[exim-dev] [Bug 1309] New: Headers included in dkim_sign_hea…

Author: Tony Meyer
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1309] New: Headers included in dkim_sign_headers are not in the signature when not in the message

http://bugs.exim.org/show_bug.cgi?id=1309
           Summary: Headers included in dkim_sign_headers are not in the
                    signature when not in the message
           Product: Exim
           Version: 4.80
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: DKIM
        AssignedTo: tom@???
        ReportedBy: tony@???
                CC: exim-dev@???



The documentation for the dkim_sign_headers option says:

OPTIONAL: When set, this option must expand to (or be specified as) a
colon-separated list of header names. Headers with these names will be included
in the message signature. When unspecified, the header names recommended in
RFC4871 will be used.

It sounds to me like this is intended to expose the "signed header fields" part
of DKIM (i.e. the h= tag), although it doesn't say that explicitly.

The behaviour, as far as I can determine (see debugging process below), is not
that, however. What happens is that the headers with those names will be
included in the message signature *iff* they are present in the message being
signed.

For example, in the message below I have dkim_sign_headers set to
subject:to:from, and a message that has Subject: and From: headers, but no To:
header, and the h= tag in the DKIM signature is From:Subject (i.e. "To" is
missing).

Exim version:

$ /usr/exim/bin/exim -bV
Exim version 4.80 #5 built 20-Sep-2012 04:58:22
Copyright (c) University of Cambridge, 1995 - 2012
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
Berkeley DB: Berkeley DB 4.6.21: (June 10, 2009)
Support for: iconv() DKIM
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz
dnsdb
Authenticators:
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /usr/exim/configure

Data part of Exim debug output:

23922 SMTP>> DATA
23922 waiting for data on socket
23922 read response data: size=56
23922 SMTP<< 354 Enter message, ending with "." on a line by itself
23922 SMTP>> writing message and terminating "."
23922 writing data block fd=8 size=310 timeout=300
PDKIM >> Hashed body data, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DKIM{SP}signing{SP}test.{CR}{LF}PDKIM
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
PDKIM [dkimtest.simplyspamfree.com] Body bytes hashed: 20
PDKIM [dkimtest.simplyspamfree.com] bh computed:
6f9649e04ec67550c6ad9c05d6f3fe0ddec2e47a019062147a1d8b2d1eef2347
PDKIM >> Hashed header data, canonicalized, in sequence >>>>>>>>>>>>>>
from:tony@???{CR}{LF}
subject:Hello{SP}world!{CR}{LF}
PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
PDKIM >> Signed DKIM-Signature header, canonicalized >>>>>>>>>>>>>>>>>
dkim-signature:v=1;{SP}a=rsa-sha256;{SP}q=dns/txt;{SP}c=relaxed/relaxed;{SP}d=dkimtest.simplyspamfree.com;{SP}s=testing;{SP}h=From:Subject;{SP}bh=b5ZJ4E7GdVDGrZwF1vP+Dd7C5HoBkGIUeh2LLR7vI0c=;{SP}b=;
PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
PDKIM [dkimtest.simplyspamfree.com] hh computed:
a3b31fa092e45a6c5bf67fabd124c8984f446afe3628586f1b0f1fc177d6ba25
PDKIM [dkimtest.simplyspamfree.com] b computed:
c8bc27d6387835fbf9b35e5d1cfad023f143a21c4d138993dcfc1ac65d3a3bf0034b17452892ba94bf207084738dc3afaef22ca9f3c300a81fbfecd4911726715f6fc62d01871cac4cf8da07716ee6f622c0390d72cb24867246caaeb2f1df523947c8219a54e7c90042077127f2247e99d5031e407f2d03e9620f1becf83660
23922 waiting for data on socket
23916 SMTP<< quit
23916 SMTP>> 221 server1.test8.simplyspamfree.com closing connection
23916 LOG: smtp_connection MAIN
23916 SMTP connection from (fyx.co.nz) [124.198.208.183] closed by QUIT
23916 search_tidyup called
23915 child 23916 ended: status=0x0
23915 normal exit, 0
23915 0 SMTP accept processes now running

Exim configuration:

$ cat /usr/exim/configure
acl_smtp_rcpt = acl_check_rcpt
begin acl
acl_check_rcpt:
accept
domains = spamexperts.com
deny
begin routers
dnslookup:
driver = dnslookup
transport = remote_smtp
same_domain_copy_routing = yes
begin transports
remote_smtp:
driver = smtp
dkim_domain = dkimtest.simplyspamfree.com
dkim_selector = testing
dkim_private_key = /tmp/key
dkim_sign_headers = subject:to:from

Message sending:

220 server1.test8.simplyspamfree.com ESMTP Exim 4.80 Thu, 20 Sep 2012 09:27:52
+0200
helo fyx.co.nz
250 server1.test8.simplyspamfree.com Hello fyx.co.nz [124.198.208.183]
mail from:tony@???
250 OK
rcpt to:tony@???
250 Accepted
data
354 Enter message, ending with "." on a line by itself
Subject: Hello world!
From: tony@???

DKIM signing test.
.
250 OK id=1TEbB5-0006Dk-ER
quit
221 server1.test8.simplyspamfree.com closing connection


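Added example (not part of the original report and not Exim's code): a Python sketch of the header selection described above, comparing an h= tag built only from headers present in the message with one that lists every name from dkim_sign_headers. It follows RFC 6376 section 5.4, under which a name listed in h= with no matching header is hashed as the null string. The function names and the example.invalid addresses are assumptions, h= ordering is simplified, and the DKIM-Signature header's own contribution to the hash is left out.

```python
import hashlib
import re

# Constructed from the message in the report; the redacted address is a placeholder.
MESSAGE_HEADERS = [("Subject", "Hello world!"), ("From", "tony@example.invalid")]
CONFIGURED = ["subject", "to", "from"]  # dkim_sign_headers = subject:to:from

def relaxed(name, value):
    """Relaxed header canonicalization (RFC 6376 section 3.4.2)."""
    value = re.sub(r"\s+", " ", value).strip()  # unfold, collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def h_tag_present_only(configured, headers):
    """Behaviour observed in the report: names absent from the message are dropped."""
    present = {name.lower() for name, _ in headers}
    return [name for name in configured if name.lower() in present]

def h_tag_as_listed(configured):
    """Alternative reading of the documentation: every configured name is listed."""
    return list(configured)

def header_hash(h_names, headers):
    """SHA-256 over the header fields selected by h=.

    Each name consumes the last unused instance of that header; a name with
    no instance left contributes nothing (the null string).
    """
    remaining = list(headers)
    digest = hashlib.sha256()
    for name in h_names:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                digest.update(relaxed(*remaining.pop(i)).encode())
                break
    return digest.hexdigest()

def survives_added_header(h_names, headers, added):
    """True if the header hash is unchanged after `added` appears in transit."""
    return header_hash(h_names, headers) == header_hash(h_names, headers + [added])

if __name__ == "__main__":
    late_to = ("To", "someone@example.invalid")  # constructed header added after signing
    for label, h in (("present only", h_tag_present_only(CONFIGURED, MESSAGE_HEADERS)),
                     ("as listed", h_tag_as_listed(CONFIGURED))):
        ok = survives_added_header(h, MESSAGE_HEADERS, late_to)
        print(f"{label:12} h={':'.join(h):16} hash unchanged after To: added: {ok}")
```

At signing time both h= lists produce the same header hash for this message; they differ only in whether a To: header that appears later changes it.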