<div dir="ltr"><div><div><div><div>Hello,<br><br></div>you are right. I enabled $enable_dkim_verification;<br></div>now it works.<br><br></div>thank you very much!<br></div><div><br></div>Johannes</div><div class="gmail_extra"><br><div class="gmail_quote">2017-10-04 20:55 GMT+02:00 A. Schulze <span dir="ltr"><<a href="mailto:sca@andreasschulze.de" target="_blank">sca@andreasschulze.de</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
Am 04.10.2017 um 14:41 schrieb Johannes Feigl:<br>
> hello,<br>
><br>
> on my debian system with amavisd-new-2.10.1 i found a problem with DKIM-verify and big messages.<br>
><br>
> if there is a standard mail it works, but when it got an attachment it fails.<br>
><br>
> the debug message looks like this:<br>
><br>
> Oct 4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: eval: From 2nd level domain: <a href="http://gmail.com" rel="noreferrer" target="_blank">gmail.com</a> <<a href="http://gmail.com" rel="noreferrer" target="_blank">http://gmail.com</a>>, EnvelopeFrom 2nd level domain: <a href="http://gmail.com" rel="noreferrer" target="_blank">gmail.com</a> <<a href="http://gmail.com" rel="noreferrer" target="_blank">http://gmail.com</a>><br>
> Oct 4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: performing public key lookup and signature verification<br>
> Oct 4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: DKIM, i=@<a href="http://gmail.com" rel="noreferrer" target="_blank">gmail.com</a> <<a href="http://gmail.com" rel="noreferrer" target="_blank">http://gmail.com</a>>, d=<a href="http://gmail.com" rel="noreferrer" target="_blank">gmail.com</a> <<a href="http://gmail.com" rel="noreferrer" target="_blank">http://gmail.com</a>>, s=20161025, a=rsa-sha256, c=relaxed/relaxed, fail, matches author domain<br>
> Oct 4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)<br>
> Oct 4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: adsp ignored, message was truncated, invalid author domain signature<br>
> Oct 4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: adsp result: - (truncated, ignored), author domain '<a href="http://gmail.com" rel="noreferrer" target="_blank">gmail.com</a> <<a href="http://gmail.com" rel="noreferrer" target="_blank">http://gmail.com</a>>'<br>
<br>
Hello,<br>
<br>
DKIM validation require access to full message body.<br>
For performance reasons amavisd-new present only $sa_mail_body_size_limit to spamassassin.<br>
<br>
> FAIL (BODY HAS BEEN ALTERED)<br>
><br>
> when i run spamassassin manually on the eml-file there is no problem<br>
> i finally found, that MAIL::DKIM is NOT getting the hole message.<br>
yes<br>
<br>
> whe i alter /usr/share/perl5/Mail/<wbr>SpamAssassin/Plugin/DKIM.pm,<br>
> about lile 771 (in my case), there is "my $str = $pms->{msg}->get_pristine; ... $verifier->PRINT($str);"<br>
><br>
> when i simply save the content of $str to a file, then i see that it has<br>
> been cutted.<br>
... at $sa_mail_body_size_limit ...<br>
<br>
> this seams to be the problem.<br>
no<br>
<br>
> do you have any idea how to prevent this?<br>
amavisd-new itself must do verify DKIM and inform SA about the result.<br>
That way DKIM signatures for any message (even large then $sa_mail_body_size_limit) can be verified.<br>
<br>
To enable that feature, set $enable_dkim_verification=1<br>
Without that setting SA don't "see" DKIM verification results and start verification itself.<br>
That fail for messages larger the $sa_mail_body_size_limit because SA can't access the full message...<br>
<br>
This feature is mentioned on <a href="https://amavis.org/" rel="noreferrer" target="_blank">https://amavis.org/</a><br>
"supports optional verification of DKIM and DomainKeys signatures regardless of mail size (even for mail not passed to SpamAssassin)"<br>
<br>
Andreas<br>
</blockquote></div><br></div>