DKIM fails when email signature is activated

181874
Posts: 34
Joined: Fri Feb 15, 2019 5:44 am
Location: Austria

Re: DKIM fails when email signature is activated

Post by 181874 »

I found out the DKIM from Zimbra works fine.
The issue lies at my firewall (Sophos XG) as I use it as an outgoing relay without modifying the message itself.

This is a confirmed issue by Sophos and should be fixed somewhere in the future.

The temporary workaround is to allow Zimbra to "talk" directly to other email servers, so DKIM works without any issues.
JDunphy
Outstanding Member
Posts: 897
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: DKIM fails when email signature is activated

Post by JDunphy »

I don't seem to have this problem, but it is interesting because it works sometimes and not other times, if I understand your initial comment. I am investigating this from the perspective of Zimbra's postfix having to rewrite this to 7bit when 8BITMIME isn't supported. The test site listed does support 8BITMIME, so one question is whether there is a smart relay involved that Zimbra passes the email on to before delivery to the test site. Does it fail for email you send to yourself with your attached signature in text+html mode? Does converting the email to text only make any difference before sending the signature out to that test site? I have more questions than answers at this point, but am exploring the scenario where something is encoding after it has been cryptographically signed. Adding an email signature shouldn't have any effect on the SignHeaders in opendkim.conf ... yet it does. hmmmm?
This comment in one of the threads I read about this mentioned we "should" be fine because we use a content filter to sign the headers unless there is another piece to the puzzle such as a smart relay or transparent proxy involved that is forcing this to be re-encoded after the fact.
Before you can send via SMTP, you will need to force the message into the 7bit or 8bit encoding, depending on what the server supports/requires (e.g. an SMTP server that does not support the 8BITMIME extension will require that messages be in the 7bit encoding...

So our SMTP server is not the final destination for most of the email we send (in general)... and while our SMTP server may support 8BITMIME, the destination SMTP server might not, which means that your SMTP server will be forced to re-encode the message before passing it along to the next SMTP server. If the message was cryptographically signed while the message was in the 8bit encoding, then it will no longer verify in that case.
Ref: http://lists.opendkim.org/archive/opend ... /3698.html
king0770
Outstanding Member
Posts: 242
Joined: Fri Sep 12, 2014 10:44 pm

Re: DKIM fails when email signature is activated

Post by king0770 »

Folks, just a little update on this issue.

It was discovered (not by me) that if the domain disclaimer contains over 999 characters, this will cause the DKIM body hash failure.

We've been thinking it's complex signatures because complex signatures have HTML, which is more characters. But it applies to both. Text or HTML, if it's over 999, it'll fail DKIM.

So, keep the domain disclaimers to around 900 characters (just to be safe). We have an internal bug report on this.
--
Rick King
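Both failure modes described in this thread (JDunphy's relay re-encoding an 8-bit body to 7bit after signing, and king0770's over-999-character disclaimer) share one mechanism: the relay changes the body bytes after OpenDKIM has computed the bh= body hash, so the receiver's recomputed hash no longer matches. The following added example (not code from the thread, Zimbra or OpenDKIM) reproduces that with a minimal RFC 6376 relaxed body canonicalization and two constructed relay transforms: quoted-printable re-encoding, and folding of lines longer than 998 octets (the RFC 5322 limit, which relays such as Postfix enforce). The sample bodies, the helper names and the fold limit are assumptions made for illustration.

```python
import base64
import hashlib
import quopri
import re


def relaxed_body_canon(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization (simplified):
    strip trailing whitespace per line, collapse runs of WSP to one SP,
    drop empty lines at the end, and terminate the body with CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b""  # empty body canonicalizes to the empty string
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes) -> str:
    """The bh= value a signer puts in DKIM-Signature (rsa-sha256, relaxed body)."""
    digest = hashlib.sha256(relaxed_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def reencode_7bit(body: bytes) -> bytes:
    """Constructed relay behaviour: a hop without 8BITMIME downgrades an
    8-bit body to quoted-printable. Pure-ASCII bodies pass through unchanged."""
    return quopri.encodestring(body)


def fold_long_lines(body: bytes, limit: int = 998) -> bytes:
    """Constructed relay behaviour: break any line longer than `limit` octets,
    as a relay enforcing the RFC 5322 line-length limit would."""
    out = []
    for ln in body.split(b"\r\n"):
        while len(ln) > limit:
            out.append(ln[:limit])
            ln = ln[limit:]
        out.append(ln)
    return b"\r\n".join(out)


def survives_relay(original: bytes, transform) -> bool:
    """True when the bh= computed at signing time still matches the body
    hash a receiver recomputes after the relay's transform."""
    return body_hash(original) == body_hash(transform(original))


# Constructed sample bodies (not real messages).
SAMPLE_ASCII = b"Hello,\r\nplain 7-bit text signature\r\n"
SAMPLE_8BIT = "Hallo,\r\nGr\u00fc\u00dfe aus \u00d6sterreich\r\n".encode("utf-8")
SAMPLE_LONG = b"Disclaimer: " + b"x" * 1200 + b"\r\n"  # one line well over 998 octets


if __name__ == "__main__":
    for name, body, transform in [
        ("ascii body, 7bit downgrade", SAMPLE_ASCII, reencode_7bit),
        ("ascii body, line folding", SAMPLE_ASCII, fold_long_lines),
        ("8-bit body, 7bit downgrade", SAMPLE_8BIT, reencode_7bit),
        ("1200-char disclaimer, line folding", SAMPLE_LONG, fold_long_lines),
    ]:
        print(f"{name}: bh matches after relay = {survives_relay(body, transform)}")
```

The two "False" cases are the thread's symptoms: the signer hashed the 8-bit or over-long body, the relay rewrote it in transit, and the verifier's recomputed hash differs. A defender checking this can compare the bh= in the received DKIM-Signature header against a hash of the body as it arrived; a mismatch with an otherwise valid header points at an intermediate hop altering the body, not at the signing key.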