This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DKIM issue with ed25519 selector

One of our customers is encountering the following DKIM issue. Emails from two suppliers are consistently being quarantined due to DKIM verification. The selectors are as follows:

s=strato-dkim-0003 c=relaxed/relaxed a=ed25519-sha256 b=512
s=strato-dkim-0002 c=relaxed/relaxed a=rsa-sha256 b=2048

On the selector "strato-dkim-0003," the XG firewall reports a "fail," and the email is quarantined (presumably because of the message: "Sophos Firewall quarantines DKIM-signed emails that use RSA SHA-1 or have key length less than 1024 or more than 2048 bits.").

However, shouldn't the XG firewall fall back to the "strato-dkim-0002" selector, which is accepted?

The customer is experiencing this issue with two suppliers who both use the same provider. For now, I have implemented a workaround by excluding the mail servers of the provider from DKIM checks, but I don't consider this a proper solution.

The version is: XG310 (SFOS 19.5.3 MR-3-Build652)

This thread was automatically locked due to age.

Top Replies

JanosRapcsak over 1 year ago +1 verified

Hi Jules, this issue is already tracked under the ticket ID NC-125084 with a workaround available. Please contact support or send me a pm. Thank you, Janos

Parents

0 Vivek Jagad over 1 year ago

Hello Jules van Diesen ,

Thank you for reaching out to the community, Yes this is a known behavior - NC-124282/NC-125084 and a work around is available, request you to please log a service request, and revert us the case id here, so that we can expedite the workaround available.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Jules van Diesen over 1 year ago in reply to Vivek Jagad

Hello Vivek Jagad,

I have logged service request 07041945

Best regards,

Jules
Cancel
Vote Up 0 Vote Down

Cancel
0 Erick Jan over 1 year ago in reply to Jules van Diesen

Hi Jules,

Thank you for sharing the case ID. Will put a note on your case.

Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Erick Jan over 1 year ago in reply to Jules van Diesen
Hi Jules,

As for the update, the case handler has requested the below information. Kindly provide the necessary details through email directly with your case handler.

Would you kindly confirm the following details?

What is the serial number of the firewall?

Regarding the DKIM issue with the ed25519 selector, is it possible for us to reproduce the issue?

We require smtpd_main logs in debug mode and also the sample email.

Below are the steps we’ll take to capture all the logs and configuration from the firewall:

Enable debug for smtpd and collect smtpd_main.logs

service smtpd:debug -ds nosync

Take the screenshot of the config

Full email sample of failed dkim check
Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Erick Jan over 1 year ago in reply to Jules van Diesen
Hi Jules,

As for the update, the case handler has requested the below information. Kindly provide the necessary details through email directly with your case handler.

Would you kindly confirm the following details?

What is the serial number of the firewall?

Regarding the DKIM issue with the ed25519 selector, is it possible for us to reproduce the issue?

We require smtpd_main logs in debug mode and also the sample email.

Below are the steps we’ll take to capture all the logs and configuration from the firewall:

Enable debug for smtpd and collect smtpd_main.logs

service smtpd:debug -ds nosync

Take the screenshot of the config

Full email sample of failed dkim check
Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Erick Jan over 1 year ago in reply to Erick Jan

Hi,

To confirm, it matches NC-125084

Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel