Re: [exim] DKIM signing with the i= (Identity) tag/header

Author: Christian Balzer
Date:  
To: exim-users
CC: Jeremy Harris
Subject: Re: [exim] DKIM signing with the i= (Identity) tag/header

Hello Phil,

On Mon, 21 Nov 2016 23:00:47 +0000 Phil Pennock wrote:

> On 2016-11-21 at 17:44 +0900, Christian Balzer wrote:
> > To wit, the record had "v=DKIM1\\\; k=rsa\\\; ..." in it, instead of a
> > single backslash.
> > The people responsible are being taken out to the backyard for creative
> > lead catching courses.
> >
> > Again, I might have spotted this earlier if Exim itself wouldn't have been
> > totally happy to ignore the extra garbage and concentrate on the actual
> > yummy contents.
>
> Are you sure that Exim ever saw this?
>

Yup.

> The MTA which _signs_ the message doesn't look in DNS to do so; it just
> uses the keyfile (with private key) on disk, and configuration.
>
> The MTA which _receives_ a message looks in DNS for the public keys.
>

Quite aware of this, 20+ years Exim user and large scale operator. ^_^

> Unless you've looked in the logs for MTAs for other domains receiving
> email from yours, your own MTA's logs won't tell you much because they
> never really look at that record in DNS.
>

MUAs and MXs are totally separate entities here, with distinct
configurations.

So yes, I did send a test mail from the domain in question to my main
address above and the MX did log this with a happy
"[verification succeeded]" entry.


> If you have signs of Exim doing this, please file a bug-report: a
> `v=DKIM1\` value (after de-escaping) should be ignored.
>

Will do, sure as hell will have to reset my bugzilla PW, my last Exim bug
report was 7 years ago.

> While there's no need to have Exim check DNS needlessly for outbound
> messages, and stuff like selectors makes it hard to statically check, I
> wonder if it's worth a `-d+dns` debug output on the SMTP transport when
> signing with DKIM, to do the DNS lookup and check for a match (and WARN
> LOUDLY if it doesn't match). That seems fair to me.
>


Sounds fine for testing purposes, wouldn't have saved my bacon in this
particular case of course.

Christian

> Jeremy?
>
> -Phil
>



-- 
Christian Balzer        Network/Systems Engineer                
chibi@???       Global OnLine Japan/Rakuten Communications
http://www.gol.com/
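As an added example (not from this thread and not Exim's own code), here is a strict check of a DKIM key record as it is written in a zone file, reproducing the `\\\;` mistake discussed above: after zone-file unescaping the receiving verifier sees `v=DKIM1\`, which RFC 6376 section 3.6.1 says must be discarded rather than tolerated. The `p=` value and the function names are constructed.

```python
"""Strict DKIM key-record check for a zone-file TXT value (constructed example)."""
import re

# tag-spec per RFC 6376 section 3.2: name, optional FWS, "=", optional FWS, value
TAG_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$", re.S)


def zone_unescape(text):
    """RFC 1035 zone-file unescaping: '\\X' -> 'X', '\\DDD' -> chr(DDD)."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            digits = text[i + 1:i + 4]
            if len(digits) == 3 and digits.isdigit():
                out.append(chr(int(digits)))
                i += 4
            else:
                out.append(text[i + 1])   # '\\;' -> ';', '\\\\' -> '\\'
                i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_tags(record):
    """Split a DKIM tag-list into an ordered dict, rejecting malformed/duplicate tags."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        m = TAG_RE.match(part)
        if not m or m.group(1) in tags:
            raise ValueError("malformed or duplicate tag: %r" % part)
        tags[m.group(1)] = m.group(2)
    return tags


def check_dkim_record(text, zone_file=True):
    """Return (ok, problems) for a record as the verifying MX would see it."""
    tags = parse_tags(zone_unescape(text) if zone_file else text)
    problems = []
    first = next(iter(tags), None)
    # v= is optional, but if present it must be first and exactly "DKIM1"
    if "v" in tags and (first != "v" or tags["v"] != "DKIM1"):
        problems.append("v= must be first and exactly DKIM1, got %r" % tags["v"])
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):   # ed25519: RFC 8463
        problems.append("unrecognized key type %r" % tags["k"])
    if not tags.get("p"):
        problems.append("p= missing or empty (key revoked)")
    return (not problems, problems)
```

Run the broken zone-file form `v=DKIM1\\\; k=rsa\\\; p=...` through `check_dkim_record` and both the version and key-type tags are flagged, which is the complaint a verifier should have raised.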