[exim-cvs] DKIM: support list-version of $dkim_verify_status…

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Exim Git Commits Mailing List
日付:  
To: exim-cvs
題目: [exim-cvs] DKIM: support list-version of $dkim_verify_status, and data ACL
Gitweb: https://git.exim.org/exim.git/commitdiff/e2b4dedbcd1c17398c98342f250f0c44fd1984f3
Commit:     e2b4dedbcd1c17398c98342f250f0c44fd1984f3
Parent:     67cc3ad2fe09fa6197c54a18fa9eb8f1375a87ec
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Sep 25 09:48:00 2023 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Wed Sep 27 00:11:13 2023 +0100


    DKIM: support list-version of $dkim_verify_status, and data ACL
---
 doc/doc-docbook/spec.xfpt   | 41 +++++++++++++++++++++++++++++++----------
 doc/doc-txt/ChangeLog       |  3 +++
 doc/doc-txt/NewStuff        |  4 ++++
 src/src/acl.c               | 19 ++++++++++++++++---
 src/src/pdkim/pdkim.c       |  4 ++--
 test/confs/4500             |  5 ++++-
 test/log/4500               | 13 +++++++++++++
 test/log/4501               |  2 ++
 test/log/4502               |  4 ++++
 test/log/4503               |  1 +
 test/log/4504               |  1 +
 test/log/4506               |  7 +++++++
 test/log/4540               |  4 ++++
 test/scripts/4500-DKIM/4500 | 42 ++++++++++++++++++++++++++++++++++++++++++
 test/stderr/4507            | 12 ++++++++++--
 15 files changed, 144 insertions(+), 18 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 1f5e29511..70988384d 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -41791,8 +41791,9 @@ RFC 6376 lists these tags as RECOMMENDED.

Verification of DKIM signatures in SMTP incoming email is done for all
messages for which an ACL control &%dkim_disable_verify%& has not been set.
+
.cindex DKIM "selecting signature algorithms"
-Individual classes of signature algorithm can be ignored by changing
+Individual classes of DKIM signature algorithm can be ignored by changing
the main options &%dkim_verify_hashes%& or &%dkim_verify_keytypes%&.
The &%dkim_verify_minimal%& option can be set to cease verification
processing for a message once the first passing signature is found.
@@ -41805,7 +41806,7 @@ For most purposes the default option settings suffice and the remainder
of this section can be ignored.

The results of verification are made available to the
-&%acl_smtp_dkim%& ACL, which can examine and modify them.
+&%acl_smtp_dkim%& ACL, which (for complex needs) can examine and modify them.
A missing ACL definition defaults to accept.
By default, the ACL is called once for each
syntactically(!) correct signature in the incoming message.
@@ -41870,6 +41871,12 @@ an identity. This is one of the list items from the expanded main option
&%dkim_verify_signers%& (see above).

 .vitem &%$dkim_verify_status%&
+So long as a DKIM ACL is defined
+(it need do no more than accept, which is the default),
+after all the DKIM ACL runs have completed, the value becomes a
+colon-separated list of the values after each run.
+The value is maintained for the MIME, PRDR and DATA ACLs.
+
 Within the DKIM ACL,
 a string describing the general status of the signature. One of
 .ilist
@@ -41898,11 +41905,6 @@ hash-method or key-size:
        set dkim_verify_reason = hash too weak or key too short
 .endd


-So long as a DKIM ACL is defined (it need do no more than accept),
-after all the DKIM ACL runs have completed, the value becomes a
-colon-separated list of the values after each run.
-This is maintained for the mime, prdr and data ACLs.
-
.vitem &%$dkim_verify_reason%&
A string giving a little bit more detail when &%$dkim_verify_status%& is either
"fail" or "invalid". One of
@@ -42027,13 +42029,15 @@ option.

.endlist

-In addition, two ACL conditions are provided, usable only in a DKIM ACL:
+In addition, two ACL conditions are provided:

.vlist
.vitem &%dkim_signers%&
ACL condition that checks a colon-separated list of domains or identities
for a match against the domain or identity that the ACL is currently verifying
-(reflected by &%$dkim_cur_signer%&). This is typically used to restrict an ACL
+(reflected by &%$dkim_cur_signer%&).
+This condition is only usable in a DKIM ACL.
+This is typically used to restrict an ACL
verb to a group of domains or identities. For example:

.code
@@ -42049,7 +42053,18 @@ for that check for empty &$h_DKIM-Signature:$& in the data ACL.

.vitem &%dkim_status%&
ACL condition that checks a colon-separated list of possible DKIM verification
-results against the actual result of verification. This is typically used
+results against the actual result of verification,
+given by &$dkim_verify_status$& if that is non-empty or "none" if empty.
+.new
+This condition may be used in DKIM, MIME, PRDR and DATA ACLs.
+.wen
+
+A basic verification might be:
+.code
+deny !dkim_status = pass:none:invalid
+.endd
+
+A more complex use could be
to restrict an ACL verb to a list of verification outcomes, for example:

.code
@@ -42062,6 +42077,12 @@ deny sender_domains = paypal.com:paypal.de
The possible status keywords are: 'none','invalid','fail' and 'pass'. Please
see the documentation of the &%$dkim_verify_status%& expansion variable above
for more information of what they mean.
+
+The condition is true if the status
+.new
+(or any of the list of status values)
+.wen
+is any one of the supplied list.
.endlist


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 5fcc8ab11..4c22f649f 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -193,6 +193,9 @@ JH/38 Taint-track intermediate values from the peer in multi-stage authentation
 JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
       and ${tr...}.  Found and diagnosed by Heiko Schlichting.


+JH/40 Support list of dkim results in the dkim_status ACL condition, making
+      it more usable in the data ACL.
+


Exim version 4.96
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 89df66ba2..beca9748c 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -6,6 +6,10 @@ Before a formal release, there may be quite a lot of detail so that people can
test from the snapshots or the Git before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.

+Since 4.97
+------------
+ 1. The dkim_status ACL condition may not be used in data ACLs
+
Version 4.97
------------

diff --git a/src/src/acl.c b/src/src/acl.c
index 118e4b35d..8431efc84 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -203,7 +203,14 @@ static condition_def conditions[] = {
   [ACLC_DELAY] =        { US"delay",        TRUE, TRUE, ACL_BIT_NOTQUIT },
 #ifndef DISABLE_DKIM
   [ACLC_DKIM_SIGNER] =        { US"dkim_signers",    TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
-  [ACLC_DKIM_STATUS] =        { US"dkim_status",    TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
+  [ACLC_DKIM_STATUS] =        { US"dkim_status",    TRUE, FALSE,
+                  (unsigned int)
+                  ~(ACL_BIT_DKIM | ACL_BIT_DATA | ACL_BIT_MIME
+# ifndef DISABLE_PRDR
+                  | ACL_BIT_PRDR
+# endif
+      ),
+  },
 #endif
 #ifdef SUPPORT_DMARC
   [ACLC_DMARC_STATUS] =        { US"dmarc_status",    TRUE, FALSE, (unsigned int) ~ACL_BIT_DATA },
@@ -3763,8 +3770,14 @@ for (; cb; cb = cb->next)
       break;


     case ACLC_DKIM_STATUS:
-      rc = match_isinlist(dkim_verify_status,
-              &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
+      {        /* return good for any match */
+      const uschar * s = dkim_verify_status ? dkim_verify_status : US"none";
+      int sep = 0;
+      for (uschar * ss; ss = string_nextinlist(&s, &sep, NULL, 0); )
+    if (   (rc = match_isinlist(ss, &arg,
+                    0, NULL, NULL, MCL_STRING, TRUE, NULL))
+        == OK) break;
+      }
       break;
 #endif


diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c
index 30cb0437c..22b850242 100644
--- a/src/src/pdkim/pdkim.c
+++ b/src/src/pdkim/pdkim.c
@@ -1868,9 +1868,9 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
     if (*dkim_verify_min_keysizes)
       {
       unsigned minbits;
-      uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype],
+      const uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype],
                     dkim_verify_min_keysizes);
-      if (ss &&  (minbits = atoi(CS ss)) > sig->keybits)
+      if (ss &&  (minbits = atoi(CCS ss)) > sig->keybits)
     {
     DEBUG(D_acl) debug_printf("Key too short: Actual: %s %u  Minima '%s'\n",
       pdkim_keytypes[sig->keytype], sig->keybits, dkim_verify_min_keysizes);
diff --git a/test/confs/4500 b/test/confs/4500
index 9f0829c1a..46cffa39a 100644
--- a/test/confs/4500
+++ b/test/confs/4500
@@ -42,6 +42,9 @@ check_dkim:
 .endif


 check_data:
-  accept logwrite = ${authresults {$primary_hostname}}
+  warn        logwrite =    ${authresults {$primary_hostname}}
+  accept    dkim_status =    pass
+          logwrite =    dkim_status includes pass
+  accept    logwrite =    dkim_state DOES NOT include pass


 # End
diff --git a/test/log/4500 b/test/log/4500
index 322c5a5be..be7ab89f0 100644
--- a/test/log/4500
+++ b/test/log/4500
@@ -4,27 +4,40 @@
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 512
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=ses header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 512
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=ses_sha1 c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=ses_sha1 header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 NOTE: forcing dkim verify fail (was pass)
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [fail - hash too weak]
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=policy (fail - hash too weak) header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbB-000000005vi-0000 dkim_state DOES NOT include pass
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 signer: test.ex bits: 512
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification failed - signature invalid (key too short)]
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=fail (public key too short: 512 bits)\n         header.d=test.ex header.s=ses header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 dkim_state DOES NOT include pass
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 signer: test.ex bits: 512
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification failed - signature invalid (key too short)]
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256;\n    dkim=fail (public key too short: 512 bits)\n         header.d=test.ex header.s=ses header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 dkim_status includes pass
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
diff --git a/test/log/4501 b/test/log/4501
index 2a1934c05..ed8bb3d82 100644
--- a/test/log/4501
+++ b/test/log/4501
@@ -4,8 +4,10 @@
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= pass@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 0
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=fail (body hash mismatch; body probably modified in transit)\n         header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_state DOES NOT include pass
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= fail@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
diff --git a/test/log/4502 b/test/log/4502
index de5fbd478..4a1e86588 100644
--- a/test/log/4502
+++ b/test/log/4502
@@ -4,17 +4,21 @@
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=564CFC9B.1040905@???
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sel_bad [failed key import]
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 0
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha1 b=1024 [invalid - syntax error in public key record]
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=neutral (public key record import problem)\n         header.d=test.ex header.s=sel_bad header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_state DOES NOT include pass
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=564CFC9B.1040905@???
diff --git a/test/log/4503 b/test/log/4503
index ea4791a91..2d5d8c42b 100644
--- a/test/log/4503
+++ b/test/log/4503
@@ -4,4 +4,5 @@
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha512
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@???
diff --git a/test/log/4504 b/test/log/4504
index ea4791a91..2d5d8c42b 100644
--- a/test/log/4504
+++ b/test/log/4504
@@ -4,4 +4,5 @@
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 [verification succeeded]
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha512
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@???
diff --git a/test/log/4506 b/test/log/4506
index adace8e4a..00139412f 100644
--- a/test/log/4506
+++ b/test/log/4506
@@ -4,32 +4,39 @@
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 0
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid]
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=neutral (signature tag missing or invalid)\n         header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_state DOES NOT include pass
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: test.ex bits: 0
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=fail (body hash mismatch; body probably modified in transit)\n         header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_state DOES NOT include pass
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 0
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=fail (body hash mismatch; body probably modified in transit)\n         header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_state DOES NOT include pass
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 DKIM: validation error: LONG_LINE
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 DKIM: Error during validation, disabling signature verification: LONG_LINE
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 Authentication-Results: myhost.test.ex
+1999-03-02 09:44:33 10HmbB-000000005vi-0000 dkim_state DOES NOT include pass
 1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 signer: test.ex bits: 512
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 DKIM: d=test.ex s=ses_sha256 c=simple/simple a=rsa-sha1 b=512 [verification failed - unspecified reason]
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=fail (unspecified reason)\n         header.d=test.ex header.s=ses_sha256 header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 dkim_state DOES NOT include pass
 1999-03-02 09:44:33 10HmbC-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
 1999-03-02 09:44:33 DKIM: validation error: EXCESS_SIGS
 1999-03-02 09:44:33 10HmbD-000000005vi-0000 DKIM: Error during validation, disabling signature verification: EXCESS_SIGS
 1999-03-02 09:44:33 10HmbD-000000005vi-0000 Authentication-Results: myhost.test.ex
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 dkim_state DOES NOT include pass
 1999-03-02 09:44:33 10HmbD-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=20180418125440.Horde.vVKB6E7UvpLfJsPzv2ZPs6z@???
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 unknown
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 signer: test.ex bits: 0
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid]
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=neutral (signature tag missing or invalid)\n         header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbE-000000005vi-0000 dkim_state DOES NOT include pass
 1999-03-02 09:44:33 10HmbE-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 0
diff --git a/test/log/4540 b/test/log/4540
index 80aa4ca28..e283729ed 100644
--- a/test/log/4540
+++ b/test/log/4540
@@ -4,19 +4,23 @@
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 253
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sed c=relaxed/relaxed a=ed25519-sha256 b=512 [verification succeeded]
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sed header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@???
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 253
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sedw c=relaxed/relaxed a=ed25519-sha256 b=512 [verification succeeded]
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sedw header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@???
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: kitterman.org bits: 253
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=kitterman.org s=ed25519 c=relaxed/simple a=ed25519-sha256 b=512 i=@kitterman.org t=1517847601 [verification succeeded]
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: @kitterman.org bits: 253
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=kitterman.org s=ed25519 c=relaxed/simple a=ed25519-sha256 b=512 i=@kitterman.org t=1517847601 [verification succeeded]
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=kitterman.org header.i=@kitterman.org header.s=ed25519 header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_status includes pass
 1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=kitterman.org id=example@???
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 253
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sed c=relaxed/relaxed a=ed25519-sha256 b=512 [verification failed - signature invalid (key too short)]
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=fail (public key too short: 253 bits)\n         header.d=test.ex header.s=sed header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_state DOES NOT include pass
 1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=E10HmaX-0005vi-00@???
diff --git a/test/scripts/4500-DKIM/4500 b/test/scripts/4500-DKIM/4500
index d1cc646f9..112fda506 100644
--- a/test/scripts/4500-DKIM/4500
+++ b/test/scripts/4500-DKIM/4500
@@ -3,6 +3,7 @@
 exim -DSERVER=server -DMSIZE='rsa=512 ed25519=250' -bd -oX PORT_D
 ****
 #
+# (A)
 # This should pass.
 #  - sha1, 1024b
 # Mail original in aux-fixed/4500.msg1.txt
@@ -37,6 +38,7 @@ QUIT
 ??? 221
 ****
 #
+# (B)
 # This should pass.
 #  - sha1, 512b
 # Mail original in aux-fixed/4500.msg1.txt
@@ -69,6 +71,7 @@ QUIT
 ??? 221
 ****
 #
+# (C)
 # This should pass.
 #  - sha256, 1024b
 # Mail original in aux-fixed/4500.msg1.txt
@@ -103,6 +106,7 @@ QUIT
 ****
 #
 #
+# (D)
 # This should pass.  The pubkey dns decord has a additional sha1-only h= field
 #
 #  - sha1, 512b
@@ -143,6 +147,7 @@ killdaemon
 exim -DSERVER=server -DOPTION -DMSIZE='rsa=512 ed25519c=32' -bd -oX PORT_D
 ****
 #
+# (E)
 # This should fail despite being a passing submission above (with the unlimited verifier).
 #  - sha1, 1024b
 # Mail original in aux-fixed/4500.msg1.txt
@@ -181,6 +186,7 @@ killdaemon
 #
 #
 #
+# (F)
 # With the default keysize minima, a 512b key should fail
 exim -DSERVER=server -bd -oX PORT_D
 ****
@@ -208,6 +214,42 @@ Date: Thu, 19 Nov 2015 17:00:07 -0700
 Message-ID: <qwerty1234@???>
 Subject: simple test


