Re: [exim] dkim=fail (body hash mismatch; body probably mod…

Pàgina inicial
Delete this message
Reply to this message
Autor: Victor Sudakov
Data:  
A: exim-users
Assumpte: Re: [exim] dkim=fail (body hash mismatch; body probably modified in transit)
Jeremy Harris via Exim-users wrote:
> On 04/12/2022 06:33, Victor Sudakov via Exim-users wrote:
> > I have sent 10 short messages from the library.tomsk.ru host:
> >
> > echo "test test" | mail -s "test test" vas@XXXXXX vas@YYYYYY
> >
> > and its 10 times dkim=pass on FreeBSD and 10 times dkim=fail on Debian
> > so I guess it's consistent.
> >
> > However, I've noticed that when I send a larger mail, like
> >
> > uuencode /usr/bin/vi vi | mail -s "test test" vas@XXXXXX vas@YYYYYY
> >
> > then 10 of the 10 mails on Debian have dkim=pass. So the message size
> > or encoding is envolved somehow? What gives?
>
> So. Size-dependent, rx-end dependent, and seems consistently reproducible.


Correct.

>
> Could be the library used for hashing the body, or the way it's being
> driven, or the exact sizes of chunks of body being handed it.


[dd]

>
> A test here does not fail:


Can you give me an address to send a test mail to on one of your
Debian receivers? And we will look at what it says about the body.

>
>
> The body-hash differing implies, I think, that the signature algorithm isn't
> involved. I was using sha256; what's yours?


Hmm, how do I figure out? Below is the complete sender configuration,
without hiding anything:

remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
dkim_domain = library.tomsk.ru
dkim_selector = 20221203
dkim_private_key = /usr/local/etc/exim/dkim/library.tomsk.ru-private.pem
dkim_canon = relaxed
dkim_sign_headers = Date:From:To:Subject:Message-Id:In-Reply-To

I think it's using some exim default algorithm.

>
> I guess there's also the dkim canonicalisation. Mine was relaxed/relaxed. Yours?


dkim_canon = relaxed

>
> Can you set up the receiver exim with debug enabled? Either commandline option
> or ACL modifier can be used to enable that, the latter having the benefit of
> being able to only trace certain classes of connection. The interesting part
> would be the DKIM receive processing, which is in the debug "acl" channel.


What should I add to acl_smtp_dkim to enable debugging?

--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet