Re: [exim] Can't register in bugs.exim.org

Góra strony
Delete this message
Reply to this message
Autor: Phil Pennock
Data:  
Dla: Max Kostikov
CC: Exim Users
Temat: Re: [exim] Can't register in bugs.exim.org
On 2018-01-05 at 15:09 +0200, Max Kostikov via Exim-users wrote:
> Tried few times but received nothing in email.


This is a bug in Exim, exposed on our side. Sorry.

Logs show "DKIM: message could not be signed, and dkim_strict is set."

I'll include diagnostics here as "of interest to others in reporting
bugs".

Exim is 4.90

DKIM configuration on remote_smtp is:

dkim_domain = ${domain:$sender_address}
dkim_selector = ${lookup {$dkim_domain}lsearch{/etc/exim/dkim/domains-mapping} {$value}{SKIP}}
dkim_private_key = ${if eq{$dkim_selector}{SKIP}{false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
dkim_strict = 1

bugs.exim.org does not have an entry in the domains-mapping, so is not
signed.

Running >> exim -d+all -t -f admin@??? << and entering an
email manually, to send to me, I see:

------------------------8< exim debug output >8-------------------------
00:36:25.069 5832 dkim signing direct-mode
00:36:25.069 5832 ┌considering: ${domain:$sender_address}
00:36:25.069 5832 ┌considering: $sender_address}
00:36:25.069 5832 ├──expanding: $sender_address
00:36:25.069 5832 └─────result: admin@???
00:36:25.069 5832 ├──expanding: ${domain:$sender_address}
00:36:25.069 5832 └─────result: bugs.exim.org
00:36:25.069 5832 ┌considering: ${lookup {$dkim_domain}lsearch{/etc/exim/dkim/domains-mapping} {$value}{SKIP}}
00:36:25.069 5832 ┌considering: $dkim_domain}lsearch{/etc/exim/dkim/domains-mapping} {$value}{SKIP}}
00:36:25.069 5832 ├──expanding: $dkim_domain
00:36:25.069 5832 └─────result: bugs.exim.org
00:36:25.069 5832 ┌considering: /etc/exim/dkim/domains-mapping} {$value}{SKIP}}
00:36:25.069 5832 ├──expanding: /etc/exim/dkim/domains-mapping
00:36:25.069 5832 └─────result: /etc/exim/dkim/domains-mapping
00:36:25.069 5832 search_open: lsearch "/etc/exim/dkim/domains-mapping"
00:36:25.069 5832 cached open
00:36:25.069 5832 search_find: file="/etc/exim/dkim/domains-mapping"
00:36:25.069 5832 key="bugs.exim.org" partial=-1 affix=NULL starflags=0
00:36:25.069 5832 LRU list:
00:36:25.069 5832 6/etc/exim/dkim/domains-mapping
00:36:25.069 5832 End
00:36:25.069 5832 internal_search_find: file="/etc/exim/dkim/domains-mapping"
00:36:25.069 5832 type=lsearch key="bugs.exim.org"
00:36:25.069 5832 cached data used for lookup of bugs.exim.org
00:36:25.069 5832 in /etc/exim/dkim/domains-mapping
00:36:25.069 5832 lookup failed
00:36:25.069 5832 ┌───scanning: $value}{SKIP}}
00:36:25.069 5832 ├──expanding: $value
00:36:25.070 5832 ├─────result:
00:36:25.070 5832 └───skipping: result is not used
00:36:25.070 5832 ┌considering: SKIP}}
00:36:25.070 5832 ├──expanding: SKIP
00:36:25.070 5832 └─────result: SKIP
00:36:25.070 5832 ├──expanding: ${lookup {$dkim_domain}lsearch{/etc/exim/dkim/domains-mapping} {$value}{SKIP}}
00:36:25.070 5832 └─────result: SKIP
00:36:25.070 5832 ┌considering: ${if eq{$dkim_selector}{SKIP}{false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
00:36:25.070 5832 ┌considering: $dkim_selector}{SKIP}{false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
00:36:25.070 5832 ├──expanding: $dkim_selector
00:36:25.070 5832 └─────result: SKIP
00:36:25.070 5832 ┌considering: SKIP}{false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
00:36:25.070 5832 ├──expanding: SKIP
00:36:25.070 5832 └─────result: SKIP
00:36:25.070 5832 ├──condition: eq{$dkim_selector}{SKIP}
00:36:25.070 5832 ├─────result: true
00:36:25.070 5832 ┌considering: false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
00:36:25.070 5832 ├──expanding: false
00:36:25.070 5832 └─────result: false
00:36:25.070 5832 ┌───scanning: /etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
00:36:25.070 5832 ├──expanding: /etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain
00:36:25.070 5832 ├─────result: /etc/exim/dkim/rsa.private..
00:36:25.070 5832 └───skipping: result is not used
00:36:25.070 5832 ├──expanding: ${if eq{$dkim_selector}{SKIP}{false}{/etc/exim/dkim/rsa.private.$dkim_selector.$dkim_domain}}
00:36:25.070 5832 └─────result: false
00:36:25.070 5832 PDKIM >> Body data for hash, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>
00:36:25.070 5832 PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
00:36:25.070 5832 LOG: MAIN
00:36:25.070 5832 DKIM: message could not be signed, and dkim_strict is set. Deferring message delivery.
------------------------8< exim debug output >8-------------------------

Per https://www.exim.org/exim-html-current/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html#SECDKIMSIGN
we see this (here from spec.txt because formatted for mail):

-------------------------8< dkim_private_key >8-------------------------
+-------------------------------------------------------+
|dkim_private_key|Use: smtp|Type: string*|Default: unset|
+-------------------------------------------------------+

This sets the private key to use. You can use the $dkim_domain and
$dkim_selector expansion variables to determine the private key to use. The
result can either

* be a valid RSA private key in ASCII armor, including line breaks.

  * start with a slash, in which case it is treated as a file that contains the
    private key.


  * be "0", "false" or the empty string, in which case the message will not be
    signed. This case will not result in an error, even if dkim_strict is set.


If the option is empty after expansion, DKIM signing is not done.
-------------------------8< dkim_private_key >8-------------------------

So clearly a false result from dkim_private_key is not overriding
dkim_strict any more.

This is a regression in Exim.

-Phil