
DKIM Broken in 9.706-9?

Hey everyone,

Is anyone using DKIM on the Sophos UTM, and does anybody else have problems with it after the update to 9.706-9? We had reports that after the update multiple customers were blocking us due to spam detection. We then checked the headers in mxtoolbox, and we get a DKIM error: "Body Hash did not Verify". When we implemented DKIM and DMARC we tested both, and it has been working for several months now. We also checked the headers; there were no problems before.

I did not find anything relating to this, but I know that exim was updated in the last versions, and I saw that exim has a bug with DKIM (https://help.atmail.com/hc/en-us/articles/900007082823-Exim-v-4-94-2-and-DKIM). But I do not want to change any mailserver config files on the Sophos, so the fix on this website is nothing I want to try...

Anyone with a similar problem?

Thanks in Advance



  • We're on 9.507 and using DKIM. But we get a lot of trouble with false positives too. Our trouble is more with inbound false positives, but outbound too. I gave it a try and can confirm your result: Body Hash Did Not Verify.
    So we are at least 2 with the same problem. DKIM seems broken in 9.705-7 too.

    Best regards

    Alex


  • Hi Alex,

    at least I am not alone...

    Did you already install the update with the new exim version (9.705-7?)? And do you have the possibility to check if the Body Hash problem existed before this?
    By chance I had test emails in my external mailbox, and I could verify that the problem was not present at least a few weeks before the UTM update - headers were accepted in these messages.

  • I forgot to mention: Sophos support is already informed, but we have not gotten a response so far (for almost a week now...). The problem we have is that, even after we completely deleted all DKIM config (DNS entry, DKIM key in the Sophos, DMARC DNS entry...), some customers still block us. I guess we have a bad reputation after sending obviously spoofed emails for 3 days - I hope that a functioning DKIM will resolve this...

  • Yes, that was the one with the exim patch. But I can't confirm the result from before the update now... still searching. I'll give an update later.


  • Well, in my case mxtoolbox gives the same error on an older message. Maybe the test isn’t working or there is another problem in my case. Nevertheless, thanks for bringing this into my focus.


  • From my point of view the test at mxtoolbox is broken or I missed something, because it gives the same error for other mails from third parties too. But to be fair, without a complete upload I can't test emails from another person.
    So maybe DKIM in UTM isn't broken. I just can't tell. Maybe someone else.


  • I now have a response from Sophos Support - they sent me the manual for DKIM configuration. So I just reconfigured it with a new key created on the Sophos directly (before I did it on some Debian server) - now it works. I cannot say what it was, but now the DKIM hashes are okay.

    I also checked mxtoolbox again - if I try the "header analyzer" I still get a hash error. But before I also had errors in multiple other DKIM test tools. A test that is now working, for example, is this: https://mxtoolbox.com/deliverability - You just send an email to the mxtoolbox address, and you then get the report if your mails are okay. This report shows me that everything is okay with my DKIM now. It wasn't before, but now it looks good.

    Now we have to get ourselves removed from the bad reputation list of our customers - 4 days with broken DKIM seem to have a bad impact...

    Thanks!

  • After my upgrade to 9.706 I checked DKIM today. It's working, so no problem related to that version. Btw. another site to check DKIM is https://dkimvalidator.com/

    Best regards

    Alex


  • Hi Alex,

    I am not sure what system I used, but I tested it with different mail-in systems - mxtoolbox was one of them. They all told me that DKIM was faulty until I completely reset it with the new key.

    What is still strange: we have the aggregate DMARC reports enabled. And I need to check it again to be sure, but I would say that there are more failed DKIM alignments after the reconfiguration than there were before. But just a feeling, I need to check that again. For now we have DMARC and DKIM in testing mode, until we can be sure that it works fine...

  • We are using keys that were generated long before the exim patch to the UTM, and the keys were generated not via UTM. All DKIM checks work out, so I would say the patch is not the issue.
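
The "Body Hash did not Verify" error discussed in this thread means the `bh=` value in the `DKIM-Signature` header does not equal the hash of the canonicalized body as received. The following is an added example, not part of any post here and not Sophos or exim code: it recomputes `bh=` locally per RFC 6376 so a saved raw message can be checked without a web tool. The sample message, `example.org`, selector `s1` and the `b=` placeholder are constructed; only the body hash is checked, not the signature itself.

```python
import base64, email, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = re.split(rb"\r?\n", body)
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    if not lines:                          # empty body: CRLF (simple) or nothing (relaxed)
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str, algo: str = "sha256", length=None) -> str:
    data = canon_body(body, mode)
    if length is not None:                 # optional l= tag: hash only the first l octets
        data = data[:length]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def check_body_hash(raw: bytes) -> dict:
    """Recompute bh= for a raw message and compare with its DKIM-Signature."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1] if len(parts) > 1 else b""
    sig = email.message_from_bytes(parts[0])["DKIM-Signature"]
    tags = {}
    for item in sig.split(";"):            # tag=value list; folding whitespace is not significant
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    algo = tags["a"].split("-")[1]         # e.g. rsa-sha256 -> sha256
    length = int(tags["l"]) if "l" in tags else None
    computed = body_hash(body, mode, algo, length)
    return {"mode": mode, "claimed": tags["bh"], "computed": computed,
            "match": computed == tags["bh"]}

# Constructed sample: example.org, selector s1 and the b= value are placeholders.
def sample(canon: str, sent_body: bytes, received_body: bytes) -> bytes:
    bh = body_hash(sent_body, canon.split("/")[1])
    return (b"From: a@example.org\r\nDKIM-Signature: v=1; a=rsa-sha256; c=" + canon.encode()
            + b"; d=example.org; s=s1;\r\n h=from; bh=" + bh.encode()
            + b"; b=PLACEHOLDER\r\n\r\n" + received_body)

if __name__ == "__main__":
    sent = b"Hello,\r\n\r\nsee attachment.\r\n"
    rewrapped = b"Hello, \r\n\r\nsee  attachment.\r\n\r\n"   # whitespace changed in transit
    for canon in ("simple/simple", "relaxed/relaxed"):
        print(canon, check_body_hash(sample(canon, sent, rewrapped))["match"])
```

Feed `check_body_hash` the raw bytes of a received message (headers and body exactly as stored); a mismatch with `simple` body canonicalization that disappears under `relaxed` points to whitespace being altered after signing rather than to the key.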