Hi,

I had 'dkim_verify_minimal = true' in my Exim config and according to
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html
"If set to true, verification of signatures will terminate after the first 
success.".

But this does not seem to be what is happening and that in turn breaks DMARC 
checks.

Exim 4.96, libopendmarc2 1.4.2

I put this acl_smtp_dkim in:

| acl_smtp_dkim = acl_check_dkim
| 
| acl_check_dkim:
|     warn
|         logwrite = DKIM--$dkim_verify_status--$dkim_cur_signer--$dkim_verify_reason--$dkim_domain--$dkim_identity--
| 
|     accept

And with a message that has multiple DKIM sigs I get:

| LOG: 1sQq1q-00BKvo-0I dkim--pass--bf02x.hubspotemail.net----bf02x.hubspotemail.ne...@bf02x.hubspotemail.net--
| LOG: 1sQq1q-00BKvo-0I dkim--pas...@bf02x.hubspotemail.net----bf02x.hubspotemail.net-...@bf02x.hubspotemail.net--
| LOG: 1sQq1q-00BKvo-0I dkim--none--lease-a-bike.nl----lease-a-bike.n...@lease-a-bike.nl--
| LOG: 1sQq1q-00BKvo-0I dkim--non...@lease-a-bike.nl----lease-a-bike.nl-...@lease-a-bike.nl--
| LOG: 1sQq1q-00BKvo-0I DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=no enforcement='Reject'

Notice the 'none' result in $dkim_verify_status. I am almost certain
this is what breaks DMARC because when I set 'dkim_verify_minimal' to
'false', I get:

| LOG: 1sQq2w-00BKyE-0A dkim--pass--bf02x.hubspotemail.net----bf02x.hubspotemail.ne...@bf02x.hubspotemail.net--
| LOG: 1sQq2w-00BKyE-0A dkim--pas...@bf02x.hubspotemail.net----bf02x.hubspotemail.net-...@bf02x.hubspotemail.net--
| LOG: 1sQq2w-00BKyE-0A dkim--pass--lease-a-bike.nl----lease-a-bike.n...@lease-a-bike.nl--
| LOG: 1sQq2w-00BKyE-0A dkim--pas...@lease-a-bike.nl----lease-a-bike.nl-...@lease-a-bike.nl--
| LOG: 1sQq2w-00BKyE-0A DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'

And DMARC passes too.

Is the 'none' result expected? The fine manual seems to suggest it is
not. There was a pass so no more validation should be attempted?

Did I hit a bug here?  My assumption of the verify_minimal option was
some sort of 'satisfy any' instead of 'satisfy all' functionality.

Kind regards,
-Sander Smeenk.
-- 
| Artificial intelligence is no match for natural stupidity.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
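
Added example, not part of the original message and not Exim or libopendmarc code: a small Python model of why stopping DKIM verification at the first passing signature can flip the DMARC DKIM alignment result seen in the logs above. It assumes the third-party signature is evaluated first and that the organizational domain is the last two labels of a name; all function and class names are hypothetical.

```python
# Added illustration: a model of the interaction, not Exim or libopendmarc code.
from dataclasses import dataclass

@dataclass
class Signature:
    domain: str   # d= tag of the DKIM-Signature header
    valid: bool   # would this signature verify if it were checked?

def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # Real DMARC evaluation uses the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def verify(signatures, minimal: bool):
    """Return [(domain, status)] with status 'pass', 'fail' or 'none'.
    With minimal=True, signatures after the first pass are not verified
    and are reported as 'none', matching the status logged in the post."""
    results, done = [], False
    for sig in signatures:
        if done:
            results.append((sig.domain, "none"))
            continue
        status = "pass" if sig.valid else "fail"
        results.append((sig.domain, status))
        done = minimal and status == "pass"
    return results

def dkim_aligned(results, from_domain: str, strict: bool = False) -> bool:
    """DMARC DKIM alignment: a *passing* signature whose d= matches the From domain."""
    for domain, status in results:
        if status != "pass":
            continue
        if strict and domain.lower() == from_domain.lower():
            return True
        if not strict and org_domain(domain) == org_domain(from_domain):
            return True
    return False

# Constructed input mirroring the post: sending-service signature first,
# author-domain signature second (the order is an assumption).
SIGS = [Signature("bf02x.hubspotemail.net", True), Signature("lease-a-bike.nl", True)]
FROM = "lease-a-bike.nl"

def compare(signatures=SIGS, from_domain=FROM):
    # Map each dkim_verify_minimal setting to the resulting alignment verdict.
    return {m: dkim_aligned(verify(signatures, m), from_domain) for m in (True, False)}

if __name__ == "__main__":
    for minimal, aligned in compare().items():
        print(f"dkim_verify_minimal={minimal}: dkim_align={'yes' if aligned else 'no'}")
```

In this model the outcome depends on signature order: if the author-domain signature is checked first, alignment succeeds even with minimal verification.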
