I'm having an issue where my DKIM signatures are failing everywhere. There was a question on this here, but the original poster answered his own question, and the answer seems unrelated. After some digging, I had thought this might be a canonicalization problem with OpenDKIM and that the FixCRLF config setting might fix it, but it seems not to have done so. Now I'm thinking there might be some problem with my openssl implementation (see why below). How do I progress from here to further diagnose and fix this?
My diagnostic steps to date
This originally surfaced when I noticed that emails from my self-hosted domains to my gmail account had DKIM failures in the header. After some googling for how to test this, I discovered that the OpenDKIM README includes a section on testing. It seems a little out of date, as a couple of the resources don't really work ([email protected] seems not to exist, and [email protected] bounces the message as spam, which ... isn't really ideal for a testing service :) ); however, the Port25 verifiers seemed initially to be really useful, because they don't just tell you that you fail, they include the canonicalized headers. So, my first test came back with this:
Canonicalized Headers:
from:My'20'Name'20'<[email protected]>'0D''0A'
subject:Port25'20'check-auth'20'1'0D''0A'
date:Fri,'20'1'20'Oct'20'2021'20'07:10:19'20'+0200'0D''0A'
to:[email protected]'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=mydomain.com;'20's=default;'20't=1633065019;'20'bh=2ZDQvBeN3kIWoOxg0Ccz1E/Pi+j4hDPFKwXDhxotTAA=;'20'h=From:Subject:Date:To:From;'20'b=
I had turned on KeepTemporaryFiles in opendkim.conf, and the saved conanicalized headers on my server side look like this:
from:My Name <[email protected]>
subject:Port25 check-auth 1
date:Fri, 1 Oct 2021 07:10:19 +0200
to:[email protected]
dkim-signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=default; t=1633065019; bh=2ZDQvBeN3kIWoOxg0Ccz1E/Pi+j4hDPFKwXDhxotTAA=; h=From:Subject:Date:To:From; b=
To my eyes, those looked identical, but I started to wonder about the '0D''0A' on the Port25 side of things. I'm sending the original message from a Mac, and actually didn't know off the top of my head what MacOS uses for EOL. Some more googling and I stumbled upon this stackoverflow Q&A. That led me first to try sending plain-text email, but the same failure problem occurred. Going for the other option, I turned on FixCRLF in OpendDKIM. Indeed, opening the local temp file with vim in binary mode, it seems the setting is working:
from:My Name <[email protected]>^M
subject:Test with CRLF fixed(?)^M
date:Fri, 1 Oct 2021 07:40:52 +0200^M
to:[email protected]^M
dkim-signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=default; t=1633066853; bh=tt5a2hZTsPGjeXhj9bcF3Kt9N5uk4aYb/j8ciXTYUZA=; h=From:Subject:Date:To:From; b=
Unfortunately, still no love from the Port25 verifier.
As my last-ditch effort, it occurred to try this on my own server — sending an email between two different domains that are both hosted locally. This got at least a little interesting.
The mail log says:
...
Oct 1 05:50:27 ip-10-0-200-157 opendkim[22246]: 654F98004C: DKIM-Signature field added (s=default, d=mydomain.com)
...
Oct 1 05:50:27 ip-10-0-200-157 amavis[21845]: (21845-06) Checking: hRgGGArUlLf0 [88.101.121.213] <[email protected]> -> <[email protected]>
...
Oct 1 05:50:29 ip-10-0-200-157 amavis[21845]: (21845-06) hRgGGArUlLf0 FWD from <[email protected]> -> <[email protected]>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5248A80051
Oct 1 05:50:29 ip-10-0-200-157 amavis[21845]: (21845-06) Passed CLEAN {RelayedInbound}, [88.101.121.213]:63859 [88.101.121.213] <[email protected]> -> <[email protected]>, Queue-ID: 654F98004C, Message-ID: <[email protected]>, mail_id: hRgGGArUlLf0, Hits: -0.799, size: 3683, queued_as: 5248A80051, 1878 ms
HOWEVER, in the actual headers of the received mail, I see
...
X-Spam-Status: No, score=-0.799 tests=[ALL_TRUSTED=-1, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001] autolearn=no autolearn_force=no
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=default; t=1633067427; bh=+FsxBlX8LDcIVqvq7tKOtml1vsfEjh0rYTRVokBgmQ4=; h=From:Subject:Date:To:From; b=yDkI63wnvN8deIU4AtruGu4r/ybCTBLzmdwkTEhSYNCU56oGp0lP8n4FnXW7H67TL DFtlw/U9/MZPhR0Jeorl3gBdLebBV02v60wpLlFKXF5N4NL/cZbp8/U0liGZGVPoWj PP+OV/uOwNMDUhLG2I8jN88Zi9sHduo8xr7DOmy4=
...
Dkim-Filter: OpenDKIM Filter v2.11.0 ip-10-0-200-157.eu-central-1.compute.internal 654F98004C
...
Authentication-Results: mx.mymaildomain.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (OpenSSL error: data too large for modulus)" header.d=mydomain.com
That last line is my only remaining clue. I ... can't imagine that any data is actually too large, but maybe I'm having some OpenSSL problem? In particular, even though it's applying a signature, the signature is somehow wrong? I'm really quite at a loss as to where to go from here.
Any suggestions on what's wrong, or what to do next, much appreciated.
This is with OpendDKIM, AmavisD, Postfix:
# opendkim -V
opendkim: OpenDKIM Filter v2.11.0
Compiled with OpenSSL 1.0.1e-fips 11 Feb 2013
SMFI_VERSION 0x1000001
libmilter version 1.0.1
Supported signing algorithms:
rsa-sha1
rsa-sha256
Supported canonicalization algorithms:
relaxed
simple
Active code options:
QUERY_CACHE
USE_DB
USE_LDAP
USE_ODBX
libopendkim 2.11.0: query_cache
# amavisd -V
amavisd-new-2.12.0 (20190725)
# postconf mail_version
mail_version = 2.10.1
0 Answers