Hello,
after migrating from another mail gateway to Proxmox Mail Gateway 9 we are seeing many false positives caused by DKIM validation.
Environment:
PMG 9.0.10
SpamAssassin 4.0.2
libmail-dkim-perl 1.20240923-1
pmgversion:
<Ausgabe von pmgversion -v>
Problem:
Several legitimate mails from different providers are classified as
DKIM_INVALID
KAM_DMARC_REJECT (7.0)
and therefore quarantined.
Examples:
- booking.com
- Strato hosted domains
- Microsoft 365
SpamAssassin result:
DKIM_INVALID(0.1)
DKIM_SIGNED(0.1)
DMARC_REJECT(0.1)
KAM_DMARC_REJECT(7)
...
Running SpamAssassin in debug mode on the quarantined EML shows:
DKIM signature verification result: FAIL (BODY HAS BEEN ALTERED)
The strange part is:
- DNS resolution works.
- DKIM public keys can be resolved correctly.
- The same message is accepted as DKIM_VALID by the upstream provider (Netarix).
Example:
X-Spam-Status (Netarix):
DKIM_VALID
DKIM_VALID_AU
score=-1.5
PMG:
DKIM_INVALID
KAM_DMARC_REJECT=7
The DKIM public keys resolve correctly:
dig TXT strato-dkim-0002._domainkey.busways.de
dig TXT strato-dkim-0003._domainkey.busways.de
Both return valid keys.
Question:
Has anybody seen this with PMG 9 / SpamAssassin 4.0.2?
Is there a known issue with DKIM verification resulting in
"BODY HAS BEEN ALTERED"
although upstream verification succeeds?
I can provide the original EML if required.
after migrating from another mail gateway to Proxmox Mail Gateway 9 we are seeing many false positives caused by DKIM validation.
Environment:
PMG 9.0.10
SpamAssassin 4.0.2
libmail-dkim-perl 1.20240923-1
pmgversion:
<Ausgabe von pmgversion -v>
Problem:
Several legitimate mails from different providers are classified as
DKIM_INVALID
KAM_DMARC_REJECT (7.0)
and therefore quarantined.
Examples:
- booking.com
- Strato hosted domains
- Microsoft 365
SpamAssassin result:
DKIM_INVALID(0.1)
DKIM_SIGNED(0.1)
DMARC_REJECT(0.1)
KAM_DMARC_REJECT(7)
...
Running SpamAssassin in debug mode on the quarantined EML shows:
DKIM signature verification result: FAIL (BODY HAS BEEN ALTERED)
The strange part is:
- DNS resolution works.
- DKIM public keys can be resolved correctly.
- The same message is accepted as DKIM_VALID by the upstream provider (Netarix).
Example:
X-Spam-Status (Netarix):
DKIM_VALID
DKIM_VALID_AU
score=-1.5
PMG:
DKIM_INVALID
KAM_DMARC_REJECT=7
The DKIM public keys resolve correctly:
dig TXT strato-dkim-0002._domainkey.busways.de
dig TXT strato-dkim-0003._domainkey.busways.de
Both return valid keys.
Question:
Has anybody seen this with PMG 9 / SpamAssassin 4.0.2?
Is there a known issue with DKIM verification resulting in
"BODY HAS BEEN ALTERED"
although upstream verification succeeds?
I can provide the original EML if required.