-1

I am configuring opendkim+postfix. It is working OK and sent messages are correctly signed but the incomming messages are all marked as dkim=fail reason="signature verification failed"

How con I debug this problem?

Return-Path: <sender@gmail.com>
Delivered-To: recipient@mydomain.com
Received: from localhost (mailserver [127.0.0.1])
    by mydomain.com (Postfix) with SMTP id 4DDF93F966
    for <recipient@mydomain.com>; Tue, 24 Oct 2017 13:56:43 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mydomain.com 4DDF93F966
Authentication-Results: mydomain.com;
    dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="jmdDmXQb"
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.85.215.43; helo=mail-lf0-f43.google.com; envelope-from=sender@gmail.com; receiver=recipient@mydomain.com 
DMARC-Filter: OpenDMARC Filter v1.3.2 mydomain.com 2DBE03F963
Authentication-Results: mail.mydomain.com; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: mail.mydomain.com; spf=pass smtp.mailfrom=sender@gmail.com

The syslog reports this which looks OK

Oct 24 14:08:39 mailz opendkim[3325]: 4A29F3F938: [209.85.215.45] [209.85.215.45] not internal
Oct 24 14:08:39 mailz opendkim[3325]: 4A29F3F938: not authenticated
Oct 24 14:08:39 mailz opendkim[3325]: 4A29F3F938: DKIM verification successful

But later it adds:

Oct 24 14:08:43 mailzener postfix/cleanup[3194]: 6CC243F95E: message-id=<CAMXuvOM+jKLkE=0FrQ+cSqFesmPQujpHoVsfH9G_URg9uYtm1g@mail.gmail.com>
Oct 24 14:08:43 mailzener opendkim[3325]: 6CC243F95E: no signing table match for 'sender@gmail.com'
Oct 24 14:08:43 mailzener opendkim[3325]: 6CC243F95E: bad signature data

My opendkim configuration file is this:

AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
#InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

OversignHeaders         From
LogWhy                  Yes
X-Header                yes
MilterDebug     9
ResolverTracing Yes
user3099887
  • 161
  • 2
  • 10

1 Answers1

1

As you can see from the Queue ID 4A29F3F938 vs 6CC243F95E, these are two different mails.

4A29F3F938 is incoming and is verifying OK. 6CC243F95E is outgoing, and I guess opendkim tries to sign the mail. You need to elaborate on your processing of the mail in the lines inbetween :)

Ralf Hildebrandt
  • 543
  • 2
  • 16