[exim] Help sought with fairly complex DKIM set up and Faceb…

Exim fans,

I run some mail relays for a few hundred domains that I look after and
want to perform fairly complex DKIM checking - I want to:

    * enforce DKIM tests domains that are 'known signers' (google,
facebook, etc) and explicitly accept or deny mail based on the result of
the DKIM checks - to avoid faked email
    * allow through mail with no signatures (obvious)
    * support a 'DKIM whitelist' for domains that send with DKIM but
have a known fault/problem
    * skip checks on hosts/domains we relay for
    * skip checks on authenticated connections from MUAs (clients)
    * defer if a message that has a signature is not testable, eg.
cannot retrieve their DKIM key, key has syntax error, etc.

Systems are: Ubuntu 10.04 LTS 32-bit + Exim 4.82 built from source



here's my DKIM ACL:

###
### ack_check_dkim: this ACL is used for checking DKIM
###

#
# acl_m2 set to zero on start for normal/full checks, set to 1 if
white-listed
#

acl_check_dkim:

        #
        # start of DKIM debug message and clear macro
        #
        warn    set acl_m2 = 0
                logwrite = DKIM START: domain=$sender_address_domain
possible_signer=$dkim_cur_signer status=$dkim_verify_status ${if
def:dkim_verify_reason {(reason=$dkim_verify_reason) }}

        #
        # strict checking on known signers...
        #
        deny    sender_domains = +dkim_known_signers
#               dkim_signers = +dkim_known_signers
                dkim_status = none:invalid:fail
                message = Message from $sender_address_domain (known
signer) with invalid or missing signature
                logwrite = DKIM DENY: Rejected $sender_address_domain is
known signer (in database) but has invalid/missing signature

        accept  sender_domains = +dkim_known_signers
#               dkim_signers = +dkim_known_signers
                dkim_status = pass
                logwrite = DKIM PASS: Accepted $sender_address_domain is
known signer and has good signature
                add_header = :after_received:X-DKIM-Result:
Domain=$sender_address_domain Result=Good and Known Domain

        #
        # ignore noise where we have no signature
        #
        accept  dkim_status = none
#               logwrite = DKIM SKIP: Skipping DKIM checks - no
signature for: $dkim_cur_signer

        #
        # skip DKIM if domain whitelisted for DKIM, i.e. known good
domain that has broken DKIM
        #
        accept  sender_domains = +dkim_whitelist_domains
                logwrite = DKIM SKIP: Skipping DKIM checks for
whitelisted domain: $sender_address_domain
                set acl_m2 = 1

        #
        # skip DKIM checks on hosts we relay for
        #
        accept  hosts = +relay_from_hosts
                logwrite = DKIM SKIP: Skipping DKIM checks for relay
host: $sender_fullhost

        #
        # skip DKIM checks on authenticated hosts (that we also relay for)
        #
        accept  authenticated = *
                logwrite = DKIM SKIP: Skipping DKIM checks for
authenticated host: $sender_fullhost

        #
        # defer when message not testable, e.g. can't get public key, etc.
        #
        defer   dkim_status = invalid
                message = Message from $sender_address_domain cannot be
verified
                logwrite = DKIM DEFER: domain=$sender_address_domain

        #
        # accept the message (correctly signed)
        #
        accept  dkim_status = pass
                sender_domains = $sender_address_domain
                dkim_signers = $sender_address_domain
                logwrite = DKIM PASS: domain=$sender_address_domain
signer=$dkim_cur_signer status=$dkim_verify_status
                add_header = :after_received:X-DKIM-Result:
Domain=$sender_address_domain Result=Signature OK

        #
        # accept the message EVEN IF the signature FAILS! due to white
listing
        #
        accept  condition = ${if eq {$acl_m2}{1}}
                dkim_status = fail
                sender_domains = $sender_address_domain
                dkim_signers = $sender_address_domain
                logwrite = DKIM FAIL (WHITELISTED):
domain=$sender_address_domain status=$dkim_verify_status - DKIM failed
but message accepted
                add_header = :after_received:X-DKIM-Result:
Domain=$sender_address_domain Result=FAIL (but whitelisted)

        #
        # deny (strict) when message fails signature test *and* acl_m2 =
0 (not whitelisted)
        #
        deny    condition = ${if eq {$acl_m2}{0}}
                dkim_status = fail
                sender_domains = $sender_address_domain
                dkim_signers = $sender_address_domain
                message = Message from has invalid DKIM signature
                logwrite = DKIM FAIL (DENY):
domain=$sender_address_domain - message rejected!

        #
        # accept anything else (should never get here)
        #
        accept  logwrite = DKIM DEFAULT: domain=$sender_address_domain -
message accepted (at end of ACL)

NB. hostlists and domainlists are read from MySQL tables and are in
standard exim form





My setup works for the most of the time including Google/Gmail - they
are in my "known signers" list:

2014-02-27 23:52:09 CONNECT: Accepting connection from: 209.85.215.196 -
not blocked by any RBL
2014-02-27 23:52:09 HELO: Accepted HELO/EHLO mail-ea0-f196.google.com
from remote host: 209.85.215.196 (mail-ea0-f196.google.com)
2014-02-27 23:52:09 HELO: Accepted HELO/EHLO mail-ea0-f196.google.com
from remote host: 209.85.215.196 (mail-ea0-f196.google.com)
2014-02-27 23:52:09 MAIL: SPF Result=pass (gmail.com /
mail-ea0-f196.google.com [209.85.215.196])
2014-02-27 23:52:09 MAIL: Accept from: mike.tubby80@??? host:
mail-ea0-f196.google.com [209.85.215.196]
2014-02-27 23:52:09 RCPT: SPF Result2=pass (gmail.com /
mail-ea0-f196.google.com [209.85.215.196])
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep DKIM: d=gmail.com s=20120113
c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep DKIM START: domain=gmail.com
possible_signer=gmail.com status=pass
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep DKIM PASS: Accepted gmail.com is
known signer and has good signature
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep MIME: Type=multipart/alternative Size=1
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep MIME: Type=text/plain Size=1
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep MIME: Type=text/html Size=1
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: Start ACL with scan profile: 2
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: Couldn't verify HELO/EHLO
greeting (mail-ea0-f196.google.com) from remote host: 209.85.215.196
(mail-ea0-f196.google.com)
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: SPAM: Enabled in scan
profile (will test, reject at 5.0)
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: SPAM Score: -0.4 (/)
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: ClamAV: Enabled in scan
profile (will test)
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: Added custom header:
X-Scan-Signature: aee9e5eeb35c86f052d502ac97832558
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: Checks completed, content
accepted
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep <= mike.tubby80@???
H=mail-ea0-f196.google.com [209.85.215.196] P=esmtps X=TLSv1:RC4-SHA:128
S=3105
id=CAAnpCNJqpST7cjTLyw3m6gR2mhTZWjx_wdGsQu=UBCUD6pDmtA@???
T="gmail testing"

Google are good guys!



Site mrredonline.com are not in my "known signers" and appear to be broken:

2014-02-27 23:55:41 CONNECT: Accepting connection from: 178.33.94.52 -
not blocked by any RBL
2014-02-27 23:55:41 HELO: Accepted HELO/EHLO ukb8mx4.mrredonline.com
from remote host: 178.33.94.52 (ukb8mx4.mrredonline.com)
2014-02-27 23:55:41 MAIL: SPF Result=neutral (ukb8mx6.mrredonline.com /
ukb8mx4.mrredonline.com [178.33.94.52])
2014-02-27 23:55:41 MAIL: Accept from: bounce@???
host: ukb8mx4.mrredonline.com [178.33.94.52]
2014-02-27 23:55:41 RCPT: SPF Result2=neutral (ukb8mx6.mrredonline.com /
ukb8mx4.mrredonline.com [178.33.94.52])
2014-02-27 23:55:41 1WJAnl-0002M4-4x DKIM: d=ukb8mx6.mrredonline.com
s=dkim c=relaxed/relaxed a=rsa-sha1 i=info@???
[invalid - public key record (currently?) unavailable]
2014-02-27 23:55:41 1WJAnl-0002M4-4x DKIM START:
domain=ukb8mx6.mrredonline.com possible_signer=ukb8mx6.mrredonline.com
status=invalid (reason=pubkey_unavailable)
2014-02-27 23:55:41 1WJAnl-0002M4-4x DKIM DEFER:
domain=ukb8mx6.mrredonline.com
2014-02-27 23:55:41 1WJAnl-0002M4-4x H=ukb8mx4.mrredonline.com
[178.33.94.52] temporarily rejected DKIM : Message from
ukb8mx6.mrredonline.com cannot be verified

which appears correct - they are a gambling site and appear to be
sending our a DKIM header, but probing them with ProtoDave's checker tool:

    http://www.protodave.com/tools/dkim-key-checker/

they don't have a public key under that selector... so I defer them...
seems appropriate to me... I will keep deferring them until they fix
their public key and then I might accept them!



Amazon are not in my "known signers" and appear to be ok:

