Comment 30 for bug 1770532

Adam Jacobs (bllfr0g) wrote : Re: [Bug 1770532] Re: DKIM signing not working in bionic

Thanks++

> On Nov 5, 2018, at 02:06, Christian Ehrhardt <email address hidden> wrote:
>
> Thanks Thomas!
>
> ** Tags removed: verification-needed verification-needed-bionic
> ** Tags added: verification-done verification-done-bionic
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1770532
>
> Title:
> DKIM signing not working in bionic
>
> Status in amavisd-new package in Ubuntu:
> Fix Released
> Status in amavisd-new source package in Bionic:
> Fix Committed
> Status in amavisd-new source package in Cosmic:
> Fix Released
> Status in amavisd-new package in Debian:
> Confirmed
>
> Bug description:
> [Impact]
>
> * There is a known upstream issue in 2.0.11 breaking DKIM signing.
> - https://bugzilla.redhat.com/show_bug.cgi?id=1364730
> - https://lists.amavis.org/pipermail/amavis-users/2018-February/005292.html
>
> * given the activity on the report it seems plenty of people set this up
> pre-Bionic and are now running into these failures on upgrade to the
> current LTS.
>
> * Add a fix to avoid more people being hit by this on upgrade and forced
> to deploy workarounds (or drop the functionality)
>
> [Test Case]
>
> * Set up amavisd for DKIM signing, see
> https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
> or any of
> https://www.faqforge.com/linux/how-to-enable-dkim-email-signatures-in-amavisd-new-and-ispconfig-3/
> https://nwgat.ninja/setting-up-dkim-and-spf-with-amavis-on-ubuntu-16-04-2/
> ...
> There seem to be a lot all doing the same essential steps.
>
> TL;DR would be:
> $ apt install amavisd-new
> $ mkdir -p /var/db/dkim/
> $ amavisd-new genrsa /var/db/dkim/example-foo.key.pem
> Add in /etc/amavis/conf.d/21-ubuntu_defaults
> $enable_dkim_signing = 1;
> dkim_key('example.com', 'foo', '/var/db/dkim/example-foo.key.pem');
> @dkim_signature_options_bysender_maps = (
> { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
> @mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
> 192.168.0.0/16); # list your internal networks
> - Now showkeys will report your key including the public key you'll need
> - amavisd-new showkeys
> - add the public key (as displayed) to your DNS zone, increment SOA sequence number and reload DNS;
> - then test signing and a published key
> - amavisd-new testkeys
>
> Nevertheless you'd need to set up a lot of details and it feels
> unclear if you test the right thing, therefore my preference is with so
> many users reporting about the issue to rely on them to test their
> real setups.
>
> [Regression Potential]
>
> * Lacking upstream being active there is always a chance things are
> missed, but multiple people came up with very similar solutions and
> multiple people tested these successfully.
> The actual change sets the originating flag where it is needed on the
> creation of dkim signatures.
> Due to that setups not triggering dkim_make_signatures should not be
> affected at all. And those that use dkim_make_signatures are those
> failing now due to the issue.
>
> [Other Info]
>
> * Upstream seems essentially dead atm, so it is on the community (users
> reporting patches on the ML) and the Distributions (e.g. Fedora have
> taken a very similar change) alone for now.
> * For some extra confidence I'd ask for some extra time in proposed for
> this update.
>
> ----
>
> Upon upgrading to bionic, amavisd-new DKIM signing no longer works.
>
> A quick google search reveals that this is a known bug in amavisd
> 2.11.0:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1364730
> https://lists.amavis.org/pipermail/amavis-users/2018-February/005292.html
>
> The redhat bug includes a proposed (one-line) patch. Fedora has
> already taken up this patch in their repo. I've applied the patch to
> my bionic server and it is a good fix there, too.
>
> Requesting that ubuntu also includes this patch in its repo.
>
> ProblemType: Bug
> DistroRelease: Ubuntu 18.04
> Package: amavisd-new 1:2.11.0-1ubuntu1 [modified: usr/sbin/amavisd-new]
> ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
> Uname: Linux 4.15.0-20-generic x86_64
> ApportVersion: 2.20.9-0ubuntu7
> Architecture: amd64
> Date: Thu May 10 18:57:32 2018
> PackageArchitecture: all
> ProcEnviron:
> TERM=xterm-256color
> PATH=(custom, no user)
> XDG_RUNTIME_DIR=<set>
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> SourcePackage: amavisd-new
> UpgradeStatus: Upgraded to bionic on 2018-05-10 (0 days ago)
> modified.conffile..etc.amavis.conf.d.15-content_filter_mode: [modified]
> modified.conffile..etc.amavis.conf.d.50-user: [modified]
> mtime.conffile..etc.amavis.conf.d.15-content_filter_mode: 2016-12-11T19:39:20.357027
> mtime.conffile..etc.amavis.conf.d.50-user: 2017-06-19T06:44:56.517411
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/amavisd-new/+bug/1770532/+subscriptions
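A regression check for the test case quoted above, as an added example that is not part of the bug report or of amavisd-new: it inspects a message that has passed through the filter and reports whether it carries a DKIM-Signature matching the `dkim_key('example.com', 'foo', ...)` and `@dkim_signature_options_bysender_maps` settings. The function names and the sample messages are constructed for illustration, and it assumes the `ttl` option shows up as the difference between the signature's `x=` and `t=` tags.

```python
from email import message_from_string

EXPECTED_TTL = 21 * 24 * 3600  # ttl from the quoted signature options

def parse_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    compact = "".join(header_value.split())  # drop folding whitespace
    tags = {}
    for part in compact.split(";"):
        if part:
            name, _, value = part.partition("=")
            tags[name] = value
    return tags

def check_signing(raw_message, domain="example.com", selector="foo",
                  canon="relaxed/simple", ttl=EXPECTED_TTL):
    """Return a list of problems; an empty list means the expected signature is there."""
    headers = message_from_string(raw_message).get_all("DKIM-Signature") or []
    if not headers:
        return ["no DKIM-Signature header: message was not signed"]
    for value in headers:
        tags = parse_tags(value)
        if tags.get("d") != domain or tags.get("s") != selector:
            continue  # signature added by some other domain or selector
        problems = []
        if tags.get("c") != canon:
            problems.append(f"c={tags.get('c')} but {canon} is configured")
        t, x = tags.get("t", ""), tags.get("x", "")
        if not (t.isdigit() and x.isdigit()):
            problems.append("t= or x= tag missing, ttl cannot be checked")
        elif int(x) - int(t) != ttl:
            problems.append(f"x-t is {int(x) - int(t)}s, expected {ttl}s")
        return problems
    return [f"no signature for d={domain} s={selector}"]

# Constructed sample: a signed message as it should look after the fix.
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=foo;\n"
    " t=1541383560; x=1543197960; h=from:to:subject;\n"
    " bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: alice@example.com\nTo: bob@example.net\nSubject: test\n\nbody\n"
)
# Constructed sample: the same message with the signature absent (the reported symptom).
UNSIGNED = SIGNED.split("\n", 3)[3]

if __name__ == "__main__":
    print(check_signing(SIGNED), check_signing(UNSIGNED))
```

This only confirms that a signature with the configured tags was added; whether the published DNS key matches the private key is what `amavisd-new testkeys` checks.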