DKIM Failures with Backup MX
Problem reported by kevind - January 31 at 4:09 PM
Resolved
Just upgraded backup MX server to latest version: 15.7.6600.
Still running a late 2017 version of v15 on primary server.
 
Now messages that come in via backup MX have 2 false positives:
X-SmarterMail-Spam: Reverse DNS Lookup, DKIM_Fail
I saw that there were some DKIM fixes in the latest version.  So is this a bug in latest version, or will the situation be resolved by upgrading primary server to latest version?  TIA!

8 Replies

Reply to Thread
2
Scott Forsythe Replied
I tested sending from gmail.com directly to our SM 15.7.6508 server and DKIM passed. I sent another gmail.com message to our backup SM 15.7.6600 gateway and DKIM failed when the message was delivered to our primary SM 15.7.6508 server.
 
I downgraded our gateway to SM 15.7.6508 and tested again. DKIM now passes for messages routed through our gateway.
2
kevind Replied
Hoping someone from ST could weigh in on this. Do you think the DKIM issues are with older versions of 15, like 15.7.6508, and it doesn't know how to handle 'correct' messages from the gateway which is running 15.7.6600?
 
Or does 15.7.6600 still have DKIM issues (3 fixes in last two version) and it doesn't know how to process messages in gateway mode?
 
I realize we could probably tests all the combinations, but it's a pain upgrading & downgrading in a production environment. Normally we upgrade the backup MX first as that's the safe bet, and that's when the problem started.
 
Thanks!
0
David Fisher Replied
Hi Scott,

Why are you still running v15.7.6508 on the primary server? Upgrade them all to v15.7.6607 or (6600), as you are 4 versions behind. I always recommend using the latest build, seems to work most of the time in my case.

If you are running the built in clamav you need to upgrade to v15.7.6607 for security reasons anyways.

-dave
0
David Fisher Replied
Hi Kevin,

I noticed DKIM fail in the logs until I upgraded to 15.7.6600 and no more errors of that in the logs :
DKIM Fail: The DKIM key has expired as of 1/1/0001 12:00:00 AM

I would suspect we should be on the latest v15.7.6607 for clamav security issue reasons and also there has been bug fixes past few builds.. Both gateway MX and primary MX should be on that build, IMHO.

FYI - I am pretty sure v15.7.6572 broke DKIM when they fixed the following :
Fixed: DKIM signature field expiration is not being taken into account.

Cheers,
-dave
0
Scott Forsythe Replied
Hey Dave,

Thanks for the reply. I upgraded our gateway today to v15.7.6607 and tested sending to our SM servers again. This time messages sent directly to our primary SM server and through our gateway passed DKIM. It appears the DKIM problem was correctly with v15.7.6607. Good news.

We'll upgrade our primary SM server if things continue to test out OK.

Thanks,
Scott
0
kevind Replied
Dave, thanks for sharing your experiences and suggestions. Will do more thorough testing and probably upgrade everything to latest version.

Just hesitant because with SM's track record, it's a good idea to wait a week or 2 after each new build to make sure no new problems are introduced. Your remark about 15.7.6572 breaking DKIM is a perfect example.
2
Scott Forsythe Replied
I found another possible problem after upgrading the primary SM server to 15.7.6607. SPF is failing when a message is routed through the gateway. I'm going to start a new thread for this.
 
 
 
2
kevind Replied
Just reporting that this issue appears to be fixed when running the latest version (15.7.6614) on the gateway.
 
But didn't see any mention of this fix in the release notes???  Would be nice if someone from ST replied to this thread.
 
But now there's an SPF problem when running 15.7.6614 on both the primary and gateway:
 

Reply to Thread