DKIM - body has been altered - when enabling disclaimer function

Oct 13, 2020
Hello,

we've got 2 mailgateways in production and we are happy with them. We recently noticed that DKIM is not working if we add a disclaimer through the mail filter actions. If we switch off the disclaimer, we get a valid/ok message for DKIM. If we enable disclaimer we get the following message:

Code:
DKIM Information:

DKIM Signature


Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=honicon.com; h=
    cc:content-type:content-type:date:from:from:message-id
    :mime-version:reply-to:subject:subject:to:to; s=dkimkey; bh=GNKR
    CocnB9XsSqDffSiU0Ow8Jrzj91Eku3G0Rx7YxSc=; b=Cj3nG+FEhtvqk4ZShOZF
    wKXiPoFD6/tsW1GikbN0rx26x+XNtc3uC0Dzcww2Xo3lTFgq334rEFefnRsEBSjc
    BJfRL+F49sr9zvOT8miUa8EcejHRw2saqr6EnFiFGk3t1uU+bpUTtiADntyEZ/r+
    7Ex4e3nkJkySxMWxdxue6n6oGAz16PywSHk+Cg5AUup5uNNXzSgtaf9j+D+pK4Gw
    tJzSw8syz1F5HgZZ1GThU4pZJLRhWJkm2wUIBWf1/Yv0+De+QYmye2dzNrEHOszl
    O/HVFoimcLl8QtpghlwEpD+He1KBW/es20YoIPc6P+3UJmgah18hPy+ogLWytSi1
    K29V4wrBYk0111n6gdB37mcxcKOjk73+QRACLD5wENGXyvnFSJoTrJ7PmawjCJqr
    L1oGtNH1+luKfcWdx+x3Of5gK9m9JmHnbnyR5GqkOJl3hG55tuiGaB4Qm2hF0KHT
    eIn9nb09mpr4kXqA82P38ntQjJxe/5F3NQhnQXMwGRxSQ0VYGYqUrxnRuxRIA9a2
    w4ZCyfNMZL8RiVtwztCUUsWheWYvKgpAqwjizG8ErzPHckiSUDP3Z1BReWLMZE/Q
    9IZH8Jm3prmWGILmFqDeZtVzFrBPhYMPUbcvInfwKlf016C59PGBeP/wa8GCsERz
    Zix44MnbARtusA6lIiuUf/k=


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/relaxed
d= Domain:          honicon.com
s= Selector:        dkimkey
q= Protocol:       
bh=                 GNKR
    CocnB9XsSqDffSiU0Ow8Jrzj91Eku3G0Rx7YxSc=
h= Signed Headers:  cc:content-type:content-type:date:from:from:message-id
    :mime-version:reply-to:subject:subject:to:to
b= Data:            Cj3nG+FEhtvqk4ZShOZF
    wKXiPoFD6/tsW1GikbN0rx26x+XNtc3uC0Dzcww2Xo3lTFgq334rEFefnRsEBSjc
    BJfRL+F49sr9zvOT8miUa8EcejHRw2saqr6EnFiFGk3t1uU+bpUTtiADntyEZ/r+
    7Ex4e3nkJkySxMWxdxue6n6oGAz16PywSHk+Cg5AUup5uNNXzSgtaf9j+D+pK4Gw
    tJzSw8syz1F5HgZZ1GThU4pZJLRhWJkm2wUIBWf1/Yv0+De+QYmye2dzNrEHOszl
    O/HVFoimcLl8QtpghlwEpD+He1KBW/es20YoIPc6P+3UJmgah18hPy+ogLWytSi1
    K29V4wrBYk0111n6gdB37mcxcKOjk73+QRACLD5wENGXyvnFSJoTrJ7PmawjCJqr
    L1oGtNH1+luKfcWdx+x3Of5gK9m9JmHnbnyR5GqkOJl3hG55tuiGaB4Qm2hF0KHT
    eIn9nb09mpr4kXqA82P38ntQjJxe/5F3NQhnQXMwGRxSQ0VYGYqUrxnRuxRIA9a2
    w4ZCyfNMZL8RiVtwztCUUsWheWYvKgpAqwjizG8ErzPHckiSUDP3Z1BReWLMZE/Q
    9IZH8Jm3prmWGILmFqDeZtVzFrBPhYMPUbcvInfwKlf016C59PGBeP/wa8GCsERz
    Zix44MnbARtusA6lIiuUf/k=
Public Key DNS Lookup


Building DNS Query for dkimkey._domainkey.honicon.com
Retrieved this publickey from DNS: v=DKIM1; h=sha256; k=rsa; p=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
Validating Signature


result = fail
Details: body has been altered

So the "body has been altered" indicates that the disclaimer has been added after the DKIM signature. Is there anything we need to modify in the order of the disclaimer and the DKIM (if it has an order)?

Here is the system information:
Code:
proxmox-mailgateway: 7.0-1
pmg-api: 7.0-8
pmg-gui: 3.0-5
pve-kernel-helper: 7.1-2
pve-kernel-5.11: 7.0-8
pve-kernel-5.4: 6.4-5
pve-kernel-5.11.22-5-pve: 5.11.22-10
pve-kernel-5.11.22-4-pve: 5.11.22-9
pve-kernel-5.11.22-3-pve: 5.11.22-7
pve-kernel-5.4.128-1-pve: 5.4.128-1
pve-kernel-5.4.124-1-pve: 5.4.124-2
pve-kernel-5.4.106-1-pve: 5.4.106-1
clamav-daemon: 0.103.3+dfsg-0+deb11u1
ifupdown: 0.8.36
libarchive-perl: 3.4.0-1
libjs-extjs: 7.0.0-1
libjs-framework7: 4.4.7-1
libproxmox-acme-perl: 1.3.0
libproxmox-acme-plugins: 1.3.0
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.0-9
libpve-http-server-perl: 4.0-2
libxdgmime-perl: 1.0-1
lvm2: 2.03.11-2.1
pmg-docs: 7.0-2
pmg-i18n: 2.5-1
pmg-log-tracker: 2.2.0-1
postgresql-13: 13.4-0+deb11u1
proxmox-mini-journalreader: 1.2-1
proxmox-spamassassin: 3.4.6-3
proxmox-widget-toolkit: 3.3-6
pve-firmware: 3.3-2
pve-xtermjs: 4.12.0-1
zfsutils-linux: 2.0.5-pve1

Any help is very appreciated!

Best regards,
Nico
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
Cannot reproduce that here... - by sending a mail through PMG with a 'add Disclaimer' Rule and DKIM done by PMG.
(also code-wise the signature is done when a mail runs through the Accept or BCC action).

Is the dkim signature made by PMG on your deployment (and by the PMG which also adds the disclaimer)?

could you share the logs for this mail and your rule-system?
 
Oct 13, 2020
Hello @Stoiko Ivanov, yes I am willing to provide you any information. Can you please direct me, how to produce the best possible output for your review? I think the tracking center view might be a bit too much away from the real action, do you agree?

The dkim signature is done on PMG.
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
for the rule-system `pmgdb dump` should yield a good overview (paste it here in code tags)
for the concrete mail the tracking center should provide the correct snippet of the logs

you can also send me a testmail (s.ivanov _at_ proxmox.com) which goes through your PMG setup - that should help to see what goes wrong where
 
Oct 13, 2020
Hello @Stoiko Ivanov ,

here comes the dump:
Code:
Found RULE 4 (prio: 98, in, active): Blacklist
  FOUND FROM GROUP 2: Blacklist
    OBJECT 1: nomail@fromthisdomain.com
    OBJECT 72: email.lead-forensics-success.co.uk
    OBJECT 73: email.leadforensicsmm.com
  FOUND ACTION GROUP 18: Block
    OBJECT 31: block message
Found RULE 2 (prio: 96, in, active): Block Viruses
  FOUND WHAT GROUP 9: Virus
    OBJECT 22: active
  FOUND ACTION GROUP 19: Quarantine
    OBJECT 32: Move to quarantine.
  FOUND ACTION GROUP 20: Notify Admin
    OBJECT 33: notify __ADMIN__
Found RULE 3 (prio: 96, out, active): Virus Alert
  FOUND WHAT GROUP 9: Virus
    OBJECT 22: active
  FOUND ACTION GROUP 18: Block
    OBJECT 31: block message
  FOUND ACTION GROUP 20: Notify Admin
    OBJECT 33: notify __ADMIN__
  FOUND ACTION GROUP 21: Notify Sender
    OBJECT 34: notify __SENDER__
Found RULE 1 (prio: 93, in, active): Block Dangerous Files
  FOUND WHAT GROUP 8: Dangerous Content
    OBJECT 16: content-type=application/javascript
    OBJECT 17: content-type=application/x-executable
    OBJECT 15: content-type=application/x-java
    OBJECT 14: content-type=application/x-ms-dos-executable
    OBJECT 18: content-type=application/x-ms-dos-executable
    OBJECT 19: content-type=message/partial
    OBJECT 20: filename=.*\.(vbs|pif|lnk|shs|shb)
    OBJECT 21: filename=.*\.\{.+\}
  FOUND ACTION GROUP 15: Remove attachments
    OBJECT 28: remove matching attachments
Found RULE 5 (prio: 90, in, active): Modify Header
  FOUND ACTION GROUP 13: Modify Spam Level
    OBJECT 26: modify field: X-SPAM-LEVEL:__SPAM_INFO__
Found RULE 13 (prio: 89, in, inactive): Quarantine Office Files
  FOUND WHAT GROUP 7: Office Files
    OBJECT 9: content-type=application/msword
    OBJECT 7: content-type=application/vnd\.ms-excel
    OBJECT 8: content-type=application/vnd\.ms-powerpoint
    OBJECT 11: content-type=application/vnd\.oasis\.opendocument\..*
    OBJECT 10: content-type=application/vnd\.openxmlformats-officedocument\..*
    OBJECT 12: content-type=application/vnd\.stardivision\..*
    OBJECT 13: content-type=application/vnd\.sun\.xml\..*
  FOUND ACTION GROUP 23: Attachment Quarantine (remove matching)
    OBJECT 36: remove matching attachments
Found RULE 12 (prio: 87, in+out, inactive): Block Multimedia Files
  FOUND WHAT GROUP 6: Multimedia
    OBJECT 5: content-type=audio/.*
    OBJECT 6: content-type=video/.*
  FOUND ACTION GROUP 15: Remove attachments
    OBJECT 28: remove matching attachments
Found RULE 6 (prio: 85, in, active): Whitelist
  FOUND FROM GROUP 3: Whitelist
    OBJECT 2: mail@fromthisdomain.com
  FOUND ACTION GROUP 17: Accept
    OBJECT 30: accept message
Found RULE 9 (prio: 82, in, active): Block Spam (Level 10)
  FOUND WHAT GROUP 12: Spam (Level 10)
    OBJECT 25: Level 10
  FOUND ACTION GROUP 18: Block
    OBJECT 31: block message
Found RULE 8 (prio: 81, in, active): Quarantine/Mark Spam (Level 5)
  FOUND WHAT GROUP 11: Spam (Level 5)
    OBJECT 24: Level 5
  FOUND ACTION GROUP 14: Modify Spam Subject
    OBJECT 27: modify field: subject:SPAM: __SUBJECT__
  FOUND ACTION GROUP 19: Quarantine
    OBJECT 32: Move to quarantine.
Found RULE 7 (prio: 80, in, active): Quarantine/Mark Spam (Level 3)
  FOUND WHAT GROUP 10: Spam (Level 3)
    OBJECT 23: Level 3
  FOUND ACTION GROUP 14: Modify Spam Subject
    OBJECT 27: modify field: subject:SPAM: __SUBJECT__
  FOUND ACTION GROUP 19: Quarantine
    OBJECT 32: Move to quarantine.
Found RULE 10 (prio: 70, out, inactive): Block outgoing Spam
  FOUND WHAT GROUP 10: Spam (Level 3)
    OBJECT 23: Level 3
  FOUND ACTION GROUP 18: Block
    OBJECT 31: block message
  FOUND ACTION GROUP 20: Notify Admin
    OBJECT 33: notify __ADMIN__
  FOUND ACTION GROUP 21: Notify Sender
    OBJECT 34: notify __SENDER__
Found RULE 16 (prio: 68, out, active): Disclaimer hoffmn01
  FOUND FROM GROUP 29: hoffmn01
    OBJECT 53: redacted@honicon.com
  FOUND ACTION GROUP 30: hoffmn01
    OBJECT 54: disclaimer
Found RULE 11 (prio: 67, out, active): Disclaimer hoffml01
  FOUND FROM GROUP 40: hoffml01
    OBJECT 65: redacted@honicon.com
  FOUND ACTION GROUP 37: hoffml01
    OBJECT 63: disclaimer
Found RULE 15 (prio: 63, out, active): Disclaimer gillnc01
  FOUND FROM GROUP 28: gillnc01
    OBJECT 52: redacted@honicon.com
  FOUND ACTION GROUP 27: gillnc01
    OBJECT 51: disclaimer
Found RULE 14 (prio: 62, out, active): Disclaimer uebrid01
  FOUND FROM GROUP 39: uebrid01
    OBJECT 67: redacted@honicon.com
  FOUND ACTION GROUP 35: uebrid01
    OBJECT 61: disclaimer
Found RULE 17 (prio: 61, out, active): Disclaimer knispk01
  FOUND FROM GROUP 41: knispk01
    OBJECT 66: redacted@honicon.com
  FOUND ACTION GROUP 38: knispk01
    OBJECT 64: disclaimer
Found RULE 21 (prio: 60, out, active): Disclaimer service
  FOUND FROM GROUP 42: Honicon Service
    OBJECT 70: redacted@honicon.com
    OBJECT 69: redacted@honicon.com
    OBJECT 71: redacted@honicon.com
    OBJECT 68: service@honicon.com
  FOUND ACTION GROUP 25: Disclaimer Honicon
    OBJECT 48: disclaimer
Found RULE 19 (prio: 40, out, active): Disclaimer
  FOUND FROM GROUP 34: NOT HONICON
    OBJECT 59: otherdomain1.com
    OBJECT 58: otherdomain2.de
    OBJECT 60: otherdomain3.de
  FOUND ACTION GROUP 22: Disclaimer allgemein
    OBJECT 35: disclaimer

The tracking center says:
Code:
Oct 13 14:30:37 derznmx01 postfix/smtpd[70902]: connect from unknown[10.0.10.8]
Oct 13 14:30:37 derznmx01 postfix/smtpd[70902]: Anonymous TLS connection established from unknown[10.0.10.8]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Oct 13 14:30:37 derznmx01 postfix/smtpd[70902]: A74C7107B9: client=unknown[10.0.10.8]
Oct 13 14:30:37 derznmx01 postfix/cleanup[70905]: A74C7107B9: message-id=<f5bf6719-c6d2-55fa-16fa-b7b9ce01fa97@honicon.com>
Oct 13 14:30:37 derznmx01 postfix/qmgr[1759]: A74C7107B9: from=<redacted@honicon.com>, size=1738, nrcpt=1 (queue active)
Oct 13 14:30:37 derznmx01 postfix/smtpd[70902]: disconnect from unknown[10.0.10.8] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Oct 13 14:30:37 derznmx01 pmg-smtp-filter[69731]: 102FA6166D16DAB812: new mail message-id=<f5bf6719-c6d2-55fa-16fa-b7b9ce01fa97@honicon.com>#012
Oct 13 14:30:37 derznmx01 pmg-smtp-filter[69731]: 102FA6166D16DAB812: added disclaimer (rule: Disclaimer hoffmn01)
Oct 13 14:30:37 derznmx01 pmg-smtp-filter[69731]: 102FA6166D16DAB812: added disclaimer (rule: Disclaimer hoffmn01)
Oct 13 14:30:37 derznmx01 postfix/smtpd[70910]: connect from localhost.localdomain[127.0.0.1]
Oct 13 14:30:37 derznmx01 postfix/smtpd[70910]: BAD46107C7: client=localhost.localdomain[127.0.0.1], orig_client=unknown[10.0.10.8]
Oct 13 14:30:37 derznmx01 postfix/cleanup[70905]: BAD46107C7: message-id=<f5bf6719-c6d2-55fa-16fa-b7b9ce01fa97@honicon.com>
Oct 13 14:30:37 derznmx01 postfix/qmgr[1759]: BAD46107C7: from=<redacted@honicon.com>, size=24983, nrcpt=1 (queue active)
Oct 13 14:30:37 derznmx01 postfix/smtpd[70910]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Oct 13 14:30:37 derznmx01 pmg-smtp-filter[69731]: 102FA6166D16DAB812: accept mail to <SXL1oa2Gdf0E4Z@dkimvalidator.com> (BAD46107C7) (rule: default-accept)
Oct 13 14:30:37 derznmx01 pmg-smtp-filter[69731]: 102FA6166D16DAB812: processing time: 0.107 seconds (0, 0.032, 0)
Oct 13 14:30:37 derznmx01 postfix/lmtp[70906]: A74C7107B9: to=<SXL1oa2Gdf0E4Z@dkimvalidator.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.14, delays=0.01/0.01/0/0.11, dsn=2.5.0, status=sent (250 2.5.0 OK (102FA6166D16DAB812))
Oct 13 14:30:37 derznmx01 postfix/qmgr[1759]: A74C7107B9: removed
Oct 13 14:30:45 derznmx01 postfix/smtp[70911]: BAD46107C7: to=<SXL1oa2Gdf0E4Z@dkimvalidator.com>, relay=31045262.in1.mandrillapp.com[54.245.105.146]:25, delay=7.4, delays=0.04/0.01/6.8/0.56, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A77B420DE5)
Oct 13 14:30:45 derznmx01 postfix/qmgr[1759]: BAD46107C7: removed

The test mail is on the way. Thank you! :)
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
Hm - Thanks for the mails - the disclaimer - seems a bit long (far longer than the 2048 byte limit in the API) - is PMG adding the disclaimer (and if yes - how and where did you modify the source to accept such a long disclaimer)?

I got 4 mails from you (DKIM vs Disclaimer with Disclaimer, and DKIM vs Disclaimer without Disclaimer I - III) - only DKIM vs Disclaimer without Disclaimer actually verified here.

I tried reproducing your mail here - by adding the long disclaimer to my PMG (which needs modification due to the length) and sending a few testmails - here the dkim-signature verifies...

could you maybe also share the text in the disclaimer object (if you like put it in a text-file and send it to me in a zip)

Is there anything after PMG before the mail goes to the internet, which might be interfering (e.g. a firewall doing deep-packet inspection?)
 
Oct 13, 2020
Hello @Stoiko Ivanov ,

thank you for your message. In fact we modified the disclaimer directly within the db as the API was not willing to accept our block and this was a key feature we wanted to have from "the old system". It was working this way fine until July 2021. After that the issues with the DKIM started. We upgraded the PMG from 6 to 7 around July. Someone might come to the point, that the upgrade may have had an impact to the situation.

PMG is adding the disclaimer and after that it leaves our premises and is not intercepted by any DPI or similar. I will send you the content of the signatures via mail as a zip.

Thank you and best regards,
Nico
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
PMG is adding the disclaimer and after that it leaves our premises and is not intercepted by any DPI or similar. I will send you the content of the signatures via mail as a zip.
Thanks - I did manage to reproduce the problem (and verify that it does not occur in 6.4)
I could also reproduce the issue with an updated PMG 6.4 - so the upgrade from 6 to 7 is probably not the reason

Oddly enough nothing in the PMG sources changed in that area of the code - so I need to analyze this a bit further...

Thanks for the report in any case - I'll comment here once I got some better idea what's going wrong where
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
Ok - could not reproduce it with a fresh 6.3 install - are you sure that this worked at some point - and if yes could you provide the version where this last worked?
 
Oct 13, 2020
I believe it was 6.4 at that time. Please see the mail I just sent you for the source of the message that was delivered ok.
Thank you and best regards,
Nico
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
Ok - could not reproduce it with a fresh 6.3 install
Sorry - again wrote this quite confusingly - I can reproduce the issue with 6.3 as well - meaning - I don't see how that worked with 6.3/6.4 (did not try even older PMG versions)
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
The mail also has in its headers:
Code:
mx.google.com; dkim=neutral (body hash did not verify)
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
Do you think we discovered a bug in general?
potentially - still trying to nail down what triggers it

I think that it's long lines without any new-line in between - so if you like to experiment a bit - which your disclaimer has a few because of the base64 encoded embedded images
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
Ok - I think I found the root-cause (and my initial guess was somewhat correct):
* PMG simply adds the Disclaimer as is - in your case with lines exceeding 998 characters
* Lines longer than 998 characters are forbidden by the SMTP RFC - see:
http://www.postfix.org/postconf.5.html#smtp_line_length_limit
https://www.rfc-editor.org/rfc/rfc5322.html (section 2.1.1)
* PMG signs the message and passes it on to postfix (on port 10025)
* postfix "fixes" the message as described in the docs on smtp_line_length_limit by splitting lines at 998 with <CR><LF><SPACE>
* this in turn invalidates the body-hash of the DKIM signature.

I think that you noticed this just now (and not earlier) because some mail-providers seem to penalize such errors now a bit more

Currently I think this will be fixed in PMG, by simply warning the user if they enter a disclaimer with such long lines (and storing it like postfix would transform it (inserting a newline after 990 characters))

For your deployment I'd suggest to consider adding this quite large disclaimer on the MUA Side (in your Thunderbird/Webmail/other Client Signature configuration), the actual Mailserver which relays through PMG (if the server has any support for this) - or if this is indeed not feasible in any of those two - to manually adapt your disclaimer in PMG to include new-lines at or before 990 characters.
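The failure sequence described in the post above, as an added example that is not part of the original thread and is not PMG or Postfix code: it computes the DKIM body hash over a message as signed, then again after over-long lines have been split with <CR><LF><SPACE>, and checks that a body stored with breaks at 990 characters survives unchanged. `split_like_mta` is a simplified model of the splitting (an assumption), and the sample body is constructed.

```python
import base64
import hashlib
import re

LIMIT = 998  # line length limit named in the post (RFC 5322 section 2.1.1)


def relaxed_body(body: bytes) -> bytes:
    """DKIM "relaxed" body canonicalization (RFC 6376 section 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # ignore empty lines at the end of the body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value a signer or verifier computes for bh= with a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def split_like_mta(body: bytes, limit: int = LIMIT) -> bytes:
    """Simplified model (assumption): break over-long lines with <CR><LF><SPACE>."""
    out = []
    for ln in body.split(b"\r\n"):
        chunks = [ln[i:i + limit] for i in range(0, len(ln), limit)] or [b""]
        out.append(b"\r\n ".join(chunks))
    return b"\r\n".join(out)


def long_lines(body: bytes, limit: int = LIMIT):
    """(line number, length) for every line longer than the limit."""
    return [(n, len(ln)) for n, ln in enumerate(body.split(b"\r\n"), 1) if len(ln) > limit]


# Constructed sample: short text plus one HTML line carrying an inline base64 image.
SAMPLE = (b"Hello,\r\n\r\nregards\r\n"
          b'<img src="data:image/png;base64,' + b"QUJD" * 600 + b'">\r\n')


def demo():
    signed_bh = body_hash(SAMPLE)                   # hash over the body as signed
    wire_bh = body_hash(split_like_mta(SAMPLE))     # hash over the body after splitting
    prewrapped = split_like_mta(SAMPLE, 990)        # body stored with breaks at 990
    return {
        "offending": long_lines(SAMPLE),
        "broken": signed_bh != wire_bh,
        "prewrapped_stable": body_hash(prewrapped) == body_hash(split_like_mta(prewrapped)),
        "prewrapped_offending": long_lines(prewrapped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Relaxed canonicalization only collapses whitespace runs and drops trailing whitespace and trailing empty lines, so a line break inserted in the middle of a line still changes the hash even with c=relaxed/relaxed.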
 
