Exim fans,
I run some mail relays for a few hundred domains that I look after and
want to perform fairly complex DKIM checking - I want to:
* enforce DKIM tests on domains that are 'known signers' (Google,
Facebook, etc.) and explicitly accept or deny mail based on the result of
the DKIM checks - to avoid faked email
* allow through mail with no signatures (obvious)
* support a 'DKIM whitelist' for domains that send with DKIM but
have a known fault/problem
* skip checks on hosts/domains we relay for
* skip checks on authenticated connections from MUAs (clients)
* defer if a message that has a signature is not testable, eg.
cannot retrieve their DKIM key, key has syntax error, etc.
Systems are: Ubuntu 10.04 LTS 32-bit + Exim 4.82 built from source
Here's my DKIM ACL:
###
### acl_check_dkim: this ACL is used for checking DKIM
###
#
# acl_m2 set to zero on start for normal/full checks, set to 1 if white-listed
#
acl_check_dkim:
  #
  # start of DKIM debug message and clear macro
  #
  warn    set acl_m2 = 0
          logwrite = DKIM START: domain=$sender_address_domain possible_signer=$dkim_cur_signer status=$dkim_verify_status ${if def:dkim_verify_reason {(reason=$dkim_verify_reason) }}
  #
  # strict checking on known signers...
  #
  deny    sender_domains = +dkim_known_signers
          # dkim_signers = +dkim_known_signers
          dkim_status = none:invalid:fail
          message = Message from $sender_address_domain (known signer) with invalid or missing signature
          logwrite = DKIM DENY: Rejected $sender_address_domain is known signer (in database) but has invalid/missing signature
  accept  sender_domains = +dkim_known_signers
          # dkim_signers = +dkim_known_signers
          dkim_status = pass
          logwrite = DKIM PASS: Accepted $sender_address_domain is known signer and has good signature
          add_header = :after_received:X-DKIM-Result: Domain=$sender_address_domain Result=Good and Known Domain
  #
  # ignore noise where we have no signature
  #
  accept  dkim_status = none
          # logwrite = DKIM SKIP: Skipping DKIM checks - no signature for: $dkim_cur_signer
  #
  # skip DKIM if domain whitelisted for DKIM, i.e. known good domain that has broken DKIM
  #
  accept  sender_domains = +dkim_whitelist_domains
          logwrite = DKIM SKIP: Skipping DKIM checks for whitelisted domain: $sender_address_domain
          set acl_m2 = 1
  #
  # skip DKIM checks on hosts we relay for
  #
  accept  hosts = +relay_from_hosts
          logwrite = DKIM SKIP: Skipping DKIM checks for relay host: $sender_fullhost
  #
  # skip DKIM checks on authenticated hosts (that we also relay for)
  #
  accept  authenticated = *
          logwrite = DKIM SKIP: Skipping DKIM checks for authenticated host: $sender_fullhost
  #
  # defer when message not testable, e.g. can't get public key, etc.
  #
  defer   dkim_status = invalid
          message = Message from $sender_address_domain cannot be verified
          logwrite = DKIM DEFER: domain=$sender_address_domain
  #
  # accept the message (correctly signed)
  #
  accept  dkim_status = pass
          sender_domains = $sender_address_domain
          dkim_signers = $sender_address_domain
          logwrite = DKIM PASS: domain=$sender_address_domain signer=$dkim_cur_signer status=$dkim_verify_status
          add_header = :after_received:X-DKIM-Result: Domain=$sender_address_domain Result=Signature OK
  #
  # accept the message EVEN IF the signature FAILS! due to white listing
  #
  accept  condition = ${if eq {$acl_m2}{1}}
          dkim_status = fail
          sender_domains = $sender_address_domain
          dkim_signers = $sender_address_domain
          logwrite = DKIM FAIL (WHITELISTED): domain=$sender_address_domain status=$dkim_verify_status - DKIM failed but message accepted
          add_header = :after_received:X-DKIM-Result: Domain=$sender_address_domain Result=FAIL (but whitelisted)
  #
  # deny (strict) when message fails signature test *and* acl_m2 = 0 (not whitelisted)
  #
  deny    condition = ${if eq {$acl_m2}{0}}
          dkim_status = fail
          sender_domains = $sender_address_domain
          dkim_signers = $sender_address_domain
          message = Message from $sender_address_domain has invalid DKIM signature
          logwrite = DKIM FAIL (DENY): domain=$sender_address_domain - message rejected!
  #
  # accept anything else (should never get here)
  #
  accept  logwrite = DKIM DEFAULT: domain=$sender_address_domain - message accepted (at end of ACL)
NB: hostlists and domainlists are read from MySQL tables and are in
standard Exim form.
My setup works most of the time, including Google/Gmail - they
are in my "known signers" list:
2014-02-27 23:52:09 CONNECT: Accepting connection from: 209.85.215.196 -
not blocked by any RBL
2014-02-27 23:52:09 HELO: Accepted HELO/EHLO mail-ea0-f196.google.com
from remote host: 209.85.215.196 (mail-ea0-f196.google.com)
2014-02-27 23:52:09 HELO: Accepted HELO/EHLO mail-ea0-f196.google.com
from remote host: 209.85.215.196 (mail-ea0-f196.google.com)
2014-02-27 23:52:09 MAIL: SPF Result=pass (gmail.com /
mail-ea0-f196.google.com [209.85.215.196])
2014-02-27 23:52:09 MAIL: Accept from: mike.tubby80@??? host:
mail-ea0-f196.google.com [209.85.215.196]
2014-02-27 23:52:09 RCPT: SPF Result2=pass (gmail.com /
mail-ea0-f196.google.com [209.85.215.196])
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep DKIM: d=gmail.com s=20120113
c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep DKIM START: domain=gmail.com
possible_signer=gmail.com status=pass
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep DKIM PASS: Accepted gmail.com is
known signer and has good signature
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep MIME: Type=multipart/alternative Size=1
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep MIME: Type=text/plain Size=1
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep MIME: Type=text/html Size=1
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: Start ACL with scan profile: 2
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: Couldn't verify HELO/EHLO
greeting (mail-ea0-f196.google.com) from remote host: 209.85.215.196
(mail-ea0-f196.google.com)
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: SPAM: Enabled in scan
profile (will test, reject at 5.0)
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: SPAM Score: -0.4 (/)
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: ClamAV: Enabled in scan
profile (will test)
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: Added custom header:
X-Scan-Signature: aee9e5eeb35c86f052d502ac97832558
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep CONTENT: Checks completed, content
accepted
2014-02-27 23:52:09 1WJAkL-0002Ld-Ep <= mike.tubby80@???
H=mail-ea0-f196.google.com [209.85.215.196] P=esmtps X=TLSv1:RC4-SHA:128
S=3105
id=CAAnpCNJqpST7cjTLyw3m6gR2mhTZWjx_wdGsQu=UBCUD6pDmtA@???
T="gmail testing"
Google are good guys!
Site mrredonline.com are not in my "known signers" and appear to be broken:
2014-02-27 23:55:41 CONNECT: Accepting connection from: 178.33.94.52 -
not blocked by any RBL
2014-02-27 23:55:41 HELO: Accepted HELO/EHLO ukb8mx4.mrredonline.com
from remote host: 178.33.94.52 (ukb8mx4.mrredonline.com)
2014-02-27 23:55:41 MAIL: SPF Result=neutral (ukb8mx6.mrredonline.com /
ukb8mx4.mrredonline.com [178.33.94.52])
2014-02-27 23:55:41 MAIL: Accept from: bounce@???
host: ukb8mx4.mrredonline.com [178.33.94.52]
2014-02-27 23:55:41 RCPT: SPF Result2=neutral (ukb8mx6.mrredonline.com /
ukb8mx4.mrredonline.com [178.33.94.52])
2014-02-27 23:55:41 1WJAnl-0002M4-4x DKIM: d=ukb8mx6.mrredonline.com
s=dkim c=relaxed/relaxed a=rsa-sha1 i=info@???
[invalid - public key record (currently?) unavailable]
2014-02-27 23:55:41 1WJAnl-0002M4-4x DKIM START:
domain=ukb8mx6.mrredonline.com possible_signer=ukb8mx6.mrredonline.com
status=invalid (reason=pubkey_unavailable)
2014-02-27 23:55:41 1WJAnl-0002M4-4x DKIM DEFER:
domain=ukb8mx6.mrredonline.com
2014-02-27 23:55:41 1WJAnl-0002M4-4x H=ukb8mx4.mrredonline.com
[178.33.94.52] temporarily rejected DKIM : Message from
ukb8mx6.mrredonline.com cannot be verified
which appears correct - they are a gambling site and appear to be
sending out a DKIM header, but probing them with ProtoDave's checker tool:
http://www.protodave.com/tools/dkim-key-checker/
they don't have a public key under that selector... so I defer them...
seems appropriate to me... I will keep deferring them until they fix
their public key and then I might accept them!
Amazon are not in my "known signers" and appear to be ok:
2014-02-28 00:01:02 CONNECT: Accepting connection from: 54.240.0.151 -
not blocked by any RBL
2014-02-28 00:01:02 HELO: Accepted HELO/EHLO
a0-151.smtp-out.eu-west-1.amazonses.com from remote host: 54.240.0.151
(a0-151.smtp-out.eu-west-1.amazonses.com)
2014-02-28 00:01:02 MAIL: SPF Result=pass (bounces.amazon.com /
a0-151.smtp-out.eu-west-1.amazonses.com [54.240.0.151])
2014-02-28 00:01:02 MAIL: Accept from:
20140228000100daea22bcd6364808b4c0b369d29f3840-C19ZNAY18YA6WZ@???
host: a0-151.smtp-out.eu-west-1.amazonses.com [54.240.0.151]
2014-02-28 00:01:02 RCPT: SPF Result2=pass (bounces.amazon.com /
a0-151.smtp-out.eu-west-1.amazonses.com [54.240.0.151])
2014-02-28 00:01:12 1WJAt6-0002NM-C8 DKIM: d=amazon.co.uk
s=kfypa4gzdotgdqwujmwyfqhv7hoigmat c=relaxed/simple a=rsa-sha256
t=1393545660 [verification succeeded]
2014-02-28 00:01:12 1WJAt6-0002NM-C8 DKIM START:
domain=bounces.amazon.com possible_signer=amazon.co.uk status=pass
2014-02-28 00:01:12 1WJAt6-0002NM-C8 DKIM DEFAULT:
domain=bounces.amazon.com - message accepted (at end of ACL)
2014-02-28 00:01:12 1WJAt6-0002NM-C8 MIME: Type=multipart/mixed Size=47
2014-02-28 00:01:12 1WJAt6-0002NM-C8 MIME: Type=multipart/alternative
Size=47
2014-02-28 00:01:12 1WJAt6-0002NM-C8 MIME: Type=text/plain Size=2
2014-02-28 00:01:12 1WJAt6-0002NM-C8 MIME: Type=text/html Size=42
2014-02-28 00:01:12 1WJAt6-0002NM-C8 CONTENT: Start ACL with scan profile: 1
2014-02-28 00:01:12 1WJAt6-0002NM-C8 CONTENT: Couldn't verify HELO/EHLO
greeting (a0-151.smtp-out.eu-west-1.amazonses.com) from remote host:
54.240.0.151 (a0-151.smtp-out.eu-west-1.amazonses.com)
2014-02-28 00:01:12 1WJAt6-0002NM-C8 CONTENT: Checks skipped: SPF
Whitelisted
2014-02-28 00:01:12 1WJAt6-0002NM-C8 <=
20140228000100daea22bcd6364808b4c0b369d29f3840-C19ZNAY18YA6WZ@???
H=a0-151.smtp-out.eu-west-1.amazonses.com [54.240.0.151] P=esmtp S=49226
id=0000014475cb4934-183da1b1-d8b2-4c51-9d5c-70409cd1b646-000000@???
T="Feb 28: Today's Deal of the Day"
If they are known to DKIM sign everything, then perhaps I should
elevate them to "known signer" status?
Paddy Power are not in my "known signers", but the DKIM header is found:
2014-02-27 23:45:28 CONNECT: Accepting connection from: 89.21.232.58 -
not blocked by any RBL
2014-02-27 23:45:28 HELO: Accepted HELO/EHLO
mail232-58.send.smartfocusdigital.net from remote host: 89.21.232.58
(mail232-58.send.smartfocusdigital.net)
2014-02-27 23:45:28 MAIL: Accept from: sports@???
host: mail232-58.send.smartfocusdigital.net [89.21.232.58]
2014-02-27 23:45:28 1WJAds-0002J9-84 DKIM: d=ppmail.paddypower.com
s=shared_key c=relaxed/relaxed a=rsa-sha1 i=sports@???
[invalid - public key record (currently?) unavailable]
2014-02-27 23:45:28 1WJAds-0002J9-84 DKIM START:
domain=ppmail.paddypower.com possible_signer=ppmail.paddypower.com
status=invalid (reason=pubkey_unavailable)
2014-02-27 23:45:28 1WJAds-0002J9-84 DKIM DEFER:
domain=ppmail.paddypower.com
2014-02-27 23:45:28 1WJAds-0002J9-84
H=mail232-58.send.smartfocusdigital.net [89.21.232.58] temporarily
rejected DKIM : Message from ppmail.paddypower.com cannot be verified
but they appear to have no public key?
And the killer one... Facebook... they are in my "known signers" but
appear to be broken:
2014-02-27 10:30:16 MAIL: SPF Result=pass (facebookmail.com /
outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150])
2014-02-27 10:30:16 MAIL: Accept from:
notification+kjdmd_m7uvpd@??? host:
outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150]
2014-02-27 10:30:16 RCPT: SPF Result2=pass (facebookmail.com /
outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150])
2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM: d=facebookmail.com
s=s1024-2013-q3 c=relaxed/simple a=rsa-sha256 t=1393497014 [verification
failed - signature did not verify (headers probably modified in transit)]
2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM START: domain=facebookmail.com
possible_signer=facebookmail.com status=fail (reason=signature_incorrect)
2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM DENY: Rejected
facebookmail.com is known signer (in database) but has invalid/missing
signature
2014-02-27 10:30:16 1WIyEK-0006vE-Fw H=outmail016.ash2.facebook.com
(mx-out.facebook.com) [66.220.155.150] rejected DKIM : Message from
facebookmail.com (known signer) with invalid or missing signature
Am I the only person having problems with Facebook?
Questions:
* is there anything wrong with my design or implementation?
* are there any suggestions for improvements?
* specifically in the case of facebookmail.com do I have something broken
or is it them?
* do I really need to whitelist facebook as a broken DKIM sender to get
their mail in?
Regards
Mike Tubby
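As an added example (not part of Mike's post, and not Exim code), here is a Python model of the statement order in acl_check_dkim above, so that each verdict in the logs can be traced offline. It assumes the Exim semantics that a statement fires on the first set of conditions that all hold and that a "set" modifier runs only once the conditions before it are true, so acl_m2 becomes 1 only inside the whitelist accept. The known-signer, whitelist and relay-host sets are constructed stand-ins for the MySQL-backed lists; the host addresses and the last test domains are constructed too.

```python
# Added example: a Python model of the acl_check_dkim rule order from the
# post.  Not Exim code.  The three lists below are constructed stand-ins
# for the MySQL-backed hostlists/domainlists; addresses are from the
# RFC 5737 documentation ranges.
from dataclasses import dataclass
from typing import Dict, Tuple

DKIM_KNOWN_SIGNERS = {"gmail.com", "facebookmail.com"}   # +dkim_known_signers
DKIM_WHITELIST_DOMAINS = {"broken-dkim.example"}         # +dkim_whitelist_domains (constructed)
RELAY_FROM_HOSTS = {"192.0.2.10"}                        # +relay_from_hosts (constructed)


@dataclass
class Message:
    """The Exim variables the ACL reads during one DKIM ACL invocation."""
    sender_domain: str            # $sender_address_domain
    signer: str                   # $dkim_cur_signer (the d= of this signature)
    dkim_status: str              # $dkim_verify_status: none|invalid|fail|pass
    host: str = "198.51.100.7"    # $sender_host_address (constructed default)
    authenticated: bool = False   # whether "authenticated = *" would match


def acl_check_dkim(m: Message) -> Tuple[str, str]:
    """Walk the ACL statements in order; return (verb, log label)."""
    acl_m2 = 0                                            # warn: set acl_m2 = 0
    known = m.sender_domain in DKIM_KNOWN_SIGNERS
    # strict checking on known signers
    if known and m.dkim_status in ("none", "invalid", "fail"):
        return "deny", "DKIM DENY"
    if known and m.dkim_status == "pass":
        return "accept", "DKIM PASS (known signer)"
    # no signature at all
    if m.dkim_status == "none":
        return "accept", "DKIM SKIP (no signature)"
    # whitelisted domain with broken DKIM: the accept fires here, so the
    # later "FAIL (WHITELISTED)" statement never sees acl_m2 == 1
    if m.sender_domain in DKIM_WHITELIST_DOMAINS:
        acl_m2 = 1                                        # set acl_m2 = 1
        return "accept", "DKIM SKIP (whitelisted)"
    if m.host in RELAY_FROM_HOSTS:
        return "accept", "DKIM SKIP (relay host)"
    if m.authenticated:
        return "accept", "DKIM SKIP (authenticated)"
    # not testable, e.g. reason=pubkey_unavailable
    if m.dkim_status == "invalid":
        return "defer", "DKIM DEFER"
    # "dkim_signers = $sender_address_domain" holds only when this
    # signature's d= equals the envelope sender domain
    signer_is_sender = m.signer == m.sender_domain
    if m.dkim_status == "pass" and signer_is_sender:
        return "accept", "DKIM PASS"
    if acl_m2 == 1 and m.dkim_status == "fail" and signer_is_sender:
        return "accept", "DKIM FAIL (WHITELISTED)"
    if acl_m2 == 0 and m.dkim_status == "fail" and signer_is_sender:
        return "deny", "DKIM FAIL (DENY)"
    return "accept", "DKIM DEFAULT"


# The five cases from the logs in the post, plus one constructed case.
CASES: Dict[str, Message] = {
    "gmail": Message("gmail.com", "gmail.com", "pass"),
    "mrredonline": Message("ukb8mx6.mrredonline.com", "ukb8mx6.mrredonline.com", "invalid"),
    "amazon": Message("bounces.amazon.com", "amazon.co.uk", "pass"),
    "paddypower": Message("ppmail.paddypower.com", "ppmail.paddypower.com", "invalid"),
    "facebook": Message("facebookmail.com", "facebookmail.com", "fail"),
    # constructed: a failing signature whose d= is not the sender domain
    "third-party-fail": Message("sender.example", "bulkmailer.example", "fail"),
}


def verdicts() -> Dict[str, Tuple[str, str]]:
    """Evaluate every case and return name -> (verb, label)."""
    return {name: acl_check_dkim(m) for name, m in CASES.items()}


if __name__ == "__main__":
    for name, (verb, label) in verdicts().items():
        print(f"{name:18} {verb:7} {label}")
```

Running it reproduces the logged outcomes: gmail.com and facebookmail.com are decided by the known-signer statements, the two pubkey_unavailable cases reach the defer, and the Amazon message falls through to DKIM DEFAULT because d=amazon.co.uk differs from the envelope domain bounces.amazon.com, so the "dkim_signers = $sender_address_domain" condition does not match. The constructed last case shows that a failing signature from a d= domain other than the sender domain also ends at the default accept rather than at the strict deny.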