Kerio DKIM signature in outgoing mail fails SpamAssassin T_DKIM_INVALID rule
  •  
TuKerMaN

Tested in Kerio Connect 9.2.3 and 9.2.5 p3, several domains (all using the same 1024-bit key). The tests were done in several online and mail checkers, and sent through Outlook 2013, Kerio Connect (webmail), Firebird...

Original message as seen in Kerio Connect's sent mail:

Date: Wed, 11 Oct 2017 16:43:47 -0300
Subject: Testing DKIM Signature
X-Mailer: Kerio Connect 9.2.5 patch 3/Kerio Connect Client
X-User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101
Firefox/52.0
Message-ID: <7566235-2872<_at_>mail.host-media.com.ar>
From: Martin Rozanski <tukerman<_at_>tukerman.com.ar>
To: FLPpTuiQqsCgzj@dkimvalidator.com, mailtest<_at_>unlocktheinbox.com,
84799@SpamScoreChecker.com, ins-x2h3igwc<_at_>isnotspam.com
X-Priority: 3
Importance: Normal
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-FHZS0InOUT1h3fhwtm+S"

--=-FHZS0InOUT1h3fhwtm+S
Content-Type: text/plain; charset="utf-8"



--=-FHZS0InOUT1h3fhwtm+S
Content-Type: text/html; charset="utf-8"

<html><head></head><body><br></body></html>
--=-FHZS0InOUT1h3fhwtm+S--


Unlock The Inbox response: (www . unlocktheinbox . com)

Publication: RFC 6376 DKIM Validation Check
Signature Found: Yes
SmarterMail DKIM Test: Passed
MailBee.NET DKIM Test: Passed
LimiLabs DKIM Test: Passed
SpamAssassin DKIM Test: Failed - Bad Signature

Publication: RFC 6376 DKIM Signature Additional Information
Version: v=1
Key Algorithm: a=rsa-sha256
Canonicalization: c=simple/simple
Domain Name: d=tukerman.com.ar
Selector: s=mail
Signed Headers: h=from:subject:date:message-id:to:mime-version:content-type
Body Hash: bh=U6zAeLyJYQm/gKrk5e+xEUWY+1CpnS/MWbNJf6uXLpA=
Signature Data: b=Y3Iy7HWt99qKzmyZ/2HC8QM5EZL2sKWH4OMmfogrWzNqolTNSWXLSiJwXv SE1agFWvS9PBl5lONYD
56DcCn7eGRimupLCF8XFd6vU3hcf9trEEc7f/nnWfvqFGz3jrA+2SG7IphDo v6WfvMyzMfYcvGv/A7
rFlG5J6vMFWdKtSQ=

Public DKIM Key
Selector Location: mail._domainkey.tukerman.com.ar
DNS Record Found: Yes
Record Syntax: v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6UfYzXzWNG8 eiR/vk4xtksLDSPWT36iRIKMBsbc7XcEP8L6B/vXqHXh+3/M6fPb288H/IH6 zSly8N2aREWgFPm31GOqMhc5Mn7Dgd/WHVeNgL1gPVNfCHmbqhyIkpQkE9xI sGqZG8vwmhySN5iSxbzYPp4yl187GqaGN/Q8D7+wIDAQAB
Key Size: 1024 bits
Record Length: 226 bytes

Spam Assassian Results
Content analysis details: (You scored -2.3 points, 5.0 or higher is considered to be spam)
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at www . dnswl . org, medium trust [200.42.89.132 listed in list.dnswl.org]
-0.0 SPF_PASS SPF: sender matches SPF record
-0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20% [score: 0.1066]
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid



DKIM Validator: (dkimvalidator . com)

Original message:
Received: from mail.host-media.com.ar (mail.host-media.com.ar [200.42.89.132])
by relay-3.us-west-2.relay-prod (Postfix) with ESMTPS id C39962003F1
for <FLPpTuiQqsCgzj<_at_>dkimvalidator.com>; Wed, 11 Oct 2017 19:43:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=tukerman.com.ar; s=mail;
h=from:subject:date:message-id:to:mime-version:content-type;
bh=U6zAeLyJYQm/gKrk5e+xEUWY+1CpnS/MWbNJf6uXLpA=;
b=Y3Iy7HWt99qKzmyZ/2HC8QM5EZL2sKWH4OMmfogrWzNqolTNSWXLSiJwXv SE1agFWvS9PBl5lONYD
56DcCn7eGRimupLCF8XFd6vU3hcf9trEEc7f/nnWfvqFGz3jrA+2SG7IphDo v6WfvMyzMfYcvGv/A7
rFlG5J6vMFWdKtSQ=
X-Footer: dHVrZXJtYW4uY29tLmFy
Received: from localhost ([127.0.0.1])
by mail.host-media.com.ar (Kerio Connect 9.2.5 patch 3) with ESMTPSA
for FLPpTuiQqsCgzj<_at_>dkimvalidator.com;
Wed, 11 Oct 2017 16:43:47 -0300
Date: Wed, 11 Oct 2017 16:43:47 -0300
Subject: Testing DKIM Signature
X-Mailer: Kerio Connect 9.2.5 patch 3/Kerio Connect Client
X-User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101
Firefox/52.0
Message-ID: <7566235-2872<_at_>mail.host-media.com.ar>
From: Martin Rozanski <tukerman<_at_>tukerman.com.ar>
To: FLPpTuiQqsCgzj@dkimvalidator.com, mailtest<_at_>unlocktheinbox.com,
84799@SpamScoreChecker.com, ins-x2h3igwc<_at_>isnotspam.com
X-Priority: 3
Importance: Normal
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-FHZS0InOUT1h3fhwtm+S"

--=-FHZS0InOUT1h3fhwtm+S
Content-Type: text/plain; charset="utf-8"



--=-FHZS0InOUT1h3fhwtm+S
Content-Type: text/html; charset="utf-8"

<html><head></head><body><br></body></html>
--=-FHZS0InOUT1h3fhwtm+S--


DKIM Information:

DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=tukerman.com.ar; s=mail;
h=from:subject:date:message-id:to:mime-version:content-type;
bh=U6zAeLyJYQm/gKrk5e+xEUWY+1CpnS/MWbNJf6uXLpA=;
b=Y3Iy7HWt99qKzmyZ/2HC8QM5EZL2sKWH4OMmfogrWzNqolTNSWXLSiJwXv SE1agFWvS9PBl5lONYD
56DcCn7eGRimupLCF8XFd6vU3hcf9trEEc7f/nnWfvqFGz3jrA+2SG7IphDo v6WfvMyzMfYcvGv/A7
rFlG5J6vMFWdKtSQ=


Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: simple/simple
d= Domain: tukerman.com.ar
s= Selector: mail
q= Protocol:
bh= U6zAeLyJYQm/gKrk5e+xEUWY+1CpnS/MWbNJf6uXLpA=
h= Signed Headers: from:subject:date:message-id:to:mime-version:content-type
b= Data: Y3Iy7HWt99qKzmyZ/2HC8QM5EZL2sKWH4OMmfogrWzNqolTNSWXLSiJwXvSE 1agFWvS9PBl5lONYD
56DcCn7eGRimupLCF8XFd6vU3hcf9trEEc7f/nnWfvqFGz3jrA+2SG7IphDo v6WfvMyzMfYcvGv/A7
rFlG5J6vMFWdKtSQ=
Public Key DNS Lookup

Building DNS Query for mail._domainkey.tukerman.com.ar
Retrieved this publickey from DNS: v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6UfYzXzWNG8 eiR/vk4xtksLDSPWT36iRIKMBsbc7XcEP8L6B/vXqHXh+3/M6fPb288H/IH6 zSly8N2aREWgFPm31GOqMhc5Mn7Dgd/WHVeNgL1gPVNfCHmbqhyIkpQkE9xI sGqZG8vwmhySN5iSxbzYPp4yl187GqaGN/Q8D7+wIDAQAB
Validating Signature

result = pass


SpamAssassin:
SpamAssassin Score: -0.388
Message is NOT marked as spam
Points breakdown:
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at www . dnswl . org, medium trust [200.42.89.132 listed in list.dnswl.org]
1.8 DKIM_ADSP_DISCARD No valid author signature, domain signs all mail and suggests discarding the rest
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 TVD_SPACE_RATIO No description available.
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid



Spam Score Checker (spamscorechecker . com)

SpamAssassin Rules Broken
* 1.8 DKIM_ADSP_DISCARD No valid author signature, domain signs all mail and [score:
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid


Postmark Spam Check (spamcheck . postmarkapp . com)

pts rule name description
---- ---------------------- --------------------------------------------------
1.8 DKIM_ADSP_DISCARD No valid author signature, domain signs all mail
and suggests discarding the rest

-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at www . dnswl . org, medium
trust
[200.42.89.132 listed in list.dnswl.org]
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
0.0 TVD_SPACE_RATIO TVD_SPACE_RATIO
0.0 BODY_URI_ONLY Message body is only a URI in one line of text or for
an image




What can be wrong? Other DKIM checkers/validators show "passed"; only the SpamAssassin "T_DKIM_INVALID" rule fails. I'm not sure it's a SpamAssassin problem, because sending mail for this domain with the same private/public keys, but from another MTA different from Kerio's, goes OK. But I can't find anything different between the signatures created, except that Kerio fragments the "b=" field into 3 lines and the other MTA sends it as one entire line.

Example in Kerio:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=tukerman.com.ar; s=mail;
h=from:subject:date:message-id:to:mime-version:content-type;
bh=U6zAeLyJYQm/gKrk5e+xEUWY+1CpnS/MWbNJf6uXLpA=;
b=Y3Iy7HWt99qKzmyZ/2HC8QM5EZL2sKWH4OMmfogrWzNqolTNSWXLSiJwXv SE1agFWvS9PBl5lONYD
56DcCn7eGRimupLCF8XFd6vU3hcf9trEEc7f/nnWfvqFGz3jrA+2SG7IphDo v6WfvMyzMfYcvGv/A7
rFlG5J6vMFWdKtSQ=


Example in Exchange with DKIM plug-in:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=tukerman.com.ar; s=mail;
h=from:subject:date:message-id:to:mime-version:content-type;
bh=U6zAeLyJYQm/gKrk5e+xEUWY+1CpnS/MWbNJf6uXLpA=;
b=Y3Iy7HWt99qKzmyZ/2HC8QM5EZL2sKWH4OMmfogrWzNqolTNSWXLSiJwXv SE1agFWvS9PBl5lONYD56DcCn7eGRimupLCF8XFd6vU3hcf9trEEc7f/nnWf vqFGz3jrA+2SG7IphDov6WfvMyzMfYcvGv/A7rFlG5J6vMFWdKtSQ=
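
Whether folding the b= value can by itself change what a verifier checks, as an added example that is not part of the original post or of Kerio's or SpamAssassin's code: it applies the RFC 6376 rules (b= value deleted before hashing, whitespace in b= ignored on decode) to a constructed header. The signature bytes are made up and the function names are hypothetical; the other tag values are taken from the post.

```python
import base64
import re

# Matches the b= tag (never bh=); group 1 is the tag name, group 2 its value.
B_TAG = re.compile(r"((?:^|;)\s*b\s*=)([^;]*)")

def signature_bytes(header: str) -> bytes:
    """Decode b=; whitespace inside the value is ignored (RFC 6376, 3.5)."""
    return base64.b64decode(re.sub(r"\s+", "", B_TAG.search(header).group(2)))

def hash_input(header: str, canon: str) -> bytes:
    """The DKIM-Signature header as the verifier hashes it (RFC 6376, 3.7)."""
    h = B_TAG.sub(r"\1", header)        # b= value deleted before hashing
    if canon == "relaxed":              # lowercase name, unfold, squeeze WSP
        name, value = h.split(":", 1)
        value = re.sub(r"\r\n(?=[ \t])", "", value)
        value = re.sub(r"[ \t]+", " ", value).strip(" \t\r\n")
        h = name.strip().lower() + ":" + value
    return h.rstrip("\r\n").encode()    # hashed without the trailing CRLF

def compare(a: str, b: str) -> dict:
    """Which verifier inputs are identical for two renderings of a header?"""
    return {"signature": signature_bytes(a) == signature_bytes(b),
            "simple": hash_input(a, "simple") == hash_input(b, "simple"),
            "relaxed": hash_input(a, "relaxed") == hash_input(b, "relaxed")}

# Constructed sample: tag values from the post, signature bytes made up.
SIG = base64.b64encode(bytes(range(96))).decode()
TAGS = ("DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;\r\n"
        "\td=tukerman.com.ar; s=mail;\r\n"
        "\th=from:subject:date:message-id:to:mime-version:content-type;\r\n"
        "\tbh=U6zAeLyJYQm/gKrk5e+xEUWY+1CpnS/MWbNJf6uXLpA=;\r\n"
        "\tb=")
ONE_LINE = TAGS + SIG + "\r\n"
THREE_LINES = (TAGS + "\r\n\t".join(SIG[i:i + 44] for i in range(0, 128, 44))
               + "\r\n")
REFOLDED = ONE_LINE.replace(";\r\n\td=", "; d=")   # fold changed outside b=

if __name__ == "__main__":
    print("b= folded vs. one line:", compare(ONE_LINE, THREE_LINES))
    print("fold changed elsewhere:", compare(ONE_LINE, REFOLDED))
```

Under these rules the two b= foldings give the same signature bytes and the same hash input for both canonicalizations, while a fold changed anywhere else in the header alters the hash input under c=simple but not under relaxed.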
  •  
rigo

Is this a new DKIM setup? If so, I remember DNS could not handle a long key and I ended up using a short key. If so, there is a file associated in Kerio that holds the key; just cut-n-paste the new short key and restart the server.
Also had another domain bark at the key, also a DNS issue, and ended up deleting the DNS record (modifying did not do it) and that got it going.
  •  
TuKerMaN

DKIM is set up correctly, and correctly validated by major providers (Google, MS, Yahoo, etc). The problem arises with mail servers using SpamAssassin as SPAM filters. SA does not validate the DKIM signature Kerio is doing, and this adds SPAM score.

Don't know if it's a Kerio or SA bug. Kerio Connect signatures get validated everywhere except with SA, and SA validates other signatures (e.g. Exchange w/ DKIM plugin) correctly but not Kerio's ones, at least with my setup.