Hi, I am having an issue with getting Disclaimer and DKIM signing with my amavis config. I am adding the html signature ok and the message is being signed but it is failing verification when it gets to the recipient. I can run amavisd-new testkeys and it passes locally, the DNS records are the same on my local and external DNS server. It fails the SM and LL Sig tests on unlocktheinbox, with bad signature. Any help on this is greatly appreciated, and any further info just ask and I will post relevant configs etc. TIA Trevor.
Can you post some information why the verification fails? I've just tested my setup with adding a disclaimer to txt and html-mails with http://www.appmaildev.com/de/dkim and http://www.brandonchecketts.com/emailtest.php and unlocktheinbox. I got result = pass in all cases. I use this in the 50-user:
Code:
    $altermime = '/usr/bin/altermime';
    @altermime_args_disclaimer = qw( --verbose --disclaimer=/etc/mail/disclaimer.txt --disclaimer-html=/etc/mail/disclaimer.html );
    $defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ];
and
Code:
    allow_disclaimers => 1,
within the policy_bank.
Hi, here is my 50-user file, I have changed my actual domain name to 'domain.tld' just in this reply.
Code:
    $allow_disclaimers = 1;
    $terminate_dsn_on_notify_success = 1;
    $enable_dkim_verification = 1;
    $enable_dkim_signing = 1;
    $inet_socket_port = [10024,10026];
    $interface_policy{'10026'} = 'ORIGINATING';
    $policy_bank{'ORIGINATING'} = {
        originating => 1,
        smtpd_discard_ehlo_keywords => ['8BITMIME'],
    };
    # ------------ Disclaimer Setting ---------------
    # Uncomment this line to enable signing disclaimer in outgoing mails.
    @local_domains_maps = ['domain.tld',];
    $defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ];
    # Program used for signing disclaimer in outgoing mails.
    $altermime = '/usr/bin/altermime';
    # Disclaimer in plain text format.
    @altermime_args_disclaimer = qw(--disclaimer=/etc/postfix/disclaimer/_OPTION_.txt --disclaimer-html=/etc/postfix/disclaimer/_OPTION_.html --force-for-bad-html);
    @disclaimer_options_bysender_maps = ({
        # Per-domain disclaimer setting: /etc/postfix/disclaimer/host1.iredmail.org.txt
        'mail.domain.tld' => 'mail.domain.tld',
        # Per-user disclaimer setting: /etc/postfix/disclaimer/boss.iredmail.org.txt
        # Catch-all disclaimer setting: /etc/postfix/disclaimer/default.txt
        '.' => 'mail.domain.tld',
    },);
    # ------------ End Disclaimer Setting ---------------
    #dkim_key('domain.tld', 'mail', '/etc/postfix/dkim/domain.tld/domain.tld.pem');
    @dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'simple/simple' } } );
    @mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.7.11.0/24); # list your internal networks
and I can see the DKIM signature in the emails, the disclaimer is also in the emails but here is the response I get from unlocktheinbox
Code:
    Publication: RFC 6376 DKIM Signature Additional Information Tag Value
    Version: v=1
    Key Algorithm: a=rsa-sha256
    Domain Name: d=domain.tld
    Signed Headers: h=content-type :content-type:subject:subject:mime-version:from:from:date:date :message-id:received
    Selector: s=mail
    Timestamp: t=1382614122
    Signature Expiration: x=1384428522
    Body Hash: bh=H0I 6hPiju90xhn9iyzevPLHq3Qec6CjvxQw4FIT0AU8=
    Signature Data: b=RU8iacOVlj/myTeFG3U 1q+BU0nX1KUkH+MaAx2muEQvfYInSK0ZNNnBtUzUTp3XsM46M/QfvPQKax0EdK5Q GcgYLBK7EBOh1VlhSpX9HDZrTiY4ZEQsR7IHwK3IBK24UfvaKhBgpObD0QTpcEEx n66bfqZ5YmXXaSixTdmooOLIu5KQvmDl4IkhUAwhsMohLm0Ii3rIHfQbugdI5wUX miTYqbuUYdxbYUfXsjMDb4hA/sOqSHY06E1FWlJuzcPvjDHRZf4ZJzCG3HOu+qhH 8/l5uprTMDqs2nlKccM1CFbVZOFJtFtZ9LDVVt78aK5SqVYeA6k6z9zyek8kQz2z z4A==
    Publication: RFC 6376 DKIM Check
    Signature Found: Yes
    SM Sig Verification: Failed - Bad Signature
    LL Sig Verification: Failed - Bad Signature
    From Signed: Yes
    Restricted Headers Signed: Yes - Return-Path, Received, Comments, Keywords, Bcc, Resent-Bcc, DKIM-Signature should not be signed.
Thanks for looking, if you need any further info just let me know. Trevor
Code:
    Signature Data: b=RU8iacOVlj/myTeFG3U 1q+BU0nX1KUkH+MaAx2muEQvfYInSK0ZNNnBtUzUTp3XsM46M/QfvPQKax0EdK5Q GcgYLBK7EBOh1VlhSpX9HDZrTiY4ZEQsR7IHwK3IBK24UfvaKhBgpObD0QTpcEEx n66bfqZ5YmXXaSixTdmooOLIu5KQvmDl4IkhUAwhsMohLm0Ii3rIHfQbugdI5wUX miTYqbuUYdxbYUfXsjMDb4hA/sOqSHY06E1FWlJuzcPvjDHRZf4ZJzCG3HOu+qhH 8/l5uprTMDqs2nlKccM1CFbVZOFJtFtZ9LDVVt78aK5SqVYeA6k6z9zyek8kQz2z z4A==
Your signature is incorrect. Remove the spaces.
Hi, I don't generate the signature data or the body hash, I assume these are generated by amavis or altermime. /Trevor
You must define the dkim_key settings in amavis for each domain that should be signed. Otherwise amavis won't sign any email. In your config #dkim_key('domain.tld', 'mail', '/etc/postfix/dkim/domain.tld/domain.tld.pem'); is commented out. You can use "amavisd-new showkeys" to see which keys are defined and where they are stored. Maybe you have the dkim_key in another config file.
Hi, Sorry, that's not commented out, mistake when cutting and pasting. I have tracked this down further and found out what the exact issue is and it's not related to the DKIM signing. If I changed the disclaimer to txt only the messages get signed, the problem seems to be with amavis changing the html when it's inserting into the email. I have noticed that all spaces in the original html are replaced by '20' in the sent mail so this seems to be causing the body hash failure. How do I set the content-type and or content-transfer-encoding for amavis/altermime to stop it changing my html? Thanks again for all your help Trevor.
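
Added example, not part of the thread: a Python sketch of the RFC 6376 body hash (the bh= value) under simple and relaxed body canonicalization, showing which kinds of body change after signing each one tolerates. The sample bodies are constructed, and treating the '20' from the last post as quoted-printable "=20" is an assumption.

```python
import base64
import hashlib
import re


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: only trailing empty lines are ignored."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: additionally normalise whitespace within lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, canon: str) -> str:
    """base64(SHA-256(canonical body)): what a verifier compares to bh=."""
    fn = {"simple": canon_simple, "relaxed": canon_relaxed}[canon]
    return base64.b64encode(hashlib.sha256(fn(body)).digest()).decode()


def survives(signed: bytes, received: bytes) -> dict:
    """Per canonicalization: does the received body still hash to bh?"""
    return {c: body_hash(signed, c) == body_hash(received, c)
            for c in ("simple", "relaxed")}


# Constructed sample bodies (not taken from the thread).
SIGNED = b'<p style="color: red">Disclaimer</p>\r\n'
# Only whitespace runs and trailing blank lines differ.
RESPACED = b'<p  style="color: red">Disclaimer</p> \r\n\r\n'
# Assumption: spaces rewritten as quoted-printable "=20" after signing.
REENCODED = b'<p=20style=3D"color:=20red">Disclaimer</p>\r\n'

if __name__ == "__main__":
    for name, body in [("respaced", RESPACED), ("re-encoded", REENCODED)]:
        print(name, survives(SIGNED, body))
```

Relaxed canonicalization absorbs whitespace-only changes, but neither mode survives a change to the encoded bytes of the body, so any rewriting of the HTML part has to be finished before the message is signed.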