Open gene-git opened 4 years ago
I do see the Auth results header from Google, but there is also another one lower down; I wonder if the second one is causing a problem for opendkim? The second one looks like it should be ignored - but perhaps it isn't and that triggered the reject - not sure why opendkim is even reading that auth results header at all - I'd expect it to create one, not read an untrusted one. But perhaps someone can share how to fix this ...
thanks ;)
Authentication-Results: mx.google.com; dkim=pass header.i=@aa.com header.s=selector2 header.b=ksOGfQcS; arc=pass (i=1); spf=pass (google.com: domain of aacustomerrelations@aa.com designates 40.107.77.81 as permitted sender) smtp.mailfrom=AACustomerRelations@aa.com; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=aa.com
... Authentication-Results: spf=softfail (sender IP is 144.9.232.1) smtp.mailfrom=aa.com; gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=fail action=oreject header.from=aa.com;
Is there a way I can debug the milter if I save the headers I have from Google - see why the milter is failing? I see a miltertest.c program but it's not too clear at a quick glance how I can throw a file with mail and headers at it and step through a debugger to see where the failure stems from?
Look closely. That second Authentication-Results header is not valid. (No authserv-id.)
Probably OpenDKIM's behaviour in response is incorrect. But bug title is wrong. ;-)
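The check behind the comment above, as an added example that is not part of the original thread and is not OpenDKIM's code: a minimal parser following the RFC 8601 grammar, in which the header value must begin with an authserv-id before the first semicolon. The `triage` helper and its trusted-id set are assumptions made for illustration, and quoted strings containing parentheses or semicolons are not handled.

```python
import re

# Header values copied from the thread above.
FIRST_HEADER = (
    "mx.google.com; dkim=pass header.i=@aa.com header.s=selector2 "
    "header.b=ksOGfQcS; arc=pass (i=1); spf=pass (google.com: domain of "
    "aacustomerrelations@aa.com designates 40.107.77.81 as permitted sender) "
    "smtp.mailfrom=AACustomerRelations@aa.com; dmarc=pass "
    "(p=REJECT sp=NONE dis=NONE) header.from=aa.com")
SECOND_HEADER = (
    "spf=softfail (sender IP is 144.9.232.1) smtp.mailfrom=aa.com; gmail.com; "
    "dkim=none (message not signed) header.d=none;gmail.com; "
    "dmarc=fail action=oreject header.from=aa.com;")

# RFC 2045 token: no whitespace, control characters or tspecials ("=" included).
TOKEN = r'[^\s\x00-\x1f()<>@,;:\\"/\[\]?=]+'
# authserv-id (token or quoted-string), optionally followed by a version number.
AUTHSERV = re.compile(
    r'\s*(?P<id>' + TOKEN + r'|"(?:[^"\\]|\\.)*")(?:\s+(?P<ver>\d+))?\s*$')

def strip_comments(value):
    """Remove RFC 5322 (comments), innermost first so nesting is handled."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r'\([^()]*\)', ' ', value)
    return value

def authserv_id(value):
    """Return the lower-cased authserv-id, or None if the value lacks one."""
    first = strip_comments(value).split(';', 1)[0]
    m = AUTHSERV.match(first)
    return m.group('id').strip('"').lower() if m else None

def triage(values, trusted_ids):
    """Split header values into trusted / untrusted / malformed.

    trusted_ids is the set of authserv-ids the local site issues (an assumption
    of this example); only those headers should feed a policy decision.
    """
    out = {"trusted": [], "untrusted": [], "malformed": []}
    for value in values:
        sid = authserv_id(value)
        key = "malformed" if sid is None else (
            "trusted" if sid in trusted_ids else "untrusted")
        out[key].append(value)
    return out

if __name__ == "__main__":
    print(authserv_id(FIRST_HEADER), authserv_id(SECOND_HEADER))
```

The second header fails because its first segment is a `method=result` pair (`spf=softfail`), and `=` cannot appear in a token.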
Thanks for following up on this - and awesome to see things moving forward nicely - appreciate your looking at this.
Honestly I haven't seen things moving forward. I'm just a fellow user looking at old bugs to assess how dead this project is.
ok gotcha - opendmarc is very much alive which is nice - hopefully dkim and arc will likewise get more attention :)
Seeing this issue too in relation to protection.outlook.com.
I see the following in my logs:
opendkim[15609]: 0A5D11EEF20: failed to parse authentication-results: header field
opendkim[15609]: 0A5D11EEF20: bad signature data
from a particular sender that our mail server receives from NAM04-MW2-obe.outbound.protection.outlook.com
If I save that email to a file, from mutt, and run the python script dkimverify on it, I consistently get:
$ cat message.txt | python3 dkimverify.py
signature ok
$
I'm at a loss to figure out what exactly opendkim thinks is "bad" about the signature data.
Anyone know how I can debug this further?
This is a zombie project - I gave up on opendkim a couple of years ago.
I've switched to dkimpy which not only works well and is properly maintained but also supports elliptic curves (I sign with both RSA and EC).
good luck,
I've been reading about it just now: https://pypi.org/project/dkimpy-milter/
Looks like I can integrate it with my Postfix setup similarly to the way I have OpenDKIM. This might be the replacement I've been looking for. Honestly, I haven't been so happy with OpenDKIM and was wondering what alternatives were out there. Thanks for the tip!
Yes - I use Postfix, and once the config is set up, changing milters is straightforward.
Some emails show the above error, and when accompanied by a DMARC reject policy the email is subsequently rejected.
The email in this case was from American Airlines customer relations - they use Exchange servers. After changing the email address to a Gmail one and re-sending, the reply went through to Gmail just fine.
I examined the email sent to Google and the DKIM-Signature looks fine to me, and Google is fine with it as well - showing dkim and dmarc both pass:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aa.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh...
So seems to be a bug with OpenDKIM.
Is there any chance that a fix is in the works for opendkim?