DKIM signing not working in bionic
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| amavisd-new (Debian) | Fix Released | Unknown | | |
| amavisd-new (Ubuntu) | Fix Released | High | Unassigned | |
| Xenial | Won't Fix | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Cosmic | Fix Released | High | Unassigned | |
Bug Description
[Impact]
* There is a known upstream issue in 2.0.11 breaking DKIM signing.
- https:/
- https:/
* Given the activity on the report it seems plenty of people set this up pre-Bionic and are now running into these failures on upgrade to the current LTS.
* Add a fix to avoid more people being hit by this on upgrade and being forced to deploy workarounds (or to drop the functionality).
[Test Case]
* Set up amavisd for DKIM signing, see
https:/
or any of
https:/
https:/
...
There seem to be a lot of guides, all doing the same essential steps.
TL;DR would be:
$ apt install amavisd-new
$ mkdir -p /var/db/dkim/
$ amavisd-new genrsa /var/db/
Add in /etc/amavis/
$enable_
dkim_key(
@dkim_signature
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
192.168.0.0/16); # list your internal networks
- Now showkeys will report your key, including the public key you'll need
- amavisd-new showkeys
- add the public key (as displayed) to your DNS zone, increment SOA sequence number and reload DNS;
- then test signing and a published key
- amavisd-new testkeys
Nevertheless you'd need to set up a lot of details and it feels unclear if you test the right thing; therefore my preference, with so many users reporting the issue, is to rely on them to test their real setups.
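After the "add the public key to your DNS zone" step above, a defender wants to confirm that the record actually published matches what showkeys printed before trusting testkeys. The following is an added Python example, not part of this bug report or of amavisd-new; the showkeys and dig outputs are constructed samples in the style of those tools (an assumption about their exact layout), and it handles DNS TXT string chunking plus the empty p= (revoked key) and t=y (testing mode) cases.

```python
import re

# Constructed sample in the style of `amavisd-new showkeys` output (assumption:
# the real tool prints a BIND-style TXT record split into quoted strings).
SHOWKEYS_OUT = """; key#1, domain example.com, /var/db/dkim/example.com.pem
dkim._domainkey.example.com.\t3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDexampleexampleexampleexample"
  "exampleexampleexampleQIDAQAB")
"""

# Constructed `dig +short TXT dkim._domainkey.example.com` answer as it would
# look after publishing; dig prints each TXT chunk as its own quoted string.
DIG_OUT = '"v=DKIM1; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDexampleexampleexampleexample" "exampleexampleexampleQIDAQAB"\n'


def join_txt_strings(text):
    """Concatenate every double-quoted string (undo DNS TXT 255-byte chunking)."""
    return "".join(re.findall(r'"([^"]*)"', text))


def parse_dkim_tags(record):
    """Split a DKIM key record into a tag dict (RFC 6376 tag=value list)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def check_published_key(showkeys_text, dig_text):
    """Return a list of findings; an empty list means DNS matches showkeys."""
    local = parse_dkim_tags(join_txt_strings(showkeys_text))
    published = parse_dkim_tags(join_txt_strings(dig_text))
    findings = []
    if not published:
        findings.append("no TXT record found: DKIM signatures will not verify")
        return findings
    if published.get("v", "DKIM1") != "DKIM1":
        findings.append("v= tag is not DKIM1")
    if published.get("p", "") == "":
        findings.append("p= is empty: record says the key is revoked")
    elif published.get("p") != local.get("p"):
        findings.append("published p= differs from the key showkeys printed")
    if "y" in published.get("t", "").split(":"):
        findings.append("t=y testing flag set: receivers may ignore failures")
    return findings
```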
[Regression Potential]
* With upstream not being active there is always a chance that things are missed, but multiple people came up with very similar solutions and multiple people tested these successfully.
The actual change sets the originating flag where it is needed on the
creation of dkim signatures.
Due to that setups not triggering dkim_make_
affected at all. And those that use dkim_make_
failing now due to the issue.
[Other Info]
* Upstream seems essentially dead atm, so it is on the community (users reporting patches on the ML) and the distributions (e.g. Fedora has taken a very similar change) alone for now.
* For some extra confidence I'd ask for some extra time in proposed for
this update.
----
Upon upgrading to bionic, amavisd-new DKIM signing no longer works.
A quick Google search reveals that this is a known bug in amavisd 2.11.0:
https:/
https:/
The Red Hat bug includes a proposed (one-line) patch. Fedora has already taken up this patch in their repo. I've applied the patch to my bionic server and it is a good fix there, too.
Requesting that Ubuntu also includes this patch in its repo.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: amavisd-new 1:2.11.0-1ubuntu1 [modified: usr/sbin/
ProcVersionSign
Uname: Linux 4.15.0-20-generic x86_64
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
Date: Thu May 10 18:57:32 2018
PackageArchitec
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: amavisd-new
UpgradeStatus: Upgraded to bionic on 2018-05-10 (0 days ago)
Related branches
- Reviews: Andreas Hasenack: Approve; Canonical Server: Pending requested; git-ubuntu developers: Pending requested
- Diff: 911 lines (+695/-3), 10 files modified:
  - debian/README.Debian (+17/-0)
  - debian/amavisd-new-postfix.dirs (+3/-0)
  - debian/amavisd-new-postfix.postinst (+93/-0)
  - debian/amavisd-new-postfix.postrm (+20/-0)
  - debian/changelog (+461/-0)
  - debian/control (+26/-3)
  - debian/etc/conf.d/21-ubuntu_defaults (+19/-0)
  - debian/etc/conf.d/40-policy_banks (+33/-0)
  - debian/patches/105_amavisd_fix_originating_dkim_signing.patch (+22/-0)
  - debian/patches/series (+1/-0)

- Reviews: Andreas Hasenack: Approve; Canonical Server: Pending requested; git-ubuntu developers: Pending requested
- Diff: 80 lines (+52/-0), 4 files modified:
  - debian/changelog (+9/-0)
  - debian/patches/100_more_amavisd_helpers_fixes (+19/-0)
  - debian/patches/105_amavisd_fix_originating_dkim_signing.patch (+22/-0)
  - debian/patches/series (+2/-0)

- Reviews: Robie Basak: Approve; Canonical Server: Pending requested; git-ubuntu developers: Pending requested
- Diff: 80 lines (+52/-0), 4 files modified:
  - debian/changelog (+9/-0)
  - debian/patches/100_more_amavisd_helpers_fixes (+19/-0)
  - debian/patches/105_amavisd_fix_originating_dkim_signing.patch (+22/-0)
  - debian/patches/series (+2/-0)
Changed in amavisd-new (Ubuntu): status: New → Confirmed; importance: Undecided → High; tags: added server-next
Changed in amavisd-new (Debian): status: Unknown → Confirmed
Changed in amavisd-new (Ubuntu Bionic): status: New → Confirmed
Changed in amavisd-new (Ubuntu Cosmic): status: Confirmed → In Progress
Changed in amavisd-new (Ubuntu Bionic): assignee: nobody → Christian Ehrhardt (paelzer); status: Triaged → In Progress
Changed in amavisd-new (Ubuntu Bionic): assignee: Christian Ehrhardt (paelzer) → nobody
Changed in amavisd-new (Debian): status: Confirmed → Fix Released
There are two patches floating out there:
a) https://lists.amavis.org/pipermail/amavis-users/2016-July/004428.html (the one you applied I believe) some_dkim_info($) { :load_policy_bank($_,$msginfo) for @bank_names; >originating(c('originating')); >dkim_signatures_valid(\@signatures_valid) if @signatures_valid;
--- amavisd.orig Tue Apr 26 21:24:33 2016
+++ amavisd Fri Jul 1 01:03:15 2016
@@ -34338,6 +34329,7 @@ sub collect_
$sig_ind++;
}
Amavis:
+ $msginfo-
$msginfo-
# if (ll(5) && $sig_ind > 0) {
# # show which header fields are covered by which signature
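Review bot: the added line in this hunk is truncated on the page to `+ $msginfo-`, so the accessor being called cannot be verified from the hunk itself; the quoted mailing-list text above shows `>originating(c('originating'))`, which is the only visible evidence that this is the "set the originating flag on creation of dkim signatures" change named in the description. The header `@@ -34338,6 +34329,7 @@` also carries a nine-line offset between old and new, so the patch was generated against a tree with other local changes and should be checked for fuzz when applied to the 1:2.11.0 package source.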
b) https://lists.amavis.org/pipermail/amavis-users/2018-February/005297.html smtp_request($$$$) { ipaddr_policy' lookup
Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl; >originating(c('originating'));
--- amavisd.orig Tue Apr 26 21:24:33 2016
+++ amavisd Fri Aug 5 12:32:39 2016
@@ -22806,6 +22806,7 @@ sub process_
}
# load policy banks from the 'client_
+ $msginfo-
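Review bot: this hunk sets the flag on `$msginfo` in `sub process_`, right after the policy banks from the client address lookup are loaded (the `load_policy_bank($_,$msginfo) for @bank_names_cl` context quoted above), so it runs for every request rather than only when a signature is being created. That is a wider behaviour change than patch a), and it does not match the [Regression Potential] text, which states that only setups reaching dkim_make_ are affected; if this variant is the one shipped, that section should be revised accordingly.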
@@ -34338,6 +34330,7 @@ sub collect_
$sig_ind++;
}
Amavis:
+ $msginfo-
$msginfo-
# # show which header fields are covered by which signature
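Review bot: this second hunk repeats the `sub collect_` change from patch a), so with the `process_` hunk above the same flag is assigned at two sites on the originating path. The description says the flag is only needed at signature creation; the reviewer should confirm which of the two sites is actually required before taking both, and the shipped debian/patches/105_amavisd_fix_originating_dkim_signing.patch should record in its header which of the two mailing-list variants it is.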
It's unfortunate upstream is no longer responsive.
Would you perhaps be able to comment on or even test the second patch?