Author: Tony Meyer Date: To: exim users Subject: Re: [exim] DKIM signing with empty headers
Sorry - my bad. I found a mistake in my testing. The problem occurs
if the signature is generated by Exim 4.76 (and verified by anyone) or
if it is verified by Exim 4.76 (and generated by 4.80), but not
otherwise. So I should just hurry up and move to 4.80.
Thanks,
Tony
On Thu, Jun 7, 2012 at 3:09 PM, Tony Meyer <tony@???> wrote: > Hi,
>
> When I send a message through Exim that has an empty subject (i.e. the
> subject header is there but has no value), the DKIM signature is
> invalid. If the subject is present or is not in the message at all,
> then the signature is valid. I'm using the default (i.e. unset) value
> of dkim_sign_headers.
>
> Is this a bug? Something I'm doing wrong? The way it's meant to
> work? (I've read the RFC, which discusses including headers in the
> signature that aren't present in the message, but as far as I can
> tell, an empty header should still be included).
>
> To verify the signature, I'm lazily using gmail, which adds an
> authentication header like this for success:
>
> mx.google.com; spf=neutral (google.com: 31.25.103.16 is neither
> permitted nor denied by best guess record for domain of
> tony@???) smtp.mail=tony@???; dkim=pass
> header.i=@dkimtest.simplyspamfree.com
>
> And an authentication header like this when the subject is present but empty:
>
> mx.google.com; spf=pass (google.com: domain of
> tony@??? designates 188.40.178.54 as permitted
> sender) smtp.mail=tony@???; dkim=hardfail
> header.i=@dkimtest.simplyspamfree.com
>
> (Exim 4.76 also considers the signature bad; I haven't tried with 4.80).
>
> Thanks,
> Tony
>
> Full Exim configuration (minimal and created specifically to test
> this, obviously):
>
> """
> acl_smtp_rcpt = acl_check_rcpt
> begin acl
> acl_check_rcpt:
> accept
> domains = spamexperts.com
> deny
> begin routers
> dnslookup:
> driver = dnslookup
> transport = remote_smtp
> same_domain_copy_routing = yes
> begin transports
> remote_smtp:
> driver = smtp
> dkim_domain = dkimtest.simplyspamfree.com
> dkim_selector = testing
> dkim_private_key = /tmp/key
> """
>
> Exim build information:
>
> """
> $ exim -bV
> Exim version 4.80 #2 built 07-Jun-2012 04:33:34
> Copyright (c) University of Cambridge, 1995 - 2012
> (c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
> Berkeley DB: Berkeley DB 4.6.21: (June 10, 2009)
> Support for: iconv() DKIM
> Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm
> dbmjz dbmnz dnsdb
> Authenticators:
> Routers: accept dnslookup ipliteral manualroute queryprogram redirect
> Transports: appendfile autoreply pipe smtp
> Fixed never_users: 0
> Size of off_t: 8
> Configuration file is /usr/exim/configure
> """
>
> Message sending (Python):
>
> """
>>>> s = smtplib.SMTP("dkimtest.simplyspamfree.com")
>>>> s.ehlo()
> (250, 'dkimtest.simplyspamfree.com Hello tonyandrewmeyer.homeip.net
> [60.234.179.13]\nSIZE 52428800\n8BITMIME\nPIPELINING\nHELP')
>>>> s.mail("tony@???")
> (250, 'OK')
>>>> s.rcpt("tony@???")
> (250, 'Accepted')
>>>> s.data("Subject: 1\nFrom:tony@???\n\nWith subject (good signature).")
> (250, 'OK id=1ScSjb-0000uT-J7')
>>>> s.quit()
> (221, 'dkimtest.simplyspamfree.com closing connection')
>>>> s = smtplib.SMTP("dkimtest.simplyspamfree.com")
>>>> s.ehlo()
> (250, 'dkimtest.simplyspamfree.com Hello tonyandrewmeyer.homeip.net
> [60.234.179.13]\nSIZE 52428800\n8BITMIME\nPIPELINING\nHELP')
>>>> s.mail("tony@???")
> (250, 'OK')
>>>> s.rcpt("tony@???")
> (250, 'Accepted')
>>>> s.data("From:tony@???\n\nWithout subject (good signature).")
> (250, 'OK id=1ScSkI-0000wP-3P')
>>>> s.quit()
> (221, 'dkimtest.simplyspamfree.com closing connection')
>>>> s = smtplib.SMTP("dkimtest.simplyspamfree.com")
>>>> s.ehlo()
> (250, 'dkimtest.simplyspamfree.com Hello tonyandrewmeyer.homeip.net
> [60.234.179.13]\nSIZE 52428800\n8BITMIME\nPIPELINING\nHELP')
>>>> s.mail("tony@???")
> (250, 'OK')
>>>> s.rcpt("tony@???")
> (250, 'Accepted')
>>>> s.data("Subject:\nFrom:tony@???\n\nWith empty subject (bad signature).")
> (250, 'OK id=1ScSkn-0000wc-U0')
>>>> s.quit()
> (221, 'dkimtest.simplyspamfree.com closing connection')
> """
