Mail from GMX is marked as DKIM invalid despite signature being correct #284

Closed
Leseratte10 opened this issue Jan 4, 2022 · 2 comments

@Leseratte10

I've just received an email from a @gmx.de mail address, and the extension displays "Invalid (Wrong signer (should be gmx.de))".

The DKIM-Signature in the mail is the following:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net;
	s=badeba3b8450; t=1641291076;
	bh=1871sDa3FgeUiL4DMO9/BACzOWz+ylh7He1AvqWy0Ms=;
	h=X-UI-Sender-Class:From:To:Subject:Date;
	b=GVe6wlAsVeGqqzZaI5/RGRXQf/Pl96LDDaVkzdFfVFmjh8o+A5SVWh+m1cMf6iToR
	 OuS8QiIFaQ3j/ctFW4bNY+9LKSFn3sN3VdLMRwTz3LNevPacGdZsEukaY3xK8y+L5R
	 1NcXD6dW99O0LYUigvs1HQxIiSRWdq3epHVuhpVE=

Does this fail because the sender is "gmx.de" but the DKIM Signature mentions "gmx.net"?
Other mail servers that handled that mail during transport marked the signature as valid:

Authentication-Results: mail.lima-city.de;
	dkim=pass (1024-bit key; secure) header.d=gmx.net header.i=@gmx.net header.b="GVe6wlAs";
	dkim-atps=neutral
X-Rspamd-Authentication-Results: mail.lima-city.de;
	dkim=pass header.d=gmx.net header.s=badeba3b8450 header.b=GVe6wlAs;
	spf=pass (mail.lima-city.de: domain of example@gmx.de designates 212.227.17.21 as permitted sender) smtp.mailfrom=example@gmx.de;
	dmarc=pass (policy=none) header.from=gmx.de

The error console prints this:

DKIM_Verifier.AuthVerifier	DEBUG	 AuthResult result found:  {"version":"3.0","dkim":[{"version":"2.0","result":"PERMFAIL","errorType":"DKIM_POLICYERROR_WRONG_SDID","errorStrParams":["gmx.de"]}],"spf":[{"method":"spf","method_version":1,"result":"pass","propertys":{"smtp":{"mailfrom":"example@gmx.de"},"header":{},"body":{},"policy":{}}}],"dmarc":[{"method":"dmarc","method_version":1,"result":"pass","propertys":{"smtp":{},"header":{"from":"gmx.de"},"body":{},"policy":{}}}]}

Uploading the full email content to https://www.appmaildev.com/en/dkim also displays that the DKIM signature is valid, so there seems to be a bug in the plugin - or I configured something in a wrong way.

@lieser lieser self-assigned this Jan 5, 2022
@lieser
Owner

lieser commented Jan 5, 2022

The error is not coming from an invalid signature, but from the sign rules one can configure in the policy tab. This is something specific to the addon.
The DKIM specification itself does not require any alignment between the from address and the signing domain.

In your case I'm assuming you have enabled the DMARC heuristic, which results in this unintended result.
You can create a user sign rule to specify that gmx.net should be a valid signing domain for gmx.de mails.
I will probably also add such a rule to the default ones.

See also

@lieser
Owner

lieser commented Jan 27, 2022

Added a default rule to allow gmx.de mails to be signed by gmx.net.

@lieser lieser closed this as completed Jan 27, 2022
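
The distinction described in the thread, between a cryptographically valid DKIM signature and a signer-policy check on the `d=` domain, as an added JavaScript example that is not part of the issue or the add-on's code. `checkSigner`, the rule format and the fallback heuristic are assumptions made for illustration; the heuristic is a simplified stand-in for DMARC alignment, which in practice compares organizational domains using the Public Suffix List. The sample header reuses the `d=`, `s=` and `t=` values from the report, with the hashes replaced by placeholders.

```javascript
// Added example; all function names and the rule format are hypothetical.
// Parse an RFC 6376 tag=value list (the value of a DKIM-Signature header).
function parseTagList(value) {
  const tags = {};
  for (const part of value.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // empty element, e.g. after a trailing ";"
    // Folding whitespace is dropped; fine for the d=, s=, bh=, b= tags.
    tags[part.slice(0, eq).trim()] = part.slice(eq + 1).replace(/\s+/g, "");
  }
  return tags;
}

// Domain of the address in a From header value ("Name <a@b>" or "a@b").
function fromDomain(fromHeader) {
  const m = /@([A-Za-z0-9.-]+)>?\s*$/.exec(fromHeader);
  if (!m) throw new Error("no address found in From header");
  return m[1].toLowerCase();
}

// True if domain a equals domain b or is a subdomain of it.
const sameOrSub = (a, b) => a === b || a.endsWith("." + b);

// Policy check, run only after the signature verified cryptographically.
function checkSigner(dkimSignature, fromHeader, signRules) {
  const sdid = (parseTagList(dkimSignature).d || "").toLowerCase();
  const from = fromDomain(fromHeader);
  const rule = signRules.find((r) => sameOrSub(from, r.from));
  // No rule: simplified alignment heuristic, SDID must be the From domain
  // or a parent of it (and not a bare TLD).
  const allowed = rule ? rule.sdid : [from];
  const ok = rule
    ? allowed.includes(sdid)
    : sdid.includes(".") && sameOrSub(from, sdid);
  if (ok) return { result: "SUCCESS", sdid };
  return { result: "PERMFAIL", errorType: "DKIM_POLICYERROR_WRONG_SDID",
           errorStrParams: allowed, sdid };
}

// Constructed sample: d=, s= and t= as in the report, hashes replaced.
const SAMPLE_SIG = "v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net;\r\n" +
  "\ts=badeba3b8450; t=1641291076; bh=PLACEHOLDER=; b=PLACEHOLDER";
const SAMPLE_FROM = "Example <example@gmx.de>";
const GMX_RULE = [{ from: "gmx.de", sdid: ["gmx.net"] }];

console.log(checkSigner(SAMPLE_SIG, SAMPLE_FROM, []).errorType);
console.log(checkSigner(SAMPLE_SIG, SAMPLE_FROM, GMX_RULE).result);
```

With no rule, the check reports the same `DKIM_POLICYERROR_WRONG_SDID` with `gmx.de` as the expected signer that appears in the console output above; with the rule in place, a signature from any domain other than `gmx.net` is still rejected for `gmx.de` senders.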