https://bugs.exim.org/show_bug.cgi?id=2014
Bug ID: 2014
Summary: DKIM test fails at signed signatures (multi-DKIM)
Product: Exim
Version: 4.88
Hardware: x86
OS: FreeBSD
Status: NEW
Severity: bug
Priority: medium
Component: DKIM
Assignee: tom@???
Reporter: truxa@???
CC: exim-dev@???
I tracked down a problem I experienced with one specific sender. Most of their
mail passed the DKIM checks all right, but as soon as there are two DKIM
signatures in a message (at internal forwards), the top DKIM (the one added the
last) fails Exim's DKIM test with "signature_incorrect" (header modified in
transit). On the other hand, the DKIM aligns just fine with DMARC, and the
message passes a check by dkimverify.pl, too (it uses Perl
Mail::DKIM::Verifier).
I've run the concerned message through Exim with "exim -d-all+acl -bhc <IP>",
and found out that although the top signature's h tag includes also the first
(bottom) signature (h=DKIM-Signature:...), Exim's PDKIM incorrectly fails to
include the bottom signature into the header hash of the top signature.
Below, there are the "h" tags of both signatures (full signatures attached at
the end of the message):
h=
DKIM-Signature:Received:From:Content-Type:Mime-Version:Subject:Message-Id:Date:To:X-Mailer;
h=Received:From:Content-Type:Mime-Version:Subject:Message-Id:Date:To:X-Mailer;
And here comes the PDKIM output for the upper signature (shortened for
briefness and because of privacy reasons, but I can provide the full version to
the developers if necessary):
DKIM >> Hashed header data, canonicalized, in sequence >>>>>>>>>>>>>>
received:from{SP}[192.168.1.11]{SP}(46.157....
from:Dan{SP}H...
content-type:multipart/alternative;{SP}...
mime-version:1.0{SP}(Mac{SP}...
subject:=?utf-8?B?TmVqbG...
message-id:<AC48C5A5-24FF-...
date:Fri,{SP}13{SP}Jan{SP}2017{SP}17:18:37{SP}+0100{CR}{LF}
to:Libor{SP}P...
x-mailer:Apple{SP}Mail{SP}(2.3259){CR}{LF}
PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
As you can see, the first DKIM is not included. In fact the header hash data is
identical to the header data of the bottom signature, although it should have
the other DKIM included at the beginning.
The hash of the header then fails with the following error:
headers verify: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
PDKIM [seznam.cz] signature status: PDKIM_VERIFY_FAIL
(PDKIM_VERIFY_FAIL_MESSAGE)
Although I was persuaded the problem was with Exim's PDKIM (both DMARC and Perl
worked fine), I checked the DKIM standard RFC6376, to verify how exactly such
cases should be processed. In the chapter 4.2, it tells:
"Note that Signers should be cognizant that signing DKIM-Signature
header fields may result in signature failures with intermediaries
that do not recognize that DKIM-Signature header fields are trace
header fields and unwittingly reorder them, thus breaking such
signatures. For this reason, signing existing DKIM-Signature header
fields is unadvised, albeit legal."
So, although the singing of another DKIM is not recommended, it is not
forbidden, hence Exim must be really adding it to the header hash, when
declared.
Regards,
Ivo Truxa
Full signatures:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seznam.cz; s=beta;
t=1484324327; bh=0cKQZA3974kPpHVku7d2ygQjue5EGjWi9kzuNj8Qs9o=;
h=DKIM-Signature:Received:From:Content-Type:Mime-Version:Subject:
Message-Id:Date:To:X-Mailer;
b=eieG+FOECPFsiBuyiQDdJ8YN8WvTCt2OYh2SDoOtVKnZEx6dzGiZQmq6es1KBAEav
XgK6fTUGftxkVc+GOVeQ3xEPXgUhgbqifaNo12ZKsYoYtWWJkvEN7PfyN2M5B6utHm
d53m+zTY/+XSVYINKyKJiraes6noV9h83zZsHBbs=
DKIM-Signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=seznam.cz; s=beta;
t=1484324319; bh=0cKQZA3974kPpHVku7d2ygQjue5EGjWi9kzuNj8Qs9o=;
h=Received:From:Content-Type:Mime-Version:Subject:Message-Id:Date:
To:X-Mailer;
b=ZaF4KCCPl4aMC6U+sjFcEuG5z9XHYEHi2u68U1zE0He6SBpTp1jze0iw2Pke/RODA
5KmtKQp/it6hPnNWu1xdsb8m0BXzLVnspExreYZ3jJfn9mBdgO0BHl9c8urOgi6vXo
y1IMs492tD6uoytRxmmJMqNvcWey/krKTtgFCc7k=
--
You are receiving this mail because:
You are on the CC list for the bug.