On Fri, Nov 20, 2009 at 4:51 PM, Daniel Ballenger <[email protected]> wrote:
> I just upgraded to the new Exim 4.70 and am experimenting with the new DKIM
> support. I've found something that appears odd to me, but maybe there's just a
> misconfiguration on my part that would explain it somehow.
>
> I have the following ACL setup to check the status and then put in a header
> (a little redundant at the moment, I realize; eventually I may change it to
> deny messages with a "fail" status, but I just wanted to see how it treated
> things for now).
>
>
> acl_check_dkim:
>   warn   dkim_status = none:invalid:fail
>          add_header  = Authentication-Results: $primary_hostname;\
>                        dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer";\
>                        reason="$dkim_verify_reason"
>   accept dkim_status = pass
>          add_header  = Authentication-Results: $primary_hostname;\
>                        dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer";\
>                        reason="$dkim_verify_reason"

I've been working a lot with dkim over the past few days, so I've got some comments to make. You don't mention the global setting dkim_verify_signers, so if you didn't set it, it runs this ACL once for each DKIM signature it encounters while parsing the headers.

> I sent myself a message from gmail (DKIM signed) and then I took the received
> message on my server side and copied and pasted it into a text editor and
> modified the body content so that the hash would not match, and then sent
> it via telnet to myself.
>
> The following header line is what gets inserted:
> Authentication-Results: mail.denetron.com; dkim=pass;
> signing_identity="gmail.com"; reason="bodyhash_mismatch"
>
> Reading the documentation
> (http://www.exim.org/exim-html-current/doc/html/spec_html/ch54.html) it
> sounds like that reason should only be present in the event of a "fail"
> $dkim_status.

It will generate a reason for either fail or invalid status. However, the log message above is a bit of an oddity. It's saying "pass", but there is a failure message. Was that a paste error or is that really in your logs? Can you tell if two messages were sent in one session?

> The log file also shows that verification succeeded without any errors:
> 2009-11-21 00:39:46 1NBe0t-000Llb-7I DKIM: d=gmail.com s=gamma
> c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
>
> It does appear that the verification does indicate a failure in some cases
> though, as I have found the following line in the log file:
> 2009-11-21 00:36:31 1NBdxn-000Lku-P4 DKIM: d=yahoo.com s=s1024
> c=relaxed/relaxed a=rsa-sha256 t=1258763782 [verification failed - signature
> did not verify (headers probably modified in transit)]
>
> Is this a configuration issue or is something else going on here?

Your config is essentially adding the same line for all results. However (according to the docs) "At the end of each ACL there is an implicit unconditional deny."

That means you are rejecting any signed message unless _every_ signature passes. You're probably still just testing, but I wanted to point that fact out to you.

--
Regards...
Todd

The best thing about pair programming is that you have the perfect audience for your genius. -- Kent Beck

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
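One way to restructure the ACL along the lines Todd describes, as an added example that is not part of either message: the header is recorded for every status with a single "warn", only a hard "fail" is rejected, and an explicit "accept" at the end keeps the implicit deny from firing. The acl_smtp_dkim/dkim_verify_signers lines and the deny policy are my additions, not anything from Daniel's config.

```exim
# Main section: run acl_check_dkim once per signer. Setting
# dkim_verify_signers to $dkim_signers (its documented default) makes
# the "once per signature" behaviour explicit rather than implied.
acl_smtp_dkim       = acl_check_dkim
dkim_verify_signers = $dkim_signers

begin acl

acl_check_dkim:
  # "warn" never ends the ACL, so this header is added for pass, none,
  # invalid and fail alike. The reason field is only emitted when Exim
  # actually set $dkim_verify_reason (fail or invalid results).
  warn   add_header = Authentication-Results: $primary_hostname;\
                      dkim=$dkim_verify_status;\
                      signing_identity="$dkim_cur_signer"\
                      ${if def:dkim_verify_reason\
                          {; reason="$dkim_verify_reason"}{}}

  # Policy: reject only a signature that was present and did not verify.
  # "none" (unsigned) and "invalid" (e.g. unretrievable key) fall through.
  deny   dkim_status = fail
         message     = DKIM signature from $dkim_cur_signer failed: $dkim_verify_reason

  # Every other status reaches here. Without this line the implicit
  # unconditional deny at the end of the ACL would reject the message.
  accept
```

Because the ACL runs once per signer, a message carrying two signatures is rejected if either of them yields "fail"; relax the deny condition if you want any passing signature to be sufficient.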
