OpenDKIM

failed to parse Authentication-Results on valid headers

Open gene-git opened this issue 6 years ago • 11 comments

Some emails show the above error, and when accompanied by a DMARC reject policy the email is subsequently rejected.

The email in this case was from American Airlines customer relations - they use Exchange servers. After changing the email to be used to Gmail, and re-sending, the reply went through to Gmail just fine.

I examined the email sent to Google and the DKIM-Signature looks fine to me and Google is fine with it as well - showing DKIM and DMARC both pass:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aa.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh...

So this seems to be a bug with OpenDKIM.

Is there any chance that a fix is in the works for opendkim?

gene-git, Sep 09 '19 20:09

I do see the Auth results header from Google, but there is also another one lower down; I wonder if the second one is causing a problem for opendkim? The second one looks like it should be ignored - but perhaps it isn't and that triggered the reject - not sure why opendkim is even reading that auth results at all - I'd expect it to create one, not read an untrusted one. But perhaps someone can share how to fix this ...

thanks ;)

Authentication-Results: mx.google.com; dkim=pass [email protected] header.s=selector2 header.b=ksOGfQcS; arc=pass (i=1); spf=pass (google.com: domain of [email protected] designates 40.107.77.81 as permitted sender) [email protected]; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=aa.com

... Authentication-Results: spf=softfail (sender IP is 144.9.232.1) smtp.mailfrom=aa.com; gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=fail action=oreject header.from=aa.com;

gene-git, Sep 09 '19 21:09

Is there a way I can debug the milter if I save the headers I have from Google - see why the milter is failing? I see a miltertest.c program but it's not too clear at a quick glance how I can throw a file with mail and headers at it and step through a debugger to see where the failure stems from?

gene-git, Sep 09 '19 21:09

Look closely. That second Authentication-Results header is not valid. (No authserv-id.) Probably OpenDKIM's behaviour in response is incorrect. But bug title is wrong. ;-)

mikenor, Mar 19 '21 20:03
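The missing authserv-id pointed out above, as an added example that is not part of the original thread and not OpenDKIM's code: a simplified Python check of the RFC 8601 rule that the header value must begin with an authserv-id before the first ";". `GOOD` is a constructed header using example.com values, `BAD` is the second header quoted in the thread, and quoted-string values are assumed absent.

```python
import re

# RFC 2045 token: printable ASCII minus space and tspecials ('=' is a tspecial).
TOKEN = r"[^\s()<>@,;:\\\"/\[\]?=\x00-\x1f\x7f]+"
AUTHSERV_ID = re.compile(rf"^({TOKEN})(?:\s+(\d+))?$")   # authserv-id [version]
METHODSPEC = re.compile(rf"^({TOKEN})\s*=\s*({TOKEN})")  # method "=" result

def strip_comments(value):
    """Remove parenthesised comments, honouring nesting."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def parse_authres(value):
    """Return (authserv_id, [(method, result), ...]) or raise ValueError."""
    parts = [p.strip() for p in strip_comments(value).split(";")]
    m = AUTHSERV_ID.match(parts[0])
    if not m:
        raise ValueError(f"no authserv-id before first ';': {parts[0]!r}")
    results = []
    for seg in parts[1:]:
        if seg in ("", "none"):  # trailing ';' or the explicit no-result form
            continue
        r = METHODSPEC.match(seg)
        if not r:
            raise ValueError(f"bad resinfo: {seg!r}")
        results.append((r.group(1), r.group(2)))
    return m.group(1), results

# GOOD is constructed (example.com values); BAD is the second header from the thread.
GOOD = ("mx.google.com; dkim=pass header.i=@example.com; arc=pass (i=1); "
        "spf=pass (domain of user@example.com designates 192.0.2.1) "
        "smtp.mailfrom=user@example.com; dmarc=pass (p=REJECT) header.from=example.com")
BAD = ("spf=softfail (sender IP is 144.9.232.1) smtp.mailfrom=aa.com; gmail.com; "
       "dkim=none (message not signed) header.d=none;gmail.com; "
       "dmarc=fail action=oreject header.from=aa.com;")

if __name__ == "__main__":
    for hdr in (GOOD, BAD):
        try:
            print(parse_authres(hdr))
        except ValueError as exc:
            print("rejected:", exc)
```

A verifier that hits the `ValueError` case can skip that header as untrusted input rather than treat the whole message as unparseable.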

Thanks for following up on this - and awesome to see things moving forward nicely - appreciate your looking at this.

gene-git, Mar 19 '21 21:03

Honestly I haven't seen things moving forward. I'm just a fellow user looking at old bugs to assess how dead this project is.

mikenor, Mar 19 '21 21:03

ok gotcha - opendmarc is very much alive which is nice - hopefully dkim and arc will likewise get more attention :)

gene-git, Mar 19 '21 21:03

Seeing this issue too in relation to protection.outlook.com.

corrilan, Feb 22 '22 12:02

I see the following in my logs:

opendkim[15609]: 0A5D11EEF20: failed to parse authentication-results: header field
opendkim[15609]: 0A5D11EEF20: bad signature data

from a particular sender that our mail server receives from NAM04-MW2-obe.outbound.protection.outlook.com

If I save that email to a file, from mutt, and run the python script dkimverify on it, I consistently get:

$ cat message.txt | python3 dkimverify.py
signature ok
$

I'm at a loss to figure out what exactly opendkim thinks is "bad" about the signature data.

Anyone know how I can debug this further?

up_the_irons, Jun 04 '24 04:06

This is a zombie project - I gave up on opendkim a couple years ago.

I've switched to dkimpy which not only works well and is properly maintained but also supports elliptic curves (I sign with both RSA and EC).

good luck,

gene-git, Jun 04 '24 10:06

I've been reading about it just now: https://pypi.org/project/dkimpy-milter/

Looks like I can integrate it with my Postfix setup similarly to the way I have OpenDKIM. This might be the replacement I've been looking for. Honestly, I haven't been so happy with OpenDKIM and was wondering what alternatives were out there. Thanks for the tip!

up_the_irons, Jun 04 '24 18:06

Yes - I use Postfix and once the config is set up, changing milters is straightforward.

gene-git, Jun 04 '24 18:06