Re: [exim] Dkim check failures problem.

Top Page
Delete this message
Reply to this message
Author: Nigel Robson
Date:  
To: exim-users@exim.org
Subject: Re: [exim] Dkim check failures problem.
Jeremy,

Exim version 4.92.2

Yes it works when the transport filter is used, but without an attachment.

Looking at the debug log where it sends the message with an attachment and the transport filter its using "dkim signing via file". As far as I can tell from my limited understanding of the debug log its trying to dkim sign the whole thing (body text, attachment and the signature/disclaimer added by the filter, here are what I think are the relevant lines:

8945 PDKIM (finished checking verify key)<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 8945 PDKIM: new bodyhash 1/1/-1
 8945 PDKIM >> Body data for hash, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>
 8945 {CR}{LF}
 8945 ----boundary_3_3a99f866-6844-42b9-a317-988f0ed3a195{CR}{LF}
 8945 Content-Type:{SP}text/plain;{SP}charset=us-ascii{CR}{LF}
 8945 Content-Transfer-Encoding:{SP}quoted-printable{CR}{LF}
 8945 {CR}{LF}
 8945 Test{SP}sending{SP}dkim{SP}messages{SP}via{SP}mta-test.open.ac.uk{CR}{LF}
 8945 --{SP}The{SP}Open{SP}University{SP}is{SP}incorporated{SP}by{SP}Royal{SP}Charter{SP}(RC{SP}000391),{SP}an{SP}exempt{SP}charity{SP}in{SP}England{SP}&{SP}Wales{SP}and{SP}a{SP}charity{SP}registered{SP}in{SP}Scotland{SP}(SC{SP}038302).{SP}The{SP}Open{SP}University{SP}is{SP}authorised{SP}and{SP}regulated{SP}by{SP}the{SP}Financial{SP}Conduct{SP}Authority.=0A{CR}{CR}{LF}
 8945 {CR}{LF}
 8945 ----boundary_3_3a99f866-6844-42b9-a317-988f0ed3a195{CR}{LF}
 8945 Content-Type:{SP}application/octet-stream;{SP}name=test.zip{CR}{LF}
 8945 Content-Transfer-Encoding:{SP}base64{CR}{LF}
 8945 Content-Disposition:{SP}attachment{CR}{LF}
 8945 {CR}{LF}
 8945 UEsDBBQAAAAIAG1wdkrB/1fBjQIAAFoFAAAIABwAdGVzdC50eHRVVAkAAy6E0lg0hNJY{CR}{LF}
 8945 dXgLAAEEAQAAAQQCAAABVVRLrhNBDNxzCh9gNHdAwAIJEAiJvdPj5Bn1Z153O+en3D2T{CR}{LF}
 8945 hMXTSyZ2uVxVnm+lSiLdmyXaSiyVmnbiJH2hUHKT0KWbVOJNd21B840kal/po2ThjKKU{CR}{LF}
 8945 ylYo6s0ik9ykT6BHReLWeKVPmNBKUG2UuZd3E9oFn/RijdCU+Jbx24a/nWu3qpLxtOQu{CR}{LF}
 8945 bUFLCyBSqeqmwSJ6krWVPpcsgd6NE13BC5UWe9WggjESFsyIURzDB4rhQZWu4PJuXt0k{CR}{LF}
 8945 rfTDIqiPdYHUJ+NRQJI1nVN22YT+WutloWuFEuptd4kLcVTg9znybnG3zl2GGvixBlvp{CR}{LF}
 8945 ax5gJ0B9KzlgC0OBpl3qpuhndEM1l6XRXTvLMhsOkjBJQ7djWewzSaUS/euxms/qGF2p{CR}{LF}
 8945 aw66WYZdnypDXN5d7pX+6J2T6x4lQR23RpwEwQJ9OPeySBS9St6oQ04HOCqinM5D2FJ7{CR}{LF}
 8945 144IucxPNY81HhAMiaasH1017BRHCBmkl5MiaYYUepda+bDqKnZTHhqdLH6+cRsfH6V5{CR}{LF}
 8945 WGnwEGnBY66Kf5ExQaDCLyB5EKr16kIdazwMWOlLVzB6CREEcY+J7WbiMa58UU/i8COU{CR}{LF}
 8945 6rL9Xw+zgDFPwfTEPBxf6TtLgMUNa6Td2rnObIBumx6eHB0jpTPjh0tRL1IRovNWX6/T{CR}{LF}
 8945 a7P4kk22edmTzwDIliH/JTKm9JndaMGl2i3eNXNd6A0uVan4XbdlmvNC2i+hbFr8Zt2y{CR}{LF}
 8945 Z8iOfc5zGb5Tg5+S3ZFJ+iXfV7Yw43hke1ycY56SPfYrNejUBxDPzteAf/Zm5HGl39j7{CR}{LF}
 8945 eZ+J8SppT6isl7eTYisbR5jW+KbdKflLiCfCI8DLSPkYfsEKeRsvstG4zFS4joAPVhs4{CR}{LF}
 8945 TYk//ANQSwECHgMUAAAACABtcHZKwf9XwY0CAABaBQAACAAYAAAAAAABAAAAtIEAAAAA{CR}{LF}
 8945 dGVzdC50eHRVVAUAAy6E0lh1eAsAAQQBAAABBAIAAAFQSwUGAAAAAAEAAQBOAAAAzwIA{CR}{LF}
 8945 AAAA{CR}{LF}
 8945 ----boundary_3_3a99f866-6844-42b9-a317-988f0ed3a195--{CR}{LF}
 8945 PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 8945 PDKIM: finish bodyhash 1/1/-1 len 1804
 8945 PDKIM [open.ac.uk] Body bytes (relaxed) hashed: 1804
 8945 PDKIM [open.ac.uk] Body sha256 computed: 7e6c6ae4ca9a067a12acb6d9681bb75bbb1448bf164f843fdabba9ce3502e539
 8945 PDKIM >> Headers to be signed:                            >>>>>>>>>>>>
 8945  From:Date:Subject:Sender:Reply-To:Message-ID:MIME-Version
 8945 PDKIM >> Header data for hash, canonicalized (relaxed), in sequence >>
 8945 message-id:<E1iMXXi-0002KE-Go@???>{CR}{LF}
 8945 subject:PS:{SP}Test{SP}dkim{SP}signature{CR}{LF}
 8945 date:21{SP}Oct{SP}2019{SP}14:16:14{SP}+0100{CR}{LF}
 8945 from:noreply@???{CR}{LF}
 8945 mime-version:1.0{CR}{LF}
 8945 PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 8945 PDKIM >> Signed DKIM-Signature header, pre-canonicalized >>>>>>>>>>>>>


