Autor: Tom Crane Data: Dla: Jeremy Harris via Exim-users CC: Tom Crane Temat: Re: [exim] ARC signing and verification
On Fri, 24 Apr 2020, Jeremy Harris via Exim-users wrote:
> On 24/04/2020 19:52, Tom Crane via Exim-users wrote:
>> Done but I am not much the wiser. I get (slightly obfuscated) eg.,
>> 16:56:30 16565 using ACL "acl_check_data"
>> [cut]
>> 16:56:30 16565 arc=none
>
> [the above best viewed with a UTF-8 - capable terminal]
>
> OK. There would have been a big wadge of DKIM messages earlier on,
> when the verification was actually being done - but you see the
> results here.
Yes. There were but I assumed they were not relevant and that only the
fact that verification had failed was...
>
>
>> The DKIM verification failure is due to meddling by an upstream MTA (a
>> Microsoft O365 protection service) which filters email to my exim server
>> via its domain's DNS mx record, and prepends "[EXT] " onto Subject:
>> header lines.
>
> How nice of them. Perhaps, some time in the future they'll be nice
> enough to do ARC themselves...
Actually, I am hoping that the Campus O365 system does already do ARC
verification such that email that has come through my exim server will
verify on O365 where our staff mostly have their accounts. This is my
main motivation.
>
>> Two question arise;
>>
>> (1) Is the DKIM verification failure going to cause ARC to refuse to ARC
>> -sign the message?
>
> It won't stop you signing it, but all you'll be able to do is sign
> the fact that DKIM was not-verifiable at the point you got your
> hands on the message.
>
>> (2) A wrote System Filter script to strip out the "[EXT] ". It works in
>> that if I extract the delivered message from my mailbox the "[EXT] " is
>> duly gone from the Subject: field and the dkimverify.pl tool
>> successfully verifies the message.
>
> So the modifications made by that inerloper are predictable? OK.
The manipulation of the Subject: field is but looking more closely at the
messages bodies it is interfering there also. Maybe I am wasting my time
on this whole project...
>
> You could have done the same edit using native Exim factilities,
> and not needing the system-filter, but no matter.
Out of interest how? The address rewriter only acts on header fields
with addresses in. Likewise with the header_rewrite option, no?
>
>> Exim however, still gets a DKIM
>> verify failure. I call the system filter with a "system_filter ="
>> statement in main/global/top section of the exim.conf file. My question
>> is; Is Exim's DKIM verification check for the Authentication-Results:
>> header carried out before the System Filter runs and if so, if there
>> anything I can do to make it run before?
>
> It is, and no there is not. It would be an interesting RFE to raise,
> a way of re-verifying DKIM after applying some such edits, though.
> I see no technical obstacles.
>
> Or you could get O365 to stop messing with your messages.
It is a campus-wide 'cyber security' measure, so not much hope of that :-{