hmailserver dkim spam setting

[palinka]

I'm seeing a lot of legitimate messages getting scored as spam by *hmailserver* for failing dkim. By "a lot" I'm guessing somewhere between 5%-10%, which seems high to me. Also, spamassassin passes some of them for dkim. Here's an example:

Code: Select all

X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on MyServer
X-Spam-Level: 
X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,JAM_LARGE_FONT_SIZE,JAM_SMALL_FONT_SIZE,MIME_QP_LONG_LINE,SPF_PASS
 autolearn=disabled version=3.4.1
X-Spam-Report:
 * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% *      [score: 0.0000]
 * -0.0 SPF_PASS SPF: sender matches SPF record 
 *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (redacted[at]icloud.com)
 *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 
 * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 
 * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 
 *  0.3 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (redacted[at]icloud.com) 
 *  0.0 HTML_MESSAGE BODY: HTML included in message 
 *  0.5 JAM_LARGE_FONT_SIZE RAW: Body of mail contains parts with very large font 
 *  0.5 JAM_SMALL_FONT_SIZE RAW: Body of mail contains parts with very small font 
 *  0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars  

[SNIP]
 
X-hMailServer-Spam: YES
X-hMailServer-Reason-2: Rejected by DKIM. - (Score: 5)
X-hMailServer-Reason-Score: 5

So you see that SA passes the message for dkim, while HMS rejects it. I believe the default HMS spam score for dkim fail is 5. I don't believe I ever changed it.

Because enough messages get caught up in this, I'm considering not allowing HMS to score for DKIM at all. However, it's caught plenty of real junk mail that way that SA missed or scored low. Before I get rid of HMS dkim checking, I figured I'd ask here to see if there are any opinions on the topic, since I'm sure I'm not the only one. Thanks in advance for your thoughts on the matter.

[SorenR]

My server only check for Virus, SPF and RBL's - SpamAssassin does the rest and then some

I've had a few false positives over the last couple of months but that's about it.

[palinka]

Yeah, redundancy is one good reason.

Why is hms failing dkim while sa passes the same message?

[mattg]

I think that you will find that

hMailserver checks only the most recent DKIM signature
SpamAssassin checks ALL DKIM signatures

[palinka]

I think that you will find that

hMailserver checks only the most recent DKIM signature
SpamAssassin checks ALL DKIM signatures

Interesting. I did not know that. However, there doesn't appear to be more than one dkim signature in the example message. Here is the header in full:

Code: Select all

Return-Path: [redacted]@icloud.com
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on MyServer
X-Spam-Level: 
X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,JAM_LARGE_FONT_SIZE,JAM_SMALL_FONT_SIZE,MIME_QP_LONG_LINE,SPF_PASS
 autolearn=disabled version=3.4.1
X-Spam-Report: * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% *      [score: 0.0000]
 * -0.0 SPF_PASS SPF: sender matches SPF record *  0.0 FREEMAIL_FROM Sender
 email is commonly abused enduser mail provider *      ([redacted][at]icloud.com)
 *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily *  
 valid * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
 author's *       domain * -0.1 DKIM_VALID Message has at least one valid
 DKIM or DK signature *  0.3 FREEMAIL_ENVFROM_END_DIGIT Envelope-from
 freemail username ends in *      digit ([redacted][at]icloud.com) *  0.0
 HTML_MESSAGE BODY: HTML included in message *  0.5 JAM_LARGE_FONT_SIZE
 RAW: Body of mail contains parts with very large *       font *  0.5
 JAM_SMALL_FONT_SIZE RAW: Body of mail contains parts with very small *    
 font *  0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76
 chars  *
Received: from st13p35im-asmtp002.me.com (st13p35im-asmtp002.me.com [17.164.199.65])
 by my-hmailserver-smtp-banner.tld with ESMTPS (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
 bits=128) ; Thu, 4 Oct 2018 06:47:21 -0400
Received: from process-dkim-sign-daemon.st13p35im-asmtp002.me.com by
 st13p35im-asmtp002.me.com (Oracle Communications Messaging Server 8.0.2.2.20180531
 64bit (built May 31 2018)) id <0PG200L00LRC0000@st13p35im-asmtp002.me.com>
 for me@mydomain.tld; Thu, 04 Oct 2018 10:45:53 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com;	s=04042017; t=1538649953;
 bh=Vyeqcd1H0pSXxMJUp/In17T+Dx+egoGynQ81gqe6wFk=; h=From:Content-type:MIME-version:Date:Subject:Message-id:To;
 b=jQ0QoojFB8o9khngcvc0NYo6U7puN+hM4RzdVvwVywqO39fL7KRQmh9F05MF+Qlze
 cNI3cPACMI7Y0gT2yUA48uo7eDLSPKr2K2Fn9yp76sr2QEq0fyYjiaoLeUg3NG+fTp
 y24gB36Rqy5ZMhelDA4VPVR8RnoRiEZ0vzAHrvRqjkTqJC1xVSNRxKNEQVd9rOCV70
 XlIZG9fYWTjp6a9WsL83XDF/M8cGq0l3KbNj6vN5KIwxqHB8KiIjCgZGOs7pFES1r4
 YnBujUgUaqV5o2XnlNQi+8U/NJJefwaUN/w/AwdO+HKFG8gkJyYv6JejGpnu2fbFCt
 ZSuLeq3fcCciw==
Received: from icloud.com ([127.0.0.1]) by st13p35im-asmtp002.me.com (Oracle Communications
 Messaging Server 8.0.2.2.20180531 64bit (built May 31 2018)) with ESMTPSA
 id <0PG200HVYLWFEG10@st13p35im-asmtp002.me.com> for me@mydomain.tld; Thu,
 04 Oct 2018 10:45:52 +0000 (GMT)
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0
 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 mlxscore=0 mlxlogscore=999
 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000
 definitions=main-1810040110
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-10-04_05:,, signatures=0
From: [name redacted] <[redacted]@icloud.com>
Content-type: multipart/alternative; boundary=Apple-Mail-0EE51250-EC9D-4CAD-AA36-4773A68E783C
Content-transfer-encoding: 7bit
MIME-version: 1.0 (1.0)
Date: Thu, 04 Oct 2018 06:45:51 -0400
Subject: Re: Your Latest SunPower Monitoring Monthly Report
Message-id: <7E008599-4693-426E-8AEB-5E3F66F1B4F0@icloud.com>
References: <20181004045029.Horde.de6tg3ygrvds2pruKWNAA2a@mydomain.tld>
In-reply-to: <20181004045029.Horde.de6tg3ygrvds2pruKWNAA2a@mydomain.tld>
To: [ME] <me@mydomain.tld>
X-Mailer: iPhone Mail (16A366)
X-hMailServer-Spam: YES
X-hMailServer-Reason-2: Rejected by DKIM. - (Score: 5)
X-hMailServer-Reason-Score: 5
X-Envelope-To: me@mydomain.tld
X-Envelope-OriginalTo: me@mydomain.tld
X-Envelope-From: [redacted]@icloud.com
X-hMailServer-Unsubscribe: 1:0
X-hMailServer-LoopCount: 1

If I'm reading correctly, it goes

1) mua > icloud.com
2) icloud.com > st13p35im-asmtp002.me.com (i assume this is an icloud server)
3) also received from: process-dkim-sign-daemon.st13p35im-asmtp002.me.com > st13p35im-asmtp002.me.com??? inserts icloud dkim??
4) st13p35im-asmtp002.me.com > my hmailserver

1, 2 & 3 all look to be internal to icloud/apple and only one dkim signature was inserted. I'm not sure where dkim could be broken.

* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

I don't know if this is important or not, but the message was his reply in this chain: 3rd party > me > fwd to my friend > his reply back to me. I assume the original message headers were obliterated after forwarding/replying with only the current message transport headers inserted/reviewed by SA/HMS. If that's the case, nothing from the original message could cause it to fail - and as far as I know, my message forwarded to my friend did not fail dkim at his end (I wouldn't know for sure but he received the message in any case).

[mattg]

So when the message was received by hMailserver there was no DKIM signature

The previous received header is followed immediately by a DKIM header

[palinka]

So when the message was received by hMailserver there was no DKIM signature

The previous received header is followed immediately by a DKIM header

Ah. Understood. Thanks. Is there a reason HMS doesn't check all signatures? In this case I got the message directly from apple's mail servers (I think) and if their process is out of order, wouldn't the world's mail servers also fail dkim for icloud accounts?

My receiving account used to be hosted at google apps before I moved it to HMS. I looked for a message from the same sender to see the headers, which were indeed in the same order as my example above. However, gmail passed it for dkim. Is this a bug with HMS? Or is HMS adhering to a stricter version of dkim authentication?

[mattg]

I don't know the answers to your questions

In saying that, having a valid DKIM as Sent (or as Received) makes more sense to me. Why should a message pass DKIM, and then be changed / modified by another server, and not have to be DKIM signed again

[palinka]

I don't know the answers to your questions

In saying that, having a valid DKIM as Sent (or as Received) makes more sense to me. Why should a message pass DKIM, and then be changed / modified by another server, and not have to be DKIM signed again

I agree that makes perfect sense. Now I'm curious as to why gmail passes it, and even more so as to why icloud - a large mail provider - would knowingly screw things up.