2014-02-28 00:01:02 CONNECT: Accepting connection from: 54.240.0.151 -
not blocked by any RBL
2014-02-28 00:01:02 HELO: Accepted HELO/EHLO
a0-151.smtp-out.eu-west-1.amazonses.com from remote host: 54.240.0.151
(a0-151.smtp-out.eu-west-1.amazonses.com)
2014-02-28 00:01:02 MAIL: SPF Result=pass (bounces.amazon.com /
a0-151.smtp-out.eu-west-1.amazonses.com [54.240.0.151])
2014-02-28 00:01:02 MAIL: Accept from:
20140228000100daea22bcd6364808b4c0b369d29f3840-C19ZNAY18YA6WZ@???
host: a0-151.smtp-out.eu-west-1.amazonses.com [54.240.0.151]
2014-02-28 00:01:02 RCPT: SPF Result2=pass (bounces.amazon.com /
a0-151.smtp-out.eu-west-1.amazonses.com [54.240.0.151])
2014-02-28 00:01:12 1WJAt6-0002NM-C8 DKIM: d=amazon.co.uk
s=kfypa4gzdotgdqwujmwyfqhv7hoigmat c=relaxed/simple a=rsa-sha256
t=1393545660 [verification succeeded]
2014-02-28 00:01:12 1WJAt6-0002NM-C8 DKIM START:
domain=bounces.amazon.com possible_signer=amazon.co.uk status=pass
2014-02-28 00:01:12 1WJAt6-0002NM-C8 DKIM DEFAULT:
domain=bounces.amazon.com - message accepted (at end of ACL)
2014-02-28 00:01:12 1WJAt6-0002NM-C8 MIME: Type=multipart/mixed Size=47
2014-02-28 00:01:12 1WJAt6-0002NM-C8 MIME: Type=multipart/alternative
Size=47
2014-02-28 00:01:12 1WJAt6-0002NM-C8 MIME: Type=text/plain Size=2
2014-02-28 00:01:12 1WJAt6-0002NM-C8 MIME: Type=text/html Size=42
2014-02-28 00:01:12 1WJAt6-0002NM-C8 CONTENT: Start ACL with scan profile: 1
2014-02-28 00:01:12 1WJAt6-0002NM-C8 CONTENT: Couldn't verify HELO/EHLO
greeting (a0-151.smtp-out.eu-west-1.amazonses.com) from remote host:
54.240.0.151 (a0-151.smtp-out.eu-west-1.amazonses.com)
2014-02-28 00:01:12 1WJAt6-0002NM-C8 CONTENT: Checks skipped: SPF
Whitelisted
2014-02-28 00:01:12 1WJAt6-0002NM-C8 <=
20140228000100daea22bcd6364808b4c0b369d29f3840-C19ZNAY18YA6WZ@???
H=a0-151.smtp-out.eu-west-1.amazonses.com [54.240.0.151] P=esmtp S=49226
id=0000014475cb4934-183da1b1-d8b2-4c51-9d5c-70409cd1b646-000000@???
T="Feb 28: Today's Deal of the Day"

if they are know DKIM signing everything then - perhaps I should
elevate them to "known signer" status?



Paddy Power are not in my "known signers", but the DKIM header is found:

2014-02-27 23:45:28 CONNECT: Accepting connection from: 89.21.232.58 -
not blocked by any RBL
2014-02-27 23:45:28 HELO: Accepted HELO/EHLO
mail232-58.send.smartfocusdigital.net from remote host: 89.21.232.58
(mail232-58.send.smartfocusdigital.net)
2014-02-27 23:45:28 MAIL: Accept from: sports@???
host: mail232-58.send.smartfocusdigital.net [89.21.232.58]
2014-02-27 23:45:28 1WJAds-0002J9-84 DKIM: d=ppmail.paddypower.com
s=shared_key c=relaxed/relaxed a=rsa-sha1 i=sports@???
[invalid - public key record (currently?) unavailable]
2014-02-27 23:45:28 1WJAds-0002J9-84 DKIM START:
domain=ppmail.paddypower.com possible_signer=ppmail.paddypower.com
status=invalid (reason=pubkey_unavailable)
2014-02-27 23:45:28 1WJAds-0002J9-84 DKIM DEFER:
domain=ppmail.paddypower.com
2014-02-27 23:45:28 1WJAds-0002J9-84
H=mail232-58.send.smartfocusdigital.net [89.21.232.58] temporarily
rejected DKIM : Message from ppmail.paddypower.com cannot be verified

but they appear to have no public key?



And the killer one... Facebook... they are in my "known signers" but
appear to be broken:

2014-02-27 10:30:16 MAIL: SPF Result=pass (facebookmail.com /
outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150])
2014-02-27 10:30:16 MAIL: Accept from:
notification+kjdmd_m7uvpd@??? host:
outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150]
2014-02-27 10:30:16 RCPT: SPF Result2=pass (facebookmail.com /
outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150])
2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM: d=facebookmail.com
s=s1024-2013-q3 c=relaxed/simple a=rsa-sha256 t=1393497014 [verification
failed - signature did not verify (headers probably modified in transit)]
2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM START: domain=facebookmail.com
possible_signer=facebookmail.com status=fail (reason=signature_incorrect)
2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM DENY: Rejected
facebookmail.com is known signer (in database) but has invalid/missing
signature
2014-02-27 10:30:16 1WIyEK-0006vE-Fw H=outmail016.ash2.facebook.com
(mx-out.facebook.com) [66.220.155.150] rejected DKIM : Message from
facebookmail.com (known signer) with invalid or missing signature

am I the only person having problems with Facebook?




Questions:

* is there anything wrong with my design or implementation?

* are there any suggestions for improvements?

* specifically in the case of faceboomail.com do I have something broken
or is it them?

* do I really need to whitelist facebook as a broken DKIM sender to get
their mail in?



Regards


Mike Tubby