SpamAssassin DKIM DNS issue
Here is the setup where I encounter my issues:
My computer has the IP 10.6.2.5. There is a DNS server ns.isp6.lab with the IP 10.6.2.4 (I can reach it).
My computer has Postfix + Dovecot + SpamAssassin installed. I receive emails signed with DKIM from the domain isp6.lab. They're signed with this domain key: mail._domainkey.isp6.lab
When I do dig mail._domainkey.isp6.lab TXT
I get an answer with the public RSA key.
The problem is that SpamAssassin doesn't find it. Here is part of the header of a received email:
X-Spam-HAM-Report:
* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
So I activated the debug logs in SpamAssassin and here is what I found:
cat spamd.log | grep dkim
Tue Oct 7 16:38:50 2014 [21673] dbg: dkim: performing public key lookup and signature verification
Tue Oct 7 16:39:00 2014 [21673] dbg: dkim: DKIM, [email protected], d=isp6.lab, s=mail, a=rsa-sha256, c=relaxed/simple, invalid, matches author domain
Tue Oct 7 16:39:00 2014 [21673] dbg: dkim: signature verification result: INVALID (PUBLIC KEY: DNS QUERY TIMEOUT FOR MAIL._DOMAINKEY.ISP6.LAB)
I checked my /etc/resolv.conf:
domain isp6.lab
search isp6.lab
nameserver 10.6.2.4
I have been searching for hours on this issue (it doesn't seem well documented). I checked that I had all required CPAN modules, etc.; I really have no idea what else I could do.
Thanks in advance for your help.
Edit: Maybe something can be done in the Net::DNS module? I don't really understand how all these modules are used, configured, and interact with each other.
Solution 1:
Maybe you hit a bug related to Net::DNS and SpamAssassin. It is explained in this blog and this SA mailing list. The excerpt from the blog:
Net::DNS version 0.76 changed the field name holding a set of nameservers in a Net::DNS::Resolver object: it used to be ‘nameservers’, but is now split into two fields: ‘nameserver4’ and ‘nameserver6’.
Mail/SpamAssassin/DnsResolver.pm relied on the internal field name of a Net::DNS::Resolver object to obtain a default list of recursive name servers, so the change in Net::DNS broke that.
Solution:
Check your repo to see if they have fixed the issue in a newer release. If not, you can apply the patch manually from here
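
The debug output in the question reports a DNS timeout under the same INVALID verdict that a tampered message would receive. As an added example (not from the original post, the answer, or SpamAssassin itself), this Python script separates resolver failures from real signature failures in spamd debug lines; the second message in the sample log is constructed, and the function names are hypothetical.

```python
import re

# Sample in the spamd debug format shown in the question. The first message
# repeats the question's lines; the second (pid 21701) is constructed.
SAMPLE_LOG = """\
Tue Oct 7 16:38:50 2014 [21673] dbg: dkim: performing public key lookup and signature verification
Tue Oct 7 16:39:00 2014 [21673] dbg: dkim: signature verification result: INVALID (PUBLIC KEY: DNS QUERY TIMEOUT FOR MAIL._DOMAINKEY.ISP6.LAB)
Tue Oct 7 16:41:12 2014 [21701] dbg: dkim: performing public key lookup and signature verification
Tue Oct 7 16:41:12 2014 [21701] dbg: dkim: signature verification result: INVALID (BODY HAS BEEN ALTERED)
"""

RESULT_RE = re.compile(
    r"\[(?P<pid>\d+)\] dbg: dkim: signature verification result: "
    r"(?P<result>[A-Z]+)(?: \((?P<detail>.*)\))?\s*$")
# DKIM key records are named <selector>._domainkey.<domain>.
KEY_RE = re.compile(r"\b[\w-]+\._domainkey\.[\w.-]+", re.I)

def classify(result, detail):
    """Tell 'the key could not be fetched' apart from 'the signature failed'."""
    if result == "PASS":
        return "pass"
    if "DNS" in (detail or "").upper():
        # Resolver-side problem: says nothing about the sender's signature.
        return "dns-failure"
    return "signature-failure"

def triage(log_text):
    """Return one finding per 'signature verification result' line."""
    findings = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue
        key = KEY_RE.search(m["detail"] or "")
        findings.append({
            "pid": int(m["pid"]),
            "class": classify(m["result"], m["detail"]),
            # Lower-cased so it can be pasted into a dig query.
            "key_name": key.group(0).lower() if key else None,
            "detail": m["detail"],
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["pid"], f["class"], f["key_name"] or "-", "|", f["detail"])
```

A dns-failure entry whose key name resolves fine with dig points at the resolver SpamAssassin uses through Net::DNS, not at the signer's key.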