DKIM failed according to Proxmox, but OK for internal server

Nov 21, 2024
Hello all,

I am a newbie; my Proxmox gateway has about a month of use. In this scenario, I am monitoring it closely for false positives (quarantined ham).

Today I saw a message in the quarantine with the following spam info:
X-SPAM-LEVEL: Spam detection results: 3
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DMARC_QUAR 0.1 DMARC quarantine policy
HEADER_FROM_DIFFERENT_DOMAINS 0.001 From and EnvelopeFrom 2nd level mail domains are different
HTML_IMAGE_ONLY_12 2.059 HTML: images with 800-1200 bytes of words
HTML_MESSAGE 0.001 HTML included in message
HTML_SHORT_LINK_IMG_1 0.001 HTML is very short with a linked image
KAM_DMARC_QUARANTINE 3 DKIM has Failed or SPF has failed on the message and the domain has a DMARC quarantine policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust
RCVD_IN_MSPIKE_H4 0.001 Very Good reputation (+4)
RCVD_IN_MSPIKE_WL 0.001 Mailspike good senders
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record

The sender was known so I said it is strange that they were assigned a spam level and quarantined. One thing that really caught my eye was the failed DKIM. Sure a failed DKIM raises suspicion.
I went on and clicked on whitelist, the email was sent to the internal server.
The internal server has DKIM verification and it passed (DKIM signature is valid according to internal server).

Question: what is happening? Who is right about DKIM here?

I downloaded the email before whitelisting it, so I could do some tests on it if needed.
 
Please check that the maxspamsize (GUI->Configuration->Spam Detector) is set large enough for the mail in question.
 
I have a limit of 262144 bytes (I guess it is the default). Email size as I downloaded is 385KB. Is this a reason for DKIM verification to fail?

I thought that DKIM being part of the SMTP headers was not subject to size limits that would take into consideration the DATA part.

If this is so, almost anyone sending an email with an attachment will trigger a DKIM fail.

What is max value for this parameter and what are the consequences? What would be good practice to set this value to? 2MB? 5MB?
 
> What is max value for this parameter and what are the consequences? What would be good practice to set this value to? 2MB? 5MB?

We'll probably adapt it in one of the future releases - for now I'd recommend setting it to the same size as you have for e-mails in general (GUI->Configuration->Mail Proxy->Options)

The background for having that setting lower in the default settings was that scanning the first part of the message usually was enough to gather the most important parts for spam detection, while scanning the complete mail increased the runtime without too much to gain.
(The setting also has been put in place a bit before DKIM was as wide-spread as it is today)

(Once we implement this it will be explained in the release-notes of the new version)
 
Thanks Stoiko,
my setting for mail in general is quite high (50MB). I am going to test with this value, hoping I get no adverse effects on runtime. I could afford giving the virtual machine more RAM if needed. For now the VM has the default amount (4GB I think).
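
An added example, not part of the original posts: the DKIM-Signature header carries a `bh=` tag that is a hash of the whole canonicalized body, so a verifier that only sees the first part of a message recomputes a different hash. The sketch checks only that body hash (not the RSA signature in `b=`) and assumes SHA-256 with relaxed body canonicalization, a scanner that sees exactly the first `maxspamsize` bytes, and a constructed message with a placeholder domain, selector and signature.

```python
import base64, hashlib, re

MAXSPAMSIZE = 262144  # limit quoted in the thread, in bytes

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # drop empty lines at the end of the body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body: the value carried in bh=."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def bh_matches(raw: bytes, limit=None) -> bool:
    """Recompute bh= over the bytes a scanner sees and compare with the signed value."""
    seen = raw if limit is None else raw[:limit]
    headers, _, body = seen.partition(b"\r\n\r\n")
    signed = re.search(rb"\bbh=([A-Za-z0-9+/=]+)", headers).group(1).decode()
    return body_hash(body) == signed

def build_sample(size: int = 385 * 1024) -> bytes:
    """Constructed message of roughly the size from the thread (not the real mail)."""
    body = (b"QUJD" * 19 + b"\r\n") * (size // 78)
    headers = (b"From: sender@example.org\r\n"
               b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; "
               b"s=sel; bh=" + body_hash(body).encode() + b"; b=PLACEHOLDER")
    return headers + b"\r\n\r\n" + body

if __name__ == "__main__":
    msg = build_sample()
    print("full message      :", bh_matches(msg))
    print("first 262144 bytes:", bh_matches(msg, MAXSPAMSIZE))
```

A signer can limit the hashed length with the optional `l=` tag, which this sketch does not model; without it the body hash always covers the complete body.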
 
