[Rspamd-Users] DKIM not signing - help debugging

Philip Paeps philip at trouble.is
Thu Oct 22 09:48:06 UTC 2020


On 2020-10-22 17:36:10 (+0800), André Peters wrote:

> ------ Original Message ------
> From: "Philip Paeps" <philip at trouble.is>
> To: "User questions" <users at lists.rspamd.com>
> Sent: 22.10.2020 11:19:53
> Subject: Re: [Rspamd-Users] DKIM not signing - help debugging
>
>> On 2020-10-22 17:17:12 (+0800), Philip Paeps wrote:
>>
>>> On 2020-10-22 14:47:18 (+0800), André Peters wrote:
>>>
>>>> ------ Original Message ------
>>>> From: "Philip Paeps" <philip at trouble.is>
>>>> To: "User questions" <users at lists.rspamd.com>
>>>> Sent: 22.10.2020 08:27:59
>>>> Subject: [Rspamd-Users] DKIM not signing - help debugging
>>>>
>>>>> rspamd is no longer DKIM signing my outbound email and I don't 
>>>>> understand why.
>>>>>
>>>>> As far as I can tell, nothing relevant has changed in the 
>>>>> configuration.
>>>>>
>>>>> The only thing I can glean from the logs is:
>>>>>
>>>>> 2020-10-22 06:14:20 #63177(rspamd_proxy) <0e6dd1>; dkim_signing; lua_dkim_tools.lua:170: mail is ineligible for signing
>>>>>
>>>>> This is with debug_modules = [ "dkim_signing" ] in 
>>>>> local.d/logging.inc
>>>>>
>>>>> Any ideas on how I can debug this effectively?  Permissions 
>>>>> haven't changed, configuration hasn't changed.  I am confused.
>>>>>
>>>>> Many thanks!
>>>>> Philip
>>>>>
>>>>> -- Philip Paeps
>>>>> Senior Reality Engineer
>>>>> Alternative Enterprises
>>>>> -- Users mailing list
>>>>> Users at lists.rspamd.com
>>>>> https://lists.rspamd.com/mailman/listinfo/users
>>>>
>>>> Hi,
>>>>
>>>> Can you post your dkim signing config?
>>>>
>>>>   if settings.sign_authenticated and auser then
>>>>     lua_util.debugm(N, task, 'user is authenticated')
>>>>     is_authed = true
>>>>   elseif (settings.sign_networks and settings.sign_networks:get_key(ip)) then
>>>>     is_sign_networks = true
>>>>     lua_util.debugm(N, task, 'mail is from address in sign_networks')
>>>>   elseif settings.sign_local and is_local then
>>>>     lua_util.debugm(N, task, 'mail is from local address')
>>>>   elseif settings.sign_inbound and not is_local and not auser then
>>>>     lua_util.debugm(N, task, 'mail was sent to us')
>>>>   else
>>>>     lua_util.debugm(N, task, 'mail is ineligible for signing')
>>>>     return false,{}
>>>>   end
>>>>
>>>> See all non-matching criteria above. At least one setting must 
>>>> match to sign.
>>>
>>> dkim_signing {
>>>     use_esld = true;
>>>     allow_hdrfrom_mismatch = false;
>>>     selector = "dkim";
>>>     symbol = "DKIM_SIGNED";
>>>     sign_networks [
>>>         "127.2.4.7",
>>>     ]
>>>     domain {
>>>         trouble.is {
>>>             selector = "20190809-2048-eihatoow";
>>>         }
>>>     }
>>>     allow_envfrom_empty = true;
>>>     try_fallback = true;
>>>     sign_authenticated = true;
>>>     path = "/usr/local/etc/rspamd/local.d/dkim_keys/$domain.$selector.key";
>>>     use_redis = false;
>>>     allow_username_mismatch = true;
>>>     sign_local = true;
>>>     key_prefix = "DKIM_KEYS";
>>>     use_domain = "header";
>>>     allow_hdrfrom_multiple = false;
>>> }
>>>
>>> I should match the first condition: I am authenticated and 
>>> sign_authenticated is set to true.
>>
>> But I'm not seeing the "user is authenticated" debug statement!  Aha.
>>
>> So ... the real question becomes: how do I tell rspamd that I am 
>> authenticated?  Or possibly: why did it used to be able to tell but 
>> can't anymore?
>>
>> Many thanks!
>>
>> Philip
>>
>> -- Philip Paeps
>> Senior Reality Engineer
>> Alternative Enterprises
>>
>
> Hmm, but you _are_ authenticated? Which MTA do you use?

I use Postfix.

And I think I'm close to figuring it out.  My last two replies to the 
list _were_ signed.

The one thing that changed on my network is that rtadvd is running again 
and my laptop is getting an IPv6 address.  The messages that came in 
over IPv4 matched this local settings block:

```
toothfairy {
   ip = "2404:c800:9016:46a:4262:31ff:fe11:af6f";
   ip = "116.49.135.125";
   from = "root at toothfairy.yoo.trouble.is";
   from = "devnull at trouble.is";
   from = "printer-noreply at trouble.is";
   from = "philip at trouble.is";
   priority = high;
   want_spam = yes;
}
```

That block exists so the malformed email produced by my printer/scanner 
can get through rspamd unharmed.

When my laptop doesn't have an IPv6 address, it's NATed behind 
116.49.135.125.

So ... hypothesis: when a message matches this block, DKIM signing does 
not happen.  When it does not match this block, DKIM signing happens.

Testing my hypothesis by disabling IPv6 on my laptop for sending this 
message.  If this message is not signed, we know why.  Then I just have 
to fix it. ;-)

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
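
A small triage script for the debug output discussed in this thread, added here as an example (it is not part of the original message or of rspamd). It parses `dkim_signing` debug lines in the layout of the log line quoted above and reports, per task, which branch of the quoted eligibility check fired. The second sample line, including its task id and source line number, is constructed.

```python
import re
from collections import OrderedDict

# Debug messages emitted by the eligibility check quoted in the thread,
# mapped to the setting whose branch produced them.
BRANCHES = {
    "user is authenticated": "sign_authenticated",
    "mail is from address in sign_networks": "sign_networks",
    "mail is from local address": "sign_local",
    "mail was sent to us": "sign_inbound",
    "mail is ineligible for signing": None,  # no branch matched
}

# Line layout taken from the single log line shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"#(?P<pid>\d+)\((?P<worker>[^)]+)\) "
    r"<(?P<task>[^>]+)>; dkim_signing; "
    r"(?P<src>[^:]+:\d+): (?P<msg>.*)$"
)


def triage(lines):
    """Return {task_id: matched_setting or None} for dkim_signing debug lines."""
    result = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["msg"] not in BRANCHES:
            continue  # not an eligibility message
        result[m["task"]] = BRANCHES[m["msg"]]
    return result


def ineligible(lines):
    """Task ids for which none of the four signing conditions matched."""
    return [task for task, setting in triage(lines).items() if setting is None]


# First line is the one quoted in the thread; the second is constructed.
SAMPLE = [
    "2020-10-22 06:14:20 #63177(rspamd_proxy) <0e6dd1>; dkim_signing; "
    "lua_dkim_tools.lua:170: mail is ineligible for signing",
    "2020-10-22 06:20:02 #63177(rspamd_proxy) <a41c9e>; dkim_signing; "
    "lua_dkim_tools.lua:158: user is authenticated",
]

if __name__ == "__main__":
    for task, setting in triage(SAMPLE).items():
        print(task, "->", setting or "INELIGIBLE (no sign_* condition matched)")
```
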