Nigel


-----Original Message-----
From: Exim-users <exim-users-bounces+n.s.robson=open.ac.uk@???> On Behalf Of Jeremy Harris via Exim-users
Sent: 30 October 2019 10:57
To: exim-users@???
Subject: Re: [exim] Dkim check failures problem.

WARNING: This message comes from an external organisation. Be careful of embedded links

On 29/10/2019 11:38, Nigel.Robson via Exim-users wrote:
> We are trying to set up DKIM in EXIM. Whilst it works in most cases I have a use case where the message that is received fails the DKIM check with "body hash did not verify"
>
> This happens where the outgoing message (to an external domain) has an attachment and a 'signature/disclaimer' is appended to it with a transport filter using altermime.


What version of Exim?

To clarify: is it ok when the transport_filter is used, but there was no attachment?



It's always possible we have a bug there... on a quick look I don't see a testcase in the regression testsuite covering
dkim-with-transport_filter. There's certainly special coding in
the source for the case; running under debug you should see

"dkim signing via file"         and _not_ see
"dkim signing direct-mode"


--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
-- The Open University is incorporated by Royal Charter (RC 000391), an exempt charity in England & Wales and a charity registered in Scotland (SC 038302). The Open University is authorised and regulated by the Financial Conduct Authority in relation to its secondary activity of credit broking.