DKIM Signature Body Hash Does Not Verify

arkitoure
Posts: 18
Joined: Fri Feb 10, 2017 9:16 am

DKIM Signature Body Hash Does Not Verify

Post by arkitoure »

Hello All,

Recently encountered an issue with DKIM where the signature body hash does not match/verify with the public DNS record. I have no idea why this is happening; I have checked just about everything I can think of. I am using mxtoolbox to run external deliverability tests.

Everything else in order but this keeps on churning out errors. Anyone seen this or have any clues on the issue?
Last edited by arkitoure on Sat Sep 26, 2020 9:59 am, edited 1 time in total.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: DKIM Signature Body Hash Does Not Verify

Post by phoenix »

Try the following:

# su - zimbra
zimbra@mail:$ /opt/zimbra/postfix/sbin/postconf -e disable_mime_output_conversion='yes'
zimbra@mail:$ zmmtactl restart

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
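
Added example (not part of the original posts, and not Zimbra or OpenDKIM code): a verifier recomputes the body hash from the body it receives and compares it with the bh= tag, so any rewrite of the body after signing, such as the 8-bit to quoted-printable conversion that disable_mime_output_conversion turns off, produces a "body hash did not verify" result. The sample body, header, domain and selector are constructed, and the helper names are hypothetical.

```python
import base64, hashlib, quopri, re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse whitespace runs to one space and drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                      # trailing empty lines are ignored
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    """Value a verifier computes and compares with bh= (rsa-sha256 signatures)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def tag(dkim_header: str, name: str) -> str:
    """Return one tag value from a DKIM-Signature header, folding whitespace removed."""
    m = re.search(r"(?:^|;)\s*" + name + r"\s*=([^;]*)", dkim_header)
    return re.sub(r"\s+", "", m.group(1)) if m else ""

def body_hash_ok(body: bytes, dkim_header: str) -> bool:
    # c=header/body; the body algorithm defaults to "simple" when omitted.
    mode = (tag(dkim_header, "c").split("/") + ["simple"])[1]
    return body_hash(body, mode) == tag(dkim_header, "bh")

# Constructed sample: an 8-bit UTF-8 body as the signer saw it, and the same
# body after a relay downgraded it to quoted-printable for a 7-bit next hop.
SIGNED_BODY = "Gr\u00fc\u00dfe aus K\u00f6ln\r\n".encode("utf-8")
RELAYED_BODY = quopri.encodestring(SIGNED_BODY.replace(b"\r\n", b"\n"))
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
          "\th=from:to:subject; bh=" + body_hash(SIGNED_BODY, "relaxed")
          + "; b=(placeholder)")

if __name__ == "__main__":
    print("as signed :", body_hash_ok(SIGNED_BODY, HEADER))   # True
    print("as relayed:", body_hash_ok(RELAYED_BODY, HEADER))  # False
```

To use it on a real failure, pass the raw body bytes of the message as received and the DKIM-Signature header value from the same message; a mismatch means the body changed somewhere between the signer and the receiver.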

Re: DKIM Signature Body Hash Does Not Verify

Post by arkitoure »

phoenix wrote: Try the following:

# su - zimbra
zimbra@mail:$ /opt/zimbra/postfix/sbin/postconf -e disable_mime_output_conversion='yes'
zimbra@mail:$ zmmtactl restart

Thx for picking this up! Tried it (with updated dir) and no cigar unfortunately.

/opt/zimbra/common/sbin/postconf -e disable_mime_output_conversion='yes'

Any idea why this may be happening? Running a multi-domain setup but never seen this before in all my previous installations. I was poking around the /opt/zimbra/conf/opendkim-localnets.conf.in to see if something in there could be the cause.

Re: DKIM Signature Body Hash Does Not Verify

Post by arkitoure »

And another strange related thing...I get no response when testing the validity of the DKIM sig against the server


This specific domain returns crickets, nothing, yet other domains do.

:|
Last edited by arkitoure on Sat Sep 26, 2020 9:59 am, edited 2 times in total.

Re: DKIM Signature Body Hash Does Not Verify

Post by phoenix »

Do you get the same result when it's sent to another test site (or google, perhaps)? Have you tried regenerating your DKIM signature for that domain?
Regards

Bill


Re: DKIM Signature Body Hash Does Not Verify

Post by arkitoure »

phoenix wrote: Do you get the same result when it's sent to another test site (or google, perhaps)? Have you tried regenerating your DKIM signature for that domain?

It's the only domain that returns no result. I did try to regen the DKIM for the domain after my last message. Same situation.

It's strange this, nothing really in the logs either to ID anything. And naturally this is causing bounced/blocked emails to major mail points like Yahoo, AOL, MS-Hotmail, etc., a serious issue.

Searched the whole net including our forums here for any tidbit of info and still a nothing burger.

I wonder could there be account and/or domain specific settings via the admin UI that would cause this issue? Maybe something is switched off/on somewhere. Lost.

Noticed your link to Rspamd...you still running this?

Re: DKIM Signature Body Hash Does Not Verify

Post by phoenix »

This is strange! What size key did you generate? Could there be a problem with your DNS records? Is it all email from this particular domain that's having the problem?

Yes, I'm still running Rspamd and it's a fantastic and lightweight alternative to the ZCS antispam system.
Regards

Bill


Re: DKIM Signature Body Hash Does Not Verify

Post by arkitoure »

2048-bit signature standard. Maybe try lesser just for kicks?

Perhaps version related?

Release 8.8.9_GA_2055.RHEL7_64_20180703080917 RHEL7_64 FOSS edition, Patch 8.8.9_P10 w/ Zextras Installed.

DNS checks out, on AWS R53 and all is well in that regard. Same format as other domains in same environ.

Bothering me enough now that I'm thinking of upgrading in hopes it clears the issue. I'm running production multi-server dist storage though with clients so downtime out of the blue is not a good place to be.

On Rspamd what's the ETA for integration? And perhaps with a positive effect on DKIM?

Cheers for your help here!

Re: DKIM Signature Body Hash Does Not Verify

Post by phoenix »

I wouldn't have thought this would be related to the ZCS version but I always like to keep on the most recent release. I'm not really sure if Opendkim had any problems similar to this but I never had any problems with it but that was a few years ago. :)

arkitoure wrote: On Rspamd whats the eta for integration? And perhaps with a positive effect on DKIM?!

I hate to say this but you must be joking! :) Zimbra (Synacor) having any contact with a forum member is unheard of in these forums. :( There has been absolutely no contact from Zimbra regarding Rspamd although I'm a great fan of it and I'd recommend it for any ZCS installation and for an experienced admin it's fairly trivial to implement.

I'll have a think about this and see what I can come up with, although you must remember that you're talking to an amateur here, I don't do this for a day job.
Regards

Bill


Re: DKIM Signature Body Hash Does Not Verify

Post by phoenix »

I've just sent them an email to their test account at ping@tools.mxtoolbox.com - I see the same failure as you and yet I can send mail anywhere (including google, Yahoo etc) without that problem occurring.

Well, I'm somewhat confused by the results from the MXtoolbox site as they are somewhat unexpected. It would lead me to think their validation is having problems, if you have an account with them have you tried contacting them to see if there is a problem?

Are you relaying any of the mail through another server? Here's a link that does explain the problem (and resolution) for opendkim but I don't know if it's applicable in your case: https://askubuntu.com/questions/1127344 ... ron-output
Regards

Bill
