DKIM Signature Failed - body hash (bh) mismatched

[ignaciogutierrez]

Hi, I have installed and configured Postal in 4 domains, great work congratulations !!!

I use Postfix in my domains to relay mails into Postal, working good !!

But I have problems with DKIM Signature in one domain where I use an old support ticket named: osticket ( php ), when that app send an email, dkim signature fail.

GMail shows DKIM Fails
https://ondmarc.com shows: body hash mismatched
https://dkimvalidator.com/ also shows: result = fail / Details: body has been altered

I think is maybe it's because message is in base64 with blank lines.

Note: If I send an email from terminal ssh, dkim signature pass ok

Result on ondmarc.com

The message has a valid signature, but this is the raw error:

    "error": "bad signature",
    "explanation": "body hash mismatched",
    "source": 0,
    "tag": "bh"

Result on dkimvalidator.com

DKIM Information:
DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sait.mx; s=postal-g4lx9d; t=1597352261; bh=4kHXUP5bBJYGm4YppyJSFG/mVknFsv4NMaQwTnGFh3E=; h=to:subject:from:date:message-id; b=E0TDvc+BeCXtvrmTcEud8iVCro1jb/s9iwOrsEEyuCOzjry5IcccOr6DYOatOFpGA40AbJeiAX1HD8BBXQKQW7VRTJEAxVmb+9bQYMahRybuFvHsuTQWyz7ZpsDHlpBVg8LG9K9V2zAXmT9Y8J11+qEH0uPoGrDBeRZvoPkQyYQ=


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/relaxed
d= Domain:          sait.mx
s= Selector:        postal-g4lx9d
q= Protocol:        
bh=                 4kHXUP5bBJYGm4YppyJSFG/mVknFsv4NMaQwTnGFh3E=
h= Signed Headers:  to:subject:from:date:message-id
b= Data:            E0TDvc+BeCXtvrmTcEud8iVCro1jb/s9iwOrsEEyuCOzjry5IcccOr6DYOatOFpGA40AbJeiAX1HD8BBXQKQW7VRTJEAxVmb+9bQYMahRybuFvHsuTQWyz7ZpsDHlpBVg8LG9K9V2zAXmT9Y8J11+qEH0uPoGrDBeRZvoPkQyYQ=
Public Key DNS Lookup

Building DNS Query for postal-g4lx9d._domainkey.sait.mx
Retrieved this publickey from DNS: v=DKIM1; t=s; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3RnbaUAW0col8JCxXKZIO+CavSIpmbuN8QRXyjFl3SwqMyBNF/CNnzbR5hX8hpxGnjGuIP8cKuoabVcAfDhXXilZ5UUHS4hevDBtyFWvmFj0k1rhTFZ0TGo5UC5t5WPd7qDcBm/Fpb0TeRjOnLsIr0Yev1ghXAWbWWtxW+ENQsQIDAQAB;
Validating Signature

