No DKIM verification on incoming, forwarded emails

Hi

 

We use DKIM to sign outgoing emails and to verify incoming emails using DMARC. It works well, except when we get emails that are correctly signed by the ESA servers themselves. The flow is like this:

Cisco ESA signs a mail with DKIM, and sends the email to server X.

Server X forwards the email without any modification back to Cisco ESA.

Cisco ESA claims that DMARC fails, and there is no indication in the log that DKIM is checked at all.

 

I have verified that emails forwarded to some other server than our Cisco ESA are identified as correctly signed according to DKIM. I have also checked that DKIM Verification is on for the used mail flow policy (DKIM verification is on for all mail flow policies except RELAYED).

 

The message tracking says nothing at all about DKIM and DKIM is not mentioned in the authentication-results header.

 

This issue might be related to:

https://community.cisco.com/t5/email-security/esa-brakes-dkim/td-p/3062923

 

Are there any ideas on how to solve this issue?

 

BR,

David Westlund


Libin Varghese
Cisco Employee

Would it be possible to share the authentication results of the email that failed DMARC checks?

 

The "body hash did not verify" error specifically suggests the email was modified after it was signed. Is there a reason the email is being passed through the ESA twice if there was no action needed on Server X?

 

Regards,

Libin

 

 

Hi

 

The authentication results look like this (with some anonymization):

Authentication-Results: smtp2<our_domain>; spf=Neutral smtp.pra=<my email>; spf=None smtp.mailfrom=SRS0=7qFlc0=E2=<xxxx>; spf=None smtp.helo=postmaster@<mailserver>; dmarc=fail (p=none dis=none) d=<our domain>

 

The mail still contains the DKIM signature. The employee has created two aliases for me, one that forwards into our ESA, and one that sends emails to another external address. When I send an email that gets forwarded to another external address, it is correctly verified using DKIM. Because of this I am sure that the email is not modified in some way that breaks DKIM.

 

In this case it is an employee that has an extra address that is sometimes used from within our company. But this could happen with any service that forwards an email without any modification.

 

 

marc.luescherFRE
Spotlight

An idea: do you have any firewalls in the route which perform SMTP packet inspection or TLS decryption?

 

This would cause such a behavior.

 

Check the mail and SMTP logs on both ESAs for a given message. If this still fails, perform an injection log on the 2nd ESA to record the traffic and analyze the packet stream.

 

I hope that helps

 

-Marc

 

We have no firewall that does SMTP packet inspections or TLS decryption.

 

I have sent a mail to two different addresses on the same server. One of the addresses forwards the mail back to our ESA. Another forwards the email to an outlook.com address. The flow looks like this:

Cisco ESA -> Forwarding server -> Cisco ESA

Cisco ESA -> Forwarding server -> Outlook.com

 

I have checked that the DKIM signature is identical on the two emails, once they have been delivered. Outlook.com verifies the email as correctly signed. Cisco ESA does not check the DKIM signature at all.

 

I have also made sure to remove all Ironport/ESA specific headers from outgoing emails. It does not make a difference.

 

The only explanation I can find is that it does not process DKIM signatures signed with its own key. Could this be the case?

This is the Authentication results from Outlook.com:

Authentication-Results: spf=none (sender IP is XXXXX)
 smtp.mailfrom=<forwarding_domain>; <recipient_domain>; dkim=test (signature was
 verified) header.d=<our_company>;<recipient_domain>; dmarc=pass action=none
 header.from=<our_company>;compauth=pass reason=100

 

This is the Authentication results from ESA:

Authentication-Results: <our ESA>; spf=Neutral smtp.pra=<sending_address>; spf=None smtp.mailfrom=<envelope_from>; spf=None smtp.helo=<smtp_helo>; dmarc=fail (p=none dis=none) d=<out_company>

 

This is the DKIM signature that is identical both on the mail sent to our ESA and the mail sent to outlook.com:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=<our_company>; q=dns/txt; s=<domainkey_name>; t=1607329276;
x=1638865276;
h=from:to:subject:date:message-id:mime-version;
bh=va/ztl/GvDgB3lMtcg4Q19MS/L9oy1U+rUlkiMQOCvA=;
b=UR4/1D4lM6awox45iXTLA7ZyEm6TLTsktk6C1FoTC+K++BeCSMRwT2oI
Wogv5zsv1i95Yg0JcjPJ+PI1CmePmSvPX1dMF3f7PqJ17k8yAbfHi4Sxy
1/3BMQ8FKme1W77bF5aRZZanL9V2cW1s27HjH/Xq58iTjJLvaNdfCG/s8
aU51KpLFNSG0Uau5u+zkRkJXgVgUgr1pSvEpBf4jfATq/xzyWCZwFopjP
pXsLMrVyrvRbQj/7hfFJ3Y/14bhEpqGnhRkWapG8IFf9kyuE8Dxh/YB66
OB21E0gga0IIBi4RWxrcmkxlXUp1PM//ErLf86VtJGnq56P7xH45tUYNY
g==;
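
The symptom described in this thread, a DMARC verdict in Authentication-Results with no dkim= entry at all, can be checked mechanically across many messages. The following Python code is an added example, not part of the original posts and not Cisco's code; the function names and result strings are assumptions, and the two sample headers are the ones posted above with their anonymized placeholders kept.

```python
import re

# Headers copied from the thread (anonymized placeholders kept as posted).
ESA_HEADER = ("<our ESA>; spf=Neutral smtp.pra=<sending_address>; "
              "spf=None smtp.mailfrom=<envelope_from>; spf=None smtp.helo=<smtp_helo>; "
              "dmarc=fail (p=none dis=none) d=<out_company>")
OUTLOOK_HEADER = ("spf=none (sender IP is XXXXX)\r\n smtp.mailfrom=<forwarding_domain>; "
                  "<recipient_domain>; dkim=test (signature was\r\n verified) "
                  "header.d=<our_company>;<recipient_domain>; dmarc=pass action=none\r\n"
                  " header.from=<our_company>;compauth=pass reason=100")

_FOLD = re.compile(r"\r?\n[ \t]+")       # folded header continuation lines
_COMMENT = re.compile(r"\([^()]*\)")     # non-nested (comments)
_RESINFO = re.compile(r"^([a-z][a-z0-9-]*)\s*=\s*([a-z]+)", re.I)  # method=result


def parse_methods(value):
    """Return [(method, result), ...] in header order, lower-cased."""
    # Unfold first so a comment split across lines is removed in one piece.
    value = _COMMENT.sub(" ", _FOLD.sub(" ", value))
    found = []
    for segment in value.split(";"):
        m = _RESINFO.match(segment.strip())
        if m:  # the authserv-id and stray tokens have no method=result prefix
            found.append((m.group(1).lower(), m.group(2).lower()))
    return found


def diagnose(value):
    """Classify a header by how its DMARC verdict relates to its DKIM result."""
    results = {}
    for method, result in parse_methods(value):
        results.setdefault(method, []).append(result)
    if "dmarc" not in results:
        return "no-dmarc-result"
    if "dkim" not in results:
        # The thread's symptom: a DMARC verdict with no DKIM evaluation recorded.
        return "dmarc-%s-without-dkim-result" % results["dmarc"][0]
    return "dmarc-%s-dkim-%s" % (results["dmarc"][0], ",".join(results["dkim"]))


if __name__ == "__main__":
    for name, header in (("ESA", ESA_HEADER), ("Outlook.com", OUTLOOK_HEADER)):
        print(name, parse_methods(header), diagnose(header))
```
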