Amavisd-new disclaimer and DKIM signing

Discussion in 'Installation/Configuration' started by n10rd, Oct 29, 2013.

  1. n10rd

    n10rd New Member

    Hi,

    I am having an issue with getting Disclaimer and DKIM signing with my amavis config. I am adding the html signature ok and the message is being signed but it is failing verification when it gets to the recipient. I can run amavisd-new testkeys and it passes locally, the DNS records are the same on my local and external DNS server. It fails the SM and LL Sig tests on unlocktheinbox, with bad signature.

    Any help on this is greatly appreciated, and any further info just ask and I will post relevant configs etc.

    TIA
    Trevor.
     
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Can you post some informations why the verifications fails?

    I`ve just tested my setup with adding a disclaimer to txt and html-mails with http://www.appmaildev.com/de/dkim and http://www.brandonchecketts.com/emailtest.php and unlocktheinbox.

    I got result = pass in all cases.

    I use this in the 50-user:
    Code:
    $altermime = '/usr/bin/altermime';
    @altermime_args_disclaimer = qw( --verbose
                                     --disclaimer=/etc/mail/disclaimer.txt
                                     --disclaimer-html=/etc/mail/disclaimer.html );
    $defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ];
    
    and

    Code:
    allow_disclaimers => 1,
    within the policy_bank.
     
  3. n10rd

    n10rd New Member

    Hi,

    here is my 50-user file, i have changed my actual domain name to 'domain.tld' just in this reply..

    Code:
    $allow_disclaimers = 1;
    $terminate_dsn_on_notify_success = 1;
    
    $enable_dkim_verification = 1;
    $enable_dkim_signing = 1;
    
    
    $inet_socket_port = [10024,10026];
    $interface_policy{'10026'} = 'ORIGINATING';
    $policy_bank{'ORIGINATING'} = {
            originating => 1,
            smtpd_discard_ehlo_keywords => ['8BITMIME'],
    };
    
    
    # ------------ Disclaimer Setting ---------------
    # Uncomment this line to enable singing disclaimer in outgoing mails.
    @local_domains_maps = ['domain.tld',];
    $defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ];
    
    # Program used to signing disclaimer in outgoing mails.
    $altermime = '/usr/bin/altermime';
    
    # Disclaimer in plain text formart.
    @altermime_args_disclaimer = qw(--disclaimer=/etc/postfix/disclaimer/_OPTION_.txt --disclaimer-html=/etc/postfix/disclaimer/_OPTION_.html --force-for-bad-html);
    
    @disclaimer_options_bysender_maps = ({
        # Per-domain disclaimer setting: /etc/postfix/disclaimer/host1.iredmail.org.txt
        'mail.domain.tld' => 'mail.domain.tld',
    
        # Per-user disclaimer setting: /etc/postfix/disclaimer/boss.iredmail.org.txt
    
        # Catch-all disclaimer setting: /etc/postfix/disclaimer/default.txt
        '.' => 'mail.domain.tld',
    },);
    # ------------ End Disclaimer Setting ---------------
    
    #dkim_key('domain.tld', 'mail', '/etc/postfix/dkim/domain.tld/domain.tld.pem');
    
    @dkim_signature_options_bysender_maps = (
    { '.' => { ttl => 21*24*3600, c => 'simple/simple' } } );
    @mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.7.11.0/24);  # list your internal networks
    
    and I can see the DKIM signature in the emails, the diclaimer is also in the emails but here is the response I get from unlocktheinbox

    Code:
    Publication: RFC 6376
    
    DKIM Signature Additional Information
    Tag	Value
    Version:	v=1
    Key Algorithm:	a=rsa-sha256
    Domain Name:	d=domain.tld
    Signed Headers:	h=content-type :content-type:subject:subject:mime-version:from:from:date:date :message-id:received
    Selector:	s=mail
    Timestamp:	t=1382614122
    Signature Expiration:	x=1384428522
    Body Hash:	bh=H0I 6hPiju90xhn9iyzevPLHq3Qec6CjvxQw4FIT0AU8=
    Signature Data:	b=RU8iacOVlj/myTeFG3U 1q+BU0nX1KUkH+MaAx2muEQvfYInSK0ZNNnBtUzUTp3XsM46M/QfvPQKax0EdK5Q GcgYLBK7EBOh1VlhSpX9HDZrTiY4ZEQsR7IHwK3IBK24UfvaKhBgpObD0QTpcEEx n66bfqZ5YmXXaSixTdmooOLIu5KQvmDl4IkhUAwhsMohLm0Ii3rIHfQbugdI5wUX miTYqbuUYdxbYUfXsjMDb4hA/sOqSHY06E1FWlJuzcPvjDHRZf4ZJzCG3HOu+qhH 8/l5uprTMDqs2nlKccM1CFbVZOFJtFtZ9LDVVt78aK5SqVYeA6k6z9zyek8kQz2z z4A==
    
    Publication: RFC 6376
    
    DKIM Check
    Signature Found:	Yes
    SM Sig Verification:	Failed - Bad Signature
    LL Sig Verification:	Failed - Bad Signature
    From Signed:	Yes
    Restricted Headers Signed:	Yes - Return-Path, Received, Comments, Keywords, Bcc, Resent-Bcc, DKIM-Signature should not be signed.
    
    thanks for looknig, if you need any further info just let me know.

    Trevor
     
  4. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Code:
    Signature Data:	b=RU8iacOVlj/myTeFG3U 1q+BU0nX1KUkH+MaAx2muEQvfYInSK0ZNNnBtUzUTp3XsM46M/QfvPQKax0EdK5Q GcgYLBK7EBOh1VlhSpX9HDZrTiY4ZEQsR7IHwK3IBK24UfvaKhBgpObD0QTpcEEx n66bfqZ5YmXXaSixTdmooOLIu5KQvmDl4IkhUAwhsMohLm0Ii3rIHfQbugdI5wUX miTYqbuUYdxbYUfXsjMDb4hA/sOqSHY06E1FWlJuzcPvjDHRZf4ZJzCG3HOu+qhH 8/l5uprTMDqs2nlKccM1CFbVZOFJtFtZ9LDVVt78aK5SqVYeA6k6z9zyek8kQz2z z4A==
    
    Your signature is incorrect. Remove the spaces.
     
  5. n10rd

    n10rd New Member

    Hi,

    I dont generate the signature data or the body hash, I assume these are generated by amavis or altermime

    /Trevor
     
  6. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    You must define the dkim_key-settings in amavis for each domain that should be signed. Otherwise amavis won´t sign any email.

    In your config

    #dkim_key('domain.tld', 'mail', '/etc/postfix/dkim/domain.tld/domain.tld.pem');

    is commented out. You can use "amavisd-new showkeys" the see which keys are defined and where they are stored.

    Maybe you have the dkim_key in an other configfile.
     
  7. n10rd

    n10rd New Member

    Hi,

    Sorry thats not commented out, mistake when cutting and pasting.

    I have tracked this down further and found out what the exact issue is and its not related to the DKIM signing.

    If i changed the disclaimer to txt only the messages get signed, the problem seems to be with amavis changing the html when its inserting into the email. I have noticed that all spaces in the original html are replaced by '20' in the sent mail so this seems to be causing the body has failure.

    How do i set the content-type and or content-transfer-encoding for amavis/altermime to stop it changing my html?

    Thanks again for all your help
    Trevor.
     

Share This Page