Re: [exim] Unsigned messages from DKIM domains

Top Page
Delete this message
Reply to this message
Author: Ivo Truxa
Date:  
To: exim-users
Subject: Re: [exim] Unsigned messages from DKIM domains
> -----Original Message-----
> From: Jeremy Harris
>
> On 10/01/17 13:21, Ivo Truxa wrote:
> > I assume that such functionality will be added sooner or later to DKIM in Exim, but I needed it now, so I wrote a simple Perl
> > script, and call it from the DKIM ACL.
>
> The DKIM ACL is called once for each DKIM sig in the headers of a
> message. If there isn't one, it won't be called. You'd need to
> be making this check in your data ACL instead.


That's true only if you use the following assignment in the settings:
dkim_verify_signers = $dkim_signers

And that is exactly why I wrote I used the following assignment instead:
dkim_verify_signers = $sender_address_domain

With this setting Exim calls the DKIM ACL for every sender regardless whether there is a DKIM signature in the message or not. Trust me, I watch my logs, and also tested it meticulously, so I know it works exactly as I intended, and is being called also at emails without any DKIM signature at all. If you do not believe, have a look at my logs from just a few minutes ago (stripped of dates and ID's for briefness):

12:18:01 DKIM DEBUG 01: TEST RET=pass, D=seznam.cz, SG=seznam.cz, KT=1, SUB=0, S=beta, R=
12:23:24 DKIM DEBUG 10: RJCT ERR=fail, D=empowred.com, SG=empowred.com, KT=0, SUB=0, S=emkey3, R=bodyhash_mismatch
12:25:20 DKIM DEBUG 01: TEST RET=pass, D=seznam.cz, SG=seznam.cz, KT=1, SUB=0, S=beta, R=
12:34:26 DKIM DEBUG 14: ACPT P=some/undef , D=inetprint.cz
12:38:48 DKIM DEBUG 14: ACPT P=some/undef , D=volny.cz
12:38:57 DKIM DEBUG 14: ACPT P=some/undef , D=polytradece.cz
12:39:23 DKIM DEBUG 14: ACPT P=some/undef , D=smtp.dashofer.cz
12:39:30 DKIM DEBUG 14: ACPT P=some/undef , D=polytradece.cz

The records with "P=some/undef" at the bottom are exactly the results of the DKIM policy query done by the Perl script, and were called from within the DKIM ACL at messages with no DKIM signature.


> Also, you can very likely duplicate all the tests you wish to do
> using native Exim facilities; no need for perl.


Sounds interesting! Could you tell me how exactly? I searched the Exim documentation and checked also the C source code of respective Exim files (https://github.com/Exim/exim/blob/master/src/src/dkim.c and https://github.com/Exim/exim/tree/master/src/src/pdkim), but did not find any functions looking up the DKIM policy of the sender. Does Exim have some command for executing custom DNS lookups? If so, then I missed it, but so far I did not find any such possibility so am afraid the Perl solution was the simplest. Of course, it would be better implementing it directly in C into dkim.c or into pdkim.c, but that would take more time, and would require much longer testing before it could be released. I think the Perl script is a good intermittent solution before Exim's dkim code is completed with the policy lookup.

> --
> Cheers,
> Jeremy