problem with DKIM and big messages

Johannes Feigl johannesfeigl at gmail.com
Thu Oct 5 06:27:43 CEST 2017 

Hello,

you are right. I enabled $enable_dkim_verification;
now it works.

thank you very much!

Johannes

2017-10-04 20:55 GMT+02:00 A. Schulze <sca at andreasschulze.de>:

>
>
> Am 04.10.2017 um 14:41 schrieb Johannes Feigl:
> > hello,
> >
> > on my debian system with amavisd-new-2.10.1 i found a problem with
> DKIM-verify and big messages.
> >
> > if there is a standard mail it works, but when it got an attachment it
> fails.
> >
> > the debug message looks like this:
> >
> > Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: eval: From 2nd
> level domain: gmail.com <http://gmail.com>, EnvelopeFrom 2nd level
> domain: gmail.com <http://gmail.com>
> > Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: performing
> public key lookup and signature verification
> > Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: DKIM, i=@
> gmail.com <http://gmail.com>, d=gmail.com <http://gmail.com>, s=20161025,
> a=rsa-sha256, c=relaxed/relaxed, fail, matches author domain
> > Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: signature
> verification result: FAIL (BODY HAS BEEN ALTERED)
> > Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: adsp
> ignored, message was truncated, invalid author domain signature
> > Oct  4 10:57:06 mail amavis[8781]: (08781-02) SA dbg: dkim: adsp result:
> - (truncated, ignored), author domain 'gmail.com <http://gmail.com>'
>
> Hello,
>
> DKIM validation require access to full message body.
> For performance reasons amavisd-new present only $sa_mail_body_size_limit
> to spamassassin.
>
> > FAIL (BODY HAS BEEN ALTERED)
> >
> > when i run spamassassin manually on the eml-file there is no problem
> > i finally found, that MAIL::DKIM is NOT getting the hole message.
> yes
>
> > whe i alter /usr/share/perl5/Mail/SpamAssassin/Plugin/DKIM.pm,
> > about lile 771 (in my case), there is "my $str =
> $pms->{msg}->get_pristine; ... $verifier->PRINT($str);"
> >
> > when i simply save the content of $str to a file, then i see that it has
> > been cutted.
> ... at $sa_mail_body_size_limit ...
>
> > this seams to be the problem.
> no
>
> > do you have any idea how to prevent this?
> amavisd-new itself must do verify DKIM and inform SA about the result.
> That way DKIM signatures for any message (even large then
> $sa_mail_body_size_limit) can be verified.
>
> To enable that feature, set $enable_dkim_verification=1
> Without that setting SA don't "see" DKIM verification results and start
> verification itself.
> That fail for messages larger the $sa_mail_body_size_limit because SA
> can't access the full message...
>
> This feature is mentioned on https://amavis.org/
> "supports optional verification of DKIM and DomainKeys signatures
> regardless of mail size (even for mail not passed to SpamAssassin)"
>
> Andreas
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20171005/655316b5/attachment.html>

More information about the amavis-users mailing list