I've just upgraded to 4.72 from 4.69, so I've switched from
libdkim to the native DKIM code. I know that the DKIM ACL can be
called multiple times on a single email; it's supposed to match the
number of signatures. Well, I've got an email with one DKIM signature
(and one DomainKeys signature) from Twitter, and Exim puts two
Authentication-Results headers in the delivered email. Can somebody
tell me why this is? It doesn't do this for all signed email, just
some. Note that "twitter.com" is not one of the domains that I have
defined as a required signature. It does not do this for all emails,
but I've seen it on a few.
The signature section:
X-DKIM: Sendmail DKIM Filter v2.8.2 mx001.twitter.com 087539ADDEE
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=twitter.com; s=dkim;
t=1284125876; i=@twitter.com; bh=ROTt9O5Tq0diuri28T+f6lOZrK8=;
h=Date:From:Reply-To:To:Message-Id:Subject:Mime-Version:
Content-Type;
b=qYS7xE14E+GBD7H5y5VyW+LU+kRb3dDV2MkkOQs7RtrrT0ssVtmbKF4J3rE5L7Ykh
ztyN7BfMHVd+WkprSu6zUIOTUKanivFwrWpNpmbfGos05SdHMzfFyFMBZjXwyNvQ8q
Aba8UB5ypsZZPn2JSUVUFDGA9kPBiHYYSRcNLzAE=
X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 mx001.twitter.com 087539ADDEE
DomainKey-Signature: a=rsa-sha1; s=default; d=twitter.com; c=simple; q=dns;
b=mdOdrvE/PdrddGMXrx6OGyqmOBqkVJgbFNhcTviq4fHZpdQL6Ko9KKKC40PUAvNvs
T6ouoBYllkUoj4ookNqRA==
And the resulting headers:
Authentication-Results: m.ivenue.com; dkim=pass;
header.d="@twitter.com"; header.i="@???"; header.s="dkim"
Authentication-Results: m.ivenue.com; dkim=pass;
header.d="twitter.com"; header.i="@???"; header.s="dkim"
Here is a second email with the same issue:
Authentication-Results: m.ivenue.com; dkim=pass;
header.d="eDeals@???"; header.i="eDeals@???";
header.s="global1"
Authentication-Results: m.ivenue.com; dkim=pass; header.d="1and1.com";
header.i="eDeals@???"; header.s="global1"
X-DKIM: Exim 4.72 on m.ivenue.com
Received: from mbulk.1and1.com ([212.227.126.222])
by m.ivenue.com with esmtp (Exim 4.72)
(envelope-from <bounce5+baABHWTYYAAAAAMAAAAWSINPQ@???>)
id 1Ou44J-0003qm-Qd
for sales@???; Fri, 10 Sep 2010 13:55:11 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=1and1.com; s=global1;
t=1284126896; i=eDeals@???; bh=H/Z4rGfr1/9oSSUjA1fhlqFPiLko5d
zETo08PcgE4Zk=; h=Date:From:Reply-To:Reply-To:To:Message-ID:Subject:
MIME-Version:Content-Type; b=gjJymsVeycgdR5gkKyIE0PJe+tCqi89E0Pw6X
zsDCo31rZ8uqpUUjldTeMi1YzxxYaao0U04XWP30TsCR3OMXjvKyEV16sLQgyMKDj0L
JhgkMx7ibhNZ3kuZNLVWCxdQEkh0JxmRJuMvWKlIhaoDJk7/9pJX/rUyM6A8H88Yc7g
=
So it kind of looks like it's breaking down the signing domain piece
by piece and hitting the ACL each time with it. Maybe I need to
detect if $dkim_cur_signer has an @ sign in it and skip it if it does?
Hmmm, it looks more like I should be using $dkim_domain instead of
$dkim_cur_signer when generating the Authentication-Results header;
however, it still looks like I should only insert the header if
$dkim_cur_signer doesn't have an @ sign.
The entire DKIM ACL is shown below. The duplicated result headers are
generated by the stanza which has "dkim_status = pass" in it:
acl_check_dkim:

  # A required signer (KNOWN_DKIM_SIGNERS) sent an unsigned message:
  # log it, mark the message, and let it through.
  accept dkim_status    = none
         sender_domains = KNOWN_DKIM_SIGNERS
         dkim_signers   = KNOWN_DKIM_SIGNERS
         condition      = ${if match_domain{$sender_address_domain}{$dkim_cur_signer} {yes}{no}}
         log_message    = Possible DKIM Forgery: Unsigned message from $sender_address_domain
         add_header     = :at_start:X-DKIM: Exim $version_number on $primary_hostname \
                          (no dkim signature for required domain: $dkim_cur_signer)

  # Unsigned message from a domain we do not require a signature from.
  accept dkim_status     = none
         !sender_domains = KNOWN_DKIM_SIGNERS
         !dkim_signers   = KNOWN_DKIM_SIGNERS
         set acl_m_dkim_hdr = 1
         add_header      = :at_start:X-DKIM: Exim $version_number on $primary_hostname \
                           (no dkim signature for $dkim_cur_signer)

  # Add the X-DKIM marker once per message, whatever the outcome.
  warn   condition = ${if eq {$acl_m_dkim_hdr}{1} {no}{yes}}
         set acl_m_dkim_hdr = 1
         add_header = :at_start:X-DKIM: Exim $version_number on $primary_hostname

  # Valid signature: record it. This is the stanza that produces the
  # duplicated Authentication-Results headers shown above.
  accept dkim_status = pass
         add_header  = :at_start:Authentication-Results: $primary_hostname; \
                       dkim=$dkim_verify_status; header.d="$dkim_cur_signer"; \
                       header.i="$dkim_identity"; header.s="$dkim_selector"

  # Broken or failed signature: record the status and the reason.
  warn   dkim_status = invalid : fail
         add_header  = :at_start:Authentication-Results: $primary_hostname; \
                       dkim=$dkim_verify_status; header.d="$dkim_cur_signer"; \
                       header.i="$dkim_identity"; header.s="$dkim_selector"; \
                       reason="$dkim_verify_reason"

  # Failed signature from a required signer: reject, unless the key
  # record is still in testing mode ($dkim_key_testing = 1).
  deny   dkim_status    = fail
         sender_domains = KNOWN_DKIM_SIGNERS
         dkim_signers   = KNOWN_DKIM_SIGNERS
         condition      = ${if eq {$dkim_key_testing}{1} {no}{yes}}
         message        = Rejected: $dkim_verify_reason

  accept
Any comments or recommended changes are much appreciated.
--
Regards... Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm. -- Marcus Aurelius
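One way to get a single Authentication-Results line per signature, as an added example that is neither Todd's posted ACL nor anything from the Exim documentation. It rests on one assumption about Exim's behaviour: acl_smtp_dkim is run once for each entry in dkim_verify_signers, and the default value of that option, $dkim_signers, lists both the d= domain and the i= identity of every signature, which is why the ACL fires once for "twitter.com" and once for "@twitter.com" and why the identity ends up in header.d. The guard below skips the identity entries and takes header.d from $dkim_domain, which is the approach the post itself suggests. The macro name KNOWN_DKIM_SIGNERS is reused from the posted configuration; the two main-section options are assumed, so that the dkim_status = none stanza can also fire for required domains that did not sign.

```exim
# Added example, not the ACL posted above.
# Assumption: Exim runs acl_smtp_dkim once per entry in dkim_verify_signers,
# and $dkim_signers contains both the d= domain and the i= identity of each
# signature, so a single signature produces two ACL runs.

# --- main section (assumed) ---------------------------------------------
acl_smtp_dkim       = acl_check_dkim
# Also run the ACL for required domains that sent no signature at all, so
# that the "dkim_status = none" stanza below can detect them.
dkim_verify_signers = KNOWN_DKIM_SIGNERS : $dkim_signers

begin acl

acl_check_dkim:

  # Identity run (the signer contains "@", e.g. "@twitter.com"). The same
  # signature is also evaluated under its d= domain, so record nothing
  # here. Placed first so every later stanza only ever sees domains.
  accept condition = ${if match{$dkim_cur_signer}{@}}

  # Required signer sent an unsigned message: log it, mark it, accept.
  accept dkim_status    = none
         sender_domains = KNOWN_DKIM_SIGNERS
         dkim_signers   = KNOWN_DKIM_SIGNERS
         condition      = ${if match_domain{$sender_address_domain}{$dkim_cur_signer} {yes}{no}}
         log_message    = Possible DKIM Forgery: Unsigned message from $sender_address_domain
         add_header     = :at_start:X-DKIM: Exim $version_number on $primary_hostname \
                          (no dkim signature for required domain: $dkim_cur_signer)

  # Unsigned message from a domain we do not require a signature from.
  accept dkim_status     = none
         !sender_domains = KNOWN_DKIM_SIGNERS
         !dkim_signers   = KNOWN_DKIM_SIGNERS
         set acl_m_dkim_hdr = 1
         add_header      = :at_start:X-DKIM: Exim $version_number on $primary_hostname \
                           (no dkim signature for $dkim_cur_signer)

  # Add the X-DKIM marker once per message, whatever the outcome.
  warn   condition = ${if eq {$acl_m_dkim_hdr}{1} {no}{yes}}
         set acl_m_dkim_hdr = 1
         add_header = :at_start:X-DKIM: Exim $version_number on $primary_hostname

  # Valid signature: exactly one Authentication-Results line, with header.d
  # taken from the signature's d= tag ($dkim_domain), not from the list
  # entry the ACL happens to be running for ($dkim_cur_signer).
  accept dkim_status = pass
         add_header  = :at_start:Authentication-Results: $primary_hostname; \
                       dkim=$dkim_verify_status; header.d="$dkim_domain"; \
                       header.i="$dkim_identity"; header.s="$dkim_selector"

  # Broken or failed signature: record the status and the reason.
  warn   dkim_status = invalid : fail
         add_header  = :at_start:Authentication-Results: $primary_hostname; \
                       dkim=$dkim_verify_status; header.d="$dkim_domain"; \
                       header.i="$dkim_identity"; header.s="$dkim_selector"; \
                       reason="$dkim_verify_reason"

  # Failed signature from a required signer: reject, unless the published
  # key is still flagged as testing ($dkim_key_testing = 1).
  deny   dkim_status    = fail
         sender_domains = KNOWN_DKIM_SIGNERS
         dkim_signers   = KNOWN_DKIM_SIGNERS
         condition      = ${if eq {$dkim_key_testing}{1} {no}{yes}}
         message        = Rejected: $dkim_verify_reason

  accept
```

With the guard in place, the Twitter message above would get one line, header.d="twitter.com"; header.i="@twitter.com", and the 1and1 message one line with header.d="1and1.com". The guard is an accept, so a failing signature from a required domain is still rejected on the domain run, which is the only run the deny stanza ever sees. If Exim is ever given an i= identity without an "@" the guard would not catch it; comparing $dkim_cur_signer with $dkim_domain instead of looking for "@" is the stricter test if that matters in your environment.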