DKIM+disclaimer problems after upgrade to mail2 module

With Amavisd we don’t have the disclaimer issue even if the body has still been modified. Amavisd just added the header about it and did not play with the body hash.
DKIM accepted this, so this must be just the milter implementation in order to proceed with sending the message.

: There are some caveats you should be aware of before using MIMEDefang.
: MIMEDefang potentially alters e-mail messages. This breaks a “gentleman’s
: agreement” that mail transfer agents do not modify message bodies. This
: could cause problems, for example, with encrypted or signed messages.

I understand your concern, but I think this is a correct description because in the end we are modifying.

Amavisd-new disclaimer and DKIM signing | Howtoforge - Linux Howtos and Tutorials

This is an old thread and amavisd/milter is described, but it makes some sense and has a bit of code and config.
Looks like OpenDKIM should have options for which headers are restricted to signing and which are not.

Does the DKIM RFC allow not adding a body signature? If so, I’d expect a feature in OpenDKIM to disable it accordingly.

phpmailer - body has been altered failure on DKIM validation - Stack Overflow

Woo, maybe this is an easy fix for all of this?

It should, but I did not find good documentation on it… I must admit I did not search a lot.

Not tested yet, but done with python-milter.

It is intended for mailing lists because the body is modified to add trailers to messages (e.g. instructions on how to get off the list), but we come back to the same conclusion: RFC 6376 - DomainKeys Identified Mail (DKIM) Signatures

Then in /etc/opendkim.conf:

-Canonicalization        relaxed/relaxed
+Canonicalization        relaxed/simple
+MaximumSignedBytes     0
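Review bot: this hunk is presented as untested and, per the sentence that follows it, leaves only the From: header covered by the signature, which is exactly the outcome the next reply rejects from a security point of view; the direction the thread later settles on (keep signing the full body and run the DKIM step after alterMIME has altered the message) should be preferred over dropping body coverage.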

Only the From: field will be signed in the header and you reach the goal… but read this: RFC 6376 - DomainKeys Identified Mail (DKIM) Signatures

You have mentioned this before and we both agreed that not signing content at all is not exactly a way forward from a security point of view.
I also read this one today (I think you mentioned this as well):

Postfix Before-Queue Content Filter

I think this can be the best solution. Just not sure how difficult this one is to implement.

GitHub - dploeger/disclaimr: Disclaimr - Mail Disclaimer Server

This is interesting too.
Thank you for not giving up on this topic.
Hopefully the next few days will give us a clear direction.

I was responding to

This has had no updates for two years; it is an important step, with database interaction and a web interface to add a specific disclaimer based on the email address (probably by doing a regex on the From: field).

Let’s make a step back to this: the order of filters, which is the key of the issue.

:thinking: I wonder if it is possible to postpone the DKIM signature until after alterMIME, by running the opendkim-testmsg command in dfilt itself. Here:

nethserver-mail/disclaimer/usr/libexec/nethserver/disclaimer-send at 85a3921d74bd12dfdc6b74f16764faa5e99f3f83 · NethServer/nethserver-mail · GitHub

We should disable the DKIM milter wherever alterMIME is enabled; instead, run opendkim-testmsg in the disclaimer-send wrapper wherever both are enabled. It could be done with some logic in /etc/opendkim/SigningTable and disclaimer-send.
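An added illustration of why the filter order is the key of the issue (example code written for this thread, not NethServer's or OpenDKIM's code): it implements the RFC 6376 simple and relaxed body canonicalizations, computes the bh= body hash OpenDKIM would put in the signature, and shows that appending a disclaimer after signing makes the receiver's body-hash check fail, while altering first and hashing afterwards verifies. The message body and disclaimer are constructed samples.

```python
import base64
import hashlib
import re

# Constructed sample body and disclaimer (not taken from the thread).
ORIGINAL_BODY = b"Hello,\r\n\r\nplease find the report attached.\r\n"
DISCLAIMER = b"\r\n-- \r\nThis message is confidential. (constructed sample)\r\n"


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines; an empty body becomes one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs to one SP, strip trailing WSP on each
    line, drop trailing empty lines; an empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """The bh= tag value for this body with a=rsa-sha256 (base64 of SHA-256)."""
    c = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.sha256(c).digest()).decode()


def add_disclaimer(body: bytes) -> bytes:
    """What alterMIME does to a plain-text body: append the trailer."""
    return body + DISCLAIMER


def verify_bh(bh_tag: str, received_body: bytes, canon: str = "relaxed") -> bool:
    """Receiver side: recompute bh= over the body actually received."""
    return body_hash(received_body, canon) == bh_tag


def sign_then_disclaim() -> bool:
    """Broken order: the opendkim milter signs, alterMIME alters afterwards."""
    bh = body_hash(ORIGINAL_BODY)
    return verify_bh(bh, add_disclaimer(ORIGINAL_BODY))  # False: bh mismatch


def disclaim_then_sign() -> bool:
    """Fixed order: disclaimer-send alters first, then the body is hashed and signed."""
    delivered = add_disclaimer(ORIGINAL_BODY)
    return verify_bh(body_hash(delivered), delivered)  # True
```

The two canonicalization helpers also show why relaxed/relaxed survives whitespace reflows while simple does not, but neither survives an appended disclaimer, so changing the c= tag cannot fix the ordering problem.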


I’m experimenting with a bug fix and it looks promising: my first tests with Gmail and another NethServer MTA are successful! @quality_team, @zimny do you want to check it out?

Just install:

yum install http://packages.nethserver.org/nethserver/7.5.1804/autobuild/x86_64/Packages/nethserver-mail2-disclaimer-2.2.1-1.3.pr51.gef71036.ns7.noarch.rpm

These are the message headers from gmail:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@nethserver.net header.s=default header.b=jXUfOjEq;
       spf=pass (google.com: best guess record for domain of first.user@nethserver.net designates 206.189.5.67 as permitted sender) smtp.mailfrom=first.user@nethserver.net
Received: by mailx1.nethserver.net (Postfix, from userid 8)
	id 88A7240843D; Wed, 13 Jun 2018 09:12:02 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mailx1.nethserver.net 88A7240843D
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nethserver.net;
	s=default; t=1528881122;
	bh=VXQukySTlu0yBeapOLzbfJ08nlfQzTpTn7kpbApSToI=;
	h=Subject:From:To:Cc:Date:From;
	b=jXUfOjEq3p1deLM2N6jggPybqANUlyeE1M7KGSNQv33oFj1TuTp8f/1bqt6MlBl2H
	 4nA8Ff2o80Gl7Lv/80m+cS6/W1rxKy2wcbQby2GPp/tIh8HMl4q2OtGFoVqre4lsru
	 cHlBoUd3pSMpjxpA16PnPv4zXJlif72ZgR8M6AzPLKS0BMHpikmp07IkAz7ktfK5qw
	 wErO99odzTvCLWTyGQs9gdZhgHfrq81eCycF2DpoQEqmfCtjtmPspqYL4Kyp1tQr+n
	 TI35kzajLC7SaWoUVzcepplbGsnmHf4iI4yN8D0aqx4bx8Ynr3g+RbToPHio41vX9X
	 X/mHfJ6eolwrQ==

More info here:

https://github.com/NethServer/nethserver-mail/pull/51


Will do and appreciate your involvement!!!
Like I always said this community should be an example even for commercial products.
But now it is almost 11 o’clock in the morning, so it looks like Zimny is going to bed :slight_smile:
Promise to test against Google, Apple and my UK government subcontractor :slight_smile:
Fortunately I’m admin there and our test will not be threatened like a terrorist AlJasira :slight_smile: attack

Thank you for your work


There are some packages in nethserver-testing now!

Please @zimny, you lobbied for this fix: now it’s time to test! Run the following command:

  yum --enablerepo=nethserver-testing update nethserver-mail2-\*

Please @saitobenkei, give it a spin too: if this issue is verified, you can easily expand the solution and create personal signatures from it :wink:

Other people interested? Please step in! /cc @quality_team @danb35 @GG_jr


@stephdl found an issue. Patch added; download the new RPMs from nethserver-testing:

 yum --enablerepo=nethserver-testing update nethserver-mail2-\*

Hi Davide,

Sorry, but I was not able to do the check earlier.
I can confirm that in all my cases the issue is resolved.
DKIM verified, excellent work!


Davide, do you think this is a permanent fix, or will we get into it again when altermime is gone from the repo?

As we got multiple confirmations that the problem is solved, the fix is going to be released: in this way – yes – the fix is permanent.

The altermime package comes from RHEL/CentOS repositories. As the alterMIME project has been dead for years, everything depends on RHEL choices. I expect they’ll go on with it at least for the 7 lifecycle.

Altermime sends SIGSEGV sometimes, and is a dead project. The reason to still work on it for mail2 is providing backward compatibility and a smooth upgrade path. As the docs say, new implementations shouldn’t use it at all. They should go to a client-based solution instead; which one I don’t know (maybe Windows users can centralize the setup with GPOs?).

Let’s ask the @webtop_team: any improvement to disclaimer by your side?


Currently in the WebTop 5 roadmap it is not planned to implement any option that allows adding an automatic client-side disclaimer.

We will evaluate with the other components of the @webtop_team if something can be done in the future :thinking:


With SOGo it can be fully automated during the user creation/editing event (at least on SME, dunno here).
HTH


If I find the option to add the disclaimer (it has disappeared) I could also try…