is anyone using DKIM on the Sophos UTM - and has anybody else problems with it after the update to 9.706-9? We had reports that after the update multiple customers were blocking us due to spam detection. We then checked the headersin mxtoolbox, and we get a DKIM error: "Body Hash did not Verify". When we implemented DKIM and DMARC we tested both, and it was working for several months now. We also checked the headers, there were no porblems before. I did not find anything relating to this, but I know that exim was updated in the last versions, and I saw that exim has a bug with DKIM (https://help.atmail.com/hc/en-us/articles/900007082823-Exim-v-4-94-2-and-DKIM). But I do not want to change any mailserver config files on the sophos, so the fix in this website is nothing I want to try...Anyone with a similar problem?
Thanks in Advance
I now have a response from Sophos Support - they sent me the manual for DKIM configuration. So I just reconfigured it with a new key created on the Sophos directly (before I did it on some debian server) - now it works. I cannot say what it was, but now the DKIM hashes are okay.
Alexander BuschI also checked mxtoolbox again - if I try the "header analyzer" I will still get a hash error. But before I also had errors in multiple other dkim test tools. A test that is now working for example is this: https://mxtoolbox.com/deliverability - You just send an email to the mxtoolbox address, and you then get the report if your mails are okay. This report shows me that everything is okay with my DKIM now. It wasn't before, but now it looks good.
Now we have get us removed from the bad reputation list from our customers - 4 days with broken DKIM seem to have a bad impact...
After my upgrade to 9.706 I checked DKIM today. It's working, so no problem related to that version. Btw. another site to check DKIM is https://dkimvalidator.com/
i am not sure what system I used, but I tested it with different mail-in systems - mxtoolbox was one of it. They all told me that DKIM was faulty until I completly reset it with the new key.
What is still strange: we have the aggregate DMARC reports enabled. And I need to check it again to be sure, but I would say that there are more failed DKIM Alignments after the reconfiguration than there were before.. But just a feeling, I need to check that again. For now we have DMARC and DKIM in testing mode, until we can be sure that it works fine...
We are using keys that were generated long before the exim patch to the UTM, and the keys were generated not via UTM. All DKIM checks work out, so I would say the patch is not the issue.