[exim] Request for clarification of "multiple calls to dkim …

Author: Todd Lyons
Date:  
To: exim-users
Subject: [exim] Request for clarification of "multiple calls to dkim acl"
I've just upgraded to 4.72 from 4.69, so I've switched from the
libdkim to the native dkim code. I know that the dkim acl can be
called multiple times on a single email; it's supposed to match the
number of signatures. Well, I've got an email with one dkim signature
(and one domainkeys signature) from twitter for which exim puts two
authentication results headers in the delivered email. Can somebody
tell me why this is? It doesn't do this for all signed email, just
some. Note that "twitter.com" is not one of the domains that I have
defined as a required signature. It does not do this for all emails,
but I've seen it on a few.

The signature section:
X-DKIM: Sendmail DKIM Filter v2.8.2 mx001.twitter.com 087539ADDEE
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=twitter.com; s=dkim;
        t=1284125876; i=@twitter.com; bh=ROTt9O5Tq0diuri28T+f6lOZrK8=;
        h=Date:From:Reply-To:To:Message-Id:Subject:Mime-Version:
         Content-Type;
        b=qYS7xE14E+GBD7H5y5VyW+LU+kRb3dDV2MkkOQs7RtrrT0ssVtmbKF4J3rE5L7Ykh
         ztyN7BfMHVd+WkprSu6zUIOTUKanivFwrWpNpmbfGos05SdHMzfFyFMBZjXwyNvQ8q
         Aba8UB5ypsZZPn2JSUVUFDGA9kPBiHYYSRcNLzAE=
X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 mx001.twitter.com 087539ADDEE
DomainKey-Signature: a=rsa-sha1; s=default; d=twitter.com; c=simple; q=dns;
        b=mdOdrvE/PdrddGMXrx6OGyqmOBqkVJgbFNhcTviq4fHZpdQL6Ko9KKKC40PUAvNvs
        T6ouoBYllkUoj4ookNqRA==


And the resulting headers:
Authentication-Results: m.ivenue.com; dkim=pass;
header.d="@twitter.com"; header.i="@???"; header.s="dkim"
Authentication-Results: m.ivenue.com; dkim=pass;
header.d="twitter.com"; header.i="@???"; header.s="dkim"

Here is a second email with the same issue:
Authentication-Results: m.ivenue.com; dkim=pass;
header.d="eDeals@???"; header.i="eDeals@???";
header.s="global1"
Authentication-Results: m.ivenue.com; dkim=pass; header.d="1and1.com";
header.i="eDeals@???"; header.s="global1"
X-DKIM: Exim 4.72 on m.ivenue.com
Received: from mbulk.1and1.com ([212.227.126.222])
        by m.ivenue.com with esmtp (Exim 4.72)
        (envelope-from <bounce5+baABHWTYYAAAAAMAAAAWSINPQ@???>)
        id 1Ou44J-0003qm-Qd
        for sales@???; Fri, 10 Sep 2010 13:55:11 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=1and1.com; s=global1;
        t=1284126896; i=eDeals@???; bh=H/Z4rGfr1/9oSSUjA1fhlqFPiLko5d
        zETo08PcgE4Zk=; h=Date:From:Reply-To:Reply-To:To:Message-ID:Subject:
         MIME-Version:Content-Type; b=gjJymsVeycgdR5gkKyIE0PJe+tCqi89E0Pw6X
        zsDCo31rZ8uqpUUjldTeMi1YzxxYaao0U04XWP30TsCR3OMXjvKyEV16sLQgyMKDj0L
        JhgkMx7ibhNZ3kuZNLVWCxdQEkh0JxmRJuMvWKlIhaoDJk7/9pJX/rUyM6A8H88Yc7g
        =


So it kind of looks like it's breaking down the signing domain piece
by piece and hitting the ACL each time with it. Maybe I need to
detect if $dkim_cur_signer has an @ sign in it and skip it if it does?
Hmmm, it looks more like I should be using $dkim_domain instead of
$dkim_cur_signer when generating the auth results header, however it
still looks like I should only insert the header if $dkim_cur_signer
doesn't have an @ sign.

The entire dkim acl is shown below. The duplicated result headers are
generated by the stanza which has "dkim_status = pass" in it:

acl_check_dkim:
  # Unsigned mail from a domain we require signatures from: accept but flag it.
  accept  dkim_status    = none
          sender_domains = KNOWN_DKIM_SIGNERS
          dkim_signers   = KNOWN_DKIM_SIGNERS
          condition      = ${if match_domain{$sender_address_domain}{$dkim_cur_signer} {yes}{no}}
          log_message    = Possible DKIM Forgery: Unsigned message from $sender_address_domain
          add_header     = :at_start:X-DKIM: Exim $version_number on $primary_hostname \
                           (no dkim signature for required domain: $dkim_cur_signer)

  # Unsigned mail from anyone else.
  accept  dkim_status    = none
          !sender_domains = KNOWN_DKIM_SIGNERS
          !dkim_signers  = KNOWN_DKIM_SIGNERS
          set acl_m_dkim_hdr = 1
          add_header     = :at_start:X-DKIM: Exim $version_number on $primary_hostname \
                           (no dkim signature for $dkim_cur_signer)

  # Add the X-DKIM marker once per message.
  warn    condition      = ${if eq {$acl_m_dkim_hdr}{1} {no}{yes}}
          set acl_m_dkim_hdr = 1
          add_header     = :at_start:X-DKIM: Exim $version_number on $primary_hostname

  # This stanza produces the duplicated Authentication-Results headers.
  accept  dkim_status    = pass
          add_header     = :at_start:Authentication-Results: $primary_hostname; \
                           dkim=$dkim_verify_status; header.d="$dkim_cur_signer"; \
                           header.i="$dkim_identity"; header.s="$dkim_selector"

  warn    dkim_status    = invalid : fail
          add_header     = :at_start:Authentication-Results: $primary_hostname; \
                           dkim=$dkim_verify_status; header.d="$dkim_cur_signer"; \
                           header.i="$dkim_identity"; header.s="$dkim_selector"; \
                           reason="$dkim_verify_reason"

  # Broken signature from a domain we require signatures from: reject,
  # unless the signer's key is flagged as testing.
  deny    dkim_status    = fail
          sender_domains = KNOWN_DKIM_SIGNERS
          dkim_signers   = KNOWN_DKIM_SIGNERS
          condition      = ${if eq {$dkim_key_testing}{1} {no}{yes}}
          message        = Rejected: $dkim_verify_reason

  accept

Any comments or recommended changes are much appreciated.

--
Regards...      Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm.  -- Marcus Aurelius
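Added example, not part of the post above and not Exim's own code: a small Python model of why the dkim ACL runs twice for one signature. It rests on what the Exim documentation says about $dkim_signers (the list of signer domains and identities found in the message) and on dkim_verify_signers defaulting to that list, so a DKIM-Signature carrying an i= tag contributes two list items and therefore two ACL runs, each with a different $dkim_cur_signer. The script parses DKIM-Signature tag lists, builds that signer list, and contrasts the header generation the posted "dkim_status = pass" stanza performs (one Authentication-Results per run, header.d taken from $dkim_cur_signer) with a version that reports only on the domain run and takes header.d from the signature's d= tag, i.e. what $dkim_domain holds. The twitter.com signature is the one quoted in the post; the example.net signature, its tag values and the hostname mx.example.com are constructed.

```python
import re

# Constructed sample input: the twitter.com signature quoted in the post
# (it carries both d= and i=) plus a made-up example.net signature with
# no i= tag, which should yield a single ACL run.
SAMPLE_SIGNATURE_HEADERS = [
    "v=1; a=rsa-sha1; c=simple/simple; d=twitter.com; s=dkim;\n"
    "\tt=1284125876; i=@twitter.com; bh=ROTt9O5Tq0diuri28T+f6lOZrK8=;\n"
    "\th=Date:From:Reply-To:To:Message-Id:Subject:Mime-Version:\n"
    "\t Content-Type;\n"
    "\tb=qYS7xE14E+GBD7H5y5VyW+LU+kRb3dDV2MkkOQs7RtrrT0ssVtmbKF4J3rE5L7Ykh\n"
    "\t ztyN7BfMHVd+WkprSu6zUIOTUKanivFwrWpNpmbfGos05SdHMzfFyFMBZjXwyNvQ8q\n"
    "\t Aba8UB5ypsZZPn2JSUVUFDGA9kPBiHYYSRcNLzAE=",
    # constructed, not from the post: a signer that sets d= only
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=sel2010;\n"
    "\th=From:To:Subject:Date; bh=Zm9vYmFyYmF6; b=YmFyYmF6",
]


def parse_dkim_signature(header_value):
    """Parse a DKIM-Signature tag list (RFC 6376 section 3.2) into a dict.

    Tags are ';'-separated name=value pairs.  Folding whitespace inside a
    value (the wrapped h= and b= tags above) carries no meaning and is
    stripped.  Only the first '=' separates name from value, so the base64
    padding in b= and bh= survives.
    """
    tags = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def parsed_samples():
    return [parse_dkim_signature(h) for h in SAMPLE_SIGNATURE_HEADERS]


def signer_list(signatures):
    """Equivalent of $dkim_signers as Exim documents it: every signature's
    d= domain plus, when present, its i= identity.  dkim_verify_signers
    defaults to this list, and the ACL is called once per item."""
    signers = []
    for sig in signatures:
        signers.append(sig["d"])
        if "i" in sig:
            signers.append(sig["i"])
    return signers


def acl_runs(signatures):
    """Yield ($dkim_cur_signer, signature) once per ACL invocation
    (assumption: domain run first, then the identity run)."""
    for sig in signatures:
        yield sig["d"], sig
        if "i" in sig:
            yield sig["i"], sig


def _ar_line(hostname, header_d, sig):
    return (
        f'Authentication-Results: {hostname}; dkim=pass; '
        f'header.d="{header_d}"; header.i="{sig.get("i", "")}"; '
        f'header.s="{sig["s"]}"'
    )


def auth_results_as_posted(hostname, signatures):
    """What the posted 'dkim_status = pass' stanza does: one header per ACL
    run, header.d taken from $dkim_cur_signer.  A signature with an i=
    tag therefore yields two lines, one with the identity in header.d."""
    return [_ar_line(hostname, cur, sig) for cur, sig in acl_runs(signatures)]


def auth_results_deduplicated(hostname, signatures):
    """Report only on the domain run (skip when $dkim_cur_signer contains
    '@') and take header.d from the signature's d= tag ($dkim_domain)."""
    lines = []
    for cur_signer, sig in acl_runs(signatures):
        if "@" in cur_signer:
            continue  # identity run for a signature already reported
        lines.append(_ar_line(hostname, sig["d"], sig))
    return lines


if __name__ == "__main__":
    sigs = parsed_samples()
    print("$dkim_signers =", ":".join(signer_list(sigs)))
    print("\n".join(auth_results_as_posted("mx.example.com", sigs)))
    print("--- deduplicated ---")
    print("\n".join(auth_results_deduplicated("mx.example.com", sigs)))
```

Run stand-alone it prints three Authentication-Results lines for the "as posted" logic (two of them for twitter.com, one carrying header.d="@twitter.com") and two for the deduplicated logic. The same filter expressed in the ACL would be an extra `condition = ${if match{$dkim_cur_signer}{@}{no}{yes}}` on the pass stanza, with header.d="$dkim_domain"; that is the practitioner's translation, not something the post confirms.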