result = fail
Details: body has been altered

Original Message

Received: from postal.saitnube.com (postal.saitnube.com [138.68.248.63])
	by relay-6.us-west-2.relay-prod (Postfix) with ESMTPS id 9418A21BCA
	for <[email protected]>; Thu, 13 Aug 2020 20:57:41 +0000 (UTC)
Resent-Sender: [email protected]
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sait.mx; s=postal-g4lx9d; t=1597352261; bh=4kHXUP5bBJYGm4YppyJSFG/mVknFsv4NMaQwTnGFh3E=; h=to:subject:from:date:message-id; b=E0TDvc+BeCXtvrmTcEud8iVCro1jb/s9iwOrsEEyuCOzjry5IcccOr6DYOatOFpGA40AbJeiAX1HD8BBXQKQW7VRTJEAxVmb+9bQYMahRybuFvHsuTQWyz7ZpsDHlpBVg8LG9K9V2zAXmT9Y8J11+qEH0uPoGrDBeRZvoPkQyYQ=
X-Postal-MsgID: zO8hTinyNrED
Received: from soporte.sait.mx (::ffff:199.217.112.175 [::ffff:199.217.112.175]) by postal.saitnube.com with SMTP; Thu, 13 Aug 2020 20:57:41 -0000
Received: by soporte.sait.mx (Postfix, from userid 48)
	id 8B3713C07FA; Thu, 13 Aug 2020 20:57:40 +0000 (UTC)
To: [email protected]
Subject: SAIT Servicio 099957 prueba de correo
X-PHP-Originating-Script: 48:mail.php
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=utf-8
MIME-Version: 1.0
From: "Soporte SAIT" <[email protected]>
Date: Thu, 13 Aug 2020 15:57:40 -0500
Message-ID: <[email protected]>
X-Mailer: osTicket Mailer
In-Reply-To: <lvjj8o8EophKB9d9NXpsOGZF@fb2321fb46>
References: <lvjj8o8EophKB9d9NXpsOGZF@fb2321fb46>

LS0gUmVzcG9uZGVyIGFycmliYSBkZSBlc3RhIGxpbmVhIC0tCistLS0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0tLS0tKwp8IFNlcnZpY2lvIFNBSVQgICAgICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwKKy0tLS0tLS0t

LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCnwgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsg

fAp8IHwgKkVzdGltYWRvIElnbmFjaW8gR3V0acOpcnJleiBUb3JyZXJvLCogICAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfCB8CnwgKy0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0tLSsgfAp8IHwgU3Ugc2VydmljaW8gaGEgdGVuaWRvIHJlc3B1ZXN0YSAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8IHwKfCB8ICojT3Jk

ZW46KiAwOTk5NTcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgfCB8CnwgfCAqQXN1bnRvOiogcHJ1ZWJhIGRlIGNvcnJlbyAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwg

fAp8ICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rIHwKfCB8IGFxdWkgdmEgb3RybyAgICAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgfCB8CnwgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsgfAp8IHwgKlBhcmEg

c2VndWltaWVudG8gZGVsIHNlcnZpY2lvIHZpc2l0ZToqICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICB8IHwKfCB8IFtodHRwOi8vc29wb3J0ZS5zYWl0Lm14L3RpY2tl

dHMucGhwP2lkPTM0OTg1XSgjKSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfCB8

CnwgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsgfAp8IHwgKlBhcmEgY29uc3VsdGFyIHRv

ZG9zIHN1cyBzZXJ2aWNpb3MsIHZpc2l0ZToqICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICB8IHwKfCB8IFtodHRwOi8vc29wb3J0ZS5zYWl0Lm14L3RpY2tldHMucGhwXSgjKSAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfCB8CnwgKy0tLS0tLS0t

LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0tLS0tLS0tLS0tLSsgfAp8ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwK

Ky0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCnwgSW5nLiBJZ25hY2lvIEd1dGnDqXJy

ZXogVG9ycmVybyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgIHwKfCBDVE8gU0FJVCBTb2Z0d2FyZSBBZG1pbmlzdHJhdGl2byAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8CnwgRU1haWw6IGln

bmFjaW9Ac2FpdC5jb20ubXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgfAp8IFNreXBlOiBpZ25hY2lvZ3V0aWVycmV6ICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwK

fCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8CnwgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgfAp8IFNBSVQgU29mdHdhcmUgQWRtaW5pc3RyYXRpdm8gICAgICAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwKfCBbd3d3LnNvcG9y

dGUuc2FpdC5teF0oIykgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICB8CnwgRGVwYXJ0YW1lbnRvIGRlIFNvcG9ydGUgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfAp8

IFRlbC4gKDY1MykgNTM0LTg4MDAgZXh0IDIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwKKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t

LS0tLS0tLS0rClJlZi1NaWQ6ICRNRDhDQUE9PSRmMzQ4ZjYyMzdlQGZiMjMyMWZiNDYK

[willpower232]

the spacing certainly looks odd, I presume that message is being sent with SMTP to Postal? It would be good to see the message as it was sent from osticket in case there is some kind of conversion occurring which leads to the wrong hash being generated.

