Hello.
I have an informational message for developers. In some rare cases Exim
considers a correct DKIM signature invalid. My estimate of the fault rate
is less than 1 event per 10,000 incoming mails.
In my environment it can be traced by headers, because each incoming
mail passes the chain
(1) Exim MTA -> (2) Amavis -> (3) Exim MTA,
where the receiving relay (1) and the anti-spam filter (2) save the result of
DKIM verification in headers. On failure, the headers look like:
Authentication-Results: passat.rdtex.ru (amavisd-new);
    dkim=pass (1024-bit key) header.d=netology.ru header.b=OXxIl1Hh;
    dkim=pass (1024-bit key) header.d=mta.mindbox.ru header.b=I5B1tR/y
Received: from passat.rdtex.ru ([127.0.0.1])
    by localhost (passat.rdtex.ru [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id UjeSDm4hSaiL for <xxxxxxx.xxxxxxx@???>;
    Mon, 5 Jul 2021 19:06:34 +0300 (MSK)
X-Authentication-Results: passat.rdtex.ru Exim-4.94.2;
    iprev=pass (mta.mindbox.ru) smtp.remote-ip=185.99.9.135;
    dkim=fail (body hash mismatch; body probably modified in transit)
    header.d=netology.ru header.s=mindbox header.a=rsa-sha256;
    dkim=fail (body hash mismatch; body probably modified in transit)
    header.d=mta.mindbox.ru header.s=mindbox header.a=rsa-sha256
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received-SPF: pass client-ip=185.99.9.135; envelope-from=bounce.b46b070004000000607c60a5@???; helo=mta.mindbox.ru
Received: from mta.mindbox.ru ([185.99.9.135]:29146)
    by passat.rdtex.ru with esmtps (TLS1.2:ECDHE_X25519__RSA_SHA256__AES_256_GCM:256)
    (Exim 4.94.2)
    (envelope-from <bounce.b46b070004000000607c60a5@???>)
    id 1m0R7C-00HEVp-GA size 24034 maxlen 175
...
The mainlog for the frontend Exim (1) contains:
2021-07-05 19:06:34.545 [4107365] 1m0R7C-00HEVp-GA DKIM: d=netology.ru s=mindbox c=relaxed/relaxed a=rsa-sha256 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
2021-07-05 19:06:34.545 [4107365] 1m0R7C-00HEVp-GA DKIM: d=mta.mindbox.ru s=mindbox c=relaxed/relaxed a=rsa-sha256 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
A manual test of the received mail with the Perl module Mail::DKIM::Verifier
gives a "pass" result for both signatures. If the sample mail is re-injected
by SMTP from another host, it passes verification on the frontend Exim.
I have 4 frontend relays with almost identical configuration; failures
happen on each of them, randomly. There is no evidence of hardware
problems (segfaults, etc.). No evidence of "inherited" memory corruption:
after a failure of DKIM verification, subsequent mails are verified correctly.
So it seems to be a rarely manifested bug.
I have no idea how such a bug can be located. However, I can share this
sample mail with developers (in private).
--
Eugene Berdnikov
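
The header comparison described in the report above, as an added example that is not part of the original message or of Exim: it reads both `Authentication-Results` and `X-Authentication-Results` from a stored mail and lists the signing domains on which one verifier says pass and the other fail. The function names are hypothetical, and the sample input is the header excerpt from the report followed by a constructed one-line body.

```python
import re
from email import message_from_string

# Headers copied from the report above; the body line is constructed.
SAMPLE = """\
Authentication-Results: passat.rdtex.ru (amavisd-new);
 dkim=pass (1024-bit key) header.d=netology.ru header.b=OXxIl1Hh;
 dkim=pass (1024-bit key) header.d=mta.mindbox.ru header.b=I5B1tR/y
X-Authentication-Results: passat.rdtex.ru Exim-4.94.2;
 iprev=pass (mta.mindbox.ru) smtp.remote-ip=185.99.9.135;
 dkim=fail (body hash mismatch; body probably modified in transit)
 header.d=netology.ru header.s=mindbox header.a=rsa-sha256;
 dkim=fail (body hash mismatch; body probably modified in transit)
 header.d=mta.mindbox.ru header.s=mindbox header.a=rsa-sha256

body
"""

# Split on ";" only outside a (comment): the Exim reason text contains one.
SPLIT = re.compile(r";(?![^()]*\))")
COMMENT = re.compile(r"\([^()]*\)")

def dkim_verdicts(raw_message):
    """Return {verifier: {signing_domain: result}} from both header types."""
    msg = message_from_string(raw_message)
    verdicts = {}
    for name in ("Authentication-Results", "X-Authentication-Results"):
        for value in msg.get_all(name, []):
            parts = SPLIT.split(" ".join(value.split()))  # unfold, then split
            verifier = parts[0].strip()  # e.g. "passat.rdtex.ru Exim-4.94.2"
            for part in parts[1:]:
                bare = COMMENT.sub("", part).strip()
                res = re.match(r"dkim=(\w+)", bare)
                dom = re.search(r"\bheader\.d=(\S+)", bare)
                if res and dom:
                    verdicts.setdefault(verifier, {})[dom.group(1).lower()] = res.group(1).lower()
    return verdicts

def disagreements(raw_message):
    """Domains where one verifier reports pass and another reports fail."""
    by_domain = {}
    for verifier, results in dkim_verdicts(raw_message).items():
        for domain, result in results.items():
            by_domain.setdefault(domain, {})[verifier] = result
    return {d: v for d, v in by_domain.items()
            if "pass" in v.values() and "fail" in v.values()}

if __name__ == "__main__":
    print(disagreements(SAMPLE))
```

Run over a mail spool, this gives a per-message list of suspect verifications whose queue IDs can then be matched against the mainlog.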