DKIM Signature Do Not Validate When Using SMTP To Send Mail

[Citricguy]

When I send a message using an external SMTP client, DKIM signauteres on messages will not successfully validate.

When I use the built in Zimbra webmail client they validate successfully every time.

Both tests use the same email address, username/password etc. The only difference is the client used to send the mail.

I used this guide: Configuring for DKIM Signing - Zimbra :: Wiki to configure DKIM without any issues other than the one noted above.

---

$zmcontrol -v
Release 8.0.0.GA.5434.UBUNTU10.64 UBUNTU10_64 FOSS edition.

---

To test DKIM, I used the port25.com service. Upon emailing check-auth@verifier.port25.com, here are the relevent results I recieved for both the Webmail send, and the SMTP send.

SMTP Test:
Result: fail (wrong body hash: expected RzsU67ywQxiXDb1FZkrH7WnlatX9SyWIGQ8D3jY6geA=)

Webmail Test:
Result: pass (matches From: notifications@removed.com)

I get the same results using Gmail's "mailed-by:" and "signed-by:" headers. Messages send using the Zimbra Webmail client are 'signed' whereas messages sent using a SMTP are also signed, but do not validate.

What other pertanent information can I supply to help?

[houarnet-tech]

I have the same problem than you have and found that the dkim was not validated only for my thunderbird linux client.
it's ok for thunderbird under windows, outlook...
I tryed to change the Content-Type from utf8 to ISO-8859-15 but without success.
Please post if you find the solution, i'm greatly interested.

[bloom]

I have the same problem than you have and found that the dkim was not validated only for my thunderbird linux client.
it's ok for thunderbird under windows, outlook...
I tryed to change the Content-Type from utf8 to ISO-8859-15 but without success.
Please post if you find the solution, i'm greatly interested.

I have the same problem.
With Zimbra 8.0.1, sending with Thunderbird (Windows, ver. 16, 17) from account-A@mydomain to account-B@mydomain on the server itself, makes DKIM signatures check fail.
Other clients as well as sending from Zimbra web interface between the same accounts is OK.

How to fix that? And who is causing problems - ZCS or Thundrbird?

Regards
Piotr

[quanah]

Can you post full headers from each mail message?

[bloom]

Can you post full headers from each mail message?

Sure, I'll try to attach 3 files to this post. The files are meant only for research here.

The first mail is between two accounts on the problematic host. DKIM fails.
The second one is mail to another domain (also running ZCS 8.0.1) sent with webmail - DKIM is OK.
And the last is the same sent with Thunderbird - DKIM fails.

All 3 emails were sent by one sender (from the same account). Every mail sent by this sender to any account (on their ZCS or on my ZCS) with Thunderbird will fail. Emails sent to Gmail - no problem, Gmail says DKIM ok.
I cannot reproduce it on my accounts. I installed Thunderbird on my Ubuntu laptop but I cannot force it to fail.

Regards
Piotr

[quanah]

Thanks. I notice both of the failed emails use HTML style mail rather than plain text. Does changing Thunderbird to use plain text email resolve the issue?

[Alex_Filatau]

I've looked through your messages an got confused that all of them have "Content-Type: multipart/alternative;", but non have actual body content or at least both parts, only "Content-Type: text/plain; charset=UTF-8; format=flowed" at best.
Thunderbird or ZWC are sending both parts like in following example:
Content-Type: multipart/alternative;
boundary="------------070600010706050305000505"

This is a multi-part message in MIME format.
--------------070600010706050305000505
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit



--------------070600010706050305000505
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
</body>
</html>

--------------070600010706050305000505--

So did you cut the end of the messages or they were like this? Because DKIM signed Content-Type, and if some parts got missing after it, that's valid case of DKIM verification failure.

[bloom]

So did you cut the end of the messages or they were like this? Because DKIM signed Content-Type, and if some parts got missing after it, that's valid case of DKIM verification failure.

@Alex_Filatau: Yes, they were cut to show the headers. Here is the full message.
@quanah: Here is the full message in plaintext only. DKIM fails.

