[exim] DKIM signing with empty headers

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Tony Meyer
Date:  
À: exim users
Sujet: [exim] DKIM signing with empty headers
Hi,

When I send a message through Exim that has an empty subject (i.e. the
subject header is there but has no value), the DKIM signature is
invalid. If the subject is present or is not in the message at all,
then the signature is valid. I'm using the default (i.e. unset) value
of dkim_sign_headers.

Is this a bug? Something I'm doing wrong? The way it's meant to
work? (I've read the RFC, which discusses including headers in the
signature that aren't present in the message, but as far as I can
tell, an empty header should still be included).

To verify the signature, I'm lazily using gmail, which adds an
authentication header like this for success:

mx.google.com; spf=neutral (google.com: 31.25.103.16 is neither
permitted nor denied by best guess record for domain of
tony@???) smtp.mail=tony@???; dkim=pass
header.i=@dkimtest.simplyspamfree.com

And an authentication header like this when the subject is present but empty:

mx.google.com; spf=pass (google.com: domain of
tony@??? designates 188.40.178.54 as permitted
sender) smtp.mail=tony@???; dkim=hardfail
header.i=@dkimtest.simplyspamfree.com

(Exim 4.76 also considers the signature bad; I haven't tried with 4.80).

Thanks,
Tony

Full Exim configuration (minimal and created specifically to test
this, obviously):

"""
acl_smtp_rcpt = acl_check_rcpt
begin acl
acl_check_rcpt:
  accept
    domains = spamexperts.com
  deny
begin routers
dnslookup:
  driver = dnslookup
  transport = remote_smtp
  same_domain_copy_routing = yes
begin transports
remote_smtp:
  driver = smtp
  dkim_domain = dkimtest.simplyspamfree.com
  dkim_selector = testing
  dkim_private_key = /tmp/key
"""


Exim build information:

"""
$ exim -bV
Exim version 4.80 #2 built 07-Jun-2012 04:33:34
Copyright (c) University of Cambridge, 1995 - 2012
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
Berkeley DB: Berkeley DB 4.6.21: (June 10, 2009)
Support for: iconv() DKIM
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm
dbmjz dbmnz dnsdb
Authenticators:
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /usr/exim/configure
"""

Message sending (Python):

"""
>>> s = smtplib.SMTP("dkimtest.simplyspamfree.com")
>>> s.ehlo()

(250, 'dkimtest.simplyspamfree.com Hello tonyandrewmeyer.homeip.net
[60.234.179.13]\nSIZE 52428800\n8BITMIME\nPIPELINING\nHELP')
>>> s.mail("tony@???")

(250, 'OK')
>>> s.rcpt("tony@???")

(250, 'Accepted')
>>> s.data("Subject: 1\nFrom:tony@???\n\nWith subject (good signature).")

(250, 'OK id=1ScSjb-0000uT-J7')
>>> s.quit()

(221, 'dkimtest.simplyspamfree.com closing connection')
>>> s = smtplib.SMTP("dkimtest.simplyspamfree.com")
>>> s.ehlo()

(250, 'dkimtest.simplyspamfree.com Hello tonyandrewmeyer.homeip.net
[60.234.179.13]\nSIZE 52428800\n8BITMIME\nPIPELINING\nHELP')
>>> s.mail("tony@???")

(250, 'OK')
>>> s.rcpt("tony@???")

(250, 'Accepted')
>>> s.data("From:tony@???\n\nWithout subject (good signature).")

(250, 'OK id=1ScSkI-0000wP-3P')
>>> s.quit()

(221, 'dkimtest.simplyspamfree.com closing connection')
>>> s = smtplib.SMTP("dkimtest.simplyspamfree.com")
>>> s.ehlo()

(250, 'dkimtest.simplyspamfree.com Hello tonyandrewmeyer.homeip.net
[60.234.179.13]\nSIZE 52428800\n8BITMIME\nPIPELINING\nHELP')
>>> s.mail("tony@???")

(250, 'OK')
>>> s.rcpt("tony@???")

(250, 'Accepted')
>>> s.data("Subject:\nFrom:tony@???\n\nWith empty subject (bad signature).")

(250, 'OK id=1ScSkn-0000wc-U0')
>>> s.quit()

(221, 'dkimtest.simplyspamfree.com closing connection')
"""