OpenDKIM and MailScanner

Gao gao at pztop.com
Tue May 31 18:36:49 UTC 2016 

Thank you Jerry for the quick reply.

The issue happens for outgoing emails.

Postfix has these lines:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

OpenDKIM daemon listens on port 8891:
##
## opendkim.conf -- configuration file for OpenDKIM filter
##
AutoRestart             Yes
AutoRestartRate         10/1h
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
LogWhy                  Yes
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  inet:8891 at localhost
Syslog                  Yes
SyslogSuccess           Yes
TemporaryDirectory      /var/tmp
UMask                   022
UserID                  opendkim:opendkim

So I don't know where to control the OpenDKIM.

Here is the maillog with the default "Sign Clean Messages = yes":

May 31 09:26:35 cac postfix/submission/smtpd[24230]: connect from 24-209-64-181.eastlink.ca[24.207.64.181]
May 31 09:26:36 cac postfix/submission/smtpd[24230]: 99FCB206E02D: client=24-209-64-181.eastlink.ca[24.207.64.181], sasl_method=PLAIN, sasl_username=gao at mydomain.com
May 31 09:26:36 cac postfix/cleanup[24244]: 99FCB206E02D: hold: header Received: from [192.168.123.60] (24-209-64-181.eastlink.ca [24.207.64.181])??by cac.mydomain.com (Postfix) with ESMTPSA id 99FCB206E02D??for <check-auth at verifier.port25.com>; Tue, 31 May 2016 09:26:36 - from 24-209-64-181.eastlink.ca[24.207.64.181]; from=<gao at mydomain.com> to=<check-auth at verifier.port25.com> proto=ESMTP helo=<[192.168.123.60]>
May 31 09:26:36 cac postfix/cleanup[24244]: 99FCB206E02D: message-id=<574DBB48.8020106 at mydomain.com>
May 31 09:26:36 cac opendkim[16815]: 99FCB206E02D: DKIM-Signature field added (s=cac, d=mydomain.com)
May 31 09:26:36 cac MailScanner[23917]: New Batch: Scanning 1 messages, 2762 bytes
May 31 09:26:36 cac postfix/submission/smtpd[24230]: disconnect from 24-209-64-181.eastlink.ca[24.207.64.181]
May 31 09:26:36 cac MailScanner[23917]: Virus and Content Scanning: Starting
May 31 09:26:37 cac MailScanner[23917]: Spam Checks: Starting
May 31 09:26:37 cac MailScanner[23917]: Expired 1 records from the SpamAssassin cache
May 31 09:26:37 cac MailScanner[23917]: Whitelist refresh time reached
May 31 09:26:37 cac MailScanner[23917]: Starting up SQL Whitelist
May 31 09:26:37 cac MailScanner[23917]: Read 0 whitelist entries
May 31 09:26:37 cac MailScanner[23917]: Blacklist refresh time reached
May 31 09:26:37 cac MailScanner[23917]: Starting up SQL Blacklist
May 31 09:26:37 cac MailScanner[23917]: Read 0 blacklist entries
May 31 09:26:43 cac MailScanner[23917]: Requeue: 99FCB206E02D.A9985 to 9AE0A207BE14
May 31 09:26:43 cac MailScanner[23917]: Uninfected: Delivered 1 messages
May 31 09:26:43 cac postfix/qmgr[21592]: 9AE0A207BE14: from=<gao at mydomain.com>, size=1536, nrcpt=1 (queue active)
May 31 09:26:43 cac MailScanner[23917]: Deleted 1 messages from processing-database
May 31 09:26:43 cac MailScanner[23917]: Logging message 99FCB206E02D.A9985 to SQL
May 31 09:26:43 cac MailScanner[23921]: 99FCB206E02D.A9985: Logged to MailWatch SQL
May 31 09:26:43 cac postfix/smtp[24258]: 9AE0A207BE14: to=<check-auth at verifier.port25.com>, relay=verifier.port25.com[38.95.177.125]:25, delay=7.4, delays=6.8/0.01/0.42/0.17, dsn=2.6.0, status=sent (250 2.6.0 message received)
May 31 09:26:43 cac postfix/qmgr[21592]: 9AE0A207BE14: removed


Gao




On 16-05-31 11:21 AM, Jerry Benton wrote:
> Where in the process does your MTA do the signing? When it comes in, or on the way out? Is that configurable? Obviously, if MailScanner adds a signature to the email after it is signed, it is going to fail.
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
>> On May 31, 2016, at 2:13 PM, Gao <gao at pztop.com> wrote:
>>
>> HI,
>>
>> I just found out an "issue":
>>
>> With the default MailScanner(v4.8.5) setting "Sign Clean Messages = yes", it seems MailScanner append the clean report AFTER OpenDKIM sign the message. This breaks the DKIM with  "wrong body hash" error.
>>
>> Change "Sign Clean Messages" to "no" fixes the DKIM problem.
>>
>> So, is there a way to control OpenDKIM and let it sign the message last?
>>
>> Gao
>>
>>
>>
>>
>>
>> -- 
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/listinfo/mailscanner
>>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20160531/8d319233/attachment.html>

More information about the MailScanner mailing list