Re: [exim] DKIM returning "pass" with body hash mismatch

Author: Daniel Ballenger
Date:  
To: Todd Lyons
CC: exim-users
Subject: Re: [exim] DKIM returning "pass" with body hash mismatch

On Nov 20, 2009, at 8:56 PM, Todd Lyons wrote:

> On Fri, Nov 20, 2009 at 4:51 PM, Daniel Ballenger
> <dballenger@???> wrote:
>>
>> [snip]
>> acl_check_dkim:
>>  warn          dkim_status     = none:invalid:fail
>>                add_header      = Authentication-Results: $primary_hostname; dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"; reason="$dkim_verify_reason"
>>  accept        dkim_status     = pass
>>                add_header      = Authentication-Results: $primary_hostname; dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"; reason="$dkim_verify_reason"

>
> I've been working a lot with dkim over the past few days, so I've got
> some comments to make. You don't mention the global setting
> dkim_verify_signers, so if you didn't set it, it runs this ACL once
> for each DKIM signature it encounters while parsing the headers.

I didn't specify it (going with the default value then). Is there a setting you recommend or have found works better?

>> [snip]
>> The following header line is what gets inserted:
>> Authentication-Results:         mail.denetron.com; dkim=pass; signing_identity="gmail.com"; reason="bodyhash_mismatch"

>
> It will generate a reason for either fail or invalid status. However,
> the log message above is a bit of an oddity. It's saying "pass", but
> there is a failure message. Was that a paste error or is that really
> in your logs? Can you tell if two messages were sent in one session?

That's the header inserted into the message by the ACL, copied and pasted. I only sent one mail by hand in my testing SMTP sessions.

> Your config is essentially adding the same line for all results.
> However (according to the docs) "At the end of each ACL there is an
> implicit unconditional deny." That means you are rejecting any signed
> message unless _every_ signature passes. You're probably still just
> testing, but I wanted to point that fact out to you.


Good point, I remember reading about that.

I tried modifying the ACL to be:
acl_check_dkim:
  accept        dkim_status     = pass:none:invalid:fail
                add_header      = Authentication-Results: $primary_hostname; dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"; reason="$dkim_verify_reason"


Which seems like it should accept the message then regardless of DKIM signature status in the message. I'm noticing though that while signed messages do get through fine, unsigned messages do not.

From another mail server (postfix) that I can send from, which does not sign messages, I get the following error in the logs (on the postfix mail server):
Nov 20 20:44:31 mail postfix/smtp[7957]: 6812A3CF0C1: lost connection with mail.denetron.com[38.108.185.146] while sending end of data -- message may be sent more than once
Nov 20 20:44:31 mail postfix/smtp[7957]: SSL_connect error to mail2.denetron.com: -1
Nov 20 20:44:31 mail postfix/smtp[7957]: warning: TLS library problem: 7957:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:578:
Nov 20 20:44:31 mail postfix/smtp[7957]: 6812A3CF0C1: Cannot start TLS: handshake failure

If I remove the acl_check_dkim though, the mail sends fine via TLS.

Thanks for your help.
-Daniel
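
Added example (not part of the thread and not Exim code): a Python check that parses the Authentication-Results layout written by the add_header line in the ACL above and flags results whose status and reason disagree, such as the dkim=pass header with reason="bodyhash_mismatch" quoted in the message. The function names and the example.* hosts are assumptions; only the first sample line comes from the message.

```python
import re

# Layout written by the add_header line in the ACL quoted in this message.
HEADER_RE = re.compile(
    r'^Authentication-Results:\s*(?P<host>[^;\s]+);\s*'
    r'dkim=(?P<status>[^;\s]*);\s*'
    r'signing_identity="(?P<signer>[^"]*)";\s*'
    r'reason="(?P<reason>[^"]*)"\s*$'
)

# The thread states that a reason is generated for fail or invalid status.
STATUSES_WITH_REASON = {"fail", "invalid"}

# First entry is the header quoted in the message; the rest are constructed.
SAMPLE_HEADERS = [
    'Authentication-Results:         mail.denetron.com; dkim=pass; '
    'signing_identity="gmail.com"; reason="bodyhash_mismatch"',
    'Authentication-Results: mail.example.net; dkim=pass; '
    'signing_identity="example.org"; reason=""',
    'Authentication-Results: mail.example.net; dkim=fail; '
    'signing_identity="example.org"; reason="bodyhash_mismatch"',
    'Authentication-Results: mail.example.net; dkim=none; '
    'signing_identity=""; reason=""',
    'Received: from mail.example.net by mail.example.org',
]


def parse_result(line):
    """Return the header fields as a dict, or None for any other layout."""
    m = HEADER_RE.match(line.strip())
    return m.groupdict() if m else None


def find_contradictions(header_lines):
    """Return (signer, status, reason) where status and reason disagree."""
    findings = []
    for line in header_lines:
        fields = parse_result(line)
        if fields is None:
            continue  # not a header in the layout this ACL writes
        has_reason = bool(fields["reason"])
        expects_reason = fields["status"] in STATUSES_WITH_REASON
        if has_reason != expects_reason:
            findings.append((fields["signer"], fields["status"], fields["reason"]))
    return findings


if __name__ == "__main__":
    for signer, status, reason in find_contradictions(SAMPLE_HEADERS):
        print(f"inconsistent: signer={signer!r} dkim={status} reason={reason!r}")
```

Because the ACL runs once per signature, a message can carry several of these headers; feed all of them to find_contradictions for each message.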