hi,

Related to the same subject: do I need to add a TXT record into my local Windows DNS server, or is it enough to publish it on the ISP DNS side?

Regards

shumaid commented 8 months ago

I tried to move the DKIM Signer down one at a time and test... it is still not working!