Re: [exim] Signing messages with DKIM in SMTP transport

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Mike Brudenell
Dátum:  
Címzett: Exim Users
Tárgy: Re: [exim] Signing messages with DKIM in SMTP transport
Dear all,

I'm almost there with DKIM signing (Yay!)…

The last step is to remove any "Authentication-Results:" headers from
incoming messages arriving from untrusted sources when the header's
AuthservId matches ours (york.ac.uk)

In my ACLs I have a *warn* verb that:

1. triggers for sending hosts not in our +relay_from_hosts list,
2. extracts the AuthservId from the Authentication-Results header,
3. checks this value in a file holding AuthServIds we use when signing,
and
4. if it's found removes the header.

It looks like this:

warn    message       = Removing Authentication-Results header from
incoming message via [$sender_host_address]
        ! hosts       = +relay_from_hosts
        set acl_m_authserv_id = ${if match {$h_Authentication-Results:} \
                                           {\N^\s*([^"][^
;]*|".*?(?<!\\)")\N} \
                                           {${sg {$1} {\N^"(.*)"$\N}
{\$1}}} }
        logwrite      = Found Authentication-Results header with
authserv_id "$acl_m_authserv_id"
        condition     = ${if bool_lax {${lookup {$acl_m_authserv_id}
lsearch {/etc/exim4/cfg.d/dkim-signing-selectors}}}}
        logwrite      = Matched authserv_id "$acl_m_authserv_id" in
dkim-signing-selectors list! -- Removing header
        remove_header = Authentication-Results


This seems to be working, but I'm a little unsure of the rexexp that
extracts the AuthservId from the header and would really appreciate someone
seeing if they think it's right!

\N^\s*([^"][^ ;]*|".*?(?<!\\)")\N


I reckon this should match:

   - A run of zero or more whitespace characters at the start of the
   header's value (I'm not sure whether this is necessary: I have a feeling
   Exim trims these?), followed by *either*
      - A *token*: A character that isn't a ", zero or more characters that
      aren't either whitespace or a semi-colon *OR*
      - A *quoted-string*: A " character followed by a minimal run of
      characters up to a " character not preceded by a \ escape.


Basically I'm trying to match and remember the *authserv-id* of the
Authentication-Results header as defined in section 2.2 of RFC 7001
<https://tools.ietf.org/html/rfc7001#section-2.2>.

Does what I have look right?
Do you have a better pattern in your DKIM setup?
Or a better way of removing the Authentication-Results header *if and only
if* it's from an untrusted source *and* is using one of your AuthservIDs?

Cheers,
Mike B-)

On 19 January 2016 at 17:48, Mike Brudenell <mike.brudenell@???>
wrote:

> AARGHH!!!!
>
> Looks like it was a horrible combination of:
>
>    - a typo in the name of the key file (so Exim couldn't find it so
>    wasn't signing), and

>
>    - it appears the debug_print gets actioned before the dkim_domain and
>    dkim_selector options, meaning it's before the variables get their values
>    assigned.

>
> Groan! At least I can go home happy now though.
>
> Cheers,
> Mike B-)
>
> PS: Jeremy… I'm guessing the "should" should be a "can"?
> (But not a can-can, of course. 💃💃💃)
>
>
> On 19 January 2016 at 17:25, Mike Brudenell <mike.brudenell@???>
> wrote:
>
>> Hi, all -
>>
>> I'm sure I must be missing something obvious, but it's defeating me…
>>
>> I'm experimenting on a test server, trying to add DKIM signing to
>> messages going out through a transport named remote_smtp_dkim. That
>> transport looks like this:
>>
>> remote_smtp_dkim:
>>   driver = smtp
>>   dkim_domain       = york.ac.uk
>>   dkim_selector     = 20160118
>>   debug_print       = remote_smtp_dkim : '$dkim_domain' :
>> '$dkim_selector' : '/etc/exim4/dkim/$dkim_domain-$dkim_selector.pem'
>>   dkim_private_key  = ${if
>> exists{/etc/exim4/dkim/$dkim_domain-$dkim_selector.pem} \

>>
>>  {/etc/exim4/dkim/$dkim_domain-$dkim_selector.pem}}
>>   dkim_canon        = relaxed
>>   dkim_strict       = false

>>
>> (It'll get fancier over time; I'm just trying to get even one message
>> signed to start with!)
>>
>> Sending a message through does not sign it. (And yes, my routers call
>> this transport! :-)
>>
>> Running Exim in Debug mode (with "-d -bd" on the command line) and using
>> telnet to construct a message through it shows this logging, which includes
>> the output from the debug_print directive…
>>
>> 25638 >>>>>>>>>>>>>>>> Remote deliveries >>>>>>>>>>>>>>>>
>> 25638 --------> testaddress@??? <--------
>> 25638 search_tidyup called
>> 25638 set_process_info: 25638 delivering 1aLZr4-0006fR-7X: waiting for a
>> remote delivery subprocess to finish
>> 25638 selecting on subprocess pipes
>> 25640 changed uid/gid: remote delivery to testaddress@??? with
>> transport=remote_smtp_dkim
>> 25640 uid=110 gid=118 pid=25640
>> 25640 auxiliary group list: <none>
>> 25640 set_process_info: 25640 delivering 1aLZr4-0006fR-7X using
>> remote_smtp_dkim
>> 25640 remote_smtp_dkim : '' : '' : '/etc/exim4/dkim/-.pem'
>> 25640 remote_smtp_dkim transport entered
>> …
>>
>> Note that where I use debug_print to output the values of $dkim_domain
>> and $dkim_selector I'm getting empty strings which, coupled with the
>> resulting non-existent filename, leads to the message not being signed.
>>
>> But the Exim Specification says for the dkim_domain and dkim_selector
>> directives…
>>
>> Signing is implemented by setting private options on the SMTP transport.
>> These options take (expandable) strings as arguments.
>>
>> dkim_domain
>>
>> MANDATORY: The domain you want to sign with. The result of this expanded
>> option is put into the $dkim_domain expansion variable.
>>
>> dkim_selector
>>
>> MANDATORY: This sets the key selector string. You can use the $dkim_domain
>> expansion variable to look up a matching selector. The result is put in
>> the expansion variable $dkim_selector which should be used in the dkim_private_key
>> option along with $dkim_domain.
>>
>> From which I'm expecting the values I set using the options within the
>> remote_smtp_dkim transport to be available within the matching variables.
>> But they're not!
>>
>> What am I missing?
>>
>> Cheers,
>> Mike B-)
>>
>> --
>> Systems Administrator & Change Manager
>> IT Services, University of York, Heslington, York YO10 5DD, UK
>> Tel: +44-(0)1904-323811
>>
>> Web: www.york.ac.uk/it-services
>> Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
>>
>
>
>
> --
> Systems Administrator & Change Manager
> IT Services, University of York, Heslington, York YO10 5DD, UK
> Tel: +44-(0)1904-323811
>
> Web: www.york.ac.uk/it-services
> Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
>




--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm