Re: [exim] Exim4 vs Gmail - DKIM algorithms incompatibility

Author: Phil Pennock
Date:  
To: Marcin Mirosław
CC: exim-users
Subject: Re: [exim] Exim4 vs Gmail - DKIM algorithms incompatibility
On 2013-11-04 at 20:23 +0100, Marcin Mirosław wrote:
> Again I've attached too little. You can find complete xml report
> attached to email.
> This one email wasn't sent to mailing list, it was sent to gmail user.


Okay, I just sent a test mail to my Gmail account; this is a fairly
regular occurrence, but lets me confirm that things are still working
(with a 4.82RC3 build).

----------------------------8< cut here >8------------------------------
Received: from mx.spodhuis.org (smtp.spodhuis.org. [2a02:898:31:0:48:4558:736d:7470])
        by mx.google.com with ESMTPS id r3si12105343eep.328.2013.11.04.14.40.59
        for <[a-personal-address]@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 04 Nov 2013 14:40:59 -0800 (PST)
Received-SPF: pass (google.com: domain of prvs=002035ac8a=phil.pennock@??? designates 2a02:898:31:0:48:4558:736d:7470 as permitted sender) client-ip=2a02:898:31:0:48:4558:736d:7470;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of prvs=002035ac8a=phil.pennock@??? designates 2a02:898:31:0:48:4558:736d:7470 as permitted sender) smtp.mail=prvs=002035ac8a=phil.pennock@???;
       dkim=pass header.i=@spodhuis.org;
       dmarc=pass (p=NONE dis=NONE) header.from=spodhuis.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201210;
    h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date; bh=v4dMfdOoPPNw/cF+SW40HeBs1Za1xm2/PJu39sE54+4=;
    b=mB76+dQIaK26jchJnzFiQHPeIX+BD5RVFadbp1oRt7pIqsZO0mgCgydLN3JUV8/6izk5lcBoXN9gIsH3sewCZUvQgnn7k5YHfiZrfpAzCmcQ2kq/wIY9YUzdfPWxL4LczHt38sPnIev8wLd1j5Twk8aTWyEeTLjRSLOw1Qtu2DU=;
Received: from authenticated user by smtp.spodhuis.org with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    id 1VdSpO-000MRk-Uq; Mon, 04 Nov 2013 22:40:59 +0000
----------------------------8< cut here >8------------------------------


Here we can clearly see a few things:

* Google have improved the ciphersuite selections for inbound email!
Nicely done, Google. An ECDHE session, GCM, decent bit-sizes.
All with modern TLS. Okay, the weak point is _definitely_ the SMTP
limitations right now.
* IPv6 is working fine into Google
* DKIM signature was verified
* In the signature itself, relaxed/relaxed, which worked fine.
* It's been over a year since I rolled signing keys, I should get
around to doing that today and figure out what monitoring I should
have on this to prevent recurrence.

-Phil
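
A possible starting point for the key-age monitoring mentioned in the last bullet, added here as an example and not part of the original message or of Exim: it parses a DKIM-Signature header and flags an old selector or the deprecated rsa-sha1 algorithm. It assumes the selector embeds its creation month as YYYYMM, as `d201210` appears to; the function names and the 12-month threshold are hypothetical.

```python
import re
from datetime import date

# Constructed sample: tags as in the header quoted above, bh=/b= replaced by placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201210;\r\n"
    "    h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date; bh=PLACEHOLDER=;\r\n"
    "    b=PLACE\r\n HOLDER=;"
)

def parse_dkim_signature(header):
    """Return the tag=value pairs of a DKIM-Signature header as a dict."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    value = re.sub(r"\r?\n[ \t]+", " ", value)       # unfold continuation lines
    tags = {}
    for spec in value.split(";"):
        if not spec.strip():
            continue                                  # a trailing ';' is allowed
        tag, sep, val = spec.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % spec)
        tag = tag.strip()
        # base64 tags may contain folding whitespace; other values are just trimmed
        tags[tag] = re.sub(r"\s+", "", val) if tag in ("b", "bh") else val.strip()
    return tags

def selector_age_months(selector, today):
    """Months since the YYYYMM at the end of the selector (assumed naming), else None."""
    m = re.search(r"(\d{4})(\d{2})$", selector)
    if not m or not 1 <= int(m.group(2)) <= 12:
        return None
    return (today.year - int(m.group(1))) * 12 + today.month - int(m.group(2))

def audit(header, today, max_age_months=12):
    """Return a list of findings for one signature header (empty list means no finding)."""
    tags = parse_dkim_signature(header)
    findings = []
    if tags.get("a") == "rsa-sha1":
        findings.append("algorithm rsa-sha1 is deprecated (RFC 8301)")
    age = selector_age_months(tags.get("s", ""), today)
    if age is None:
        findings.append("selector %r carries no date; key age unknown" % tags.get("s"))
    elif age > max_age_months:
        findings.append("selector %s is %d months old; rotate the key" % (tags["s"], age))
    return findings
```

Run `audit()` over the DKIM-Signature header of a periodic self-addressed test message and alert when the returned list is non-empty.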