On 2018-01-05 at 15:09 +0200, Max Kostikov via Exim-users wrote:
> Tried a few times but received nothing in email.
This is a bug in Exim, exposed on our side. Sorry.
Logs show "DKIM: message could not be signed, and dkim_strict is set."

I'll include diagnostics here as "of interest to others in reporting
bugs".

Exim is 4.90
DKIM configuration on remote_smtp is:

    dkim_domain = ${domain:$sender_address}
    dkim_selector = ${lookup {$dkim_domain}lsearch{/etc/exim/dkim/domains-mapping} {$value}{SKIP}}
    dkim_private_key = ${if eq{$dkim_selector}{SKIP}{false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
    dkim_strict = 1

bugs.exim.org does not have an entry in the domains-mapping, so is not
signed.

Running >> exim -d+all -t -f admin@??? << and entering an
email manually, to send to me, I see:
------------------------8< exim debug output >8-------------------------
00:36:25.069 5832 dkim signing direct-mode
00:36:25.069 5832 ┌considering: ${domain:$sender_address}
00:36:25.069 5832 ┌considering: $sender_address}
00:36:25.069 5832 ├──expanding: $sender_address
00:36:25.069 5832 └─────result: admin@???
00:36:25.069 5832 ├──expanding: ${domain:$sender_address}
00:36:25.069 5832 └─────result: bugs.exim.org
00:36:25.069 5832 ┌considering: ${lookup {$dkim_domain}lsearch{/etc/exim/dkim/domains-mapping} {$value}{SKIP}}
00:36:25.069 5832 ┌considering: $dkim_domain}lsearch{/etc/exim/dkim/domains-mapping} {$value}{SKIP}}
00:36:25.069 5832 ├──expanding: $dkim_domain
00:36:25.069 5832 └─────result: bugs.exim.org
00:36:25.069 5832 ┌considering: /etc/exim/dkim/domains-mapping} {$value}{SKIP}}
00:36:25.069 5832 ├──expanding: /etc/exim/dkim/domains-mapping
00:36:25.069 5832 └─────result: /etc/exim/dkim/domains-mapping
00:36:25.069 5832 search_open: lsearch "/etc/exim/dkim/domains-mapping"
00:36:25.069 5832 cached open
00:36:25.069 5832 search_find: file="/etc/exim/dkim/domains-mapping"
00:36:25.069 5832 key="bugs.exim.org" partial=-1 affix=NULL starflags=0
00:36:25.069 5832 LRU list:
00:36:25.069 5832 6/etc/exim/dkim/domains-mapping
00:36:25.069 5832 End
00:36:25.069 5832 internal_search_find: file="/etc/exim/dkim/domains-mapping"
00:36:25.069 5832 type=lsearch key="bugs.exim.org"
00:36:25.069 5832 cached data used for lookup of bugs.exim.org
00:36:25.069 5832 in /etc/exim/dkim/domains-mapping
00:36:25.069 5832 lookup failed
00:36:25.069 5832 ┌───scanning: $value}{SKIP}}
00:36:25.069 5832 ├──expanding: $value
00:36:25.070 5832 ├─────result:
00:36:25.070 5832 └───skipping: result is not used
00:36:25.070 5832 ┌considering: SKIP}}
00:36:25.070 5832 ├──expanding: SKIP
00:36:25.070 5832 └─────result: SKIP
00:36:25.070 5832 ├──expanding: ${lookup {$dkim_domain}lsearch{/etc/exim/dkim/domains-mapping} {$value}{SKIP}}
00:36:25.070 5832 └─────result: SKIP
00:36:25.070 5832 ┌considering: ${if eq{$dkim_selector}{SKIP}{false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
00:36:25.070 5832 ┌considering: $dkim_selector}{SKIP}{false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
00:36:25.070 5832 ├──expanding: $dkim_selector
00:36:25.070 5832 └─────result: SKIP
00:36:25.070 5832 ┌considering: SKIP}{false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
00:36:25.070 5832 ├──expanding: SKIP
00:36:25.070 5832 └─────result: SKIP
00:36:25.070 5832 ├──condition: eq{$dkim_selector}{SKIP}
00:36:25.070 5832 ├─────result: true
00:36:25.070 5832 ┌considering: false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
00:36:25.070 5832 ├──expanding: false
00:36:25.070 5832 └─────result: false
00:36:25.070 5832 ┌───scanning: /etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
00:36:25.070 5832 ├──expanding: /etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain
00:36:25.070 5832 ├─────result: /etc/exim/dkim/rsa.private..
00:36:25.070 5832 └───skipping: result is not used
00:36:25.070 5832 ├──expanding: ${if eq{$dkim_selector}{SKIP}{false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
00:36:25.070 5832 └─────result: false
00:36:25.070 5832 PDKIM >> Body data for hash, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>
00:36:25.070 5832 PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
00:36:25.070 5832 LOG: MAIN
00:36:25.070 5832 DKIM: message could not be signed, and dkim_strict is set. Deferring message delivery.
------------------------8< exim debug output >8-------------------------
Per
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html#SECDKIMSIGN
we see this (here from spec.txt because formatted for mail):
-------------------------8< dkim_private_key >8-------------------------
+-------------------------------------------------------+
|dkim_private_key|Use: smtp|Type: string*|Default: unset|
+-------------------------------------------------------+
This sets the private key to use. You can use the $dkim_domain and
$dkim_selector expansion variables to determine the private key to use. The
result can either

  * be a valid RSA private key in ASCII armor, including line breaks.
  * start with a slash, in which case it is treated as a file that contains the
    private key.
  * be "0", "false" or the empty string, in which case the message will not be
    signed. This case will not result in an error, even if dkim_strict is set.

If the option is empty after expansion, DKIM signing is not done.
-------------------------8< dkim_private_key >8-------------------------

So clearly a false result from dkim_private_key is not overriding
dkim_strict any more.
This is a regression in Exim.

-Phil
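
Added example, not part of the original message and not Exim code: a small Python model of the three expansions in the quoted remote_smtp configuration and of the dkim_private_key rules quoted from the spec, used to list which sender domains depend on the "false" exemption and so would be deferred under the behaviour reported above. The mapping contents, the local part "user", the simplified lsearch parser and all function names are assumptions made for illustration.

```python
import re

# Constructed stand-in for /etc/exim/dkim/domains-mapping (its contents are not on the page).
SAMPLE_MAPPING = """\
# domain: selector
example.org: s2018
example.net   mail
"""

def lsearch(text, key):
    """Simplified lsearch: 'key: value' or 'key value' lines, case-insensitive key.
    Comment and continuation lines are ignored. None means the lookup failed."""
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = re.match(r"([^\s:]+)\s*:?\s*(.*)$", line)
        if m and m.group(1).lower() == key.lower():
            return m.group(2).strip()
    return None

def expand_dkim_options(sender_address, mapping_text):
    """Mirror dkim_domain, dkim_selector and dkim_private_key from the quoted config."""
    domain = sender_address.rpartition("@")[2]       # ${domain:$sender_address}
    selector = lsearch(mapping_text, domain)
    if selector is None:
        selector = "SKIP"                            # {SKIP} branch of the lookup
    if selector == "SKIP":                           # ${if eq{$dkim_selector}{SKIP}{false}{...}}
        return domain, selector, "false"
    return domain, selector, f"/etc/exim/dkim/rsa.private.{selector}.{domain}"

def documented_outcome(private_key):
    """Classify an expanded dkim_private_key as the quoted spec text describes."""
    if private_key in ("", "0", "false"):
        return "no-sign"            # documented: no error, even if dkim_strict is set
    return "sign-from-file" if private_key.startswith("/") else "sign-inline-key"

def deferred_under_regression(senders, mapping_text, dkim_strict=True):
    """Senders that rely on the 'false' exemption. Per the report, Exim 4.90
    defers their mail instead of sending it unsigned when dkim_strict is set."""
    return [s for s in senders if dkim_strict and
            documented_outcome(expand_dkim_options(s, mapping_text)[2]) == "no-sign"]

if __name__ == "__main__":
    senders = ["user@example.org", "user@bugs.exim.org"]   # constructed addresses
    for s in senders:
        print(s, expand_dkim_options(s, SAMPLE_MAPPING))
    print("deferred:", deferred_under_regression(senders, SAMPLE_MAPPING))
```
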