Re: [exim] DKIM signing with the i= (Identity) tag/header

Author: Phil Pennock
Date:  
To: Christian Balzer
CC: exim-users, Jeremy Harris
Subject: Re: [exim] DKIM signing with the i= (Identity) tag/header
On 2016-11-21 at 17:44 +0900, Christian Balzer wrote:
> To wit, the record had "v=DKIM1\\\; k=rsa\\\; ..." in it, instead of a
> single backslash.
> The people responsible are being taken out to the backyard for creative
> lead catching courses.
>
> Again, I might have spotted this earlier if Exim itself wouldn't have been
> totally happy to ignore the extra garbage and concentrate on the actual
> yummy contents.


Are you sure that Exim ever saw this?

The MTA which _signs_ the message doesn't look in DNS to do so; it just
uses the keyfile (with private key) on disk, and configuration.

The MTA which _receives_ a message looks in DNS for the public keys.

Unless you've looked in the logs for MTAs for other domains receiving
email from yours, your own MTA's logs won't tell you much because they
never really look at that record in DNS.

If you have signs of Exim doing this, please file a bug-report: a
`v=DKIM1\` value (after de-escaping) should be ignored.

While there's no need to have Exim check DNS needlessly for outbound
messages, and stuff like selectors makes it hard to statically check, I
wonder if it's worth a `-d+dns` debug output on the SMTP transport when
signing with DKIM, to do the DNS lookup and check for a match (and WARN
LOUDLY if it doesn't match). That seems fair to me.

Jeremy?

-Phil
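The lookup-and-compare check Phil proposes above, as an added example that is not part of the thread and not Exim code: it takes the selector's TXT record in presentation form (as dig or a zone file shows it, with or without backslash escapes), de-escapes it the way a DNS client would, parses the RFC 6376 tag list, and compares the p= tag with the PEM public key that `openssl rsa -in <keyfile> -pubout` prints for the signing key. It assumes the record text and the public-key PEM are supplied as strings rather than fetched live, and all sample data (including the placeholder key) is constructed for the example. The double-escaped `\\\;` record from the thread is one of the inputs, so the check shows why a verifier would ignore it.

```python
"""Check a published DKIM selector record against the local signing key.

Added example, not Exim's own code. Instead of a live DNS query it takes
the record text as dig or a zone file would show it, and instead of
reading the private keyfile it takes the PEM public key that
`openssl rsa -in <keyfile> -pubout` prints (assumption: that step is run
separately). DKIM's p= tag carries the base64 DER SubjectPublicKeyInfo,
which is exactly the body of that PEM with whitespace removed.
"""
import base64
import re

# RFC 1035 master-file escapes: \X -> X, \DDD -> the byte with value DDD.
_ESC = re.compile(r'\\(\d{3}|.)')


def unescape_txt(presentation: str) -> str:
    """Join the quoted <character-string>s of a TXT record and de-escape them.

    Handles both the split form  "v=DKIM1; " "p=..."  used for long records
    and an unquoted single string.  \\\; therefore becomes a literal
    backslash followed by ';'.
    """
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', presentation)
    if not parts:
        parts = [presentation]

    def repl(m):
        tok = m.group(1)
        return chr(int(tok)) if len(tok) == 3 and tok.isdigit() else tok

    return ''.join(_ESC.sub(repl, p) for p in parts)


def parse_dkim_record(txt: str) -> dict:
    """RFC 6376 tag-list: 'tag=value' items separated by ';', whitespace
    around tags and values ignored.  A tag without '=' is kept as None."""
    tags = {}
    for item in txt.split(';'):
        if not item.strip():
            continue
        name, sep, value = item.partition('=')
        tags[name.strip()] = value.strip() if sep else None
    return tags


def pem_body(pem: str) -> str:
    """base64 between the BEGIN/END lines with all whitespace removed."""
    return ''.join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith('-----'))


def check_dkim_record(presentation: str, pubkey_pem: str) -> list:
    """Return the problems a verifier (or we) would have with the record;
    an empty list means it is usable and matches the local signing key."""
    problems = []
    tags = parse_dkim_record(unescape_txt(presentation))
    v = tags.get('v')
    if v is not None and v != 'DKIM1':
        problems.append(f"v={v!r} is not DKIM1: verifiers MUST ignore this record")
    k = tags.get('k', 'rsa')            # k= defaults to rsa when absent
    if k != 'rsa':
        problems.append(f"k={k!r}: unknown key type, signatures will fail")
    p = tags.get('p')
    if not p:
        problems.append("no p= tag, or an empty one (which means 'key revoked')")
        return problems
    p = re.sub(r'\s+', '', p)           # folding whitespace inside p= is allowed
    try:
        base64.b64decode(p, validate=True)
    except ValueError:
        problems.append("p= is not valid base64")
        return problems
    if p != pem_body(pubkey_pem):
        problems.append("p= does not match the public half of the local signing key")
    return problems


# Constructed sample data: a placeholder standing in for the real DER
# SubjectPublicKeyInfo (not a real RSA key; only the comparison is exercised).
SAMPLE_KEY_B64 = base64.b64encode(b"constructed DER SubjectPublicKeyInfo placeholder").decode()
SAMPLE_PUBKEY_PEM = ("-----BEGIN PUBLIC KEY-----\n" + SAMPLE_KEY_B64
                     + "\n-----END PUBLIC KEY-----\n")

# Correctly escaped record, split into two strings as long records are.
GOOD_RECORD = r'"v=DKIM1\; k=rsa\; " "p=' + SAMPLE_KEY_B64 + '"'
# The double-escaped record from the thread: each \\\; leaves a literal
# backslash on the tag value, so v becomes 'DKIM1\'.
BAD_RECORD = r'"v=DKIM1\\\; k=rsa\\\; p=' + SAMPLE_KEY_B64 + '"'
# Well-formed record that still publishes a different (stale) key.
STALE_RECORD = '"v=DKIM1; p=' + base64.b64encode(b"old key").decode() + '"'

if __name__ == '__main__':
    for label, rec in (('good', GOOD_RECORD), ('double-escaped', BAD_RECORD),
                       ('stale', STALE_RECORD)):
        problems = check_dkim_record(rec, SAMPLE_PUBKEY_PEM)
        if problems:
            print(f"WARNING: published record ({label}) is unusable or does not match:")
            for msg in problems:
                print("  -", msg)
        else:
            print(f"OK: {label} record matches the signing key")
```

Run against real data, replace the constructed record with `dig +short TXT selector._domainkey.example.org` output and the placeholder PEM with the `openssl rsa -pubout` output for the transport's `dkim_private_key`; a non-empty problem list is the "WARN LOUDLY" case.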