Transaction failed: Duplicate header 'DKIM-Signature'
I am observing the following error message in the logs for one specific list:
= = = relay=email-smtp.us-east-1.amazonaws.com[35.168.84.210]:587, delay=0.27, delays=0.05/0.04/0.12/0.06, dsn=5.0.0, status=bounced (host email-smtp.us-east-1.amazonaws.com[35.168.84.210] said: 554 Transaction failed: Duplicate header 'DKIM-Signature'. (in reply to end of DATA command)) = = =
As I mentioned, this happens for one single list only and this list has not been able to send any email for a week now. After checking mailman-users, I came across the following setting, which seems kind of related to my issue:
= = = To distribute messages with valid DKIM signatures, I set remove_dkim_headers: yes in /etc/mailman3/mailman.cf = = =
Here are my questions:
1 - I have around 100 lists and this happens for this one list only, so, I am not sure, if the issue might be solved with this change.
2 - Because this happens for this one list only, I would rather change it for this one list only, is there any option available changing it for one list only and not for the whole server?
Thanks M
On 4/13/23 07:25, Mohsen Masoudfar wrote:
I am observing the following error message in the logs for one specific list:
= = = relay=email-smtp.us-east-1.amazonaws.com[35.168.84.210]:587, delay=0.27, delays=0.05/0.04/0.12/0.06, dsn=5.0.0, status=bounced (host email-smtp.us-east-1.amazonaws.com[35.168.84.210] said: 554 Transaction failed: Duplicate header 'DKIM-Signature'. (in reply to end of DATA command)) = = =
This is non-compliant. Various parts of RFC6376, e.g. sections 5.6 and 6.1 clearly anticipate that a message can contain multiple DKIM-Signature: headers.
As I mentioned, this happens for one single list only and this list has not been able to send any email for a week now. After checking mailman-users, I came across the following setting, which seems kind of related to my issue:
Is email-smtp.us-east-1.amazonaws.com the outgoing MTA for Mailman. I.e. the value reported by mailman conf -k smtp_host or perhaps smtp_host is a local MTA which is configured to relay via email-smtp.us-east-1.amazonaws.com?
In what log is that message?
Presumably this error occurs on Mailman's attempt to deliver the mail to smtp_host. Otherwise, I don't see how it affects all mail from this list, but I also don't understand why this list's delivery would be different from other lists.
= = = To distribute messages with valid DKIM signatures, I set remove_dkim_headers: yes in /etc/mailman3/mailman.cf = = =
Here are my questions: 1 - I have around 100 lists and this happens for this one list only, so, I am not sure, if the issue might be solved with this change.
This setting will remove all DKIM headers from the message as Mailman receives it. Then, it depends on how and how many DKIM signatures are added to the outgoing mail.
2 - Because this happens for this one list only, I would rather change it for this one list only, is there any option available changing it for one list only and not for the whole server?
No, there is no such option.
The fact that this happens for only one list is very strange. I would need more information to understand why. Do these messages get queued in Mailman's retry queue? If so, if you examine one such message with mailman qfile, what are the complete headers from that message.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
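For the "complete headers" question in the reply above, the useful detail is which domains signed the message and how many signatures it carries. The following is an added example, not code from the thread or from Mailman: it lists the d=, s= and h= tags of every DKIM-Signature header and shows the message after all of them are stripped, which is the effect the thread attributes to remove_dkim_headers. The sample message, its domains and selectors, and the function names are constructed for illustration.

```python
# Added example: inspect and strip DKIM-Signature headers on one message.
# SAMPLE is a constructed message; domains, selectors and hashes are made up.
from email import message_from_string
from email.policy import compat32

SAMPLE = """\
Received: from mail.example.org by lists.example.net; Thu, 13 Apr 2023 10:00:00 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
 s=sel2023; h=from:to:subject:date; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=relay.example.com;
 s=outbound; h=from:subject; bh=CCCC; b=DDDD
From: Alice <alice@example.org>
To: discuss@lists.example.net
Subject: test

body
"""

def parse_tag_list(value):
    """Parse an RFC 6376 tag-list (tag=value; tag=value; ...) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # base64 '=' padding stays in val
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def dkim_signatures(raw):
    """Return one dict of tags per DKIM-Signature header, top to bottom."""
    msg = message_from_string(raw, policy=compat32)
    return [parse_tag_list(v) for v in msg.get_all("DKIM-Signature", [])]

def strip_dkim(raw):
    """Return the message text with every DKIM-Signature header removed."""
    msg = message_from_string(raw, policy=compat32)
    del msg["DKIM-Signature"]  # removes all occurrences, case-insensitively
    return msg.as_string()

if __name__ == "__main__":
    for i, sig in enumerate(dkim_signatures(SAMPLE), 1):
        print(i, sig.get("d"), sig.get("s"), sig.get("h"))
    print(len(dkim_signatures(strip_dkim(SAMPLE))), "signatures after stripping")
```

Run against a message saved from the list before and after it passes through the local MTA, the d= values show which hop added each signature.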
From: Mark Sapiro <mark@msapiro.net> Sent: Thursday, April 13, 2023 1:11 PM To: mailman-users@mailman3.org <mailman-users@mailman3.org> Subject: [MM3-users] Re: Transaction failed: Duplicate header 'DKIM-Signature'
Thank you Mark,
please see below the responses to your questions.
On 4/13/23 07:25, Mohsen Masoudfar wrote:
I am observing the following error message in the logs for one specific list:
= = = relay=email-smtp.us-east-1.amazonaws.com[35.168.84.210]:587, delay=0.27, delays=0.05/0.04/0.12/0.06, dsn=5.0.0, status=bounced (host email-smtp.us-east-1.amazonaws.com[35.168.84.210] said: 554 Transaction failed: Duplicate header 'DKIM-Signature'. (in reply to end of DATA command)) = = =
This is non-compliant. Various parts of RFC6376, e.g. sections 5.6 and 6.1 clearly anticipate that a message can contain multiple DKIM-Signature: headers.
As I mentioned, this happens for one single list only and this list has not been able to send any email for a week now. After checking mailman-users, I came across the following setting, which seems kind of related to my issue:
Is email-smtp.us-east-1.amazonaws.com the outgoing MTA for Mailman. I.e. the value reported by mailman conf -k smtp_host or perhaps smtp_host is a local MTA which is configured to relay via email-smtp.us-east-1.amazonaws.com?
# mailman conf -k smtp_host
[mta] smtp_host: localhost
In what log is that message?
in /var/log/mail.log
Presumably this error occurs on Mailman's attempt to deliver the mail to smtp_host. Otherwise, I don't see how it affects all mail from this list, but I also don't understand why this list's delivery would be different from other lists.
Postfix is running on the local host and in /etc/postfix/main.cf, this is defined: relayhost = [email-smtp.us-east-1.amazonaws.com]:587
= = = To distribute messages with valid DKIM signatures, I set remove_dkim_headers: yes in /etc/mailman3/mailman.cf = = =
Here are my questions: 1 - I have around 100 lists and this happens for this one list only, so, I am not sure, if the issue might be solved with this change.
This setting will remove all DKIM headers from the message as Mailman receives it. Then, it depends on how and how many DKIM signatures are added to the outgoing mail.
could this have any side effects? Is there a reason that this is NOT set per default?
2 - Because this happens for this one list only, I would rather change it for this one list only, is there any option available changing it for one list only and not for the whole server?
No, there is no such option.
The fact that this happens for only one list is very strange. I would need more information to understand why. Do these messages get queued in Mailman's retry queue? If so, if you examine one such message with mailman qfile, what are the complete headers from that message.
/var/lib/mailman3/queue/retry is empty
Thanks again. M
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
On 4/13/23 12:12, Mohsen Masoudfar wrote:
In what log is that message?
in /var/log/mail.log
Presumably this error occurs on Mailman's attempt to deliver the mail to smtp_host. Otherwise, I don't see how it affects all mail from this list, but I also don't understand why this list's delivery would be different from other lists.
Postfix is running on the local host and in /etc/postfix/main.cf, this is defined: relayhost = [email-smtp.us-east-1.amazonaws.com]:587
So Mailman is delivering to a local Postfix and that Postfix is relaying to amazonaws.com port 587.
This would appear to be related somehow to the Postfix configuration.
What does postconf -n show? Is the failing list's domain different from other lists?
What happens if you set verp_delivery_interval: 1 in the [mta] section in /etc/mailman3/mailman.cfg. This will cause Mailman to send a separate message with a VERPed envelope from to each recipient. You should then see separate mail.log messages for each recipient's delivery to amazonaws.com with success or failure for each.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan