postfix + opendkim: "Sender:" and "Message-Id" fields not included in signature

I got postfix and opendkim running. postfix communicates with opendkim via unix sockets. All this works as long as I don't add some special mail header fields to the list of fields that opendkim should sign.

postfix configuration:

main.cf:

...
smtpd_milters = unix:/var/spool/postfix/milter/opendkim

non_smtpd_milters = unix:/var/spool/postfix/milter/opendkim
...

In my opendkim.conf I have this entry:

...
AlwaysSignHeaders      To,Subject,MIME-Version,Content-Type,Sender,From,Message-Id,Date,Reply-To,List-Unsubscribe
...

If I send an email with the postfix sendmail command like this

sendmail -f [email protected] -i -t <<EOF
From: [email protected]
Sender: [email protected]
To: [email protected]
Subject: Test

Test
EOF

Gmail will inform me:

dkim=hardfail

Using the

Diagnostics true

entry in opendkim.conf, it was revealed via the "z=..." debug mail header entry that opendkim didn't include the "Message-Id" and "Sender" fields in the signature but reported their inclusion with the

h=From:To:Subject:Date:MIME-Version:Content-Type:Sender:Reply-To:List-Unsubscribe;

mail header entry.

Digging into this I found out that when I remove the Message-Id and Sender fields from the "AlwaysSignHeaders" entry in opendkim.conf, Gmail is happy again.

Because I send mail with the sendmail command I can be certain that at least the "Sender:" field has to be available to postfix and opendkim right from the start.

So if opendkim uses all header fields that it gets, then this means postfix is not giving opendkim all header fields. I tried to verify this by switching on verbose logging for the "cleanup" and "trivial-rewrite" processes of postfix, but I have to admit that I don't see anything useful in the logs; in particular I can't extract which mail header fields postfix is providing to opendkim. If anyone can make use of them I can post these logs here ...

I'm running out of ideas, so I hope someone can give me some useful pointers ...
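The h= versus z= comparison the question does by hand, as an added Python example (not from the original post): it reports which header names the signer claimed in h= but did not copy into the z= diagnostic tag, split by whether the delivered message actually carries them (a verifier hashes a present field, so those are the ones that break verification; absent ones are ordinary oversigning). The sample message, domain and selector are constructed placeholders.

```python
"""Check a DKIM-Signature's h= (signed) list against its z= (copied) list
and the headers actually present in the delivered message. Added example;
the message below is constructed, with placeholder domain and selector."""
import re
from email import message_from_string

# Constructed sample: h= claims Sender, Message-Id and Reply-To, but the z=
# copy (written when opendkim runs with "Diagnostics true") shows only the
# four fields the signer really saw. Sender and Message-Id are present in
# the delivered message, Reply-To is not.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/simple;
 h=From:To:Subject:Date:Sender:Message-Id:Reply-To;
 z=From:user@example.com|To:rcpt@example.org|Subject:Test
 |Date:Mon,=201=20Jan=202024=2000:00:00=20+0000; bh=PLACEHOLDER; b=PLACEHOLDER
From: user@example.com
Sender: user@example.com
To: rcpt@example.org
Subject: Test
Date: Mon, 1 Jan 2024 00:00:00 +0000
Message-Id: <constructed@example.com>

Test
"""


def parse_tags(sig_value):
    """Split a DKIM-Signature value into tag=value pairs. Folding whitespace
    inside the tag list carries no meaning (RFC 6376, section 3.2), and
    literal spaces in z= values are QP-encoded as =20, so strip it all."""
    compact = re.sub(r"\s+", "", sig_value)
    return dict(t.split("=", 1) for t in compact.split(";") if "=" in t)


def signed_vs_present(raw_message):
    """Names listed in h= but missing from z=, split by whether the
    delivered message carries them. Present ones cause a hardfail."""
    msg = message_from_string(raw_message)
    tags = parse_tags(msg["DKIM-Signature"])
    claimed = [h.lower() for h in tags["h"].split(":")]
    copied = {f.split(":", 1)[0].lower() for f in tags.get("z", "").split("|") if f}
    present = {k.lower() for k in msg.keys() if k.lower() != "dkim-signature"}
    gap = [h for h in claimed if h not in copied]
    return {
        "breaks_verification": sorted({h for h in gap if h in present}),
        "harmless_oversign": sorted({h for h in gap if h not in present}),
    }


if __name__ == "__main__":
    print(signed_vs_present(SAMPLE))
```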


I found out the reason (with help of the kind guys of the opendkim mailing list):

In my opendkim.conf file I had only the field

AlwaysSignHeaders       From,Sender,To,CC,Subject,Message-Id,Date

specified. It turned out that you need to add the SignHeaders field too, so now the config looks like:

...
SignHeaders             From,Sender,To,CC,Subject,Message-Id,Date
AlwaysSignHeaders       From,Sender,To,CC,Subject,Message-Id,Date
...

That's it.

Edit:

The folks from opendkim noted that AlwaysSignHeaders is deprecated, OversignHeaders should be used instead.


Have you tried to sign a test message with both Message-ID: and Sender: headers present?

Your problem may be caused by the milter getting the message version before postfix/the MTA added the above-mentioned headers (I am sure any good MTA fixes a missing Message-Id: header).

http://www.elandsys.com/resources/sendmail/dkim.html: "DKIM uses the email headers and body to generate a signature. If the headers are rewritten or text is appended to the message body after it has been signed, the dkim verification fails."

P.S. IMHO opendkim should provide an option to generate a missing Message-Id: itself.


Added for future readers: OpenDKIM provides options to debug "headers changed" problems: KeepTemporaryFiles and TemporaryDirectory.

http://www.opendkim.org/opendkim.conf.5.html