problem with DKIM and big messages

A. Schulze sca at andreasschulze.de
Wed Oct 4 20:55:10 CEST 2017



On 04.10.2017 at 14:41, Johannes Feigl wrote:
> hello,
> 
> on my debian system with amavisd-new-2.10.1 i found a problem with DKIM-verify and big messages.
> 
> if there is a standard mail it works, but when it got an attachment it fails.
> 
> the debug message looks like this:
> 
> Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: eval: From 2nd level domain: gmail.com, EnvelopeFrom 2nd level domain: gmail.com
> Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: performing public key lookup and signature verification
> Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: DKIM, i=@gmail.com, d=gmail.com, s=20161025, a=rsa-sha256, c=relaxed/relaxed, fail, matches author domain
> Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: signature verification result: FAIL (BODY HAS BEEN ALTERED)
> Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: adsp ignored, message was truncated, invalid author domain signature
> Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: adsp result: - (truncated, ignored), author domain 'gmail.com'

Hello,

DKIM validation requires access to the full message body.
For performance reasons amavisd-new presents only $sa_mail_body_size_limit to spamassassin.

> FAIL (BODY HAS BEEN ALTERED)
> 
> when i run spamassassin manually on the eml-file there is no problem
> i finally found that MAIL::DKIM is NOT getting the whole message.
yes

> when i alter /usr/share/perl5/Mail/SpamAssassin/Plugin/DKIM.pm,
> about line 771 (in my case), there is "my $str = $pms->{msg}->get_pristine; ... $verifier->PRINT($str);"
> 
> when i simply save the content of $str to a file, then i see that it has
> been cut.
... at $sa_mail_body_size_limit ... 

> this seems to be the problem.
no

> do you have any idea how to prevent this?
amavisd-new itself must verify DKIM and inform SA about the result.
That way DKIM signatures for any message (even larger than $sa_mail_body_size_limit) can be verified.

To enable that feature, set $enable_dkim_verification=1
Without that setting SA doesn't "see" DKIM verification results and starts verification itself.
That fails for messages larger than $sa_mail_body_size_limit because SA can't access the full message...

This feature is mentioned on https://amavis.org/
"supports optional verification of DKIM and DomainKeys signatures regardless of mail size (even for mail not passed to SpamAssassin)"

Andreas
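
Added example, not part of the original message and not code from amavisd-new or SpamAssassin: a minimal Python sketch of the DKIM body-hash step (RFC 6376 relaxed body canonicalization, SHA-256) showing why a verifier that only receives the first part of a large message reports an altered body. The message body and the 4096-byte limit standing in for $sa_mail_body_size_limit are constructed sample values; key lookup and header signature checking are left out.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Reduce each run of spaces/tabs to one space, drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    # A non-empty body ends with exactly one CRLF; an empty body stays empty.
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes) -> str:
    """Value of the bh= tag for a=rsa-sha256 with c=.../relaxed."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def verify_body(body_seen: bytes, bh_from_signature: str) -> str:
    """Body-hash comparison only: the step that failed in the log above."""
    if body_hash(body_seen) == bh_from_signature:
        return "pass"
    return "fail (body has been altered)"

# Constructed sample: a short text part followed by a large "attachment".
FULL_BODY = b"Hi,\r\nsee attachment.\r\n\r\n" + b"QUJDRA==\r\n" * 2000
BH_SIGNED = body_hash(FULL_BODY)     # what the signer placed in bh=
SIZE_LIMIT = 4096                    # assumed stand-in for $sa_mail_body_size_limit
TRUNCATED = FULL_BODY[:SIZE_LIMIT]   # what a size-limited scanner is handed

if __name__ == "__main__":
    print("full body     :", verify_body(FULL_BODY, BH_SIGNED))
    print("truncated body:", verify_body(TRUNCATED, BH_SIGNED))
```

The message itself is unmodified in both cases; only the verifier's view of it differs, which is why the check has to run where the full body is available.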

