Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DKIM broken by "Sign Clean Messages" optiion #544

Open
alexskynet opened this issue May 31, 2021 · 11 comments
Open

DKIM broken by "Sign Clean Messages" optiion #544

alexskynet opened this issue May 31, 2021 · 11 comments
Labels
question

Comments

@alexskynet
Copy link

This should be mentionend in docs
If you are using DKIM then you have to set the "Sign Clean Messages" option to off.
If not DKIN will be broken and the message is marked by clients as "altered"
@rubeldonarman
Copy link

That issues can be solved easily by doing
Multiple Headers = add But DKIM Authenticated option will be broken . You can verify with https://mxtoolbox.com/EmailHeaders.aspx . and

**Sign Clean Messages = yes **
that will add footer message for IN/OUT as below:

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

So Sign Clean Messages = yes | no is different thing .

I faced the new issues describing as below :
I have received an email through my mailscanner that was okay . When i replied with that OR forwarded to any one using roundcube/any webmail/outlook from desktop , The DKIM was invalid , i mean not verified . Also found a clue from https://dkimvalidator.com/results

result = fail
Details: body has been altered

If any suggestions , Please share .

@alexskynet
Copy link
Author

alexskynet commented Aug 16, 2021
edited
Loading

@rubeldonarman your issue seems different.
My post was intendend in addiction to the Add Headers option as stated in docs.
If you're using opendkim very likely keys are not synced with the main server or you have to restart OpenDkim to have the keys read.
I have RC running on a server different than mail server and I keep keys synched with no DKIM problems at all.
Alternatively you may setup RC to use the same mailserver where MS is OK with DKIM
Hope this may help

@rubeldonarman
Copy link

@alexskynet would you please assist for the following issues

Body Hash Did Not Verify [DKIM Signature Body Hash]

@alexskynet
Copy link
Author

@rubeldonarman does it work ok if sendig a new email using any client (p.e. Thunderbird)?
If no does it work if disabling MS?
Does it work if forwrding a message?
I suspect the problem is in setup of DKIm itself not in MS : my setup works ok and DKIM gets verified

@rubeldonarman
Copy link

without MS , DKIM is working perfectly , with MS Body Hash Did Not Verify
you can check with https://mxtoolbox.com/EmailHeaders.aspx

With MS :
DMARC Compliant : Ok Icon
SPF Alignment: Ok Icon
SPF Authenticated: Ok Icon
DKIM Alignment : Ok Icon
DKIM Authenticated : Problem Icon

Without MS :
DMARC Compliant : Ok Icon
SPF Alignment: Ok Icon
SPF Authenticated: Ok Icon
DKIM Alignment : Ok Icon
DKIM Authenticated : Ok Icon

@alexskynet
Copy link
Author

@rubeldonarman may I suggest you to use this test result instead of headers only test?
https://www.mailgenius.com/spf-and-dkim-key-email-checker/
Let me know

@shawniverson
Copy link
Member

Signing of a message will always alter the body and cause the downstream system DKIM to fail. This is the point of DKIM, to see if a message has been altered in transit. The downstream systems should rely on the upstream system to do the DKIM verification prior to the addition of the signature and not do their own DKIM verification from this system.

@ediazrod
Copy link
Contributor

ediazrod commented Oct 11, 2021
edited
Loading

I like to add I have Mailscanner v5 with DKMI enabled and a signature on inline.sig.html and don't have any issues with DKMI.. must be a problem on the config.. (I like to clarify that, now I having problems with my email, because the version of exim4 on Debian 10 is more strict on the size.)

@Skywalker-11
Copy link
Contributor

I like to add I have Mailscanner v5 with DKMI enabled and a signature on inline.sig.html and don't have any issues with DKMI.. must be a problem on the config..

Having a valid DKIM signature from the original sender and then adding additional mail content like MailScanners signature are mutually exclusive by design. The MailScanner signature modifies the content of the mail (which is exactly what DKIM should prevent) and as such the original DKIM signature will no longer be valid.

The only way to add the MailScanner signature to a mail and for the endclient to still be able to validate the DKIM signature of the original sender would be to add the original mail as an attachment (which doesn't contain the MailScanner signature) to the mail that where the MS signature was added. But the receiver then has to open the original mail in the attachment manually if he wants to validate that DKIM signature.

Same is also valid if MailScanner is configured to disarm links etc.

@ediazrod
Copy link
Contributor

I am agree, another way is don't put a signature, (I use a Mailscanner without signature) and put the signature using altermime for example.

@ediazrod
Copy link
Contributor

I like to add for the final solution is avoid signatures on mailscanner and put the LOPD or some avisory on the mail using exim.. I can share some details.. and leave mailscanner to avoid modify the mail..

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ediazrod @shawniverson @Skywalker-11 @rubeldonarman @alexskynet