
opendkim and opendmarc failure for yahoo.com


Inteq Solution - Dep. tehnic

Oct 5, 2014, 11:05:46 AM

Hello,

Having some issues with messages from yahoo.com

They seem to fail dkim and dmarc verification.

Dmarc from gmail.com (for example) works just fine.

Any clue if Yahoo is having some problems?

Can’t seem to find any on my side.

Oct  5 17:55:35 ns4 postfix/smtpd[5789]: connect from nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]
Oct  5 17:55:38 ns4 postfix/policy-spf[5792]: Policy action=PREPEND Received-SPF: pass (yahoo.com ... _spf.mail.yahoo.com: 98.138.91.242 is authorized to use 'X...@yahoo.com' in 'mfrom' identity (mechanism 'ptr:yahoo.com' matched)) receiver=ns4.inteq.ro; identity=mailfrom; envelope-from="X...@yahoo.com"; helo=nm20-vm5.bullet.mail.ne1.yahoo.com; client-ip=98.138.91.242
Oct  5 17:55:40 ns4 postfix/policy-spf[5792]: Policy action=DUNNO
Oct  5 17:55:43 ns4 postfix/smtpd[5789]: A2CCA44674: client=nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]
Oct  5 17:55:44 ns4 postfix/cleanup[5793]: A2CCA44674: message-id=<XXXXXXXX.233331.141252...@jws100103.mail.ne1.yahoo.com>
Oct  5 17:55:44 ns4 postfix/cleanup[5793]: A2CCA44674: warning: header Subject: Test from nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]; from=<X...@yahoo.com> to=<X...@inteq.ro> proto=ESMTP helo=<nm20-vm5.bullet.mail.ne1.yahoo.com>
Oct  5 17:55:44 ns4 opendkim[3861]: A2CCA44674: s=s2048 d=yahoo.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
Oct  5 17:55:44 ns4 opendkim[3861]: A2CCA44674: bad signature data
Oct  5 17:55:44 ns4 opendmarc[4041]: A2CCA44674: yahoo.com fail
Oct  5 17:55:44 ns4 postfix/cleanup[5793]: A2CCA44674: milter-reject: END-OF-MESSAGE from nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]: 5.7.1 rejected by DMARC policy for yahoo.com; from=<X...@yahoo.com> to=<X...@inteq.ro> proto=ESMTP helo=<nm20-vm5.bullet.mail.ne1.yahoo.com>
Oct  5 17:55:45 ns4 postfix/smtpd[5789]: disconnect from nm20-vm5.bullet.mail.ne1.yahoo.com[98.138.91.242]

Thank you

Robert Schetterer

Oct 5, 2014, 11:44:09 AM
On 05.10.2014 at 17:05, Inteq Solution - Dep. tehnic wrote:
> Hello,
>
>
>
> Having some issues with messages from yahoo.com
>
> They seem to fail dkim and dmarc verification.
>
> Dmarc from gmail.com (for example) works just fine.
>
> Any clue if Yahoo is having some problems?
>
> Can't seem to find any on my side.
I don't know about any DMARC problems with Yahoo recently,
but using opendmarc with postfix is tricky

look at the english links in

https://sys4.de/de/blog/2014/09/20/fallstricke-mit-opendmarc-und-postfix/

please see the difference in DMARC policy, Yahoo vs Google

_dmarc.gmail.com. 600 IN TXT "v=DMARC1\; p=none\; rua=mailto:mailauth...@google.com"

_dmarc.yahoo.com. 1800 IN TXT "v=DMARC1\; p=reject\; sp=none\; pct=100\; rua=mailto:dmarc-y...@yahoo-inc.com,mailto:dmarc...@yahoo.com\;"

especially p=reject vs p=none

Kind regards,
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein

Wietse Venema

Oct 5, 2014, 11:52:50 AM
Inteq Solution - Dep. tehnic:
> Oct 5 17:55:44 ns4 opendkim[3861]: A2CCA44674: s=s2048 d=yahoo.com SSL
> error:04091068:rsa routines:INT_RSA_VERIFY:bad signature

If this were a common problem then there would be many reports, so
I presume that you are receiving corrupted email.

Do you have a so-called security appliance in the path? Many have
a history of tampering with email.

http://en.wikipedia.org/wiki/Security_appliance

Do you have other anti-spam software in the path that modifies
mail headers such as X-Spam:?

You (or someone familiar with DKIM) can verify that a message is
damaged by capturing the TCP/IP stream with a network sniffer.

Wietse

Inteq Solution - Dep. tehnic

Oct 5, 2014, 12:30:20 PM
No security appliance in front of Postfix.
I use SpamAssassin that tags with X-Spam.

I have disabled AV scanning. No luck
I have disabled dkim-milter. No luck

The weird thing is that from other DMARC-enabled domains the result is pass and
email delivery is OK.
Only from yahoo.com do I have this problem.

Viktor Dukhovni

Oct 5, 2014, 12:37:57 PM
On Sun, Oct 05, 2014 at 07:30:20PM +0300, Inteq Solution - Dep. tehnic wrote:

> No security appliance in front of Postfix.
> I use SpamAssassin that tags with X-Spam.
>
> I have disabled AV scanning. No luck
> I have disabled dkim-milter. No luck
>
> Weird thing is that from other dmarc enabled domains, the result is pass and
> email delivery is OK.
> Only from yahoo.com I have this problem.

You need to capture an unmodified complete message that fails
validation, with full headers. Do that at the receiving gateway
if possible by putting such a message on "HOLD". Then post at
least the headers. Perhaps the DKIM signature specifies headers
that were modified in transit.

A command-line DKIM verifier that gives more verbose output may be
useful.

--
Viktor.

Wietse Venema

Oct 5, 2014, 12:47:50 PM
Inteq Solution - Dep. tehnic:
> No security appliance in front of Postfix.
> I use SpamAssassin that tags with X-Spam.
>
> I have disabled AV scanning. No luck
> I have disabled dkim-milter. No luck
>
> Weird thing is that from other dmarc enabled domains, the result is pass and
> email delivery is OK.

opendkim *must* be used before any software that modifies
headers or content.

Instead of posting message headers, I prefer tcpdump content, off-list.

Wietse

Robert Schetterer

Oct 5, 2014, 1:00:20 PM
On 05.10.2014 at 17:52, Wietse Venema wrote:
> Inteq Solution - Dep. tehnic:
>> Oct 5 17:55:44 ns4 opendkim[3861]: A2CCA44674: s=s2048 d=yahoo.com SSL
>> error:04091068:rsa routines:INT_RSA_VERIFY:bad signature

yes, that SSL stuff looks broken somehow, perhaps that's the reason

>
> If this were a common problem then there would be many reports, so
> I presume that you are receiving corrupted email.
>
> Do you have a so-called security appliance in the path? Many have
> a history of tampering with email.
>
> http://en.wikipedia.org/wiki/Security_appliance
>
> Do you have other anti-spam software in the path that modifies
> mail headers such as X-Spam:?
>
> You (or someone familiar with DKIM) can verify that a message is
> damaged by capturing the TCP/IP stream with a network sniffer.
>
> Wietse
>

however, postfix/policy-spf does not work with opendmarc according to my
latest info; the opendmarc milter must have SPF/DKIM results from other
milters/services

https://bugzilla.redhat.com/show_bug.cgi?id=905304

perhaps you need opendmarc built with

--with-spf
SPFIgnoreResults and SPFSelfValidate yes

with DMARC policy reject, either SPF and/or DKIM has to validate
positively to pass.

please also read

http://mail-archives.engardelinux.org/modules/index/list_archives.cgi?list=postfix-users&page=0457.html&month=2014-04

for postfix specials

only compare with mail domains that have DMARC policy reject too

li...@rhsoft.net

Oct 5, 2014, 1:01:43 PM

On 05.10.2014 at 18:47, Wietse Venema wrote:
> Inteq Solution - Dep. tehnic:
DKIM verification for Yahoo fails *randomly* at the moment

[root@mail-gw:~]$ cat maillog | grep "yahoo\.com" | grep DKIM_VALID | grep YahooMail | wc -l
25

[root@mail-gw:~]$ cat maillog | grep "yahoo\.com" | grep DKIM_INVALID | grep YahooMail | wc -l
7

Oct 5 01:46:43 mail-gw spamd[13513]: spamd: result: . -4 - BAYES_40,CUST_DNSWL_5,CUST_DNSWL_8,DKIM_SIGNED,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,SPF_PASS,T_DKIM_INVALID,USER_IN_MORE_SPAM_TO scantime=0.2,size=5728,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=51768,mid=<1246727940.420635.14124...@jws10686.mail.bf1.yahoo.com>,bayes=0.291809,autolearn=disabled

Oct 5 12:41:09 mail-gw spamd[29494]: spamd: result: . 0 - BAYES_40,CUST_DNSWL_2,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,RCVD_IN_MSPIKE_H2 scantime=0.3,size=33028,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=53682,mid=<1412505655.977...@web173006.mail.ir2.yahoo.com>,bayes=0.269157,autolearn=disabled
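The two grep pipelines above count valid and invalid Yahoo signatures by hand. As an added example (not code from the thread or from SpamAssassin), the block below does the same tally over spamd "result:" lines, grouped by the organizational domain of the Message-ID host, and reports the failure share per domain. The log lines are constructed in the shape of the ones quoted above, so the numbers are the sample's, not this list member's 25 and 7; the organizational-domain rule is simplified to the last two labels.

```python
import re
from collections import defaultdict

# Matches a SpamAssassin "spamd: result:" line: spam flag, score, the
# comma-separated test list, and the host part of the Message-ID (mid=<...@host>).
SPAMD_RESULT = re.compile(
    r"spamd: result: [.Y] (?P<score>-?\d+) - (?P<tests>\S+) .*?mid=<[^>]*@(?P<midhost>[^>]+)>"
)

# Constructed sample lines (not real traffic), shaped like the ones quoted above.
SAMPLE_LOG = """\
Oct 5 01:46:43 mail-gw spamd[13513]: spamd: result: . -4 - BAYES_40,DKIM_SIGNED,FREEMAIL_FROM,SPF_PASS,T_DKIM_INVALID scantime=0.2,size=5728,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=51768,mid=<1000.1@jws10686.mail.bf1.yahoo.com>,bayes=0.291809,autolearn=disabled
Oct 5 12:41:09 mail-gw spamd[29494]: spamd: result: . 0 - BAYES_40,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE scantime=0.3,size=33028,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=53682,mid=<1000.2@web173006.mail.ir2.yahoo.com>,bayes=0.269157,autolearn=disabled
Oct 5 13:02:51 mail-gw spamd[29494]: spamd: result: . 1 - DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,SPF_PASS scantime=0.2,size=4100,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=53690,mid=<1000.3@nm5.bullet.mail.ne1.yahoo.com>,bayes=0.25,autolearn=disabled
Oct 5 13:10:07 mail-gw spamd[29494]: spamd: result: . -2 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,RCVD_IN_DNSWL_LOW scantime=0.2,size=2210,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=53702,mid=<1000.4@mail.example.net>,bayes=0.1,autolearn=disabled
Oct 5 13:11:30 mail-gw spamd[29494]: spamd: result: . 2 - DKIM_SIGNED,DKIM_VALID,FREEMAIL_FROM scantime=0.2,size=3000,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=53710,mid=<1000.5@web120.mail.ne1.yahoo.com>,bayes=0.3,autolearn=disabled
Oct 5 13:12:00 mail-gw spamd[29494]: spamd: connection from localhost [127.0.0.1]:53720 to port 783, fd 5
"""


def org_domain(host: str) -> str:
    # Simplified to the last two labels; real tools use the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def tally_dkim(log_text: str) -> dict:
    """Count DKIM outcomes per Message-ID organizational domain.
    Returns {domain: {"valid": n, "invalid": n, "unsigned": n, "other": n}}."""
    counts = defaultdict(lambda: {"valid": 0, "invalid": 0, "unsigned": 0, "other": 0})
    for line in log_text.splitlines():
        m = SPAMD_RESULT.search(line)
        if not m:
            continue  # connection/child noise, not a result line
        tests = set(m.group("tests").split(","))
        bucket = counts[org_domain(m.group("midhost"))]
        if "DKIM_VALID" in tests:
            bucket["valid"] += 1
        elif tests & {"DKIM_INVALID", "T_DKIM_INVALID"}:
            bucket["invalid"] += 1
        elif "DKIM_SIGNED" in tests:
            bucket["other"] += 1  # signed, but neither verdict recorded
        else:
            bucket["unsigned"] += 1
    return dict(counts)


def dkim_failure_rate(counts: dict, domain: str):
    """Share of signed messages whose signature failed; None if no signed mail was seen."""
    bucket = counts.get(domain)
    if not bucket:
        return None
    signed = bucket["valid"] + bucket["invalid"]
    return bucket["invalid"] / signed if signed else None


if __name__ == "__main__":
    result = tally_dkim(SAMPLE_LOG)
    for domain, bucket in sorted(result.items()):
        print(f"{domain}: {bucket} failure_rate={dkim_failure_rate(result, domain)}")
```

A failure share that is high for one sending domain and near zero for all others, as the thread observes for Yahoo, points at something specific to that sender's signing or encoding rather than at the local verifier setup.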

Viktor Dukhovni

Oct 5, 2014, 1:16:54 PM
On Sun, Oct 05, 2014 at 07:00:20PM +0200, Robert Schetterer wrote:

> On 05.10.2014 at 17:52, Wietse Venema wrote:
> > Inteq Solution - Dep. tehnic:
> >> Oct 5 17:55:44 ns4 opendkim[3861]: A2CCA44674: s=s2048 d=yahoo.com SSL
> >> error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
>
> yes that ssl stuff looks broken somekind, perhaps thats the reason

All this means is that the signature does not match, it is not an
internal error in the library.


crypto/rsa/rsa_sign.c:
...
    else if (((unsigned int)sig->digest->length != m_len) ||
             (memcmp(m,sig->digest->data,m_len) != 0))
        {
        RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
        }

--
Viktor.

Robert Schetterer

Oct 5, 2014, 1:23:20 PM
On 05.10.2014 at 19:01, li...@rhsoft.net wrote:
>
> On 05.10.2014 at 18:47, Wietse Venema wrote:
>> Inteq Solution - Dep. tehnic:
if DKIM fails with DMARC policy reject (like Yahoo) and SPF isn't
recognized (which is a known problem with some SPF software) or isn't
working in opendmarc, opendmarc will reject


Kind regards,
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
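As an added example (not code from the thread, opendmarc or Postfix), here is the DMARC rule Robert states here and in his earlier post, applied to records shaped like the two he quoted: a message passes when SPF or DKIM yields an aligned pass; otherwise the domain's p= policy applies (sp= for a subdomain From), scaled by pct=. The record contents, the placeholder report addresses and the draw compared with pct= are constructed, and organizational-domain detection is simplified to the last two labels instead of the Public Suffix List.

```python
def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; sp=none; pct=100; rua=...' into a tag dict and
    fill in the RFC 7489 defaults the decision below relies on.
    Accepts the '\\;' escaping seen in dig output."""
    tags = {}
    for part in record.replace("\\;", ";").split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    tags.setdefault("pct", "100")      # apply the policy to every message
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment
    tags.setdefault("aspf", "r")       # relaxed SPF alignment
    return tags


def org_domain(domain: str) -> str:
    # Simplified to the last two labels; real verifiers use the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) needs
    the same organizational domain."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def dmarc_disposition(record, record_domain, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, sample=100):
    """Return 'pass', 'none', 'quarantine' or 'reject'.

    record_domain is where the record was published; spf_domain is the MAIL FROM
    domain SPF evaluated; dkim_domain is the d= of a verified signature. sample is
    the 1..100 draw compared with pct=, passed in so the outcome is deterministic."""
    tags = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"  # one aligned pass is enough
    policy = tags["p"] if from_domain.lower() == record_domain.lower() else tags["sp"]
    if policy in ("quarantine", "reject") and sample > int(tags["pct"]):
        # Outside the pct= sample the next weaker action applies (RFC 7489 6.6.4).
        policy = "quarantine" if policy == "reject" else "none"
    return policy


# Constructed records in the shape of the two quoted earlier in the thread;
# the report addresses are placeholders.
YAHOO_LIKE = "v=DMARC1\\; p=reject\\; sp=none\\; pct=100\\; rua=mailto:dmarc-rua@example.invalid\\;"
GMAIL_LIKE = "v=DMARC1\\; p=none\\; rua=mailto:dmarc-rua@example.invalid"


def thread_cases():
    """The situation in this thread: SPF passed at the policy server but opendmarc
    saw no SPF result, and DKIM failed with 'bad signature'."""
    yahoo_no_spf = dmarc_disposition(YAHOO_LIKE, "yahoo.com", "yahoo.com",
                                     spf_result="none", spf_domain=None,
                                     dkim_result="fail", dkim_domain="yahoo.com")
    yahoo_spf_seen = dmarc_disposition(YAHOO_LIKE, "yahoo.com", "yahoo.com",
                                       spf_result="pass", spf_domain="yahoo.com",
                                       dkim_result="fail", dkim_domain="yahoo.com")
    gmail_no_spf = dmarc_disposition(GMAIL_LIKE, "gmail.com", "gmail.com",
                                     spf_result="none", spf_domain=None,
                                     dkim_result="fail", dkim_domain="gmail.com")
    return yahoo_no_spf, yahoo_spf_seen, gmail_no_spf
```

thread_cases() returns ("reject", "pass", "none"): the same broken DKIM signature is fatal under p=reject once opendmarc has no SPF pass to fall back on, is harmless under p=none, and is rescued when the SPF pass reaches opendmarc, which is why the thread insists on comparing only against other p=reject domains and on feeding opendmarc a usable SPF result.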

Robert Schetterer

Oct 5, 2014, 1:23:57 PM
On 05.10.2014 at 19:16, Viktor Dukhovni wrote:
> On Sun, Oct 05, 2014 at 07:00:20PM +0200, Robert Schetterer wrote:
>
>> On 05.10.2014 at 17:52, Wietse Venema wrote:
>>> Inteq Solution - Dep. tehnic:
>>>> Oct 5 17:55:44 ns4 opendkim[3861]: A2CCA44674: s=s2048 d=yahoo.com SSL
>>>> error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
>>
>> yes that ssl stuff looks broken somekind, perhaps thats the reason
>
> All this means is that the signature does not match, it is not an
> internal error in the library.
>
>
> crypto/rsa/rsa_sign.c:
> ...
> else if (((unsigned int)sig->digest->length != m_len) ||
> (memcmp(m,sig->digest->data,m_len) != 0))
> {
> RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
> }
>

OK, thanks for making this clear

A. Schulze

Oct 5, 2014, 2:47:17 PM

Wietse:

> Do you have a so-called security appliance in the path? Many have
> a history of tampering with email.

> Do you have other anti-spam software in the path that modifies
> mail headers such as X-Spam:?

To be complete: there is an easy way to invalidate DKIM signatures:
don't announce the SMTP extension 8BITMIME ...
That way the sender must recode, and this destroys the signature. Most MTAs
do that recoding just before transmission. So it's likely to occur /after/
signing the message.

I tried to enhance postfix with a function like "smtp_tls_note_starttls_offer"
But I failed :-/

Idea:

smtp_note_content_recode (default: no)
Log the hostname of a remote SMTP server that does not offer 8BITMIME,
and the content must be recoded.

That way an administrator could at least notice if the well-formatted
and signed messages must be recoded to be sent to a remote host.

Andreas

Inteq Solution - Dep. tehnic

Oct 5, 2014, 3:10:25 PM
It seems I stumbled upon a bug in opendkim.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695145
I am using Ubuntu 12.04.
I am also using backports, and the latest opendkim version is 2.6.8.

In opendkim.conf I have added "LogWhy Yes"
Now, in mail.log I can see:
Oct 5 22:08:17 ns4 opendkim[25822]: 3927844893: nm23-vm6.bullet.mail.ne1.yahoo.com [98.138.91.116] not internal
Oct 5 22:08:17 ns4 opendkim[25822]: 3927844893: not authenticated
Oct 5 22:08:17 ns4 opendkim[25822]: 3927844893: no signing domain match for 'yahoo.com'
Oct 5 22:08:17 ns4 opendkim[25822]: 3927844893: no signing subdomain match for 'yahoo.com'
Oct 5 22:08:18 ns4 opendkim[25822]: 3927844893: s=s2048 d=yahoo.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
Oct 5 22:08:18 ns4 opendkim[25822]: 3927844893: bad signature data


I will try to make a tcpdump.


-----Original Message-----
From: owner-pos...@postfix.org
[mailto:owner-pos...@postfix.org] On Behalf Of Wietse Venema
Sent: Sunday, October 05, 2014 7:48 PM
To: Postfix users
Subject: Re: opendkim and opendmarc failure for yahoo.com

Inteq Solution - Dep. tehnic:
> No security appliance in front of Postfix.
> I use SpamAssassin that tags with X-Spam.
>
> I have disabled AV scanning. No luck
> I have disabled dkim-milter. No luck
>
> Weird thing is that from other dmarc enabled domains, the result is
> pass and email delivery is OK.

opendkim *must* be used before any software that modifies headers or
content.

Instead of posting message headers, I prefer tcpdump content, off-list.

Wietse

martijn.list

Oct 5, 2014, 3:24:14 PM
On 10/05/2014 08:47 PM, A. Schulze wrote:
>> Do you have a so-called security appliance in the path? Many have
>> a history of tampering with email.
>
>> Do you have other anti-spam software in the path that modifies
>> mail headers such as X-Spam:?
>
> To be complete: there is an easy way to invalidate DKIM-Signatures:
> don't announce SMTP extension 8BITMIME ...
> That way the sender must recode this destroy the signature. Most MTA
> do that recode just before transmission. So it's likely to occur /after/
> signing the message.

That's why email should be downgraded to 7 bit before creating the
DKIM-Signature. From http://www.ietf.org/rfc/rfc4871.txt:

5.3. Normalize the Message to Prevent Transport Conversions

Some messages, particularly those using 8-bit characters, are subject
to modification during transit, notably conversion to 7-bit form.
Such conversions will break DKIM signatures. In order to minimize
the chances of such breakage, signers SHOULD convert the message to a
suitable MIME content transfer encoding such as quoted-printable or
base64 as described in MIME Part One [RFC2045] before signing.

Kind regards,

Martijn Brinkers

--
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.

http://www.ciphermail.com

Twitter: http://twitter.com/CipherMail

Wietse Venema

Oct 5, 2014, 3:39:20 PM
A. Schulze:
> smtp_note_content_recode (default: no)
> Log the hostname of a remote SMTP server that does not offer 8BITMIME,
> and the content must be recoded.
>
> That way an administrator could at least notice if the well formated
> and signed messages
> must be recoded to be sent to a remote host.

Wait, if the receiver gets broken signatures then it is already
too late.

Here is something that I expect a German would never do:

disable_mime_output_conversion = no (Postfix 2.0 and later)

Wietse

Robert Schetterer

Oct 5, 2014, 4:42:44 PM
On 05.10.2014 at 19:23, Robert Schetterer wrote:
> On 05.10.2014 at 19:01, li...@rhsoft.net wrote:
>>
>> On 05.10.2014 at 18:47, Wietse Venema wrote:
>>> Inteq Solution - Dep. tehnic:
>>>> No security appliance in front of Postfix.
>>>> I use SpamAssassin that tags with X-Spam.
>>>>
>>>> I have disabled AV scanning. No luck
>>>> I have disabled dkim-milter. No luck
>>>>
>>>> Weird thing is that from other dmarc enabled domains, the result is
>>>> pass and
>>>> email delivery is OK.
>>>
>>> opendkim *must* be used before any software that modifies
>>> headers or content.
>>>
>>> Instead of posting message headers, I prefer tcpdump content, off-list
>>
>> DKIM verification for Yahoo fails *randomly* at the moment
>>
>> [root@mail-gw:~]$ cat maillog | grep "yahoo\.com" | grep DKIM_VALID |
>> grep YahooMail | wc -l
>> 25
>>
>> [root@mail-gw:~]$ cat maillog | grep "yahoo\.com" | grep DKIM_INVALID |
>> grep YahooMail | wc -l
>> 7
>>
>> Oct 5 01:46:43 mail-gw spamd[13513]: spamd: result: . -4 -
>> BAYES_40,CUST_DNSWL_5,CUST_DNSWL_8,DKIM_SIGNED,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,SPF_PASS,T_DKIM_INVALID,USER_IN_MORE_SPAM_TO
>> scantime=0.2,size=5728,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=51768,mid=<1246727940.420635.14124...@jws10686.mail.bf1.yahoo.com>,bayes=0.291809,autolearn=disabled
>>
>>
>> Oct 5 12:41:09 mail-gw spamd[29494]: spamd: result: . 0 -
>> BAYES_40,CUST_DNSWL_2,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,RCVD_IN_MSPIKE_H2
>> scantime=0.3,size=33028,user=sa-milt,uid=189,required_score=4.5,rhost=localhost,raddr=127.0.0.1,rport=53682,mid=<1412505655.977...@web173006.mail.ir2.yahoo.com>,bayes=0.269157,autolearn=disabled
>>
>
> if dkim fails with dmarc policy reject ( like yahoo ) and SPF isnt
> recognized ( which is a know problem with some SPF software ) in
> opendmarc isnt working , opendmarc will reject

by the way, I found Yahoo DKIM failing, i.e. at

20140920:Sep 19 17:01:54 mail02 spamd[21732]: spamd: result: . 3 -
BASE64_LENGTH_79_INF,DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,FREEMAIL_FROM,HTML_MESSAGE,NML_ADSP_CUSTOM_MED,RCVD_IN_DNSWL_NONE,SPF_PASS,T_DKIM_INVALID,T_FREEMAIL_DOC_PDF,T_RP_MATCHES_RCVD
scantime=5.8,size=145364,user=...@...,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=43406,mid=<1851977278.13739.14111...@jws100123.mail.ne1.yahoo.com>,autolearn=no,shortcircuit=no

however, being involved in some opendmarc debug stuff on the German postfix
list, I think it might be a good idea to use it only selectively on
typical dynamic IPs; that should work i.e. with milter manager, but I haven't
tested it yet

Benny Pedersen

Oct 5, 2014, 6:13:53 PM
On October 5, 2014 8:47:17 PM "A. Schulze" <s...@andreasschulze.de> wrote:

> To be complete: there is an easy way to invalidate DKIM-Signatures:
> don't announce SMTP extension 8BITMIME ...

Bingo, make postfix disable this before the message is sent to the opendkim
signer, so it is not signed as 8BITMIME; then the downstream mailserver would
hopefully not try to use 8BITMIME conversion and invalidate DKIM.

I just don't know if this is possible with a milter, but with postfix + amavisd
DKIM signer it works like a charm.
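As an added example (not code from the thread, opendkim or Postfix), here is the piece of DKIM that the 8BITMIME discussion above (A. Schulze, Martijn, Wietse and Benny) turns on: the body hash. The block canonicalizes a body per RFC 6376, checks it against the bh= tag of a DKIM-Signature value, and runs the two cases side by side: an 8-bit body signed first and re-encoded in transit fails, while a body encoded to quoted-printable before signing (the RFC 4871 5.3 advice Martijn quotes) survives. The sample body, the placeholder d=/s= values and the quoted-printable downgrade standing in for an MTA's 8-bit-to-7-bit conversion are constructed; header canonicalization and the RSA signature over the headers are outside the block.

```python
import base64
import hashlib
import quopri
import re


def parse_dkim_tags(header_value: str) -> dict:
    """Split 'v=1; a=rsa-sha256; c=relaxed/relaxed; bh=...; b=...' into a dict.
    Folding whitespace inside values (usual in bh= and b=) is dropped."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    if method not in ("simple", "relaxed"):
        raise ValueError("unknown body canonicalization: " + method)
    # Treat LF and CRLF input alike, then rebuild with CRLF as DKIM requires.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if method == "relaxed":
        # Collapse runs of SP/TAB to one SP and drop trailing whitespace per line.
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    if not lines:
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed", algorithm: str = "sha256") -> str:
    """The bh= value: base64 of the digest over the canonicalized body."""
    digest = hashlib.new(algorithm, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """True when the bh= tag of a DKIM-Signature value matches the body, using the
    body method from c= (header/body, body part defaulting to simple) and the
    hash named in a=."""
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_method = canon.split("/")[1] if "/" in canon else "simple"
    algorithm = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    return body_hash(body, body_method, algorithm) == tags["bh"]


# Constructed 8-bit (UTF-8) body; nothing from the thread's traffic.
SAMPLE_BODY_8BIT = "Grüße aus München,\nwe will meet at 10:00.\n".encode("utf-8")


def sign_body(body: bytes) -> str:
    """Stand-in for the signer: only the body-related tags are filled in; d=/s=
    are placeholders and b= (the RSA signature over the headers) is left empty."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.invalid; s=sel; "
            "h=from:to:subject; bh=" + body_hash(body) + "; b=")


def downgrade_to_7bit(body: bytes) -> bytes:
    """What a sending MTA does when the next hop does not offer 8BITMIME:
    re-encode the 8-bit body as quoted-printable."""
    return quopri.encodestring(body)


def demo():
    # Case 1: sign the raw 8-bit body, then a hop without 8BITMIME forces a
    # re-encode after signing, so the receiver's bh= check fails.
    sig_8bit = sign_body(SAMPLE_BODY_8BIT)
    broken = body_hash_matches(sig_8bit, downgrade_to_7bit(SAMPLE_BODY_8BIT))
    # Case 2: encode to quoted-printable before signing; a 7-bit body needs no
    # conversion at such a hop and arrives byte-for-byte intact.
    body_7bit = downgrade_to_7bit(SAMPLE_BODY_8BIT)
    sig_7bit = sign_body(body_7bit)
    survives = body_hash_matches(sig_7bit, body_7bit)
    return broken, survives
```

demo() returns (False, True). Run body_hash_matches against the DKIM-Signature and body of a message captured on HOLD, as Viktor suggests: if bh= matches, the body arrived unchanged and the remaining failure lies in the signed headers listed in h=; if it does not, something between signer and verifier rewrote the body, and the 8BITMIME re-encoding described above is one such rewrite.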
