I just upgraded to the new Exim 4.70 and am experimenting with the new DKIM support, I've found something that appears odd to me but maybe there's just a misconfiguration on my part that would explain it somehow.
I have the following ACL setu to check the status and then put in a header (little redundant at the moment, I realize, eventually I may change it to deny messages with a "fail" status, but I just wanted to see how it treated things for now).
acl_check_dkim:
warn dkim_status = none:invalid:fail
add_header = Authentication-Results: $primary_hostname; dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"; reason="$dkim_verify_reason"
accept dkim_status = pass
add_header = Authentication-Results: $primary_hostname; dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"; reason="$dkim_verify_reason"
I sent myself a message from gmail (DKIM signed) and then I took the received message on my server side and copy and pasted it into a text editor and modified the body content so that the hash would be not match, and then sent it via telnet to myself.
The following header line is what gets inserted:
Authentication-Results: mail.denetron.com; dkim=pass; signing_identity="gmail.com"; reason="bodyhash_mismatch"
Reading the documentation (
http://www.exim.org/exim-html-current/doc/html/spec_html/ch54.html) it sounds like that reason should only be present in the event of a "fail" $dkim_status.
The log file also shows that verification succeeded without any errors:
2009-11-21 00:39:46 1NBe0t-000Llb-7I DKIM: d=gmail.com s=gamma c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
It does appear that the verification does indicate a failure in some cases though as I have found the following line in the log file:
2009-11-21 00:36:31 1NBdxn-000Lku-P4 DKIM: d=yahoo.com s=s1024 c=relaxed/relaxed a=rsa-sha256 t=1258763782 [verification failed - signature did not verify (headers probably modified in transit)]
Is this a configuration issue or is something else going on here?
-Daniel