Code:

Return-Path: k.drosd@waran.pl
Received: from mx1.waran.pl (LHLO mx1.waran.pl) (10.30.0.3) by mx1.waran.pl
 with LMTP; Wed, 5 Dec 2012 15:56:22 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by mx1.waran.pl (Postfix) with ESMTP id 81B6DB60A2E
	for <pkam@waran.pl>; Wed,  5 Dec 2012 15:56:22 +0100 (CET)
X-Virus-Scanned: amavisd-new at new.waran.pl
X-Spam-Flag: NO
X-Spam-Score: -2.78
X-Spam-Level:
X-Spam-Status: No, score=-2.78 tagged_above=-10 required=6.6
	tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, DKIM_SIGNED=0.1,
	T_DKIM_INVALID=0.01, T_UNKNOWN_ORIGIN=0.01] autolearn=no
Authentication-Results: mx1.waran.pl (amavisd-new); dkim=fail (1024-bit key)
	reason="fail (message has been altered)" header.d=waran.pl
Received: from mx1.waran.pl ([127.0.0.1])
	by localhost (mx1.waran.pl [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id aDkji-6_WMLY for <pkam@waran.pl>;
	Wed,  5 Dec 2012 15:56:21 +0100 (CET)
Received: from [192.168.1.157] (unknown [192.168.1.157])
	by mx1.waran.pl (Postfix) with ESMTPSA id C7EC7B60A2A
	for <pkam@waran.pl>; Wed,  5 Dec 2012 15:56:21 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.6.0 mx1.waran.pl C7EC7B60A2A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=waran.pl;
	s=BD0CFCB4-0E74-11E2-A350-C78F06A280BF; t=1354719381;
	bh=EuvG3uxm1m1caBXVLhQTCzfLPR5zRp8T2kmFitun5QY=;
	h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type:
	 Content-Transfer-Encoding;
	b=hnIRIwKk3x5+lZZA2++0xa1ghRQoos6zvBG68Wi0dXfO5VBL47LxlDSOPnF24IVA5
	 vUgskK8SUinJClk9+JnoMKdFA8lvO3mHh2SjHik8vysJ87jgTdUmpMC9edNM4T+8ru
	 ijbxOEHwJEc2ed8MByUMmiGkGK0DXd+z7zdzwWIc=
Message-ID: <50BF6096.10906@waran.pl>
Date: Wed, 05 Dec 2012 15:56:22 +0100
From: Krzysztof Drosd <k.drosd@waran.pl>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: pkam@waran.pl
Subject: gcxhnfghfgxh
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable

dfhdfdfdfh
--=20
z wyrazami szacunku / Best Regards

Krzysztof Drosd
Project Coordinator
k.drosd@waran.pl
T: NOWY NUMER TELEFONU +48 56 699 44 00
F: +48 56 699 44 09


WARAN sp. z ograniczon=C4=85 odpowiedzialno=C5=9Bci=C4=85 sp. k.
Ceglana 6, 87-100 Toru=C5=84, PL
REGON: 340676257
NIP: 879-261-40-28
VATUE: PL8792614028
www.waran.pl
www.waran.pl/en


Tre=C5=9B=C4=87 powy=C5=BCszej wiadomo=C5=9Bci oraz do=C5=82=C4=85czone d=
o niej pliki s=C4=85 przeznaczone=20
dla konkretnego Adresata i mog=C4=85 zawiera=C4=87 informacje podlegaj=C4=
=85ce=20
ochronie. Je=C5=9Bli w efekcie pomy=C5=82ki wiadomo=C5=9B=C4=87 ta trafi =
do r=C4=85k Osoby=20
trzeciej, prosimy poinformowa=C4=87 o b=C5=82=C4=99dzie Nadawc=C4=99 i j=C4=
=85 usun=C4=85=C4=87.=20
Rozpowszechnianie, kopiowanie, drukowanie lub wykorzystywanie informacji=20
zawartych w mailu jest dzia=C5=82aniem prawnie zabronionym.
This e-mail and any files attached with it are confidential and intended=20
solely for the use of the individual to whom it is addressed. If you are=20
not the intended recipient of the e-mail you should not copy, modify,=20
distribute or take any action based on it. If you have received this=20
e-mail by mistake please notify the sender and delete this e-mail from=20
your system. Unauthorized publication, use, distribution, forwarding,=20
printing or copying of this e-mail and its attachments is strictly=20
prohibited.
---
Prosz=C4=99 pomy=C5=9Bl o ochronie =C5=9Brodowiska. Wydrukuj ten e-mail t=
ylko w=20
przypadku konieczno=C5=9Bci.
Please consider the environment. Please, print this e-mail only if=20
necessary.

[quanah]

Is the disclaimer on the bottom part of the original message, or added by something else?

[bloom]

Is the disclaimer on the bottom part of the original message, or added by something else?

It is part of the original message. I believe it is a signature defined in Thunderbird, but I would have to ask the sender to be sure.
The message was sent with Thunderbird to my account on the (same) server, displayed by me in Zimbra Webmail, and copy-and-pasted here.

Regards.
Piotr