how to debug dkim_signing ?


peter lees
Mar 26, 2018, 5:37:27 AM
to rspamd
hello all

I'm trying to use dkim_signing with rspamd 1.7.1 in milter mode with sendmail, but recipients are flagging the messages as having invalid DKIM.

I had previously been successful using mimedefang with the same private and public keys, so I am confident that my DKIM infrastructure (DNS, keys, etc.) is working correctly. Just tested it again with mimedefang & confirmed it's OK, testing with http://dkimvalidator.com/ .

There are 2 differences I've noticed between success & failure:

1) mimedefang has a shorter h: list (h=from:content-type:mime-version:subject:message-id:date:to;) compared to rspamd (h=from:sender:reply-to:subject:date:message-id:to:cc:mime-version:content-type:content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:in-reply-to:references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post:dkim-signature;)

   - I know I can set this in /etc/rspamd/local.d/dkim.conf ... but should that matter? Is the presence of dkim-signature a problem there? Is there a knock-on effect for ARC?

2) mimedefang sets the data (b=...) all on one line, whereas rspamd appears to be returning a string with \n\t (newline and tab) at certain points. Or at least ... that is what sendmail reports is being set. Could this be causing the problem?

What else can I do to debug this? Is there any way to easily trap a copy of the message before it's signed & then run a signing process manually?

Here's my dkim_signing.conf

enabled = true;
auth_only = true;
allow_username_mismatch = true;
allow_hdrfrom_mismatch = false;
allow_hdrfrom_multiple = false;
sign_local = true;
use_domain = "header";
use_domain_sign_local = "header";
#
selector = "mail";
path = "/var/lib/opendkim/keys/$domain/$selector.private";
#


and dkim.conf

sign_headers = "from:sender:reply-to:subject:date:message-id:to:cc:mime-version:content-type:content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:in-reply-to:references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post:dkim-signature";

There are no obvious errors in the log from dkim and dkim_signing. sendmail reports the milter adding the new header & then sends the message.


I'm running rspamd 1.7.1-1.1 built from openSUSE from the OBS <https://build.opensuse.org/package/show/server:mail/rspamd> and sendmail 8.15.2-249.1, also from the OBS.

I also want to use ARC (and have it configured) since I redirect mail for some people:

Here's my arc.conf

allow_envfrom_empty = false;
allow_hdrfrom_mismatch = true;
allow_hdrfrom_multiple = true;
allow_username_mismatch = true;
auth_only = false;
path = "/var/lib/opendkim/keys/$domain/$selector.private";
selector = "mail";
sign_local = false;
sign_inbound = true;
symbol = "ARC_SIGNED";
try_fallback = true;
use_domain = "recipient";
use_esld = false;
use_redis = false;
key_prefix = "DKIM_PRIV_KEYS";
selector_prefix = "DKIM_SELECTORS";

Any suggestions very much appreciated.




Vsevolod Stakhov
Mar 26, 2018, 5:41:00 AM
to rsp...@googlegroups.com
On 26.03.2018 10:37, peter lees wrote:
> hello all
>
> I'm trying to use dkim_signing, with rspamd 1.7.1 in milter mode with
> sendmail,  but recipients are flagging the messages as having invalid DKIM
>
> i had previously been successful using mimedefang with the same private
> and public keys, so i am confident that my dkim infrastructure (DSN,
> keys, etc) are working correctly.  just tested it again with mimedefang
> & confirmed it's ok, testing with http://dkimvalidator.com/ .
>
> there are 2 differences I've noticed between success & failure:
>
>   1)  mimedefang has a shorter h: list
> (h=from:content-type:mime-version:subject:message-id:date:to;) compared
> to rspamd
> (h=from:sender:reply-to:subject:date:message-id:to:cc:mime-version:content-type:content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:in-reply-to:references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post:dkim-signature;)
>
> - i know i can set this in /etc/rspamd/local.d/dkim.conf ... but should
> that matter ? is the presence of dkim-signature a problem there ? is
> there a knock-on effect for arc ?

That shouldn't matter.

> 2) mimedefang sets the data (b=...) all on one line , whereas rspamd
> appears to be returning a string with \n\t (newline and tab) at certain
> points. or at least .. that is what sendmail reports is being set. could
> this be causing the problem ?

Mime version of Base64 allows that as well.

> what else can I do to debug this ? is there any way to easily trap a
> copy of the message before it's signed & then run a signing process
> manually ?
> here's my  dkim_signing.conf


I'm pretty sure that the issue is in your MTA. I got some complaints
from Sendmail users and all of them have finished with the conclusion that it
was the MTA that broke DKIM signatures. I'm not a sendmail expert so I cannot
assist you with this issue.

peter lees
Mar 26, 2018, 7:53:55 PM
to rspamd


On Monday, 26 March 2018 20:11:00 UTC+10:30, vsevolod wrote:

> I'm pretty sure that the issue is in your MTA. I got some complaints
> from Sendmail users and all them has finished with a conclusion that it
> was MTA who broke DKIM signatures. I'm not a sendmail expert so I cannot
> assist you with this issue.

Thanks for the quick reply. There is an issue with opendkim where it can't be used with post-process stuff like genericdomains or masquerading, since the from: headers change after the milter is applied. That's probably the same for rspamd, but I've *turned off* those features, since they interfere with mimedefang, too.

The only difference in my sendmail config is to change the milter from mimedefang to rspamd.

Is it rspamd that is returning the DKIM signature with newline+tab breaks? If so, is there a way to prevent that?

spam...@googlemail.com
Apr 6, 2018, 11:55:25 AM
to rspamd
Hi all,

DKIM signing is also not working for me, but I'm using postfix with milter and get no signing at all.

dkim.conf
-------------
sign_headers = "from:sender:reply-to:subject:date:message-id:to:cc:mime-version:content-type:content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:in-reply-to:references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post:dkim-signature";

dkim_signing.conf
------------------------
enabled = true;
auth_only = true;
allow_username_mismatch = true;
allow_hdrfrom_mismatch = false;
allow_hdrfrom_multiple = false;
sign_local = true;
use_domain = "header";
use_domain_sign_local = "header";
try_fallback = false;
selector_map = "/etc/rspamd/dkim_selectors.map";
path_map = "/etc/rspamd/dkim_paths.map";
symbol = "DKIM_SIGNED";

dkim_selectors.map
--------------------------

dkim_paths.map
----------------------
mydom1.de /etc/CERT/dkim/mydom1.de.key.pem
mydom2.de /etc/CERT/dkim/mydom2.de.key.pem
mydom3.de /etc/CERT/dkim/mydom3.de.key.pem

Hans

spam...@googlemail.com
Apr 6, 2018, 12:04:08 PM
to rspamd
Setting debug_modules = ["dkim_signing"] in /etc/rspamd/local.d/logging.inc

showed wrong permissions on my key file..

Fixed.


On Monday, 26 March 2018 11:37:27 UTC+2, peter lees wrote:

spam...@googlemail.com
Apr 6, 2018, 12:24:03 PM
to rspamd
OK, now rspamd is signing my mails but the receiver got:

dkim=fail (1024-bit key) reason="fail (message has been altered)"

I switched back to amavisd with the same key and it passed.

Any ideas?

bjoe2k4
Apr 6, 2018, 12:33:51 PM
to rspamd
1. Do not hijack other threads.
2. Without samples of valid and invalid mails there is not much to tell.
3. Are the signed header fields in the DKIM "h=" field identical for both mails?

Vsevolod Stakhov
Apr 6, 2018, 12:43:42 PM
to bjoe2k4, rspamd
I'm pretty sure that the culprit is in newlines. Use of sendmail is
usually a good sign of this problem.

spam...@googlemail.com
Apr 6, 2018, 1:04:13 PM
to rspamd
1) ok
3) good hint
dkim.conf
sign_headers = "from:sender:reply-to:subject:date:message-id:to:cc:mime-version:content-type:content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:in-reply-to:references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post:dkim-signature";

breaks it

sign_headers = "from:sender:reply-to:subject:date:message-id:to:cc:mime-version:content-type:content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:in-reply-to:references:list-id:list-owner:list-unsubscribe:list-subscribe:list-post";
works

-> solved
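Two points in this thread are worth seeing in code: Vsevolod's remark that folding the b= data with newline+tab is harmless, and the finding above that listing dkim-signature in sign_headers broke verification on 1.7.1. The Python below is an added example, not code from rspamd, sendmail or any poster: it implements the RFC 6376 "relaxed" header canonicalization, the bottom-up h= header selection and the header-hash input a verifier computes, over a constructed message. The addresses, selector, timestamps and the b=/bh= base64 are made-up sample values and no real key is involved. It shows that the folded and single-line forms of the same signature hash to identical bytes, and that a name in h= with no matching field (the second "to", and "dkim-signature" on a message with no earlier signature) is recorded as an empty field: a signer and verifier have to agree on exactly that, so a signer filling such a slot with anything else, for example the header it is itself producing, cannot verify. The thread does not say what 1.7.1 did internally, only that dropping dkim-signature from the list fixed it.

```python
import hashlib
import re


def unfold(value):
    """Remove CRLF (or bare LF) that is immediately followed by WSP (RFC 5322 folding)."""
    return re.sub(r"\r?\n(?=[ \t])", "", value)


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header field:
    lower-case name, unfolded value, WSP runs collapsed to one SP, value trimmed.
    Returns 'name:value' without a trailing CRLF."""
    v = re.sub(r"[ \t]+", " ", unfold(value))
    return name.lower() + ":" + v.strip()


def parse_tags(sig_value):
    """Parse the tag=value list of a DKIM-Signature value. All whitespace inside a
    value is dropped, which is what RFC 6376 section 3.5 requires for b= and bh=
    ('whitespace is ignored in this value'); folding the b= data across lines with
    CRLF+TAB therefore changes nothing for a verifier."""
    tags = {}
    for item in unfold(sig_value).split(";"):
        if "=" not in item:
            continue
        k, v = item.split("=", 1)
        tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def select_signed_headers(h_tag, headers):
    """RFC 6376 section 5.4.2 header selection: for each name in h=, take the last
    not-yet-used instance of that field, searching from the bottom of the header
    block. A name with no instance left is recorded as (name, None), i.e. an empty
    field ('oversigning'), so a field added later would break the signature.
    `headers` is the header block WITHOUT the DKIM-Signature being verified."""
    remaining = list(headers)
    chosen = []
    for name in h_tag.split(":"):
        idx = next((i for i in range(len(remaining) - 1, -1, -1)
                    if remaining[i][0].lower() == name.lower()), None)
        chosen.append((name, None) if idx is None else remaining.pop(idx))
    return chosen


def header_hash_input(headers, sig_value):
    """Exact bytes a verifier hashes for the header part (RFC 6376 section 3.7):
    each selected header canonicalized and followed by CRLF, then the canonical
    DKIM-Signature itself with an empty b= value and no trailing CRLF."""
    tags = parse_tags(sig_value)
    parts = [relaxed_header(n, v) + "\r\n"
             for n, v in select_signed_headers(tags["h"], headers) if v is not None]
    # Keep the b= tag but drop its value (b= is never the first tag in these samples).
    sig_without_b = re.sub(r"((?:^|;)\s*b=)[^;]*", r"\1", unfold(sig_value))
    parts.append(relaxed_header("DKIM-Signature", sig_without_b))
    return "".join(parts).encode()


def header_hash(headers, sig_value):
    """SHA-256 of the header-hash input, the value an RSA signature would cover."""
    return hashlib.sha256(header_hash_input(headers, sig_value)).hexdigest()


# Constructed sample message headers, in message order, before any signature is added.
MESSAGE_HEADERS = [
    ("Received", "from mx.example.org (mx.example.org [192.0.2.1])\r\n\tby mail.example.net"),
    ("From", "Peter <peter@example.org>"),
    ("To", "someone@example.net"),
    ("Subject", "how to  debug\r\n dkim_signing ?"),
    ("Date", "Mon, 26 Mar 2018 10:37:27 +1030"),
    ("Message-ID", "<20180326.1@example.org>"),
]

# The same constructed signature twice: folded with CRLF+TAB inside the b= data, as
# the original post saw it leave the milter, and on a single line. b= and bh= are
# made-up base64. The second 'to' in h= is deliberate oversigning.
FOLDED_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n\ts=mail;\r\n"
              "\th=from:to:subject:date:message-id:to;\r\n"
              "\tbh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;\r\n"
              "\tb=AbCdEfGhIjKl\r\n\t MnOpQrStUvWx\r\n\t yZ==")
ONE_LINE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=mail; "
                "h=from:to:subject:date:message-id:to; "
                "bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; "
                "b=AbCdEfGhIjKlMnOpQrStUvWxyZ==")


if __name__ == "__main__":
    print("folded  :", header_hash(MESSAGE_HEADERS, FOLDED_SIG))
    print("one line:", header_hash(MESSAGE_HEADERS, ONE_LINE_SIG))
    for name, value in select_signed_headers("from:to:dkim-signature", MESSAGE_HEADERS):
        print(f"{name:15s} -> {'<empty>' if value is None else value}")
```

Run stand-alone it prints the same hash for both signature forms and shows the dkim-signature slot as empty. To compare a failing and a passing mail the way bjoe2k4 suggests, feed both header blocks to header_hash_input with their own DKIM-Signature value and diff the two byte strings: the first differing canonical line is the field the MTA or the h= list changed.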

peter lees
Apr 8, 2018, 9:18:49 PM
to rspamd
I also had success once I removed dkim-signature from the sign_headers list.

The next question is - will this have an impact on ARC ?

spam...@googlemail.com
Apr 9, 2018, 2:15:43 AM
to rspamd
Hi..

my arc.conf is a symlink:
arc.conf -> /etc/rspamd/local.d/dkim_signing.conf

and ARC headers are added to mail so I think it is working, but I currently have no other mailserver that checks ARC signatures to verify ;)

bjoe2k4
Apr 9, 2018, 7:05:58 AM
to rspamd
There has been a recent change with the sign_headers option, which does allow you to add dkim-signature to that list. See https://rspamd.com/doc/modules/dkim_signing.html#default-sign_headers-after-173

When it comes to arc, then any dkim-signature should be added to arc-message signature (at least that is recommended by the current arc draft 13). This currently works well with rspamd except for the case when rspamd adds both dkim and arc signatures. Then the dkim signature is not yet visible to the arc module and therefore not added to the arc-message-signature.