2

I'm checking my postfix setup with mail-server.net. I have SPF, DKIM, and DMARC set up and working. However, mail-server.net is claiming I have 2 DKIM signatures in a single message. How is this possible? Here's what my DNS records look like:

Name    Value    TTL
        v=spf1 mx -all    Default

201705._domainkey v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgk...

_adsp._domainkey dkim=all

_dmarc v=DMARC1;p=quarantine;sp=quarantine;adkim=r;aspf=r;fo=1;rf=afrf;rua=mailto:alescher@adventurecatsnw.com

As you can see, I've only included one DKIM signature key in the txt record. I'm using opendkim as the DKIM signer. I've only one key in the key.table record and one entry in the signing.table record. Does anyone have any ideas as to what could be the issue?

leschandrew

2 Answers

3

I have the same problem (not solved yet) but I think it has to do with SpamAssassin.

It looks like the DKIM signature is added before and after the SpamAssassin filter.

My mail header:
Return-Path: <info@mydomain>
X-Original-To: info@mydomain
Delivered-To: info@mydomain
Received: by mail.mydomain (Postfix, from userid 1001)
    id 2D776B7CA; Wed,  7 Jun 2017 23:15:02 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.mydomain 2D776B7CA
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain;
    etc.
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
    hostname.mydomain
X-Spam-Level: 
X-Spam-Status: No, score=-0.9 required=3.0 tests=ALL_TRUSTED,DKIM_SIGNED,
    HTML_MESSAGE,T_DKIM_INVALID,URIBL_BLOCKED autolearn=no autolearn_force=no
    version=3.4.0
Received: from [mylocalip] (myprovider [myip])
    by mail.mydomain (Postfix) with ESMTPSA id BB..
    for <info@mydomain>; Wed,  7 Jun 2017 23:15:01 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.mydomain BB..
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain;
    etc.

cat /var/log/maillog | grep "DKIM-Signature field added"

Jun  8 00:02:34 host opendkim[762]: BCD70B75A: DKIM-Signature field added (s=default, d=mydomain)
Jun  8 00:02:34 host opendkim[762]: F3341B7CA: DKIM-Signature field added (s=default, d=mydomain)

Check this answer: https://serverfault.com/questions/475416/is-there-a-reason-why-dkim-signs-every-mail-twice

zarvox
  • Thanks for the reply. I'm going to check that out myself. If you manage to solve it, post your answer here! I'll do the same. Good luck. – leschandrew Jun 08 '17 at 22:04
  • The answer you linked to solved it for me! Milter processing was occurring before and after amavis processing, and signing it twice. I set the milter to run after amavis as suggested in the link and it worked. Thanks! – leschandrew Jun 09 '17 at 19:48
  • I had the same problem with rspamd, where the dkim-signing module was enabled in addition to opendkim used by postfix – tanascius Apr 02 '20 at 20:46
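
A check for the symptom shown in the headers above, as an added example that is not part of the original answers: it groups DKIM-Signature headers by d= and s= and lists the queue ID from the DKIM-Filter header that precedes each one. The sample message, example.org, the queue IDs and the function names are constructed for illustration.

```python
import email
from collections import defaultdict
# Constructed sample, modelled on the header layout in the answer above.
SAMPLE = """\
Received: by mail.example.org (Postfix, from userid 1001)
\tid 2D776B7CA; Wed,  7 Jun 2017 23:15:02 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.example.org 2D776B7CA
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org;
\ts=default; bh=CONSTRUCTEDHASH=; h=From:Subject; b=CONSTRUCTEDSIG1
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.example.org
Received: from [192.0.2.10] (client.example.net [192.0.2.10])
\tby mail.example.org (Postfix) with ESMTPSA id BB0000001; Wed,  7 Jun 2017
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.example.org BB0000001
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org;
\ts=default; bh=CONSTRUCTEDHASH=; h=From:Subject; b=CONSTRUCTEDSIG2
From: info@example.org
Subject: test

body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def dkim_signers(raw):
    """Map (d=, s=) to the queue IDs from the DKIM-Filter header above each signature."""
    signers = defaultdict(list)
    job = None
    for name, value in email.message_from_string(raw).items():
        if name.lower() == "dkim-filter":
            job = value.split()[-1]  # last token is the queue ID, as in the headers above
        elif name.lower() == "dkim-signature":
            tags = parse_tags(value)
            signers[(tags.get("d"), tags.get("s"))].append(job)
            job = None  # a signature without its own DKIM-Filter header gets None
    return dict(signers)

def double_signed(raw):
    """Return only the domain/selector pairs that signed the message more than once."""
    return {k: v for k, v in dkim_signers(raw).items() if len(v) > 1}

if __name__ == "__main__":
    print(double_signed(SAMPLE))
```

Two different queue IDs under the same domain and selector mean the same signer handled the message on two passes through Postfix, which is the before-and-after-filter signing described in the answer.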
1

My error was in /etc/postfix/master.cf and now it's fixed.

This was my first postfix install and I had:

smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamfilter
smtps     inet  n       -       n       -       -       smtpd -o content_filter=spamfilter
submission inet n       -       n       -       -       smtpd -o content_filter=spamfilter

I changed this to:

smtp      inet  n       -       n       -       -       smtpd 
smtps     inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd -o content_filter=spamfilter

Good luck!

zarvox