"headers rsa verify failed", but DKIM seems ok #4782
Replies: 1 comment
-
Came across your message while investigating the same issue. My situation: For me it seems to have been a Postfix header check/change done on rspamd server - it hides the LAN IP in the first received line for security reasons: File (/etc/postfix/main.cf): 'header_check' contents (1 line): Once I remove this check from postfix, DKIM passed fine from that server. Oddly enough, DMARC always showed 'passing' entire time. |
Beta Was this translation helpful? Give feedback.
-
I received a message from our servers, the first server with rspamd reported a failed validation and the next server reported a successful validation. This got my attention.
Message path: NEWSLETTER -> MAILHOST -> RELAY -> M365
The NEWSLETTER server created a message, which it forwarded to its MTA and so on. MAILHOST created DKIM signature. The destination mailbox is in M365. On RELAY is rspamd version 3.4 (from the OS repository).
Message headers:
The signature contains a
z=
parameter that contains a copy of the signed headers. Fun part, header from RELAY:and from M365
First check failed and second pass... part from rspamd log from RELAY:
My guess: "List-Unsubscribe:=0D=0A=20<https://www.med.muni.cz..."
List-Unsubscribe header, there is a newline before the value. This is confirmed by the "z" parameter in the DKIM signature "=0D=0A".
It looks like the rspamd DKIM check on RELAY ignores the rest of the header on subsequent lines (see logs), whereas M365 does not. Then the DKIM check on RELAY is fail and on M365 pass.
If my assumption is correct, is it possible to modify the behavior of the DKIM check to validate multi-line headers?
Beta Was this translation helpful? Give feedback.
All reactions