ot: dkim "fail (message has been altered)" ?

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

ot: dkim "fail (message has been altered)" ?

lists-3
I'm attempting to implement dkim/dmarc, noticed that many spam messages
have like "fail (message has been altered)":

Authentication-Results: geko.sbt.net.au (amavisd-new);
    dkim=pass (1024-bit key) header.d=dossierinfotech.in.net;
    domainkeys=fail (1024-bit key)
    reason="fail (message has been altered)"
    header.from=[hidden email]
    header.d=dossierinfotech.in.net

is that something that can be rejected/blocked in Postfix, and how? or
where should that be utilized ?

thanks,

Voytek

Reply | Threaded
Open this post in threaded view
|

Re: ot: dkim "fail (message has been altered)" ?

Benny Pedersen-2
[hidden email] skrev den 2019-06-01 15:39:
> I'm attempting to implement dkim/dmarc, noticed that many spam messages
> have like "fail (message has been altered)":

wow

> Authentication-Results: geko.sbt.net.au (amavisd-new);
>     dkim=pass (1024-bit key) header.d=dossierinfotech.in.net;
>     domainkeys=fail (1024-bit key)
>     reason="fail (message has been altered)"
>     header.from=[hidden email]
>     header.d=dossierinfotech.in.net

run amavisd-milter ?

did you report to that maillist ?

mailer@ is imho a dsn of content from dsn, why did this fail ?

> is that something that can be rejected/blocked in Postfix, and how? or
> where should that be utilized ?

postfix can only disable  milters, so you you like to stop it, do it in
opendkim, but do not reject your self from millists, eg
whitelist/disable maillist milters first
Reply | Threaded
Open this post in threaded view
|

Re: ot: dkim "fail (message has been altered)" ?

Ralph Seichter-2
In reply to this post by lists-3
* lists:

> Authentication-Results: geko.sbt.net.au (amavisd-new);
>   dkim=pass (1024-bit key) header.d=dossierinfotech.in.net;
>   domainkeys=fail (1024-bit key)
>   reason="fail (message has been altered)"

Domainkeys is long since deprecated. Also, the DKIM signature is
reported as OK, so that's not really a good example.

In any case, many mailing lists break DKIM sigs by modifying the subject
line or body of messages, so rejecting/discarding mail based on DKIM
alone is prone to cause trouble for you. DMARC offers an approach that
also includes SPF, but it has problems of its own.

> is that something that can be rejected/blocked in Postfix, and how? or
> where should that be utilized ?

You appear to be using amavis, so I suggest you use amavis' spam scoring
mechanisms instead of Postfix.

-Ralph