Re: [exim] DKIM returning "pass" with body hash mismatch

Pàgina inicial
Delete this message
Reply to this message
Autor: Todd Lyons
Data:  
A: Daniel Ballenger
CC: exim-users
Assumpte: Re: [exim] DKIM returning "pass" with body hash mismatch
On Fri, Nov 20, 2009 at 9:26 PM, Daniel Ballenger
<dballenger@???> wrote:
>> some comments to make.  You don't mention the global setting
>> dkim_verify_signers, so if you didn't set it, it runs this ACL once
>> for each DKIM signature it encounters while parsing the headers.
> I didn't specify it (going with the default value then), is there a setting you recommend or have found works better?


This is one of those cases where "it depends what you want".
1. If you want to only verify signatures that exist in an email, what
you have (nothing)is fine.
2. If you also want to check that some known domains (example,
paypal.com, gmail.com) that require dkim signatures aren't being
spoofed, you can override the default. But then you have to add some
additional logic to do that properly.

Read, reread, and then read again section 54.2 in the spec.txt,
specifically near the beginning.

Also look to an email thread from earlier this week where I asked a
lot of questions, got some good answers, and posted the config as I
was running it, which based on your header_add seems like you used it.
Read through the answers from the developers to me, they have a lot
of good little bits of info that cleared away the fog of my
understanding.


>> in your logs?  Can you tell if two messages were sent in one session?
> That's the header inserted into the message by the acl, copy and pasted.  I only sent one mail by hand in my testing SMTP sessions.


Sean's answer seems to indicate that there could be a bug where state
is crossing between different invocations. It is beyond me, and if I
am paraphrasing incorrectly, someone will correct me.

>> Your config is essentially adding the same line for all results.
>> However (according to the docs) "At the end of each ACL there is an
>> implicit unconditional deny."  That means you are rejecting any signed
>> message unless _every_ signature passes.  You're probably still just
>> testing, but I wanted to point that fact out to you.
>
> Good point, I remember reading about that.
>
> I tried modifying the ACL to be:
> acl_check_dkim:
>  accept      dkim_status       = pass:none:invalid:fail
>                    add_header      = Authentication-Results: $primary_hostname; dkim=$dkim_verify_status; signing_identity="$dkim_cur_signer"; reason="$dkim_verify_reason"


Reason will be "" for both pass and none.

> Which seems like it should accept the message then regardless of DKIM signature status in the message.  I'm noticing though that while signed messages do get through fine, unsigned messages do not.


That would seem to indicate that it's hitting the dkim acl even if
there is no signature. My experience is that is not the way it works.
However, I would add at the end of the acl:
accept log_message "DEBUG: accepting $dkim_cur_signer"
or
accept log_message "DEBUG: list is $dkim_signers"

See if the domain of the unsigned email appears in that. It should
not according to the docs. See if something unexpected comes up.

> If I remove the acl_check_dkim though, the mail sends fine via TLS.


I assume that adding the default accept also makes it work fine during TLS.

-- 
Regards...      Todd
The best thing about pair programming is that you have the perfect
audience for your genius.  -- Kent Beck