[Rspamd-Users] rspamd DKIM, Mimecast and Content-Encoding

Benny Pedersen me at junc.eu
Mon Oct 21 14:48:33 UTC 2024 

Florian Effenberger skrev den 2024-10-21 15:41:
> Hello,
> 
> lately, I've been struggling to send a message to a domain that 
> recently switched to Mimecast. I get DKIM rejections for the majority, 
> but not for all messages. Clients are mostly Thunderbird and Roundcube.
> 
> I consider my setup pretty much standard (DKIM signing in rspamd via 
> Postfix milter, no other filters that change mail content), and all 
> major e-mail providers and half a dozen of DKIM/DMAR testing sites 
> confirm the signature is proper.
> 
> I now tested it with aboutmy.email and get errors on the message body 
> signature, but only if the Content-Transfer-Encoding is 8bit. If I 
> switch to quoted-printable, it works just fine - and I can confirm I 
> can deliver to the Mimecast-enabled domain in this case as well.
> 
> My dkim_signing.conf and my arc.conf contain this:
> (FreeBSD, but I have the same problem on Debian with the rspamd-Repo)
> 
> path = "/usr/local/var/lib/rspamd/dkim/$selector.key";
> selector_map = "/usr/local/etc/rspamd/dkim_selectors.map";
> allow_username_mismatch = true;

why this ?

> try_fallback = false;
> use_esld = false;
> 
> For years I never had any deliverability issue, rspamd is just rock 
> solid for me, so I wonder whether I miss something here... anyone has 
> any advice where to start looking for?

X-Spam-Status	Yes, score=6.37 tagged_above=-999 required=5 
tests=[AUTHRES_DKIM_FAIL=0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, 
DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.17, 
KAM_DMARC_STATUS=3, MAILING_LIST_MULTI=-0.1, RELAYCOUNTRY_BAD_DE=0.5, 
RELAYCOUNTRY_GOOD=-0.5, SPF_HELO_NONE=3, SPF_PASS=-0.1] autolearn=no 
autolearn_force=no
ARC-Authentication-Results	i=1; mail.rspamd.net; dkim=fail ("body hash 
did not verify") header.d=effenberger.org header.s=202410 
header.b=MXy1XUNL
Authentication-Results	mx.junc.eu (amavisd-new); dkim=pass (1024-bit 
key) header.d=lists.rspamd.com header.b="b1+0y5Hs"; dkim=fail (2048-bit 
key) reason="fail (message has been altered)" header.d=effenberger.org 
header.b="MXy1XUNL"
Authentication-Results	mail.rspamd.net; dkim=fail ("body hash did not 
verify") header.d=effenberger.org header.s=202410 header.b=MXy1XUNL

why is sys4.de have spf helo none ?

why is sys4 using rspamd BEFORE openARC is validated, its currently 
AFTER dkim is breaked  :(

yes i know rspamd can do the task with ARC, but imho the mail flow is 
incorrect, if mailman3 is doing its job before rspamd, it breaks

in your dkim signer please disable 8bitmime before dkim signing

> 
> Thanks a lot
> Florian

More information about the Users mailing list