DKIM Signature Body Hash Does Not Verify
Hello All,
Recently encountered an issue with DKIM where the signature body hash does not match/verify with the public DNS record. I have no idea why this is happening; I have checked just about everything I can think of. I am using mxtoolbox to run external deliverability tests.
Everything else is in order but this keeps on churning out errors. Anyone seen this or have any clues on the issue?
Last edited by arkitoure on Sat Sep 26, 2020 9:59 am, edited 1 time in total.
Re: DKIM Signature Body Hash Does Not Verify
Try the following:
Code:
#su - zimbra
zimbra@mail:$ /opt/zimbra/postfix/sbin/postconf -e disable_mime_output_conversion='yes'
zimbra@mail:$ zmmtactl restart
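Added example (not part of the thread, and not Zimbra or Postfix code): the setting suggested above stops Postfix converting 8BITMIME content to 7-bit on delivery, and this Python sketch shows why such a conversion after signing produces a body hash failure while a whitespace-only change does not under relaxed canonicalization. The message body, the domain example.com, the selector sel1 and the b= value are constructed for illustration.

```python
import base64
import hashlib
import quopri
import re


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, then drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end of the body are ignored
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value the signer puts in bh= and the verifier recomputes (rsa-sha256)."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    pairs = (t.strip().split("=", 1) for t in header_value.split(";") if "=" in t)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}


def body_hash_verifies(header_value: str, received_body: bytes) -> bool:
    """Recompute the body hash the way a verifier does and compare it with bh=."""
    tags = parse_tags(header_value)
    # c= is header/body; the body algorithm defaults to simple when omitted.
    mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return tags["bh"] == body_hash(received_body, mode)


# Constructed sample: an 8-bit UTF-8 body as it looked when the signer hashed it.
SIGNED_BODY = "Grüße aus Zürich,\r\n\r\nbitte Rechnung prüfen.\r\n".encode("utf-8")
# Constructed header; b= is a placeholder because only bh= is checked here.
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
       f"bh={body_hash(SIGNED_BODY)}; b=PLACEHOLDER")
# Stand-in for an MTA re-encoding the 8-bit body as quoted-printable after signing.
CONVERTED_BODY = quopri.encodestring(SIGNED_BODY)
# Whitespace-only change in transit (trailing spaces added to one line).
PADDED_BODY = SIGNED_BODY.replace(b",\r\n", b",  \r\n")

if __name__ == "__main__":
    print("as signed       :", body_hash_verifies(SIG, SIGNED_BODY))
    print("trailing spaces :", body_hash_verifies(SIG, PADDED_BODY))
    print("after QP recode :", body_hash_verifies(SIG, CONVERTED_BODY))
```

To apply the same check to a real failure, feed it the raw body bytes of the message as received (everything after the first blank line) and the DKIM-Signature value from that same copy.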
Re: DKIM Signature Body Hash Does Not Verify
phoenix wrote: Try the following:
Code:
#su - zimbra
zimbra@mail:$ /opt/zimbra/postfix/sbin/postconf -e disable_mime_output_conversion='yes'
zimbra@mail:$ zmmtactl restart
Thx for picking this up! Tried it (with updated dir) and no cigar unfortunately.
Code:
/opt/zimbra/common/sbin/postconf -e disable_mime_output_conversion='yes'
Re: DKIM Signature Body Hash Does Not Verify
And another strange related thing... I get no response when testing the validity of the DKIM sig against the server.
This specific domain returns crickets, nothing, yet other domains do.
Last edited by arkitoure on Sat Sep 26, 2020 9:59 am, edited 2 times in total.
Re: DKIM Signature Body Hash Does Not Verify
Do you get the same result when it's sent to another test site (or google, perhaps)? Have you tried regenerating your DKIM signature for that domain?
Re: DKIM Signature Body Hash Does Not Verify
phoenix wrote: Do you get the same result when it's sent to another test site (or google, perhaps)? Have you tried regenerating your DKIM signature for that domain?
It's the only domain that returns no result. I did try to regen the DKIM for the domain after my last message. Same situation.
It's strange this, nothing really in the logs either to ID anything. And naturally this is causing bounced/blocked emails to major mail points like Yahoo, AOL, MS-Hotmail, etc... a serious issue.
Searched the whole net including our forums here for any tidbit of info and still a nothing burger.
I wonder could there be account and/or domain specific settings via the admin UI that would cause this issue? Maybe something is switched off/on somewhere. Lost.
Noticed your link to Rspamd...you still running this?
Re: DKIM Signature Body Hash Does Not Verify
This is strange! What size key did you generate? Could there be a problem with your DNS records? Is it all email from this particular domain that's having the problem?
Yes, I'm still running Rspamd and it's a fantastic and lightweight alternative to the ZCS antispam system.
Re: DKIM Signature Body Hash Does Not Verify
2048-bit signature standard. Maybe try lesser just for kicks?
Perhaps version related?
Release 8.8.9_GA_2055.RHEL7_64_20180703080917 RHEL7_64 FOSS edition, Patch 8.8.9_P10 w/ Zextras Installed.
DNS checks out, on AWS R53 and all is well in that regard. Same format as other domains in same environ.
Bothering me enough now that I'm thinking of upgrading in hopes it clears the issue. I'm running production multi-server dist storage though with clients so downtime out of the blue is not a good place to be.
On Rspamd what's the ETA for integration? And perhaps with a positive effect on DKIM?
Cheers for your help here!
Re: DKIM Signature Body Hash Does Not Verify
I wouldn't have thought this would be related to the ZCS version but I always like to keep on the most recent release. I'm not really sure if Opendkim had any problems similar to this but I never had any problems with it but that was a few years ago.
I'll have a think about this and see what I can come up with, although you must remember that you're talking to an amateur here, I don't do this for a day job.
arkitoure wrote: On Rspamd what's the ETA for integration? And perhaps with a positive effect on DKIM?
I hate to say this but you must be joking! Zimbra (Synacor) having any contact with a forum member is unheard of in these forums. There has been absolutely no contact from Zimbra regarding Rspamd although I'm a great fan of it and I'd recommend it for any ZCS installation and for an experienced admin it's fairly trivial to implement.
Re: DKIM Signature Body Hash Does Not Verify
I've just sent them an email to their test account at ping@tools.mxtoolbox.com - I see the same failure as you and yet I can send mail anywhere (including google, Yahoo etc) without that problem occurring.
Well, I'm somewhat confused by the results from the MXtoolbox site as they are somewhat unexpected. It would lead me to think their validation is having problems, if you have an account with them have you tried contacting them to see if there is a problem?
Are you relaying any of the mail through another server? Here's a link that does explain the problem (and resolution) for opendkim but I don't know if it's applicable in your case: https://askubuntu.com/questions/1127344 ... ron-output