I just upgraded to the new Exim 4.70 and am experimenting with the new DKIM 
support. I've found something that appears odd to me, but maybe there's just a 
misconfiguration on my part that would explain it somehow.

I have the following ACL set up to check the status and then put in a header 
(a little redundant at the moment, I realize; eventually I may change it to deny 
messages with a "fail" status, but I just wanted to see how it treated things 
for now).


acl_check_dkim:
  warn          dkim_status     = none:invalid:fail
                add_header      = Authentication-Results: $primary_hostname; dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"; reason="$dkim_verify_reason"
  accept        dkim_status     = pass
                add_header      = Authentication-Results: $primary_hostname; dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"; reason="$dkim_verify_reason"

I sent myself a message from gmail (DKIM signed) and then I took the received 
message on my server side, copied and pasted it into a text editor, and 
modified the body content so that the hash would not match, and then sent it 
via telnet to myself.

The following header line is what gets inserted:
Authentication-Results:         mail.denetron.com; dkim=pass; signing_identity="gmail.com"; reason="bodyhash_mismatch"

Reading the documentation 
(http://www.exim.org/exim-html-current/doc/html/spec_html/ch54.html) it sounds 
like that reason should only be present in the event of a "fail" $dkim_status.

The log file also shows that verification succeeded without any errors:
2009-11-21 00:39:46 1NBe0t-000Llb-7I DKIM: d=gmail.com s=gamma c=relaxed/relaxed a=rsa-sha256 [verification succeeded]


It does appear that the verification does indicate a failure in some cases 
though as I have found the following line in the log file:
2009-11-21 00:36:31 1NBdxn-000Lku-P4 DKIM: d=yahoo.com s=s1024 c=relaxed/relaxed a=rsa-sha256 t=1258763782 [verification failed - signature did not verify (headers probably modified in transit)]

Is this a configuration issue or is something else going on here?

-Daniel
-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
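
Added example, not part of the original message and not Exim's code: a way to confirm independently of the MTA whether a received body still matches the bh= tag of its DKIM-Signature, for the c=relaxed/relaxed a=rsa-sha256 case seen in the log lines above. It checks the body hash only, not the RSA signature over the headers; the function names, the sample body and the d=/s= values are constructed for illustration.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """Apply DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    out = []
    for line in re.split(rb"\r?\n", body):
        line = re.sub(rb"[ \t]+", b" ", line)   # collapse runs of whitespace
        out.append(line.rstrip(b" "))           # drop whitespace at end of line
    while out and out[-1] == b"":               # ignore empty lines at end of body
        out.pop()
    return b"".join(l + b"\r\n" for l in out)


def dkim_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # remove folding whitespace
    return tags


def body_hash_status(sig_value: str, body: bytes) -> str:
    """Compare the bh= tag with a hash recomputed from the received body."""
    tags = dkim_tags(sig_value)
    body_canon = (tags.get("c", "simple/simple") + "/simple").split("/")[1]
    if tags.get("a") != "rsa-sha256" or body_canon != "relaxed":
        return "unsupported"                    # this sketch covers one case only
    data = relaxed_body(body)
    if "l" in tags:                             # optional signed body length
        data = data[: int(tags["l"])]
    computed = base64.b64encode(hashlib.sha256(data).digest()).decode()
    return "match" if computed == tags.get("bh") else "bodyhash_mismatch"


# Constructed sample: a signature value whose bh= covers ORIGINAL.
ORIGINAL = b"Hello   world \r\nsecond line\r\n\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n\t bh="
       + base64.b64encode(hashlib.sha256(relaxed_body(ORIGINAL)).digest()).decode())

if __name__ == "__main__":
    print(body_hash_status(SIG, ORIGINAL))                           # unchanged body
    print(body_hash_status(SIG, b"Hello world\r\nsecond line\r\n"))  # whitespace only
    print(body_hash_status(SIG, b"Hello world\r\nedited line\r\n"))  # content edited
```

A body that was edited in a text editor, as in the test described above, should come out as bodyhash_mismatch here, while whitespace-only differences still match under relaxed canonicalization.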
