Re: [exim] DKIM returning "pass" with body hash mismatch

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Todd Lyons
Datum:  
To: Daniel Ballenger, exim-users
Betreff: Re: [exim] DKIM returning "pass" with body hash mismatch
On Fri, Nov 20, 2009 at 4:51 PM, Daniel Ballenger
<dballenger@???> wrote:
> I just upgraded to the new Exim 4.70 and am experimenting with the new DKIM support, I've found something that appears odd to me but maybe there's just a misconfiguration on my part that would explain it somehow.
>
> I have the following ACL setu to check the status and then put in a header (little redundant at the moment, I realize, eventually I may change it to deny messages with a "fail" status, but I just wanted to see how it treated things for now).
>
>
> acl_check_dkim:
>  warn          dkim_status     = none:invalid:fail
>                add_header      = Authentication-Results: $primary_hostname; dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"; reason="$dkim_verify_reason"
>  accept        dkim_status     = pass
>                add_header      = Authentication-Results: $primary_hostname; dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"; reason="$dkim_verify_reason"


I've been working a lot with dkim over the past few days, so I've got
some comments to make. You don't mention the global setting
dkim_verify_signers, so if you didn't set it, it runs this ACL once
for each DKIM signature it encounters while parsing the headers.

> I sent myself a message from gmail (DKIM signed) and then I took the received message on my server side and copy and pasted it into a text editor and modified the body content so that the hash would be not match, and then sent it via telnet to myself.
>
> The following header line is what gets inserted:
> Authentication-Results:         mail.denetron.com; dkim=pass; signing_identity="gmail.com"; reason="bodyhash_mismatch"
>
> Reading the documentation (http://www.exim.org/exim-html-current/doc/html/spec_html/ch54.html) it sounds like that reason should only be present in the event of a "fail" $dkim_status.


It will generate a reason for either fail or invalid status. However,
the log message above is a bit of an oddity. It's saying "pass", but
there is a failure message. Was that a paste error or is that really
in your logs? Can you tell if two messages were sent in one session?

> The log file also shows that verification succeeded without any errors:
> 2009-11-21 00:39:46 1NBe0t-000Llb-7I DKIM: d=gmail.com s=gamma c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
>
> It does appear that the verification does indicate a failure in some cases though as I have found the following line in the log file:
> 2009-11-21 00:36:31 1NBdxn-000Lku-P4 DKIM: d=yahoo.com s=s1024 c=relaxed/relaxed a=rsa-sha256 t=1258763782 [verification failed - signature did not verify (headers probably modified in transit)]
>
> Is this a configuration issue or is something else going on here?


Your config is essentially adding the same line for all results.
However (according to the docs) "At the end of each ACL there is an
implicit unconditional deny." That means you are rejecting any signed
message unless _every_ signature passes. You're probably still just
testing, but I wanted to point that fact out to you.

-- 
Regards...      Todd
The best thing about pair programming is that you have the perfect
audience for your genius.  -- Kent Beck