[saschaarthur]

Hello,

We can as well confirm that in some rare cases (~0.1%) our DKIM signature seems to be wrongly calculated by postal. Our Dmarc/DKIM is set to stricly reject non matching signatures. Our message we deliver to postal via api

Our Dmarc reports also confirm exactly this problematic.

Opening the mail which tries to be delievered inside of thunderbird/testing it against https://www.appmaildev.com/en/dkimfile also proofs that the dkim hash seems to be broken..

In this rare case also "redeliver" fails with this message:

550-5.7.26 Unauthenticated email from xxx.com is not accepted due to domain's 550-5.7.26 DMARC policy. Please contact the administrator of xxx.com domain 550-5.7.26 if this was a legitimate mail. Please visit 550-5.7.26 https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.26 DMARC initiative. l188si4946828ybf.176 - gsmtp

We were unable to reproduce the issue till now..

If @ignaciogutierrez can reproduce that its only in some cases failing (or maybe his domain has content which let us reproduce the issue), we may have a good starting point here..

[ignaciogutierrez]

the spacing certainly looks odd, I presume that message is being sent with SMTP to Postal? It would be good to see the message as it was sent from osticket in case there is some kind of conversion occurring which leads to the wrong hash being generated.

Yes the message is using smtp. I use Php Osticket as app, php use mail() function in Centos OS, I have postfix as a mail agent that send all mail to Postal.

I will try to find a way to see the message as it was sent from osticket, maybe in Postfix are some tools, but the message do include a additional LF in each line.

[ignaciogutierrez]

We were unable to reproduce the issue till now..

If @ignaciogutierrez can reproduce that its only in some cases failing (or maybe his domain has content which let us reproduce the issue), we may have a good starting point here..

Yes we can reproduce the issue, in fact all mail sent using OSticket has the problem

[dragoangel]

Any comment on it? Issue reproduce in some cases endlessly: if you try resend same email is will be signed incorrectly again and again, at same time changing from or body little bit fix issue for one email. @willpower232 set bug status please and this big issue actually that mail singed incorrectly even in 0.9% cases.

[saschaarthur]

Not a discussion. Still an unsolved issue..

[dragoangel]

Can you please contact @adamcooke in postal slack and provide your failed samples, this could help to resolve this issue. Adam tried to reproduce this with my samples, but without success

[saschaarthur]

Added ruf and fo=1 option to my dmarc entry to gather examples of broken dkim signature mails. Will come back to @adamcooke as soon as i have examples.

[adamcooke]

I've just rewritten the DKIM canonicalisation to directly reference the RFC. In the absence of any reproduction steps, I'm hoping this will be sufficient to remove these odd DKIM signing issues.

[saschaarthur]

deploying your mentioned #1506 to check if the issues still persists

[saschaarthur]

Sadly i also need to confirm that theres still emails where dkim seems to fail.

postal-001 is patched with 189dfa5, postal2-4 is still running the old version as you can see its still about ~0.1% failing dkim alignment.

Im trieing to gather example mails, but adding ruf=mailto:[email protected]; fo=1 didnt deliver me any so far.. Any idea what could be wrong about this approach? If i get it right about these headers, the providers should deliver me broken dkim mails or do i miss something here?

[dragoangel]

No, they are, but mostly nobody support RUF

[saschaarthur]

Thanks for the insights @dragoangel. Are you able to generate a broken dkim example?

@adamcooke needs an example to reproduce the issue to fix it.

I send him my examples private via slack so far.

[dragoangel]

Yes, I can reproduce it, and I send them far ago and few days ago.

[dragoangel]

Unfortunately not have a clue why all this not work as expected