
[AMaViS-user] Dkim signing and altermime / disclaimer failure


Michael Scheidell
Jul 7, 2007, 10:51:10 AM
Seems if you use dkim to sign outgoing email through the amavisd-new policy
bank and forward_method, the 'disclaimer' added to the message does not pass
the body test, since it seems to sign the message before the disclaimer
is added.

Q) how do I get it to sign AFTER mangling (do I do it in amavisd.conf?)
or wait till Mark gets back?

(at least I assume this is why I get this error on the reflector:
testing.dkim.org; header.DKIM-Signature=@secnap.net; dkim=fail (
Err: body altered; RSA-128 err: hdrdiffs=none; bodyvfy=no;
secnap.net/s1024 fail; );
header.From=sche...@secnap.net; dkim=neutral

[DKIM-Bodyhash: Warning]
body hashes do not match for "Michael Scheidell"
sig=k9XtizUNBPIHQDW1po4NYI6foNM= calc=QsnK/S4Ee01odgjQhyN9o4FaZjk=
[DKIM-Vfy: Warning]
RSA-128 err: sche...@secnap.net hdrdiffs=none; bodyvfy=no;
openssl=error:00000000:lib(0):func(0):reason(0); 'v=1; a=rsa-sha1;
c=relaxed; d=secnap.net;
h=mime-version:content-type:content-transfer-encoding:subject:
date:message-id:from:to; q=dns/txt; s=s1024; bh=k9XtizUNBPIHQDW1
po4NYI6foNM=; b='


Using FreeBSD, postfix, amavisd-new 2.5.2, Mail::DKIM 0.26, dkimproxy.

Used this to do forwarding, disclaimers:

amavisd-new forward sends to 127.0.0.1:10027.
Dkimproxy listens on 127.0.0.0:10027, signs the message and sends it back out on
10028.
Postfix listens on 10028 and sends the email back out.

(using dkimproxy from ports; in rc.conf:)

dkimproxy_out_enable="YES"
dkimproxy_out_flags="--keyfile=/usr/local/etc/dkimproxy/private.key \
    --selector=s1024 --domain=secnap.com,secnap.net --method=relaxed \
    127.0.0.1:10027 127.0.0.1:10028"

master.cf:

127.0.0.1:10028 inet n - n - 10 smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

amavisd.conf

@altermime_args_disclaimer =
qw(--verbose --disclaimer=/var/amavis/etc/disclaimer.txt
--disclaimer-html=/var/amavis/etc/disclaimer.html);
$defang_maps_by_ccat{+CC_CLEAN} = [ 'disclaimer' ];

$policy_bank{'MYNETS'} = { # mail originating from @mynetworks
originating => 1,
forward_method => 'smtp:[127.0.0.1]:10027',
allow_disclaimers => 1,
smtpd_discard_ehlo_keywords => ['8BITMIME'],
....

--
Michael Scheidell, CTO

_______________________________________________
AMaViS-user mailing list
AMaVi...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

Bill Landry
Jul 7, 2007, 11:08:02 AM
Michael Scheidell wrote the following on 7/7/2007 7:48 AM -0800:
> Seems if you use dkim to sign outgoing email through the amavisd-new policy
> bank and forward_method, the 'disclaimer' added to the message does not pass
> the body test, since it seems to sign the message before the disclaimer
> is added.
>
> Q) how do I get it to sign AFTER mangling (do I do it in amavisd.conf?)
> or wait till Mark gets back?
>
> (at least I assume this is why I get this error on the reflector:
> testing.dkim.org; header.DKIM-Signature=@secnap.net; dkim=fail (
> Err: body altered; RSA-128 err: hdrdiffs=none; bodyvfy=no;
> secnap.net/s1024 fail; );
> header.From=sche...@secnap.net; dkim=neutral
>
> [DKIM-Bodyhash: Warning]
> body hashes do not match for "Michael Scheidell"
> sig=k9XtizUNBPIHQDW1po4NYI6foNM= calc=QsnK/S4Ee01odgjQhyN9o4FaZjk=
> [DKIM-Vfy: Warning]
> RSA-128 err: sche...@secnap.net hdrdiffs=none; bodyvfy=no;
> openssl=error:00000000:lib(0):func(0):reason(0); 'v=1; a=rsa-sha1;
> c=relaxed; d=secnap.net;
> h=mime-version:content-type:content-transfer-encoding:subject:
> date:message-id:from:to; q=dns/txt; s=s1024; bh=k9XtizUNBPIHQDW1
> po4NYI6foNM=; b='
>
>
> Using FreeBSD, postfix, amavisd-new 2.5.2, Mail::DKIM 0.26, dkimproxy.
>

I don't use dkim proxy, but do sign with both dk and dkim. Just out of
curiosity, since you are using postfix (that is, if you are using a
relatively new version of postfix that supports milters), why not use
the dkim-milter and do your signing as the last thing postfix does
before delivering the message to the recipient MTA? That should resolve
any issues you may be experiencing with something changing the body or
headers after signing.

Bill

Michael Scheidell
Jul 7, 2007, 11:32:49 AM

> -----Original Message-----
> From: amavis-us...@lists.sourceforge.net
> [mailto:amavis-us...@lists.sourceforge.net] On Behalf
> Of Bill Landry
> Sent: Saturday, July 07, 2007 11:05 AM
> To: amavi...@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Dkim signing and altermime /
> disclaimer failure
>
>
> Michael Scheidell wrote the following on 7/7/2007 7:48 AM -0800:
> > Seems if you use dkim to sign outgoing email through amavisd-new
> I don't use dkim proxy, but do sign with both dk and dkim.
> Just out of curiosity, since you are using postfix (that is,

I might do that next, thanks.

(reason was, first faq I saw used dkimproxy)

Also, see my own followup, and, other interesting things.

Two reflectors said my body was mangled (I did verify that altermime
acts BEFORE signing).
One reflector said 'all is fine', so this could be a reflector or
dkimproxy issue
(i.e. not an amavisd-new issue as I originally thought).

So, PS, as I am CCing this to you, did my DKIM signature match or not?


Noel Jones
Jul 7, 2007, 7:19:00 PM
At 09:48 AM 7/7/2007, Michael Scheidell wrote:
>Seems if you use dkim to sign outgoing email through the amavisd-new policy
>bank and forward_method, the 'disclaimer' added to the message does not pass
>the body test, since it seems to sign the message before the disclaimer
>is added.
>
>Q) how do I get it to sign AFTER mangling (do I do it in amavisd.conf?)
>or wait till Mark gets back?

(I'm CCing you so you can verify my signature - feel free to reply in kind)

In the setup you describe, amavisd-new cannot modify the message
after it's sent to dkimproxy and postfix. Postfix could mangle the
message if it's doing any address rewriting; you might want to add
no_address_mappings to your receive_override_options (but make sure
address mapping is enabled somewhere else).

What test addresses have you tried? I've had trouble with most of
them being broken at one time or another. I don't think any of them
have been universally reliable.
sa-...@sendmail.net seems to be working right now.

Which version of dkim-milter is in ports? Current version is 1.2.0.

Finally, here's a little perl snippet from Mark that can be used to
verify a mail:

# from Mark Martinec
# $1 is the message file: save this in a shell script and pass the message path as its argument
perl -MMail::DKIM::Verifier -ne '
BEGIN{$dkim=Mail::DKIM::Verifier->new_object};
s/\r?\n\z/\015\012/; $dkim->PRINT($_);
END{$dkim->CLOSE;print $dkim->result_detail,"\n"}' $1

--
Noel Jones
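Added illustration, not part of the thread: the offline half of what Noel's verifier snippet and the reflector do, namely recomputing the bh= body hash the way a verifier does and comparing it with the one in the DKIM-Signature, which is exactly the sig=/calc= mismatch in the first post once altermime appends a disclaimer after dkimproxy has signed. The message body, disclaimer text, domain and selector are constructed; the code also shows that a bare c=relaxed (as in the posted signature) means the body is canonicalized as simple, not relaxed.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, method: str) -> bytes:
    """Body canonicalization, RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # collapse each run of WSP to one SP and drop trailing WSP on every line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    canon = re.sub(rb"(\r\n)+\Z", b"", b"\r\n".join(lines))  # ignore empty trailing lines
    if method == "relaxed":
        return canon + b"\r\n" if canon else b""  # relaxed: an empty body hashes as ""
    return canon + b"\r\n"  # simple: an empty body hashes as a lone CRLF

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_check(dkim_signature: str, body: bytes) -> tuple:
    """Recompute bh= the way a verifier does and compare it with the signed value.
    Returns (bh from the signature, bh computed over this body, match). l= is not handled."""
    tags = parse_tags(dkim_signature)
    # c=header/body; with a single algorithm (as in c=relaxed) the body is "simple"
    parts = tags.get("c", "simple/simple").split("/")
    body_method = parts[1] if len(parts) == 2 else "simple"
    digest = hashlib.sha1 if tags.get("a", "").endswith("sha1") else hashlib.sha256
    calc = base64.b64encode(digest(canon_body(body, body_method)).digest()).decode()
    return tags["bh"], calc, tags["bh"] == calc

# Constructed sample (made-up text, domain, selector): the body as signed, plus the disclaimer altermime appends later.
ORIGINAL_BODY = b"Hi,\r\n\r\nSee you at the meeting.\r\n"
DISCLAIMER = b"\r\n-- \r\nThis message has been scanned by the corporate gateway.\r\n"

def sign_bh(body: bytes) -> str:
    """Stand-in for the signer: a DKIM-Signature with the page's a=/c= tags and a real bh=."""
    bh = base64.b64encode(hashlib.sha1(canon_body(body, "simple")).digest()).decode()
    return f"v=1; a=rsa-sha1; c=relaxed; d=example.net; s=s1024; h=from:to:subject; bh={bh}; b="

if __name__ == "__main__":
    sig = sign_bh(ORIGINAL_BODY)
    for label, body in (("as signed", ORIGINAL_BODY), ("after disclaimer", ORIGINAL_BODY + DISCLAIMER)):
        sig_bh, calc, ok = body_hash_check(sig, body)
        print(f"{label}: sig={sig_bh} calc={calc} -> {'ok' if ok else 'body altered'}")
```

The only fix that makes the second case pass is to sign after the last body change, which is why the thread's suggestion of signing in a milter at the end of Postfix's pipeline works.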
