Re: [exim] Help sought with fairly complex DKIM set up and F…

Góra strony
Delete this message
Reply to this message
Autor: Phil Pennock
Data:  
Dla: Michael J. Tubby B.Sc. MBCS G8TIC
CC: Exim User List
Temat: Re: [exim] Help sought with fairly complex DKIM set up and Facebook
On 2014-02-28 at 00:40 +0000, Michael J. Tubby B.Sc. MBCS G8TIC wrote:
> I run some mail relays for a few hundred domains that I look after and
> want to perform fairly complex DKIM checking - I want to:
>
>     * enforce DKIM tests domains that are 'known signers' (google,
> facebook, etc) and explicitly accept or deny mail based on the result of
> the DKIM checks - to avoid faked email


> And the killer one... Facebook... they are in my "known signers" but
> appear to be broken:
>
> 2014-02-27 10:30:16 MAIL: SPF Result=pass (facebookmail.com /
> outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150])
> 2014-02-27 10:30:16 MAIL: Accept from:
> notification+kjdmd_m7uvpd@??? host:
> outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150]
> 2014-02-27 10:30:16 RCPT: SPF Result2=pass (facebookmail.com /
> outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150])
> 2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM: d=facebookmail.com
> s=s1024-2013-q3 c=relaxed/simple a=rsa-sha256 t=1393497014 [verification
> failed - signature did not verify (headers probably modified in transit)]
> 2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM START: domain=facebookmail.com
> possible_signer=facebookmail.com status=fail (reason=signature_incorrect)
> 2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM DENY: Rejected
> facebookmail.com is known signer (in database) but has invalid/missing
> signature
> 2014-02-27 10:30:16 1WIyEK-0006vE-Fw H=outmail016.ash2.facebook.com
> (mx-out.facebook.com) [66.220.155.150] rejected DKIM : Message from
> facebookmail.com (known signer) with invalid or missing signature
>
> am I the only person having problems with Facebook?


So far as I've heard, yes. That doesn't mean that there's not a
problem, but we need more details to debug.

May I suggest a setup where, if a mail from one of these domains passes
SPF (by explicit match, rather than falling into a default of
not-reject) but then fails DKIM, then you accept the mail but tee off a
copy with an "unseen" router for analysis and debugging?

Then, if you find more such mail with a non-validating signature, you
have mail for which which you might contact the recipient for permission
to use the mail for debugging, and if they agree, then there are a few
diagnosis tools around.

If you encounter another such message and it looks good to you, and you
have permission to forward it for analysis, I have some contacts at FB
who may be able to assist, but not on the limited data so far.

Thanks,
-Phil