1 (edited by shadowmaster 2016-12-07 22:04:06)

Topic: DKIM-signature (amavis problem)

Hi, Zhang.
You are my last hope.
The problem is that when I send mail from outside (connecting to port 587) using a mail client (Thunderbird/Android mail/etc.), it doesn't get a DKIM signature.
My amavis can't set the originating flag while passing through the ORIGINATING policy. Here it is on 10026 (only for sasl_authenticated on 587 (the submission port is configured in Postfix master.cf); foreign senders go to 10024 by default):

$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = { 
  originating => 1,
  allow_disclaimers => 1, 
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],
  terminate_dsn_on_notify_success => 0,
};

Nevertheless, mail from @mynetworks (e.g. Roundcube, the console, or the local network) gets a DKIM signature without problems. DKIM keys are correct and configured properly.

I ran an experiment adding the client's IP address to @mynetworks, and guess what? Mail was successfully signed, of course.
So that is the question: why can't amavis set this originating flag (originating => 1)? (Now it says "dkim: not signing mail which is not originating from our site".) The policy 'ORIGINATING' really works; I see it in the maillog.

Thanks for any advice!


==== Required information ====
- iRedMail version (check /etc/iredmail-release): iredadmin 0.6.3
- Linux/BSD distribution name and version: FreeBSD 11
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Nope.
- Related log if you're reporting an issue:
====


2

Re: DKIM-signature (amavis problem)

Try to add "enable_dkim_signing => 1," in block "$policy_bank{'ORIGINATING'} = {  }" like this:

$policy_bank{'ORIGINATING'} = {
    enable_dkim_signing => 1,
    ...
};

Restart amavisd service and try again.

3

Re: DKIM-signature (amavis problem)

shadowmaster wrote:

Hi, Zhang.
You are my last hope.
..

shadowmaster, please update http://www.iredmail.org/forum/post53165.html if you find a solution.

4

Re: DKIM-signature (amavis problem)

ZhangHuangbin wrote:

Try to add "enable_dkim_signing => 1," in block "$policy_bank{'ORIGINATING'} = {  }" like this:

$policy_bank{'ORIGINATING'} = {
    enable_dkim_signing => 1,
    ...
};

Restart amavisd service and try again.


I tried, but that doesn't work.
Now I have $enable_dkim_signing = 1; for all policies in amavisd.conf.

5

Re: DKIM-signature (amavis problem)

I have same settings, but DKIM signing works for me.

*) There's a global setting in Amavisd config file:

$enable_dkim_signing = 0;          # Disable dkim signing globally.

*) In both $policy_bank{'ORIGINATING'} and $policy_bank{'MYNETS'}, enable DKIM signing like below:

$policy_bank{'ORIGINATING'} = {
    enable_dkim_signing => 1,
    ...
};

This works fine for me.

Could you please turn on debug mode in Amavisd and try again? FYI:
http://www.iredmail.org/docs/debug.amavisd.html

6

Re: DKIM-signature (amavis problem)

ZhangHuangbin wrote:

I have same settings, but DKIM signing works for me.

*) There's a global setting in Amavisd config file:

$enable_dkim_signing = 0;          # Disable dkim signing globally.

*) In both $policy_bank{'ORIGINATING'} and $policy_bank{'MYNETS'}, enable DKIM signing like below:

$policy_bank{'ORIGINATING'} = {
    enable_dkim_signing => 1,
    ...
};

This works fine for me.

Could you please turn on debug mode in Amavisd and try again? FYI:
http://www.iredmail.org/docs/debug.amavisd.html

Zhang, I assume your tests are not using FreeBSD 11 or amavisd-new-2.11.0,1

After much digging I found other people are having the same issue, https://bugzilla.redhat.com/show_bug.cgi?id=1364730

The patch from https://lists.amavis.org/pipermail/amav … 04428.html seems to do the trick and now it's working.

7

Re: DKIM-signature (amavis problem)

bartoruiz wrote:

Zhang, I assume your tests are not using FreeBSD 11 or amavisd-new-2.11.0,1

Not FreeBSD. I will give it a try now.

8

Re: DKIM-signature (amavis problem)

bartoruiz wrote:
ZhangHuangbin wrote:

I have same settings, but DKIM signing works for me.

*) There's a global setting in Amavisd config file:

$enable_dkim_signing = 0;          # Disable dkim signing globally.

*) In both $policy_bank{'ORIGINATING'} and $policy_bank{'MYNETS'}, enable DKIM signing like below:

$policy_bank{'ORIGINATING'} = {
    enable_dkim_signing => 1,
    ...
};

This works fine for me.

Could you please turn on debug mode in Amavisd and try again? FYI:
http://www.iredmail.org/docs/debug.amavisd.html

Zhang, I assume your tests are not using FreeBSD 11 or amavisd-new-2.11.0,1

After much digging I found other people are having the same issue, https://bugzilla.redhat.com/show_bug.cgi?id=1364730

The patch from https://lists.amavis.org/pipermail/amav … 04428.html seems to do the trick and now it's working.

Ow yeah, that's it!
Added "$msginfo->originating(c('originating'));" to "Amavis::load_policy_bank($_,$msginfo) for @bank_names;" and now it works as expected!
Thank you so much!

9

Re: DKIM-signature (amavis problem)

I can reproduce this issue. We must report this issue to the FreeBSD port maintainer since the Amavisd team hasn't released a new version yet.

10

Re: DKIM-signature (amavis problem)

== UPDATE ==

I contacted the last maintainer (flo@), kindly asking for help to patch Amavisd in the ports tree.

11

Re: DKIM-signature (amavis problem)

bartoruiz or shadowmaster,
I found the same problem on Ubuntu 14.04 but I have no idea how to patch the amavisd. Can you help me with this? Thanks.

12

Re: DKIM-signature (amavis problem)

alex.w wrote:

I found the same problem on Ubuntu 14.04 but I have no idea how to patch the amavisd. Can you help me with this? Thanks.

According to the patch ( https://lists.amavis.org/pipermail/amav … 04428.html ), you just need to modify (ADD, in this case) one line in file /usr/local/sbin/amavisd.

--- amavisd.orig    Tue Apr 26 21:24:33 2016
+++ amavisd    Fri Jul  1 01:03:15 2016
@@ -34338,6 +34329,7 @@ sub collect_some_dkim_info($) {
     $sig_ind++;
   }
   Amavis::load_policy_bank($_,$msginfo) for @bank_names;
+  $msginfo->originating(c('originating'));
   $msginfo->dkim_signatures_valid(\@signatures_valid)  if @signatures_valid;
 # if (ll(5) && $sig_ind > 0) {
 #   # show which header fields are covered by which signature
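
Review bot: the added line "$msginfo->originating(c('originating'));" carries no comment saying why the flag is re-read immediately after "Amavis::load_policy_bank($_,$msginfo) for @bank_names;", so a later cleanup could drop it as redundant. Put a one-line comment above it stating that a bank loaded on the previous line may change 'originating' and that $msginfo has to pick up the new value before signing decisions are made. The assignment also runs when @bank_names is empty; that only re-applies the current setting, but a trailing "if @bank_names" would make the dependency on the previous line explicit.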

Please do some research with Google to understand how to read a patch file.

13 (edited by alex.w 2017-01-03 09:08:34)

Re: DKIM-signature (amavis problem)

Zhang,
Thank you for your prompt response. I couldn't find the amavisd file in /usr/sbin/ or /usr/local/sbin/. The only file I thought close to /usr/sbin/amavisd is /usr/sbin/amavisd-new. Then I copied and renamed it to /home/it/amavisd. I also dumped the patch into /home/it/amavis-fix.patch. But it failed when I tried to patch:
mx:~$ patch < amavis-fix.patch
patching file amavisd
Hunk #1 FAILED at 34338.
1 out of 1 hunk FAILED -- saving rejects to file amavisd.rej
mx:~$ sudo amavisd-new -h
amavisd-new-2.7.1 (20120429)

I also added whitelisting to amavis:
mx:~$ tail -n 20 /etc/amavis/conf.d/50-user
# Duplicate or multiple occurrence of a header field
$allowed_header_tests{'multiple'} = 0;

# Missing some headers. e.g. 'Date:'
$allowed_header_tests{'missing'} = 0;

1;  # insure a defined return

# This policy will perform virus checks only.
read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);

$interface_policy{'10026'} = 'VIRUSONLY';
$policy_bank{'VIRUSONLY'} = { # mail from the pickup daemon
    bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't spam-check this mail
    bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't banned-check this mail
    bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't header-check this mail

};

14

Re: DKIM-signature (amavis problem)

Amavisd-new 2.7 should be fine without patch. The patch is for Amavisd-new-2.11.0.
What's your issue please?

15 (edited by alex.w 2017-01-03 09:09:45)

Re: DKIM-signature (amavis problem)

Zhang,
Email from SOGO has a DKIM signature but emails from mail clients such as Thunderbird don't have one.
From SOGO:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; h= user-agent:message-id:to:mime-version:subject:subject:date:date :content-type:content-type:from:from; s=dkim; t=1482996666; x= 1483860667; bh=T187A03U8q55Kle4eBSo2ObgW6m7xvI8bQ1VV4ITHkc=; b=w a7kVk/LFJO69l2zPhQYqATCGin3bdq7KDm77TkoLAibr+lhhq8kd9mWPEMnb9TVx zjyqwz6JBOBB1FXDahByDmAEtoAPO0zTsebN5fLxF9+XtSJEzfjtKMQ0T2gjx0TL RWQ0xCV4gshxH/7a7y+gw9WFi/rxGAmcLQvmkSeCTM=
The only thing I modified from amavis is whitelisting. Does it affect the dkim signing?
mx:~$ tail -n 20 /etc/amavis/conf.d/50-user
# Duplicate or multiple occurrence of a header field
$allowed_header_tests{'multiple'} = 0;

# Missing some headers. e.g. 'Date:'
$allowed_header_tests{'missing'} = 0;

1;  # insure a defined return

# This policy will perform virus checks only.
read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);

$interface_policy{'10026'} = 'VIRUSONLY';
$policy_bank{'VIRUSONLY'} = { # mail from the pickup daemon
    bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't spam-check this mail
    bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't banned-check this mail
    bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't header-check this mail

};
Edited:
I've commented out the whitelisting mechanism and mail sent from Thunderbird is signed. So my problem is how to whitelist some email accounts from spam check but not affecting the DKIM signing. I will use another thread for my problem. Thanks.

16

Re: DKIM-signature (amavis problem)

alex.w wrote:

$interface_policy{'10026'} = 'VIRUSONLY';

Port 10026 is used by policy "ORIGINATING" by default; you changed this. And it DOES impact the DKIM signing because your 'VIRUSONLY' policy doesn't enable DKIM signing.

Try to add 'originating => 1,' in your VIRUSONLY policy, restart amavisd service and try again.

17

Re: DKIM-signature (amavis problem)

Zhang,
I can achieve the whitelist by modifying ORIGINATING policy bank.
I moved the code below before the ORIGINATING declaration:
# Load whitelist
read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);

I moved the code below inside the ORIGINATING declaration:
    bypass_spam_checks_maps   => ['@whitelist_sender_maps'],  # don't spam-check this mail
    bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't banned-check this mail
    bypass_header_checks_maps => ['@whitelist_sender_maps'],  # don't header-check this mail

Thank you very much for your assistance.

18

Re: DKIM-signature (amavis problem)

Seems we're talking about different things. Let's focus on the DKIM signing issue:

*) iRedMail configures Postfix to use port 10026 as filter for outgoing emails in /etc/postfix/master.cf, transport 'submission'.

*) Port 10026 is served by Amavisd, with policy "ORIGINATING". It has the setting "originating => 1," to identify that the emails are sent by your local users, so it will add a DKIM signature to processed emails.

You keep port 10026, but use a different policy (-> VIRUSONLY). It's OK to make this change, but you should add "originating => 1," to your policy to enable DKIM signing.
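
A way to check a config for the situation described in the last few posts (added example, not part of the original thread and not iRedMail or Amavisd code): it resolves which policy bank amavisd applies on port 10026 and reports when that bank lacks "originating => 1". It also flags a quoted '@name' inside a *_maps list, because a plain scalar in a lookup list is a constant (the same mechanism as the [1] in the first post), not a reference to the array. The sample config is constructed, and the regexes assume single-quoted names and a closing "};" on its own line.

```python
import re

# Constructed sample reproducing the override discussed in the thread:
# port 10026 is re-pointed at a bank that never sets originating.
SAMPLE_CONF = r"""
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
    originating => 1,  # declare that mail was submitted by our smtp client
    enable_dkim_signing => 1,
};
$interface_policy{'10026'} = 'VIRUSONLY';  # later assignment wins
$policy_bank{'VIRUSONLY'} = { # mail from the pickup daemon
    bypass_spam_checks_maps => ['@whitelist_sender_maps'],  # don't spam-check
};
"""

IFACE_RE = re.compile(r"^\s*\$interface_policy\{'(\d+)'\}\s*=\s*'([^']+)'\s*;", re.M)
BANK_RE = re.compile(r"^\s*\$policy_bank\{'([^']+)'\}\s*=\s*\{(.*?)^\s*\};", re.M | re.S)
KEY_RE = re.compile(r"^[ \t]*(\w+)\s*=>\s*(.+?),?[ \t]*(?:#.*)?$", re.M)
QUOTED_ARRAY_RE = re.compile(r"'@\w+'")


def audit_port(conf, port="10026"):
    """Return findings for the policy bank that amavisd applies on `port`."""
    ports = dict(IFACE_RE.findall(conf))  # last assignment wins, as in Perl
    banks = {n: dict(KEY_RE.findall(b)) for n, b in BANK_RE.findall(conf)}
    bank = ports.get(port)
    if bank is None or bank not in banks:
        return [f"port {port}: no usable policy bank ({bank})"]
    findings = []
    if banks[bank].get("originating") != "1":
        findings.append(f"{bank}: missing 'originating => 1', no DKIM signing")
    for key, value in banks[bank].items():
        # A quoted '@name' is a plain string, which a lookup list treats as a
        # constant that matches every address, not as the named array.
        if key.endswith("_maps") and QUOTED_ARRAY_RE.search(value):
            findings.append(f"{bank}: {key} holds a quoted array name {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_port(SAMPLE_CONF):
        print(finding)
```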

19

Re: DKIM-signature (amavis problem)

Zhang,
I've removed my VIRUSONLY policy bank so my DKIM signing problem is solved. I moved my whitelisting mechanism to ORIGINATING policy bank. So my new ORIGINATING policy bank becomes like this:
# Load whitelist
read_hash(\%whitelist_sender, '/etc/amavis/whitelist');
@whitelist_sender_maps = (\%whitelist_sender);

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
    originating => 1,  # declare that mail was submitted by our smtp client
    allow_disclaimers => 1,  # enables disclaimer insertion if available
    enable_dkim_signing => 1,

    # notify administrator of locally originating malware
    virus_admin_maps => ["root\@$mydomain"],
    spam_admin_maps  => [],
    bad_header_admin_maps => [],
    banned_admin_maps => ["root\@$mydomain"],
    warnbadhsender   => 1,
    warnbannedsender => 1,

    # force MTA conversion to 7-bit (e.g. before DKIM signing)
    #smtpd_discard_ehlo_keywords => ['8BITMIME'],

    # don't remove NOTIFY=SUCCESS option
    terminate_dsn_on_notify_success => 0,

    # don't perform spam/virus/header check.
    #bypass_spam_checks_maps => [1],    # spam
    #bypass_header_checks_maps => [1],  # bad header
    #bypass_virus_checks_maps => [1],   # virus
    #bypass_banned_checks_maps => [1],  # banned file names and types

    bypass_banned_checks_maps => ['@whitelist_sender_maps'],  # don't banned-check this mail
};
One cup of coffee served on your table. Xie-xie ni.

Alex Wijoyo

20

Re: DKIM-signature (amavis problem)

Thanks for the coffee. :)