The body hash is a certain value which consists of a string of characters determined by the hash algorithm. In this case, it is computed based on the message body. After seeing this error, we concluded that the ‘body canocalization’ was set on relaxed, which should avoid issues with body hash calculations.
I have successfully installed Postfix and OpenDkim on my server, and it's correctly signing mail from several different domains. The host we'll call webhost.example.com. It's running Ubuntu 18.04.2 LTS, Postfix 3.3.0 and OpenDKIM v2.11.0
Today I wanted to get output from some CRON jobs sent to my Gmail account so I set up the required entries in the KeyTable and SigningTable and generated the keys and tested it with a one line email to myself.
This should generate an email from [email protected]. It does, correctly signed by OpenDKIM, and delivered to my Gmail account where it successfully passes validation.
Here's what I get at GMail:
So far, so good.
I set up my cron jobs and add the line
The output is generated, signed and mailed, but GMail fails the DKIM validation with
Here's the complete email. If it's useful this is output from a curl request.
The emails from cron also fail the Port25 verifier in the same way
So, the question is:
Why does my DKIM configuration correctly sign everything but output from CRON?
What can I do to fix this?
I could try using a script to run the curl request and send the email with mail, but I have a number of other cron jobs to add yet and I'd rather fix the underlying problem before trying work-arounds.
Redd HerringRedd Herring
1 Answer
Since there was little response here I posted this question on ServerFault. Here's the answer I got, courtesy of cora. Setting the FixCRLF flag solved the problem. I haven't yet investigated the temporary files to see if there's more information to be had there.
The authentication results done by mx.google.com imply there's something different in the respecitve body between the messages you send on the command line and the ones which are send by a cron job: 'body hash did not verify'.
One common problem with OpenDKIM are irregular line endings. RFC 5322 states that 'CR and LF MUST only occur together as CRLF; they MUST NOT appear independently in the body.' So maybe the messages send by you manually have correct line endings, but the ones send by a cron job do not. You can try to set 'FixCRLF yes' in the config of OpenDKIM.
Despite whether this is the cause, you can enable 'KeepTemporaryFiles' in OpenDKIM: 'Instructs the filter to create temporary files containing the header and body canonicalizations of messages that are signed or verified. The location of these files can be set using the TemporaryDirectory parameter. Intended only for debugging verification problems.' That way you can compare the original body and the one delivered to GMail and probably find out what's the difference that causes the validation error.
Redd HerringRedd Herring
Not the answer you're looking for? Browse other questions tagged postfixgmaildkim or ask your own question.
HiWe have a client who has just had a DKIM domainkey setup for them. Unfortunately some emails are not getting through to the end users (especially if using Mimecast mail servers).
We have been doing some testing and have found that:
Emails that do not have an attached file - it pass the DKIM checks.
If emails have attached documents, they seem to pass OK as well.
If emails have got an attached email that was originally from the sender, it passes OK
If an email has an attached email from a third party (that has originally been changed with DKIM) it fails the DKIM test on our/the recipients servers. This has happened to us and we use exchange online servers.
When it fails it says dkim=fail (body hash did not verify)
They have a valid SPF record also setup and every email through the testing procedure seems to pass on the SPF checks without any failures.
There is no DMARC record setup yet, but as far as I can see this is the next step after we have got DKIM working correctly.
Unfortunately our client who is having this problem quite often forward a lot of emails during their working day so need this resolving.
Any help would be appreciated.