1 (edited by jasongo 2019-09-02 12:21:32)

Topic: Failed DKIM on ProtonMail and SparkPost Due to Duplicate Signed Header

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9 MariaDB
- Deployed with iRedMail Easy or the downloadable installer? Deployed by hand and coffee
- Linux/BSD distribution name and version: Ubuntu 18.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Nope. Soon.
====

[PROBLEM]
With the default Amavis configuration, duplicate header names are produced in the "h=" tag of the DKIM-Signature header.

Here's an excerpt of the email received by ProtonMail, where DKIM failed.

```
Authentication-Results: mail20i.protonmail.ch; dmarc=pass (p=quarantine dis=none)
 header.from=mailsafe.io
Authentication-Results: mail20i.protonmail.ch; spf=pass
 smtp.mailfrom=postmaster@mailsafe.io
Authentication-Results: mail20i.protonmail.ch; dkim=permerror (0-bit key)
 header.d=mailsafe.io header.i=@mailsafe.io header.b="eHRTaYFd"
Authentication-Results: mta1.mailsafe.io (amavisd-new); dkim=pass (2048-bit key)
 reason="pass (just generated, assumed good)" header.d=mailsafe.io
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailsafe.io; h=
 message-id:user-agent:subject:subject:to:from:from:date:date
 :content-type:content-type:mime-version; s=dkim;
 t=1567352037;
 x=1568216038; bh=9OvCLROR/LQj9NFJlsAmSlSi/ehK5phTZadM1dG+KsA=; b=
 eHRTaYFdind/C5q4ceHiUPio6KFu2Ba62UIwMYZyFv3njE2cr6koOQLpnb5DUHns
 J5dRqJzY2fPA7CIzkcKHLW16mdSVQ3Lu+7dOdqj748v4alOIAZyxKJtL8lllWvLa
 E+iV8AMtTh6sl8OJooGTfz6017vhdLR7sBKsK6/1Uq0/6baz6QUzvOmwWXoCp8AK
 b1JBBNoYaC99z26LEzLwqXspGgm9d5ludottpUKC5VrrQNgviXS04ST6pj3uSkfU
 Q+mhFE1CS+x8ROvxk6L9HB1u0gAJ4N/ohyWjXgEw5VkcpqlfYe1sCFOWoaQFl1BG
 sKs/OTYeJI/zlUZzWUlXfQ==
X-Virus-Scanned: Debian amavisd-new at mta1.mailsafe.io
Mime-Version: 1.0
Content-Type: text/html
Date: Sun, 01 Sep 2019 23:33:57 +0800
From: 
To: 
Subject: Topic Mastery
User-Agent: MailSafe Webmail
Message-Id: <dsd@mailsafe.io>
```

Note that the headers signed by Amavis include some duplicates.

In most email systems, like Gmail, the DKIM verification was observed to adapt to this gracefully by removing the duplicates. However, the ProtonMail and SparkPost DKIM validators do not remove those duplicates and strictly use all the indicated headers in the verification.

[SOLUTION]
The solution I found is to explicitly declare $signed_header_fields in /etc/amavis/conf.d/50-user as follows:

```perl
$signed_header_fields{'to'} = 1;
$signed_header_fields{'from'} = 1;
$signed_header_fields{'subject'} = 1;
$signed_header_fields{'message-id'} = 1;
$signed_header_fields{'content-type'} = 1;
$signed_header_fields{'date'} = 1;
$signed_header_fields{'mime-version'} = 1;
```

The resulting signed headers will be clean of duplicates, as seen in the email received by ProtonMail. Note that the DKIM now passes validation.

```
Authentication-Results: mail12i.protonmail.ch; dmarc=pass (p=quarantine dis=none)
 header.from=mailsafe.io
Authentication-Results: mail12i.protonmail.ch; spf=pass
 smtp.mailfrom=postmaster@mailsafe.io
Authentication-Results: mail12i.protonmail.ch; dkim=pass (2048-bit key)
 header.d=mailsafe.io header.i=@mailsafe.io header.b="gr34qaTS"
Authentication-Results: mta1.mailsafe.io (amavisd-new); dkim=pass (2048-bit key)
 reason="pass (just generated, assumed good)" header.d=mailsafe.io
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailsafe.io; h=
 message-id:user-agent:subject:to:from:date:content-type :mime-version; s=dkim;
 t=1567395677; x=1568259678; bh=6VZEqHtxGn BThJQJCg3mtgNFgU4d9+sv6JBWfFWH0T8=;
 b=gr34qaTSXyHUKQgx6RdEO4bK1w
 C0GGA7lnpOvhbVNMXl+MbEg4yyxkiKDbahVq5ve6aynHHQJbuiJslJEd8JCcr3S7
 my1Vn609+ByWbGer1cO5IMOArh52nrk525EmnVBd00v4zMd9z3bA2h3XnZjyU90Z
 /I3O0PkC2nHPiIC6OhPD3M7UnMbuT/VFqxzqRWQuHeIFGmz15Wq2DxDjtHAgwWAh
 sPPC7vsdx+Gs3zmZpyD7f+ufIpp8oBWWZ1QLCEt9E2bq4MMKJNGKKC2YzO4ZLSDu
 4QMhFnJcy2lfw/bHG9kQYYFBhJqwAQ169tWCvdbtdooDSBBonfHVeZ/e0weQ==
X-Virus-Scanned: Debian amavisd-new at mta1.mailsafe.io
Mime-Version: 1.0
Content-Type: text/html
Date: Mon, 02 Sep 2019 11:41:17 +0800
From: 
To: 
Subject: can u verify?
User-Agent: MailSafe Webmail
Message-Id: <dddd@mailsafe.io>
```

Let this be known to everyone who might experience failing DKIM validation on a few systems but a valid DKIM on others.
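As an added illustration (not from the thread or from Amavis), the Python below models how an RFC 6376 verifier picks the header fields named in h=: a name listed more often than the header occurs ("oversigning") hashes as an empty string, so a conforming verifier computes the same header hash from either h= list shown above, while a verifier that re-hashes the same instance for a repeated name does not. The sample headers, addresses and the non-conforming "consume=False" mode are constructed; the DKIM-Signature field itself is left out of the hash to keep the example short.

```python
import base64
import hashlib
import re

# Constructed sample header block (top to bottom); not taken from the thread.
HEADERS = [
    ("Message-Id", "<sample@example.invalid>"),
    ("Subject", "Topic  Mastery"),
    ("To", "bob@example.invalid"),
    ("From", "alice@example.invalid"),
    ("Date", "Sun, 01 Sep 2019 23:33:57 +0800"),
    ("Content-Type", "text/html"),
    ("MIME-Version", "1.0"),
]
# The two h= lists from the thread: Amavis default (repeated names) and the de-duplicated one.
H_OVERSIGNED = ("message-id:user-agent:subject:subject:to:from:from:date:date"
                ":content-type:content-type:mime-version")
H_DEDUPED = "message-id:user-agent:subject:to:from:date:content-type:mime-version"

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed canonicalization of one header field."""
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()       # collapse runs of whitespace
    return f"{name.lower()}:{value}\r\n"

def select_signed(headers, h_tag, consume=True):
    """RFC 6376 section 5.4.2: for each name in h=, take the next not-yet-used
    instance, searching from the bottom of the header block. A name listed more
    often than it occurs (or not present at all) contributes an empty string.
    consume=False is a hypothetical non-conforming verifier that hashes the same
    bottom-most instance again for every repeat of a name."""
    remaining = list(headers)
    out = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                out.append(relaxed_header(*(remaining.pop(i) if consume else remaining[i])))
                break
        else:
            out.append("")   # oversigned or absent header: nothing to hash
    return out

def header_hash(headers, h_tag, consume=True):
    """Base64 SHA-256 over the selected, canonicalized headers."""
    data = "".join(select_signed(headers, h_tag, consume)).encode()
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def prepend_from(headers, value):
    """The same block with an extra From: above the signed one; shows what oversigning detects."""
    return [("From", value)] + list(headers)
```

With the de-duplicated h= list a second From: added above the signed one no longer changes the header hash, which is the protection the repeated names in the Amavis default provide.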

2

Re: Failed DKIM on ProtonMail and SparkPost Due to Duplicate Signed Header

Looks like a bug of Amavisd-new; could you help report it to the Amavisd team?
https://gitlab.com/amavis/amavis

By the way, in `/usr/sbin/amavisd-new`:

```perl
  my(@sign_headers) = qw(From Sender Reply-To Subject Date Message-ID To Cc
    In-Reply-To References MIME-Version Content-Type Content-Transfer-Encoding
    Content-ID Content-Description Resent-Date Resent-From Resent-Sender
    Resent-To Resent-Cc Resent-Message-ID List-Id List-Post List-Owner
    List-Subscribe List-Unsubscribe List-Help List-Archive);
```

So I guess we need more `$signed_header_fields{'XXX'} = 1;` lines?