I have a small mail server based on Fedora with postfix, OpenDKIM, spamassassin and mailman.
- OpenDKIM signature for outgoing emails works
- OpenDKIM verification for incoming emails works
When a DKIM message is sent to a mailing list I see the following in the headers:
DKIM-Filter: OpenDKIM Filter v2.11.0 corti.li DB09BDFEE4
Authentication-Results: corti.li;
dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=id.ethz.ch [email protected] header.a=rsa-sha256 header.s=key1-q3-2021 header.b=FOCb7EwF
[...]
DKIM-Filter: OpenDKIM Filter v2.11.0 corti.li A2C29DFED2
Received: from mailg210.ethz.ch (mailg210.ethz.ch [129.132.198.194])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by corti.li (Postfix) with ESMTPS id 98D21DF4AC
for <[email protected]>; Thu, 2 Dec 2021 14:19:55 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 corti.li 98D21DF4AC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=id.ethz.ch;
s=key1-q3-2021; t=1638451169; h=From:Subject:Date:Message-ID:To
:MIME-Version:Content-Type; bh=qzmynR6bBoUQ7r53VOIB9APaTNZN6JNW86G7ge/XIj
U=; b=FOCb7EwFI/pVyk/KvT2kEAFLcKguQN9b+UzfLobMxPe1YwAm1wHrRSs3ZXo8l1DUJTM
J5/lO3rJAMu8+ZidXMHLSFWl7JwZ2ciqB93RiQMYNONBLZ+HOYpkUxzof3L9MAzdCmGeaJisF
bk8FF/E8G+rGrBP7xXMpv+MgvofWU9RVCTQZqLOnWqPYyBsEsptByHDgsrUsmPGZSxQ1OUasd
j6cEkRfXk3EVqVNVZXWfGLWDD4CWd0VKSNMGk/SMPgx9L63SUe1qSv4PUIJn9Lepn6gnvZaE9
D7+v3uk69Kfglr4gK7OpFB1X/YQrEhQYzcstB6+sUUVTFhA3ROKyuHXA==;
In this example
- corti.li is my server
- @id.ethz.ch is the from domain
OpenDKIM configuration in /etc/postfix/main.cf
:
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
Mailman is configured via
./postfix/main.cf:alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
and entries like
testlist: "|/usr/lib/mailman/mail/mailman post testlist"
in /etc/mailman/aliases
Spamassassin is /etc/postfix/master.cf
configured as:
[root@corti etc]# grep spamass /etc/postfix/master.cf
smtp inet n - n - - smtpd -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
submission inet n - n - - smtpd -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
smtps inet n - n - - smtpd -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
spamassassin unix - n n - - pipe user=spamassassin argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Log entries about A2C29DFED2
Dec 02 14:19:57 corti.li postfix/pickup[190218]: A2C29DFED2: uid=513 from=<[email protected]>
Dec 02 14:19:57 corti.li postfix/cleanup[194198]: A2C29DFED2: message-id=<[email protected]>
Dec 02 14:19:57 corti.li opendkim[192090]: A2C29DFED2: no signing table match for '*****@id.ethz.ch'
Dec 02 14:19:57 corti.li opendkim[192090]: A2C29DFED2: DKIM verification successful
Dec 02 14:19:57 corti.li postfix/qmgr[1080]: A2C29DFED2: from=<[email protected]>, size=12955, nrcpt=1 (queue active)
Dec 02 14:19:57 corti.li postfix/local[194206]: A2C29DFED2: to=<[email protected]>, relay=local, delay=0.1, delays=0.01/0/0/0.09, dsn=2.0.0, status=sent (delivered to command: /usr/lib/mailman/mail/mailman post rpg)
Dec 02 14:19:57 corti.li postfix/qmgr[1080]: A2C29DFED2: removed
and
Dec 02 14:20:03 corti.li postfix/pickup[190218]: DB09BDFEE4: uid=513 from=<[email protected]>
Dec 02 14:20:03 corti.li postfix/cleanup[194198]: DB09BDFEE4: message-id=<[email protected]>
Dec 02 14:20:03 corti.li opendkim[192090]: DB09BDFEE4: no signing table match for '*****@id.ethz.ch'
Dec 02 14:20:03 corti.li opendkim[192090]: DB09BDFEE4: bad signature data
Dec 02 14:20:03 corti.li postfix/qmgr[1080]: DB09BDFEE4: from=<[email protected]>, size=14580, nrcpt=1 (queue active)
Dec 02 14:20:03 corti.li postfix/local[194206]: DB09BDFEE4: passing <[email protected]> to transport=procmail
Dec 02 14:20:04 corti.li postfix/pipe[194207]: DB09BDFEE4: to=<[email protected]>, relay=procmail, delay=0.15, delays=0.07/0/0/0.08, dsn=2.0.0, status=sent (delivered via procmail service)
Dec 02 14:20:04 corti.li postfix/qmgr[1080]: DB09BDFEE4: removed
Why is the DKIM signature of the outgoing message checked? mailman modifies the message and the original signature should not be relevant anymore.