[exim] DKIM strict signing failing when dkim_private_key is …

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Tony Meyer
日付:  
To: exim users
題目: [exim] DKIM strict signing failing when dkim_private_key is false
Hi,

I'm having some trouble getting DKIM signing to work (Exim 4.72). The
DKIM documentation says:

dkim_private_key    Use: smtp    Type: string†    Default: unset
[...] The result can [...] be "0", "false" or the empty string, in
which case the message will not be signed. This case will not result
in an error, even if dkim_strict is set.


My transport configuration looks like this:

remote_smtp_batv:
  debug_print = "T: remote_smtp_batv for $local_part@$domain"
  driver = smtp
  dkim_domain = spamexperts.com
  dkim_selector = default
  dkim_private_key = ${lookup mysql{SELECT \
                      certificate FROM dkim WHERE \
                      domain='spamexperts.com'}{$value}{false}}
  dkim_strict = true
  return_path = ${prvs {$return_path} \
                  {${lookup mysql{SELECT \
                                  batv_secret FROM batv WHERE \
                                  batv_enabled=1 AND \
                                  domain='spamexperts.com' AND \
                                  '${quote_mysql:$return_path}' <> ''} \
                     {$value}fail}}}



Basically, if the MySQL query for dkim_private_key can't find a
matching row, then it should turn DKIM signing off (by setting
dkim_private_key to false). I think my expansion is ok:

$ exim -be
> ${lookup mysql{SELECT certificate FROM dkim WHERE domain='spamexperts.com'}{$value}{false}}

false

However, when this is the case, when delivery is attempted, the debug
output includes this:

LOG: MAIN
DKIM: message could not be signed, and dkim_strict is set. Deferring
message delivery.
ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is NULL
LOG: MAIN
alt2.gmail-smtp-in.l.google.com [74.125.157.27]: Permission denied
set_process_info: 30128 delivering 1OlzYy-0007Bo-Ui: just tried
alt2.gmail-smtp-in.l.google.com [74.125.157.27] for
tony.meyer@???: result DEFER

My understanding of the Exim internals is limited, so I am likely
wrong here, but I see this in transport.c:

  if (!( ((dkim_private_key != NULL) && (dkim_domain != NULL) &&
(dkim_selector != NULL)) )) {
    /* If we can't sign, just call the original function. */


It looks like this is doing the "if there is no private key don't sign
but send anyway" logic. It looks like it is only checking if
dkim_private_key is unset, rather than 0/false/"" (maybe that check is
elsewhere? I couldn't figure that out). Is that the case? If so, is
there a way I can say "unset" instead of "false" in the
dkim_private_key expansion? (I also tried the empty string, i.e. {}
instead of {false}, and had the same result).

Any advice about how to fix this would be appreciated, thanks!

Cheers,
Tony