ScottPeterJohnson / purelymail-issues

Issues repository for the Purelymail email service.

invalid DKIM signature error when sending mail from placeq.com domain to nine.testrun.org chatmail server #198

Closed sysfu closed 5 months ago

sysfu commented 5 months ago

Messages originating from the placeq.com domain are being rejected by the nine.testrun.org chatmail server on account of an invalid DKIM signature.

Can you please investigate?

Sent: 2024.01.22 16:13:36 by Me (userredacted@placeq.com)
State: Failed, Encrypted
Error: We could not deliver the attached mail for the following recipients.
userredacted@nine.testrun.org at remote mailserver nine.testrun.org. (116.202.233.236): SMTPSendFailedException: 554 5.7.1 Rejected due to invalid DKIM signature
(554)
Message-ID: Mr.y0IshhXaVRk.8nD3WERfMUH@placeq.com
</DeltaChat/;UID=10262>

No Hop Info

sent    Monday, January 22, 2024 4:13 PM (1705968816000)
messageId   42033

ScottPeterJohnson commented 5 months ago

While "Invalid DKIM" is what the remote server said, I manually checked the email as it was sent against both our own DKIM verification and an external party service, and both agreed it was correct. "nine.testrun.org" changed their DKIM settings yesterday apparently: https://support.delta.chat/t/dkim-mandatory-at-nine-testrun-org/2894 I suggest you raise the issue with them.

link2xt commented 5 months ago

Both nine.testrun.org (running rspamd) and c20.testrun.org (running OpenDKIM) are unhappy. But testrun.org running mailcow shows dkim=pass in Authentication results.

One weird thing is that the DKIM-Signature produced by the purelymail server is a single line almost 500 characters long, but otherwise looks fine. Maybe Postfix hard-wraps it or otherwise breaks it before passing it to the rspamd/opendkim milter and we need to tweak its configuration.

link2xt commented 5 months ago

I think I found the problem: we probably remove Received: headers before verifying the DKIM signature, and your server signs Received headers.

It is generally not recommended to sign Received, but I don't see the problem actually: https://www.rfc-editor.org/rfc/rfc6376.html#section-5.4.1

Will try to fix the filter to not remove Received on incoming mails and tell you if it helped.

link2xt commented 5 months ago

I made a fix for our server: https://github.com/deltachat/chatmail/pull/197

link2xt commented 5 months ago

@ScottPeterJohnson This is now resolved and you can close the issue, but maybe reconsider signing Received headers as this is not a common thing to do. But it is not really a problem either.

link2xt commented 5 months ago

One problem with a signed Received header is that mailing lists which remail messages as-is and keep From: headers will break the signature if they add a Received header.

ScottPeterJohnson commented 5 months ago

Mailing lists shouldn't break DKIM if they add a Received header; the DKIM signs the Received header below it in the header list. So adding a new Received to the top should be fine.
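
Added example, not part of the thread or of either project's code: a sketch of the RFC 6376 section 5.4.2 header selection rule (each name in `h=` picks the bottom-most unused instance), showing why a prepended Received header leaves the signed header set unchanged while a filter that strips Received headers before verification changes it. The header values, domains and function names are constructed for illustration, and the hash covers only the selected headers, not the full DKIM signing input.

```python
import hashlib
import re

def relaxed(name, value):
    """Relaxed header canonicalization (RFC 6376 section 3.4.2)."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse whitespace runs
    return f"{name.lower()}:{value}\r\n"

def select_signed(headers, h_list):
    """Select header instances named in h=, bottom-up (RFC 6376 section 5.4.2).

    headers: list of (name, value) in message order, top of message first.
    The n-th mention of a name in h= takes the n-th instance from the bottom;
    a name with no remaining instance contributes nothing.
    """
    remaining = list(headers)
    picked = []
    for wanted in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                picked.append(remaining.pop(i))
                break
    return picked

def header_hash(headers, h_list):
    """SHA-256 over the canonicalized selected headers.
    Simplification: real DKIM also hashes the DKIM-Signature header itself
    (with b= emptied) and signs the result with the domain key."""
    data = "".join(relaxed(n, v) for n, v in select_signed(headers, h_list))
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample headers (top of message first); all values are made up.
AS_SENT = [
    ("Received", "from client.example by out.sender.example; Mon, 22 Jan 2024 16:13:36 +0000"),
    ("From", "alice@sender.example"),
    ("To", "bob@receiver.example"),
    ("Subject", "hello"),
]
H_LIST = ["Received", "From", "To", "Subject"]  # signer lists Received in h=

# A later hop (receiving MTA or a remailing list) prepends its own Received.
WITH_NEW_HOP = [("Received", "from out.sender.example by mx.receiver.example; Mon, 22 Jan 2024 16:13:40 +0000")] + AS_SENT
# A filter that drops every Received header before the verifier runs.
STRIPPED = [h for h in WITH_NEW_HOP if h[0].lower() != "received"]

SIGNED = header_hash(AS_SENT, H_LIST)  # what the signer committed to
```

Comparing `header_hash(WITH_NEW_HOP, H_LIST)` and `header_hash(STRIPPED, H_LIST)` against `SIGNED` reproduces the two cases discussed in the thread.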