simple-login / app

The SimpleLogin back-end and web app
https://simplelogin.io
GNU Affero General Public License v3.0

Recipients seeing: dkim=fail (body hash mismatch #1536

Open gtmadev opened 1 year ago

gtmadev commented 1 year ago

Prerequisites

Bug report

Describe the bug

When sending with self-hosted simplelogin, the dkim will fail, but only if I include a protonmail signature, or include some signature lines, or an image/logo in the signature. If I only send a single paragraph, it will likely work. If I send in plain text, it will always work.

Expected behavior

dkim at recipient server should pass as postfix is signing the outgoing email.

SimpleLogin Version 4.6.5-beta

Environment (If applicable): Server:

Client:

Additional context

In the recipient's mail header, it looks something like this (parts redacted):

Return-Path: <sl.lmysyxxxxxxxxx3dimzzlu.mj6om76jvnetm@gtxxxx.xxx>
X-Original-To: mxxxxxr@protonmail.com
Delivered-To: mxxxxxxr@protonmail.com
Authentication-Results: mailin030.protonmail.ch; dkim=fail (body hash mismatch (got b'lv36HUkejUBveDwBjX9VZJ4wBIqER2P6IqfJEfK8f8c=', expected b'lXTZ+49YHFc64RtD7eN13XIR2hcaSJUphWZg2Tx4RB0=')) header.d=gtxxxx.xxx header.i=@gtxxxxx.xxx header.a=rsa-sha256
Authentication-Results: mailin030.protonmail.ch; arc=none smtp.remote-ip=xxx.xx.xxx.xx
Authentication-Results: mailin030.protonmail.ch; dkim=fail reason="signature verification failed" (1024-bit key) header.d=gtxxxx.xxx header.i=@gtxxxx.xxx header.b="DLpo8ckl"
Authentication-Results: mailin030.protonmail.ch; spf=pass smtp.mailfrom=gtxxxx.xxx
Authentication-Results: mailin030.protonmail.ch; dmarc=pass (p=quarantine dis=none) header.from=gtxxxx.xxx

I thought initially my DKIM keys were wrong or I missed one on the sending domains. But I checked those again and all good. And I do see other articles and bugs with other apps describing this same issue. Most of the time, it seems to be an encoding problem (I think at the postfix layer). Some had the problem due to an MTA modifying the body after it left SL. But I am not doing that in this case.

So it seems that postfix is most likely the culprit with this. But I can't figure out why it only happens when I include a signature or a signature that includes a company logo, etc.

I was thinking to scrap trying to use CentOS (AlmaLinux) and just reinstall the whole thing using Ubuntu. I am kind of out of options. Everything else is working perfectly, but just this weird issue with DKIM invalid signature.
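
Added example (not part of the original issue and not SimpleLogin code): the "got"/"expected" values in the header above are DKIM body hashes, so one way to narrow down a mismatch is to recompute bh= over the body as it was handed to the signer and as it arrived, then find the first line that differs. The sample bodies are constructed, and the re-wrapped line is only an assumed kind of in-transit change, not a confirmed cause for this report; use the canonicalization named in the c= tag of the DKIM-Signature header.

```python
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization from RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space and drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    elif mode != "simple":
        raise ValueError(f"unknown canonicalization: {mode!r}")
    while lines and lines[-1] == b"":  # both modes ignore empty lines at the end
        lines.pop()
    if not lines:  # empty body: simple hashes a lone CRLF, relaxed hashes nothing
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value of bh= for a=rsa-sha256 (no l= body length limit assumed)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def first_difference(signed: bytes, received: bytes, mode: str = "relaxed"):
    """Return (line_no, signed_line, received_line) at the first divergence, else None."""
    a = canon_body(signed, mode).split(b"\r\n")
    b = canon_body(received, mode).split(b"\r\n")
    for i in range(max(len(a), len(b))):
        la = a[i] if i < len(a) else None
        lb = b[i] if i < len(b) else None
        if la != lb:
            return i + 1, la, lb
    return None


# Constructed sample bodies (not taken from the issue).
SIGNED = b'<p>Hello</p>\r\n<img src="cid:logo" alt="logo">\r\n'
WS_ONLY = b'<p>Hello</p>  \r\n<img  src="cid:logo" alt="logo">\r\n\r\n'  # whitespace changes only
REWRAPPED = b'<p>Hello</p>\r\n<img src="cid:logo"\r\n alt="logo">\r\n'  # line broken after signing

if __name__ == "__main__":
    for name, body in (("signed", SIGNED), ("ws_only", WS_ONLY), ("rewrapped", REWRAPPED)):
        print(f"{name:9} relaxed={body_hash(body)} simple={body_hash(body, 'simple')}")
    print("first difference:", first_difference(SIGNED, REWRAPPED))
```

Relaxed canonicalization absorbs whitespace-only changes but not an inserted line break, so a body that is re-wrapped or re-encoded after signing fails under either mode.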

gtmadev commented 1 year ago

Update:

I tried routing all emails through my postal server by specifying this in the .env file (POSTFIX_SERVER). I did a test with a sending domain which already has DKIM/SPF set up on the postal server - so it's a server that is authorized to send for that domain.

That worked. It works no matter what I put in the email content or signature. The signature is good.

So, I think I can at least say that it IS Postfix on the AlmaLinux distro that appears to be the issue. I did not test or prove this yet by installing on Ubuntu, but that will likely be my next step.

I could just leave things as-is and route all emails through the postal server. There's really not anything wrong with doing that. But I was kind of hoping that this SL server would be fairly stand-alone in nature without other dependencies.

But at least I have a workaround now.

DNCD commented 3 months ago

I'm also having the same issue with DKIM invalid signature. What did you change to fix it?