Re: [exim] acl_smtp_dkim called twice

2022-01-08 Thread Anton via Exim-users

Jeremy, thank you for your answer. Please see below

On 06-01-22 15:38, Jeremy Harris via Exim-users wrote:

On 05/01/2022 14:49, Anton via Exim-users wrote:

is it an intended behavior and why?


Does the dkim header have both d= and i= ?


Yes, both are set
d=paypal.fr
i=@paypal.fr

in each e-mail from Paypal.



Assuming yes, it's up for argument whether the "domains" and "identities"
should be deduplicated together or as separate classes.

It does seem pointless for someone to set both to the same value.


can one check fail when other success?


I'm having trouble parsing that. Could you clarify?



I meant, can identity check fail when domain check succeeded and vice versa?
Since the signature is the same, selector is the same, etc.

Thanks!

A.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] acl_smtp_dkim called twice

2022-01-06 Thread Anton via Exim-users



On 06-01-22 16:54, Jeremy Harris via Exim-users wrote:

On 06/01/2022 15:38, Anton via Exim-users wrote:

can identity check fail when domain check succeeded and vice versa?
Since the signature is the same, selector is the same, etc.


If the values are different in the header, the result can be different.



I don't understand the reason to make two separate validations: one for domain 
and one for identity. (In other words, the reason to put identities in 
$dkim_signers list). And what to expect from them.

Imagine, the received DKIM signature contains d=example.com and 
i=b...@example.com

If example.com's DNS domainkey entry contains g=alice field, then "domain" validation 
will succeed and "identity" validation will fail?

I would say that just the "domain" validation should be enough and it must fail 
if the i= field in signature does not match the g= field in DNS record.
In my understanding they can't be dissociated, and the "whole thing" should 
validate (or not) depending on d=, i= and g= values.
Or I'm missing something?

[Jeremy, this discussion is not very important, I just try to understand. So if 
you don't have time, please feel free to skip it.]

Thanks!

A.



Re: [exim] acl_smtp_dkim called twice

2022-01-06 Thread Jeremy Harris via Exim-users

On 06/01/2022 15:38, Anton via Exim-users wrote:

can identity check fail when domain check succeeded and vice versa?
Since the signature is the same, selector is the same, etc.


If the values are different in the header, the result can be different.

--
Cheers,
  Jeremy



Re: [exim] acl_smtp_dkim called twice

2022-01-06 Thread Jeremy Harris via Exim-users

On 05/01/2022 14:49, Anton via Exim-users wrote:

is it an intended behavior and why?


Does the dkim header have both d= and i= ?

Assuming yes, it's up for argument whether the "domains" and "identities"
should be deduplicated together or as separate classes.

It does seem pointless for someone to set both to the same value.


can one check fail when other success?


I'm having trouble parsing that. Could you clarify?

--
Cheers,
  Jeremy



[exim] acl_smtp_dkim called twice

2022-01-06 Thread Anton via Exim-users

Dear All,

All the e-mails I get from Paypal trigger acl_smtp_dkim twice.

The only signature in the mail is:
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.fr; s=pp-dkim1; c=relaxed/relaxed;
    q=dns/txt; i=@paypal.fr; t=1641384740;
<...>

ACL is triggered with
dkim=pass header.d=paypal.fr header.i=@paypal.fr header.s=pp-dkim1
and with
dkim=pass header.d=@paypal.fr header.i=@paypal.fr header.s=pp-dkim1

where
dkim=$dkim_verify_status header.d=$dkim_cur_signer header.i=$dkim_identity 
header.s=$dkim_selector

is it an intended behavior and why?
can one check fail when other success?

Thank you.

A.

(Exim ver 4.94.2)
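
The behaviour reported in this thread, as an added example that is not part of the original messages and is not Exim's own code: a small Python model that parses a DKIM-Signature tag list, builds a signer list in which d= and i= values are separate entries, and applies the RFC 6376 rule that the i= domain must equal d= or be a subdomain of it. All function names are hypothetical, and the sample header is constructed from the one quoted in the first message.

```python
import re

# Constructed sample modelled on the header quoted in the thread (b=/bh= omitted).
SAMPLE = ("v=1; a=rsa-sha256; d=paypal.fr; s=pp-dkim1; c=relaxed/relaxed;\r\n"
          "    q=dns/txt; i=@paypal.fr; t=1641384740")

def parse_tags(value):
    """Parse an RFC 6376 tag=value list into a dict, rejecting duplicate tags."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue  # a trailing ';' is allowed
        name, sep, val = item.partition("=")
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"malformed tag: {item!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Folding whitespace inside a value is not significant.
        tags[name] = re.sub(r"\s+", "", val)
    return tags

def identity_in_domain(tags):
    """RFC 6376: the domain of i= must equal d= or be a subdomain of it."""
    d = tags["d"].lower()
    i = tags.get("i", "@" + d)  # i= defaults to "@" followed by d=
    idom = i.rpartition("@")[2].lower()
    return idom == d or idom.endswith("." + d)

def signer_list(signatures):
    """Assumed model of the list the ACL iterates over: every d= and i= value,
    de-duplicated by exact string, so "paypal.fr" and "@paypal.fr" both stay."""
    signers = []
    for tags in signatures:
        for entry in (tags["d"], tags.get("i")):
            if entry and entry not in signers:
                signers.append(entry)
    return signers

def domains_only(signers):
    """Drop identity entries (those containing '@'): one run per signing domain."""
    return [s for s in signers if "@" not in s]

if __name__ == "__main__":
    tags = parse_tags(SAMPLE)
    signers = signer_list([tags])
    print(signers, domains_only(signers), identity_in_domain(tags))
```
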