- Plesk 12.5 for Linux
- Plesk Onyx for Linux
Note: This article has the reference to the issue with the fix available:
- #PPPM-5149 "Signature verification failed for DKIM-signed mail sent from one Plesk server to another due to excessively strict DKIM canonicalization."
- Plesk Onyx Update 6 14 November 2016 (Linux)
- The following mail settings are turned on: Allow signing outgoing mail and Verify incoming mail in Tools & Settings > Mail Server Settings on sending and receiving mail servers.
- Use DKIM spam protection system to sign outgoing email messages is enabled in Home > Domains > example.com > Mail Settings.
- /var/log/maillog on receiving server contains the following error:
CONFIG_TEXT: DKIM verify result: DKIM verification failed: signature verification failed
Product bug PPPM-5149 is created. DKIM has two canonicalization modes - simple and relaxed.
c=simple/simple mode is used by default. But some servers and mail clients can make changes in e-mail headers and body such as a number or white spaces, letters case in header, spaces in the end of body string. And DKIM signature gets invalid.
The bug was fixed in Plesk Onyx Update 6.
Install the latest Plesk updates.
Also, for Plesk Onyx 17.0 on Debian 8.6 the following workaround can be applied:
Connect to the server via SSH
Download the hotfix for Plesk Onyx 17.0.17:
# cd /root
# wget https://support.plesk.com/hc/en-us/article_attachments/115004356765/dk_sign
Backup the file
# cp /opt/psa/handlers/hooks/dk_sign /opt/psa/handlers/hooks/dk_sign.orig
Replace the original file with the downloaded one:
# mv -f /root/dk_sign /opt/psa/handlers/hooks/