Re: [exim] *Suspect* Re: dkim error in paniclog

Author: W B Hacker
Date:  
To: exim users
Old-Topics: Re: [exim] dkim error in paniclog
Subject: Re: [exim] *Suspect* Re: dkim error in paniclog
Jethro R Binks wrote:
> On Thu, 17 Dec 2009, Kerstin Espey wrote:
>
>>> after upgrading to exim 4.71 we get the following error in paniclog:
>>>
>>> 2009-12-02 22:06:05 1NFwOj-0005JP-2X DKIM: Error while running this message
>>> through validation, disabling signature verification.
>>> 2009-12-03 00:36:35 1NFykN-0007Js-6B DKIM: Error while running this message
>>> through validation, disabling signature verification.
>>> 2009-12-03 01:01:03 1NFz83-0001RP-9U DKIM: Error while running this message
>>> through validation, disabling signature verification.
>>>
>> Still no one else with this error?
>
> Sorry, yes, I get it too, but I don't have anything much to offer.
>
> That's not strictly true, I did start to write something about this and
> other issues but have not sent it. Made some documentation comments in
> bugzilla.
>
>> We now have a list of 17 IP addresses, which do often trigger the error.
>> It looks like it depends on the sender address, if we get the error or
>> not. I have done a tcpdump for some of these IPs, and passed the data to
>> exim with debugging mode enabled. No error occurs.
>>
>> The mails I have seen so far, are sent from qmail-servers. But I'm not
>> sure if this is always the case. They don't have any dkim-header, but a
>> header "DomainKey-Status: no signature". All of them seem to be
>> newsletters.
>


Can anyone confirm that all/most are coming off Qmail ELSE an MTA that is
attempting parallel delivery?

Givens:

When there is more than one recipient at your <domain>.<tld>, Qmail *tries* to do
multiple, simultaneous (or close to it) 'parallel' deliveries, e.g. one per
recipient-per-message instead of one per-message wherein YOUR MTA does the
expansion.

That should not matter to the DKIM vetting process - but maybe, just maybe there
is a point or circumstance at which it does?

I don't allow the multiple simultaneous connections per source in the first
place, a feature easily set up for test to see if it mitigates the DKIM vetting
issue.

Bill

> I had added to data acl:
>
>   warn
>     condition   = ${if def:h_dkim-signature:}
>     log_message = Recording DKIM-Signature: $h_dkim-signature
>
> but it didn't record anything for these failing messages. I hadn't got
> any further, so your comment about "DomainKey-Status: no signature" was
> news to me, and maybe explains why I get nothing logged.
>
> Here are the hosts I see:
>
> Hmm. Looking more closely at them, the yahoo ones are more suspicious.
> Seemingly the validation error occurred but I also did record the
> signature header, which I will send to Tom direct to take a look at.
>
> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
>
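
The correlation the posters describe doing by hand (matching the message IDs of the DKIM paniclog errors to the sending hosts in the main log) can be scripted. The following is an added example, not part of the original messages; the log lines, message IDs, hosts and addresses are constructed, and the main log is assumed to use Exim's standard `<=` arrival line with `H=` and a bracketed IP.

```python
import re
from collections import Counter

# Constructed sample logs (not from the thread); IPs are documentation ranges.
PANICLOG = """\
2009-12-02 22:06:05 1AAAAA-000001-AA DKIM: Error while running this message through validation, disabling signature verification.
2009-12-03 00:36:35 1AAAAB-000002-BB DKIM: Error while running this message through validation, disabling signature verification.
2009-12-03 01:01:03 1AAAAD-000004-DD DKIM: Error while running this message through validation, disabling signature verification.
2009-12-03 02:00:00 1AAAAE-000005-EE DKIM: Error while running this message through validation, disabling signature verification.
"""
MAINLOG = """\
2009-12-02 22:06:06 1AAAAA-000001-AA <= news@list.example H=(mx1.list.example) [192.0.2.10] P=smtp S=4312
2009-12-03 00:36:36 1AAAAB-000002-BB <= news@list.example H=(mx1.list.example) [192.0.2.10] P=smtp S=4298
2009-12-03 00:40:00 1AAAAC-000003-CC <= bob@ok.example H=mail.ok.example [198.51.100.7] P=esmtp S=901
2009-12-03 01:01:04 1AAAAD-000004-DD <= promo@shop.example H=out.shop.example (helo.shop.example) [203.0.113.5] P=esmtp S=7120
"""

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
PANIC_RE = re.compile(rf"^\S+ \S+ ({MSGID}) DKIM: Error while running this message")
ARRIVAL_RE = re.compile(rf"^\S+ \S+ ({MSGID}) <= (\S+) .*?H=(.+?) \[([0-9A-Fa-f.:]+)\]")

def dkim_error_ids(paniclog):
    """Message IDs for which DKIM verification was disabled."""
    return {m.group(1) for line in paniclog.splitlines() if (m := PANIC_RE.match(line))}

def correlate(paniclog, mainlog):
    """Return (hits, unmatched): arrival details per failing message, and
    failing IDs with no arrival line (e.g. message rejected or log rotated)."""
    ids = dkim_error_ids(paniclog)
    hits = []
    for line in mainlog.splitlines():
        m = ARRIVAL_RE.match(line)
        if m and m.group(1) in ids:
            hits.append({"id": m.group(1), "sender": m.group(2),
                         "host": m.group(3), "ip": m.group(4)})
    unmatched = ids - {h["id"] for h in hits}
    return hits, unmatched

def per_ip(hits):
    """Tally failures per source IP to see which senders trigger the error."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    hits, unmatched = correlate(PANICLOG, MAINLOG)
    for ip, n in per_ip(hits).most_common():
        print(f"{n:3d}  {ip}")
    print("no arrival line for:", sorted(unmatched))
```
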