Re: [exim] SMTP Data termination in test mode

Author: Ivo Truxa
Date:  
To: exim-users
Subject: Re: [exim] SMTP Data termination in test mode
> -----Original Message-----
> From: Heiko Schlittermann
> How did you test it?


I tested it with saved messages coming from external addresses. They included both failed and passed DKIM signatures. When using the "-bh" mode, none of them passed, and the calculated hashes were indeed incorrectly those of the message body plus the dot (verified with sha256). When then debugging real email in daemon mode, the hashes passed all right (no terminating dot), unlike in the "-bh" test mode.

When testing, you have to enable the debug mode (exim -d-all+acl -bh 8.8.8.8 >& file), to actually see the canonicalized body that gets hashed. Only then can you see whether the terminating dot is being hashed or not. Without the debug output you won't see what is being hashed, and what not. Also, testing it without DKIM is irrelevant. And testing with DKIM configured, but from a local address (that typically is not being checked) is useless too.

See below my example:

#> exim -d-all+acl -bh 74.125.82.65 >& dkim-gmail-ok-debug.txt
HELO mail-wm0-f65.google.com
MAIL FROM: xxxxxx@???
RCPT TO: xxxx@???
DATA

The trimmed output in dkim-gmail-ok-debug.txt:
...
PDKIM >> Body data for hash, canonicalized >>>>>>>>>>>>>>>>>>>>>>
--001a113cf1a8a69f30054624e78c{LF}
Content-Type:{SP}text/plain;{SP}charset=UTF-8{LF}
{LF}
123456789012345678901234567890123456789012345678901234567890{LF}
...
--94eb2c1244feb957850545f8cf2e--{LF}
.{LF}
PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
PDKIM [gmail.com] Body bytes hashed: 9559
PDKIM [gmail.com] bh computed: 4372ba2a514f9d853896d4769e9a93a0eac28bd9eefe186b89a97691b60ca0a2
PDKIM [gmail.com] bh signature: d0301500c1bfbcd41371be55cfdd5dd070d9696f287cefed88005932884be71b
PDKIM [gmail.com] Body hash did NOT verify

At the bottom of the example output above, you can see that the computed DKIM body hash does not match the one from the signature, although they matched perfectly when receiving the same message live.

Greetings,
Ivo Truxa
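
Added example, not part of the original message and not Exim's code: a minimal RFC 6376 body canonicalization and SHA-256 body hash in Python, showing that hashing the SMTP DATA terminator line along with the body changes the hash, as reported above. The sample body and all function names are constructed for illustration.

```python
import hashlib
import re

def canon_body(body: bytes, relaxed: bool = True) -> bytes:
    """DKIM body canonicalization (RFC 6376, sections 3.4.3 and 3.4.4)."""
    # Normalize line endings to CRLF, then work line by line.
    lines = re.sub(rb"\r?\n", b"\r\n", body).split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()  # artefact of splitting on the final CRLF
    if relaxed:
        # Collapse runs of SP/TAB to one SP and drop them at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    if not lines:
        return b"" if relaxed else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, relaxed: bool = True) -> str:
    """Hex SHA-256 of the canonicalized body (same form as the debug lines)."""
    return hashlib.sha256(canon_body(body, relaxed)).hexdigest()

def strip_data_terminator(data: bytes) -> bytes:
    """Drop the "." end-of-DATA line and undo dot-stuffing (RFC 5321 4.5.2).

    Expects a DATA stream that ends with the "." terminator line.
    """
    out = []
    for line in re.sub(rb"\r?\n", b"\r\n", data).split(b"\r\n"):
        if line == b".":
            break  # end of DATA: protocol framing, not message content
        out.append(line[1:] if line.startswith(b".") else line)
    return b"\r\n".join(out) + b"\r\n"

# Constructed sample body (not taken from the message in the post).
SAMPLE_BODY = (b"--boundary\r\n"
               b"Content-Type: text/plain;  charset=UTF-8 \r\n"
               b"\r\n"
               b"hello\r\n"
               b"--boundary--\r\n")
AS_TYPED = SAMPLE_BODY + b".\r\n"  # body as entered after DATA, with terminator

if __name__ == "__main__":
    print("body only         :", body_hash(SAMPLE_BODY))
    print("body + '.' line   :", body_hash(AS_TYPED))
    print("terminator removed:", body_hash(strip_data_terminator(AS_TYPED)))
```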