DKIM-Signature header is duplicated when email is sent to several recipients and sender domain name is long

Comments

11 comments

  • Sebastian Ludwig

    Why is there no bug fix for Plesk Onyx 17.5.3? Because of this problem lots of mails were not delivered ...

    552 5.6.0 Headers too large (32768 max)
    554 5.4.6 Too many DKIM signatures
  • Alexandr Tumanov

    @Sebastian, the best solution in this case is to upgrade to 17.8.

    I cannot guarantee that this bugfix will be backported to 17.5 as 17.8 is the actual one.

  • Sebastian Ludwig

    @Alexandr: In this case I will wait for April 17 (https://support.plesk.com/hc/en-us/articles/360002067053-What-are-Plesk-Onyx-17-8-Release-dates-for-Early-adopters-General-Availability-Stable-tiers-) with the upgrade. Our customers are informed to send only single mails.

    thx for your reply

  • Alexandr Tumanov

    @Sebastian, great! Plesk Onyx 17.8 is already available for upgrade but it is not GA yet.

  • Sebastian Ludwig

    @Alexandr We have upgraded our Plesk ... the problem is not resolved. Per recipient one ...

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=crayssnlabs.de;
    	s=default; t=1523959929;
    	bh=[...]; l=312;
    	h=From:Subject:To;
    	b=[...]
  • Björn Mohrmann

    A "backport" to 17.5 has been declined, as the technical impact for running installations was considered too high: 315 duplicate DKIM Signatures in one Email Header (https://talk.plesk.com/threads/315-duplicate-dkim-signatures-in-one-email-header.340713/page-2#post-838903)

    As 17.8 is not yet GA, let's hope it will be fixed by June... otherwise I fear it will not be fixed at least until the next release - very, very annoying for such a serious bug that has already been known for so long....

  • Alexandr Tumanov

    @Björn, Plesk Onyx 17.8 is already GA. The issue is currently under investigation again on 17.8

  • Edward Hasbrouck

    Bug summary says, "This bug will be fixed in Plesk Onyx 17.8."

    I still experience this bug after today's update to Plesk Onyx Version 17.8.11, Update #5, on CentOS 6.9.

    Please update the summary to indicate status and expected timeline for fix.

     
       
  • Ivan Postnikov

    @Edward

    I have checked the bug status. The issue is still under investigation.

    Currently, there is no ETA for the fix. However, after the fix becomes available, this article will be updated.

  • Thomas Mooshammer (Edited)

    Since I can't disable DKIM as suggested and since there is no fix announced for Plesk 17.5.x, I came up with this solution for Plesk 17.5.x.
    It uses a custom Plesk mail handler to clean out duplicated headers.
    Important: ensure proper Linux line endings in the PHP file!

    # install file and set permissions
    cp DKIMSanitizer.php /usr/local/psa/handlers/hooks/DKIMSanitizer.php
    chown popuser:root /usr/local/psa/handlers/hooks/DKIMSanitizer.php
    chmod 0755 /usr/local/psa/handlers/hooks/DKIMSanitizer.php

    # list DKIM enabled domains
    /usr/local/psa/admin/bin/mail_handlers_control --list | grep domainkeys

    # register per dkim enabled domain, priority needs to be higher than the dkim signing handler (usually has priority 10)
    /usr/local/psa/admin/bin/mail_handlers_control --add --name=DKIMSanitizer \
        --type=sender-domain --mailname=DKIMDOMAIN.TLD --executable=/usr/local/psa/handlers/hooks/DKIMSanitizer.php \
        --queue=before-remote --priority=15

    # and enable it
    /usr/local/psa/admin/bin/mail_handlers_control --enable --name=DKIMSanitizer \
        --type=sender-domain --mailname=DKIMDOMAIN.TLD \
        --queue=before-remote

    # remove in case of problems
    /usr/local/psa/admin/bin/mail_handlers_control --remove --name=DKIMSanitizer \
        --type=sender-domain --mailname=DKIMDOMAIN.TLD \
        --queue=before-remote

    and that's the actual handler

    #!/usr/bin/php -c /etc/php5/cli/phpmailhandler.ini
    <?php
    class DKIMSanitizer {
        /**
         *
         * @var string
         */
        static $msg;
        static $count;
        static $sender;
        static $recipient;
        /**
         *
         * @var resource DebugLog File Pointer
         */
        static $_debugLog = null;
        const STREAMBUFFERSIZE = 8192;
        const LOGNAME = 'DKIMSanitizer';
        // optional path to logfile (writable to handler user)
        const LOGFILE = '';
        // const LOGFILE = '/var/log/spamwatch/spamwatch_debug.log';
        /**
         * regex to split headers from body
         */
        const BODYPATTERN = '/^Content-Type/im';
        /**
         * regex to catch all email-headers one by one
         * even multiline headers.
         */
        const HEADERPATTERN = '/^(.+?): ((.|\r\n\s)+)\r\n/m';
        /**
         * the pattern to match one or multiple DKIM-Signature Header
         */
        // const DKIMPATTERN = '/^DKIM-Signature: ((.|\r\n\s)+)\r\n/m';
        // msg is linux linefeed style, no carriage-return there!!!
        const DKIMPATTERN = '/^DKIM-Signature: ((.|\n\s)+)\n/m';

        static function process() {
            try {
                self::_init_logfile();
                $msg = self::_readInput();
                $matches = array();
                preg_match(self::BODYPATTERN, $msg, $matches, PREG_OFFSET_CAPTURE);
                if (isset($matches[0])) {
                    $bodystartpos = $matches[0][1];
                    $headers = substr($msg, 0, $bodystartpos);
                    // self::logmsg('Got Original Headers: ' ."\n" . $headers);
                    self::$count = 0;
                    $headersnew = preg_replace_callback(self::DKIMPATTERN, array(__CLASS__, 'dkim_callback'), $headers);
                    // self::logmsg('Got NEW Headers: ' ."\n" . $headersnew);
                    // preg_replace_callback() returns null on a PCRE error; never pass on a message without its headers
                    if ($headersnew !== null && self::$count > 1) {
                        // PASS
                        self::logmsg(self::$sender . ': removed ' . (self::$count - 1) . ' duplicate DKIM Headers.');
                        $newmsg = $headersnew . substr($msg, $bodystartpos);
                        fwrite(STDERR, 'PASS' . "\n");
                        fwrite(STDOUT, $newmsg);
                    } else {
                        // skip if no headers removed
                        // self::logmsg('mailhandler->DKIMSanitizer(): No header removed.');
                        fwrite(STDERR, 'SKIP' . "\n");
                        // in case of SKIP do not output message
                    }
                } else {
                    // no Content-Type header to split on: still report a status and leave the message unaltered
                    fwrite(STDERR, 'SKIP' . "\n");
                }
            } catch ( Exception $e ) {
                // skip or pass unaltered;
                self::logmsg('Exception in mailhandler->DKIMSanitizer():' . $e->getMessage());
                // error_log('Exception in mailhandler->DKIMSanitizer():' . $e->getMessage());
                fwrite(STDERR, 'SKIP' . "\n");
                // in case of SKIP do not output message
            }
        }

        // keeps the first DKIM-Signature header and drops every later one
        static function dkim_callback($match) {
            self::$count ++;
            if (self::$count > 1) {
                return '';
            }
            // default return unaltered
            return $match[0];
        }

        private static function _readInput() {
            global $argv;
            $context = @$argv[1];
            $sender = @$argv[2];
            $recipient = @$argv[3];
            self::$sender = $sender;
            self::$recipient = $recipient;
            // read msg from STDIN
            $msg = '';
            while ( ! feof(STDIN) ) {
                $msg .= fread(STDIN, self::STREAMBUFFERSIZE);
            }
            // save original message and prepare default result, if no daemon scans enabled.!
            self::$msg = $msg;
            // file_put_contents(self::LOGFILE.'.msg',$msg);
            return self::$msg;
        }

        private static function _init_logfile() {
            // open debuglog if debugging set
            if (strlen(self::LOGFILE) && ! self::$_debugLog) {
                self::$_debugLog = @fopen(self::LOGFILE, 'a');
                // self::logmsg(' called.');
            }
            // log environment vars!
        }

        public static function logmsg($msg, $level = 0, $cleanup = true, $severity = LOG_NOTICE) {
            if (self::$_debugLog && ! empty($msg)) {
                fwrite(self::$_debugLog, date("d/m/Y H:i:s") . ': ' . self::LOGNAME . '[' . @getmypid() . '] ' . $msg . "\n");
            }
        }
    }

    // to avoid problems with missing date.timezone in php.ini that causes warning messages in your logs
    date_default_timezone_set('Europe/Vienna');
    // large attachments might take long, so maybe increase time limit,
    if (! ini_get('safe_mode')) {
        // this seems to have no impact at all....., even 1 does not halt the script.
        set_time_limit(120);
    }
    DKIMSanitizer::process();
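Added example, not part of the comment above and not Plesk code: a Python check for a saved message that counts DKIM-Signature headers, separates identical repeats from distinct signatures (the handler above keeps only the first DKIM-Signature header it finds), and compares the header block with the 32768-byte limit quoted in the bounce. The function names and the sample message are constructed, and repeats are assumed to be byte-identical once unfolded.

```python
import re
from collections import Counter

HEADER_LIMIT = 32768  # from the bounce "552 5.6.0 Headers too large (32768 max)"


def header_block(raw: bytes) -> bytes:
    """Headers end at the first empty line; CRLF is normalised to LF first."""
    return raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]


def dkim_values(raw: bytes) -> list:
    """Unfold the headers and return every DKIM-Signature value, whitespace-normalised."""
    fields = []
    for line in header_block(raw).split(b"\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += line  # folded continuation of the previous header
        else:
            fields.append(line)
    values = []
    for field in fields:
        name, sep, value = field.partition(b":")
        if sep and name.strip().lower() == b"dkim-signature":
            values.append(re.sub(rb"\s+", b" ", value).strip())
    return values


def audit(raw: bytes) -> dict:
    """Summarise header size and repeated versus distinct DKIM signatures."""
    counts = Counter(dkim_values(raw))
    total = sum(counts.values())
    size = len(header_block(raw))  # LF-based, so the on-wire CRLF size is slightly larger
    return {
        "header_bytes": size,
        "over_limit": size > HEADER_LIMIT,
        "signatures": total,
        "distinct": len(counts),
        "repeats": total - len(counts),
    }


# Constructed sample: one signature repeated three times plus one distinct signer.
SIG_A = b"DKIM-Signature: v=1; a=rsa-sha256; d=example.org;\n\ts=default; bh=CONSTRUCTED; b=CONSTRUCTED\n"
SIG_B = b"DKIM-Signature: v=1; a=rsa-sha256; d=relay.example.net;\n\ts=k1; bh=CONSTRUCTED; b=CONSTRUCTED\n"
SAMPLE = SIG_A * 3 + SIG_B + b"From: a@example.org\nTo: b@example.com\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A message with `repeats` of 0 and `distinct` above 1 carries signatures from different signers, which is a different situation from the duplication described in this thread.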
  • Ivan Postnikov

    Hello @Thomas,

    Thank you for the provided workaround.

    Additionally, it is expected that a fix for Plesk 17.5 will be released in June.
