opendkim double header signing following Postfix/DKIM guide if amavis is also in use

Bug #1218335 reported by Anders F. U. Kiær
This bug affects 4 people
Affects: Ubuntu Server Guide
Status: Fix Released
Importance: Undecided
Assigned to: Anders F. U. Kiær

Bug Description

Following the guide at https://help.ubuntu.com/community/Postfix/DKIM will make opendkim sign the message two times if you already have postfix using amavis.

To the core of the issue: postfix will use the (opendkim) milter before handing the message to amavis. Then, when amavis puts it back in the postfix queue, postfix will send it to the (opendkim) milter for a 2nd signature before delivering it.

Solution: add a notice under common error and fixes for others that might have the same issue with Postfix/opendkim double signing when also using amavis.

One way to correct it is adding the no_milters parameter to the list of receive_override_options when putting the message back in the postfix queue. That is done in the postfix main.cf.

snippet: /etc/postfix/main.cf -

127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

Reason for putting it under this article: many newcomers believe it is an issue with the postfix/opendkim settings and not with the way you feed messages back to the queue from amavis.
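The check this report describes, as an added example (not part of the original report and not Postfix code): a Python script that reads master.cf-style service entries, finds smtpd listeners that clear content_filter (the amavis re-injection pattern above), and reports those where no_milters is missing from receive_override_options. It also flags a value split by whitespace after a comma, since master.cf does not allow whitespace inside a plain -o name=value. The sample entries are constructed, and only the plain -o name=value form is handled.

```python
# Constructed master.cf excerpt: an amavis re-injection listener modelled on
# the one in this report, once with a space after a comma and once without.
SAMPLE = """\
smtp      inet  n  -  -  -  -  smtpd
127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o receive_override_options=no_header_body_checks, no_milters
127.0.0.1:10026 inet n - - - - smtpd
        -o content_filter=
        -o receive_override_options=no_header_body_checks,no_milters
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks and comments."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def audit(text):
    """Return {service: [findings]} for smtpd listeners that clear content_filter."""
    report = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        args, overrides, stray = fields[8:], {}, []
        for prev, tok in zip([""] + args, args):
            if prev == "-o":
                name, _, value = tok.partition("=")
                overrides[name] = value
            elif not tok.startswith("-"):
                stray.append(tok)  # token that belongs to no -o option
        if overrides.get("content_filter") != "":
            continue  # content_filter not cleared: not a re-injection listener
        findings = [f"stray argument {s!r} (whitespace inside an -o value)" for s in stray]
        opts = overrides.get("receive_override_options", "").split(",")
        if "no_milters" not in opts:
            findings.append("no_milters not set: milters run again on re-injected mail")
        report[fields[0]] = findings
    return report
```

Calling audit() on the text of a real master.cf returns an empty findings list for each re-injection listener that is configured as this report recommends.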

Anders F. U. Kiær (ablacksheep) wrote :

Correction:
It was not the correct place to file the bug, as the serverguide does not contain signing. But with the current configuration in line 1616 ( http://bazaar.launchpad.net/~ubuntu-core-doc/serverguide/raring/view/head:/serverguide/C/mail.xml#L1616 ), the same double header signing (double run of milters) will be triggered when people change opendkim to sign.

The double run of milters may also cause other double actions that are not really needed.

Changed in serverguide:
assignee: nobody → Anders F. U. Kiær (ablacksheep)
Doug Smythies (dsmythies) wrote :

If you are going to fix it in the serverguide, then please fix it in the main branch. It is unlikely that 13.04 will ever get re-published, and we would want it fixed in the main branch and going forward.

Changed in serverguide:
status: New → Fix Committed
Changed in serverguide:
status: Fix Committed → Fix Released
Stefan Stefanov (s-stefanov) wrote :

Fix doesn't work for me, still having error messages from Amavis:

Dec 16 06:13:13 Server amavis[3835]: (03835-01) dkim: public key s=default d=mydomain.com v=DKIM1 g=* h=sha256 k=rsa t=s
Dec 16 06:13:13 Server amavis[3835]: (03835-01) dkim: FAILED Author+Sender+MailFrom signature by d=mydomain.com, From: <email address hidden>, a=rsa-sha256, c=simple/simple, s=default, <email address hidden>, ORIG [192.168.0.100]:40247, fail (OpenSSL error: data too small for key size)

I tried disabling DKIM signing by adding "$enable_dkim_signing = 0;" to /etc/amavis/conf.d/50-user - no joy. Any other ideas?

Fleish (lasnchpad) wrote :

Thanks for logging this bug. I'm not running amavis, but was having the same problem because of a different content_filter.

Stefan Stefanov (s-stefanov) wrote :

Ignore comment #3. Issue was not in opendkim but amavis - setting

$enable_dkim_verification = 0

in

/etc/amavis/conf.d/21-ubuntu_defaults

fixed it.

Thommie Rother (t-rother) wrote :

On 16.04 LTS I tried both solutions:

a) $enable_dkim_verification = 0 in /etc/amavis/conf.d/21-ubuntu_defaults
b) receive_override_options=no_header_body_checks,no_unknown_recipient_checks, no_milters in master.cf

I get either NO DKIM signature or two of them. Any new ideas?

Greetings, Thommie
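To tell which of those outcomes a delivered test message shows, the following added example (not from this thread) counts DKIM-Signature headers per d=/s= pair in a raw message. A message may legitimately carry signatures from different domains or selectors, so only a repeated pair is reported as double signing. The sample message and its signature data are constructed placeholders.

```python
from collections import Counter
from email import message_from_string

# Constructed message: two signatures with the same domain and selector, as a
# second milter pass would add. bh=/b= values are placeholders, not real data.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;\n"
    "\ts=default; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER2\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;\n"
    "\ts=default; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER1\n"
    "From: sender@example.com\n"
    "To: rcpt@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def dkim_tags(value):
    """Parse a DKIM-Signature tag list (tag=value; ...) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def signature_counts(raw_message):
    """Count DKIM-Signature headers per (d=, s=) pair."""
    msg = message_from_string(raw_message)
    sigs = [dkim_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    return Counter((t.get("d"), t.get("s")) for t in sigs)

def verdict(raw_message):
    """Classify a message as 'unsigned', 'ok' or 'double-signed'."""
    counts = signature_counts(raw_message)
    if not counts:
        return "unsigned"
    return "double-signed" if max(counts.values()) > 1 else "ok"
```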

Bram Bug (bram2) wrote :

Having the same problem with spamassassin (spamass-milter)

when I change

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:54321, unix:spamass/spamass.sock
non_smtpd_milters = inet:localhost:54321, unix:spamass/spamass.sock
milter_connect_macros = j {daemon_name} v {if_name} _

to

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:54321
non_smtpd_milters = inet:localhost:54321
milter_connect_macros = j {daemon_name} v {if_name} _

(postfix main.cf)

I get only one DKIM Header....
