DKIM always fails on incoming emails if DKIM is 2048 bit

Post by xorcz

Hello,
DKIM always fails if the key is 2048-bit. For example, Gmail:

Mar 31 23:02:19 mail amavis[24232]: (24232-01) dkim: public key s=20210112 d=gmail.com v=DKIM1 k=rsa, 2048-bit key
Mar 31 23:02:19 mail amavis[24232]: (24232-01) dkim: FAILED Author+Sender+MailFrom signature by d=gmail.com, From: <anon@gmail.com>, a=rsa-sha256, c=relaxed/relaxed, s=20210112, i=@gmail.com, fail (message has been altered)

```
Mar 31 23:02:19 mail amavis[24232]: (24232-01) get_deadline get_body_digest - deadline in 480.0 s, set to 30.000 s
Mar 31 23:02:19 mail amavis[24232]: (24232-01) get_deadline digest_pre - deadline in 480.0 s, set to 288.000 s
Mar 31 23:02:19 mail amavis[24232]: (24232-01) prolong_timer digest_pre: timer 288, was 288, deadline in 480.0 s
Mar 31 23:02:19 mail amavis[24232]: (24232-01) DNS resolver created, UDP payload size 1220, NS: 127.0.0.1
Mar 31 23:02:19 mail amavis[24232]: (24232-01) get_body_digest: reading header section from memory
Mar 31 23:02:19 mail amavis[24232]: (24232-01) get_body_digest: feeding header section to DKIM verifier
Mar 31 23:02:19 mail amavis[24232]: (24232-01) get_body_digest: sending h/b separator to DKIM
Mar 31 23:02:19 mail amavis[24232]: (24232-01) get_deadline digest_hdr - deadline in 480.0 s, set to 288.000 s
Mar 31 23:02:19 mail amavis[24232]: (24232-01) prolong_timer digest_hdr: timer 288, was 288, deadline in 480.0 s
Mar 31 23:02:19 mail amavis[24232]: (24232-01) get_body_digest: reading mail body from memory, 1 DKIM signatures
Mar 31 23:02:19 mail amavis[24232]: (24232-01) get_deadline digest_body - deadline in 479.9 s, set to 288.000 s
Mar 31 23:02:19 mail amavis[24232]: (24232-01) prolong_timer digest_body: timer 288, was 288, deadline in 479.9 s
Mar 31 23:02:19 mail amavis[24232]: (24232-01) get_body_digest: message size 2404, header+sep 2397, body 7
Mar 31 23:02:19 mail amavis[24232]: (24232-01) body type (8bit-MIMEtransport): unlabeled, good (h=0, b=0)
Mar 31 23:02:19 mail amavis[24232]: (24232-01) body hash: ef2334b35ce1e268856facb2daad034a
Mar 31 23:02:19 mail amavis[24232]: (24232-01) ip_from_received: 209.85.222.43
Mar 31 23:02:19 mail amavis[24232]: (24232-01) ip_from_received: no IP address in:  by mail-ua1-f43.google.com with SMTP id r7so17069709uaj.2\n        for <anon@example.com>; Fri, 31 Mar 2023 14:02:19 -0700 (PDT)\n
Mar 31 23:02:19 mail amavis[24232]: (24232-01) lookup_ip_acl (public_nets) arr.obj: key="127.0.0.1" matches "!127.0.0.0/8", result=0
Mar 31 23:02:19 mail amavis[24232]: (24232-01) lookup_ip_acl (public_nets) arr.obj: key="209.85.222.43" matches "::ffff:0:0/96", result=1
Mar 31 23:02:19 mail amavis[24232]: (24232-01) trace: ESMTP://[127.0.0.1]:54216 < ESMTPS://[209.85.222.43]:35791 < SMTP://x
Mar 31 23:02:19 mail amavis[24232]: (24232-01) dkim: public key s=20210112 d=gmail.com v=DKIM1 k=rsa, 2048-bit key
Mar 31 23:02:19 mail amavis[24232]: (24232-01) dkim: FAILED Author+Sender+MailFrom signature by d=gmail.com, From: <anon@gmail.com>, a=rsa-sha256, c=relaxed/relaxed, s=20210112, i=@gmail.com, fail (message has been altered)
```

I thought it was a DNS problem, but the server receives the key (in 2 parts):

```
[zimbra@mail ~]$ dig txt 20210112._domainkey.gmail.com @127.0.0.1

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> txt 20210112._domainkey.gmail.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38568
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;20210112._domainkey.gmail.com.	IN	TXT

;; ANSWER SECTION:
20210112._domainkey.gmail.com. 300 IN	TXT	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8JxVBMLHZRj1WvIMSHApRY3DraE/EiFiR6IMAlDq9GAnrVy0tDQyBND1G8+1fy5RwssQ9DgfNe7rImwxabWfWxJ1LSmo/DzEdOHOJNQiP/nw7MdmGu+R9hEvBeGRQ" "Amn1jkO46KIw/p2lGvmPSe3+AVD+XyaXZ4vJGTZKFUCnoctAVUyHjSDT7KnEsaiND2rVsDvyisJUAH+EyRfmHSBwfJVHAdJ9oD8cn9NjIun/EHLSIwhCxXmLJlaJeNAFtcGeD2aRGbHaS7M6aTFP+qk4f2ucRx31cyCxbu50CDVfU+d4JkIDNBFDiV+MIpaDFXIf11bGoS08oBBQiyPXgX0wIDAQAB"

;; Query time: 29 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 31 23:51:59 CEST 2023
;; MSG SIZE  rcvd: 482
```

It does not fail for most messages, where the mail server has 1024-bit DKIM.

Zimbra is the latest 8.8.15. I am not aware of any customizations related to DKIM.

Where to look?

Post by xorcz

I have to correct myself. For protonmail it works fine and the DKIM key is 2048. So no idea.
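
The dig answer in the first post carries the key as two quoted TXT character-strings, which must be joined with no separator before the p= value is decoded. The following is an added example, not part of the original posts and not amavis or Zimbra code: it joins the record shown above and reads the RSA modulus size from the DER, a quick check that the local resolver delivered a complete, well-formed key. The function names are hypothetical; the record is copied from the dig output in the post.

```python
import base64
import re

# TXT answer line copied from the dig output in the post: two quoted strings.
DIG_ANSWER = (
    '20210112._domainkey.gmail.com. 300 IN\tTXT\t'
    '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8JxVBMLHZRj1WvIMSHApRY3DraE/EiFiR6IMAlDq9GAnrVy0tDQyBND1G8+1fy5RwssQ9DgfNe7rImwxabWfWxJ1LSmo/DzEdOHOJNQiP/nw7MdmGu+R9hEvBeGRQ" '
    '"Amn1jkO46KIw/p2lGvmPSe3+AVD+XyaXZ4vJGTZKFUCnoctAVUyHjSDT7KnEsaiND2rVsDvyisJUAH+EyRfmHSBwfJVHAdJ9oD8cn9NjIun/EHLSIwhCxXmLJlaJeNAFtcGeD2aRGbHaS7M6aTFP+qk4f2ucRx31cyCxbu50CDVfU+d4JkIDNBFDiV+MIpaDFXIf11bGoS08oBBQiyPXgX0wIDAQAB"'
)


def join_txt_strings(answer_line):
    """Concatenate the quoted character-strings of a TXT answer, no separator."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', answer_line))


def parse_tags(record):
    """Split a DKIM key record into tag=value pairs, dropping whitespace in values."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {name.strip(): "".join(value.split()) for name, value in pairs}


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER, the p= value is incomplete")
    return tag, pos, pos + length


def rsa_key_info(record):
    """Return (modulus_bits, public_exponent) for the p= tag of a DKIM key record."""
    der = base64.b64decode(parse_tags(record)["p"], validate=True)
    _, pos, _ = read_tlv(der, 0)        # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = read_tlv(der, pos)      # AlgorithmIdentifier, skipped
    tag, pos, _ = read_tlv(der, pos)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, pos, _ = read_tlv(der, pos + 1)  # skip unused-bits octet, enter SEQUENCE
    _, n_start, n_end = read_tlv(der, pos)    # INTEGER modulus
    _, e_start, e_end = read_tlv(der, n_end)  # INTEGER publicExponent
    modulus = int.from_bytes(der[n_start:n_end], "big")
    return modulus.bit_length(), int.from_bytes(der[e_start:e_end], "big")


if __name__ == "__main__":
    print(rsa_key_info(join_txt_strings(DIG_ANSWER)))
```

A result of 2048 bits agrees with the `2048-bit key` that amavis logs for this selector; decoding only the first string raises an error instead of returning a key.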