[Rspamd-Users] DKIM not signing - help debugging

Philip Paeps philip at trouble.is
Fri Oct 23 02:28:20 UTC 2020


On 2020-10-22 17:48:06 (+0800), Philip Paeps wrote:
> On 2020-10-22 17:36:10 (+0800), André Peters wrote:
>
>> ------ Original message ------
>> From: "Philip Paeps" <philip at trouble.is>
>> To: "User questions" <users at lists.rspamd.com>
>> Sent: 22.10.2020 11:19:53
>> Subject: Re: [Rspamd-Users] DKIM not signing - help debugging
>>
>>> On 2020-10-22 17:17:12 (+0800), Philip Paeps wrote:
>>>
>>>> On 2020-10-22 14:47:18 (+0800), André Peters wrote:
>>>>
>>>>> ------ Original message ------
>>>>> From: "Philip Paeps" <philip at trouble.is>
>>>>> To: "User questions" <users at lists.rspamd.com>
>>>>> Sent: 22.10.2020 08:27:59
>>>>> Subject: [Rspamd-Users] DKIM not signing - help debugging
>>>>>
>>>>>> rspamd is no longer DKIM signing my outbound email and I don't 
>>>>>> understand why.
>>>>>>
>>>>>> As far as I can tell, nothing relevant has changed in the 
>>>>>> configuration.
>>>>>>
>>>>>> The only thing I can glean from the logs is:
>>>>>>
>>>>>> 2020-10-22 06:14:20 #63177(rspamd_proxy) <0e6dd1>; dkim_signing; lua_dkim_tools.lua:170: mail is ineligible for signing
>>>>>>
>>>>>> This is with debug_modules = [ "dkim_signing" ] in 
>>>>>> local.d/logging.inc
>>>>>>
>>>>>> Any ideas on how I can debug this effectively?  Permissions 
>>>>>> haven't changed, configuration hasn't changed.  I am confused.
>>>>>>
>>>>>> Many thanks!
>>>>>> Philip
>>>>>>
>>>>>> -- Philip Paeps
>>>>>> Senior Reality Engineer
>>>>>> Alternative Enterprises
>>>>>> -- Users mailing list
>>>>>> Users at lists.rspamd.com
>>>>>> https://lists.rspamd.com/mailman/listinfo/users
>>>>>
>>>>> Hi,
>>>>>
>>>>> Can you post your dkim signing config?
>>>>>
>>>>>   if settings.sign_authenticated and auser then
>>>>>     lua_util.debugm(N, task, 'user is authenticated')
>>>>>     is_authed = true
>>>>>   elseif (settings.sign_networks and settings.sign_networks:get_key(ip)) then
>>>>>     is_sign_networks = true
>>>>>     lua_util.debugm(N, task, 'mail is from address in sign_networks')
>>>>>   elseif settings.sign_local and is_local then
>>>>>     lua_util.debugm(N, task, 'mail is from local address')
>>>>>   elseif settings.sign_inbound and not is_local and not auser then
>>>>>     lua_util.debugm(N, task, 'mail was sent to us')
>>>>>   else
>>>>>     lua_util.debugm(N, task, 'mail is ineligible for signing')
>>>>>     return false,{}
>>>>>   end
>>>>>
>>>>> See all non-matching criteria above. At least one setting must 
>>>>> match to sign.
>>>>
>>>> dkim_signing {
>>>>     use_esld = true;
>>>>     allow_hdrfrom_mismatch = false;
>>>>     selector = "dkim";
>>>>     symbol = "DKIM_SIGNED";
>>>>     sign_networks [
>>>>         "127.2.4.7",
>>>>     ]
>>>>     domain {
>>>>         trouble.is {
>>>>             selector = "20190809-2048-eihatoow";
>>>>         }
>>>>     }
>>>>     allow_envfrom_empty = true;
>>>>     try_fallback = true;
>>>>     sign_authenticated = true;
>>>>     path = "/usr/local/etc/rspamd/local.d/dkim_keys/$domain.$selector.key";
>>>>     use_redis = false;
>>>>     allow_username_mismatch = true;
>>>>     sign_local = true;
>>>>     key_prefix = "DKIM_KEYS";
>>>>     use_domain = "header";
>>>>     allow_hdrfrom_multiple = false;
>>>> }
>>>>
>>>> I should match the first condition: I am authenticated and 
>>>> sign_authenticated is set to true.
>>>
>>> But I'm not seeing the "user is authenticated" debug statement!  
>>> Aha.
>>>
>>> So ... the real question becomes: how do I tell rspamd that I am 
>>> authenticated?  Or possibly: why did it used to be able to tell but 
>>> can't anymore?
>>>
>>> Many thanks!
>>>
>>> Philip
>>>
>>
>> Hmm, but you _are_ authenticated? Which MTA do you use?
>
> I use Postfix.
>
> And I think I'm close to figuring it out.  My last two replies to the 
> list _were_ signed.
>
> The one thing that changed on my network is that rtadvd is running 
> again and my laptop is getting an IPv6 address.  The messages that 
> came in over IPv4 matched this local settings block:
>
> ```
> toothfairy {
>   ip = "2404:c800:9016:46a:4262:31ff:fe11:af6f";
>   ip = "116.49.135.125";
>   from = "root at toothfairy.yoo.trouble.is";
>   from = "devnull at trouble.is";
>   from = "printer-noreply at trouble.is";
>   from = "philip at trouble.is";
>   priority = high;
>   want_spam = yes;
> }
> ```
>
> That block exists so the malformed email produced by my 
> printer/scanner can get through rspamd unharmed.
>
> When my laptop doesn't have an IPv6 address, it's NATed behind 
> 116.49.135.125.
>
> So ... hypothesis: when a message matches this block, DKIM signing 
> does not happen.  When it does not match this block, DKIM signing 
> happens.
>
> Testing my hypothesis by disabling IPv6 on my laptop for sending this 
> message.  If this message is not signed, we know why.  Then I just 
> have to fix it. ;-)

So that message wasn't signed.  I've done some more experimenting and I 
can confirm that every message that hits that settings block does not 
get signed.  Can anyone help me understand why?

Thanks.
Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
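
An added example, not part of the thread and not rspamd's own code: a Python model of the branch order in the Lua excerpt quoted above, evaluated with the values from the posted dkim_signing config. The `is_local` input and the treatment of the unset `sign_inbound` as off are assumptions; the cases show that once no authenticated user reaches the check, an external client address leaves no branch that can match.

```python
import ipaddress

# Values copied from the dkim_signing config quoted in the thread.
SETTINGS = {
    "sign_authenticated": True,
    "sign_networks": ["127.2.4.7"],
    "sign_local": True,
    "sign_inbound": False,  # not present in the quoted config; assumed off
}


def signing_eligibility(settings, auser, ip, is_local):
    """Return (eligible, debug_message), following the quoted Lua branch order.

    auser    -- authenticated user name as seen by the check, or None/""
    ip       -- client address as a string (IPv4 or IPv6)
    is_local -- assumption: whether the address counts as local
    """
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(n, strict=False)
            for n in settings.get("sign_networks") or []]

    if settings.get("sign_authenticated") and auser:
        return True, "user is authenticated"
    if any(addr in net for net in nets):
        return True, "mail is from address in sign_networks"
    if settings.get("sign_local") and is_local:
        return True, "mail is from local address"
    if settings.get("sign_inbound") and not is_local and not auser:
        return True, "mail was sent to us"
    return False, "mail is ineligible for signing"


# Constructed test cases; the addresses are the ones mentioned in the thread.
CASES = [
    ("philip", "116.49.135.125", False),
    (None, "116.49.135.125", False),
    (None, "2404:c800:9016:46a:4262:31ff:fe11:af6f", False),
    (None, "127.2.4.7", False),
]


def run_cases(settings=SETTINGS, cases=CASES):
    """Evaluate every constructed case and return the (eligible, message) pairs."""
    return [signing_eligibility(settings, *case) for case in cases]


if __name__ == "__main__":
    for case, result in zip(CASES, run_cases()):
        print(case, "->", result)
```
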