+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+#
+#
+# (G)
+# Two signature, one pass one fail.  Checking for "at least one pass".
+# Sigs from (F) and (C) above
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@???>
+??? 250
+RCPT TO:<a@???>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=test.ex; h=from:to
+    :date:message-id:subject; s=ses; bh=OB9dZVu7+5/ufs3TH9leIcEpXSo=; b=
+    cIErF1eueIT9AU4qG54FyT3yrlVDDM7RZnuU6fWTevZpAuMqhYcRO8tU3U4vtKWB
+    +I2vd+F1gzqCzBcRtfLhZg==
+DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.ex; h=from:to
+    :date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1
+    6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP
+    Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh
+    +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY=
+From: mrgus@???
+To: bakawolf@???
+Date: Thu, 19 Nov 2015 17:00:07 -0700
+Message-ID: <qwerty1234@???>
+Subject: simple test
+
 This is a simple test.
 .
 ??? 250
diff --git a/test/stderr/4507 b/test/stderr/4507
index 6fcd8bd8d..d82f5d95e 100644
--- a/test/stderr/4507
+++ b/test/stderr/4507
@@ -12,7 +12,7 @@

>>> list element: @
>>> list element: @[]
>>> xxx in helo_lookup_domains? no (end of list)

->>> processing "accept" (TESTSUITE/test-config 47)
+>>> processing "accept" (TESTSUITE/test-config 50)
>>> accept: condition test succeeded in inline ACL
>>> end of inline ACL: ACCEPT
>>> host in ignore_fromline_hosts? no (option unset)

@@ -27,11 +27,19 @@ LOG: 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
>>> end of ACL "check_dkim": ACCEPT

LOG: 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
>>> using ACL "check_data"

->>> processing "accept" (TESTSUITE/test-config 45)
+>>> processing "warn" (TESTSUITE/test-config 45)
 >>> check logwrite = ${authresults {$primary_hostname}}
 >>>                = Authentication-Results: myhost.test.ex;
 >>>     dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1

 LOG: 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n    dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+>>> warn: condition test succeeded in ACL "check_data"
+>>> processing "accept" (TESTSUITE/test-config 46)
+>>> check dkim_status = pass
+>>> pass in "pass"?
+>>>  list element: pass
+>>>  pass in "pass"? yes (matched "pass")
+>>> check logwrite = dkim_status includes pass
+LOG: 10HmaX-000000005vi-0000 dkim_status includes pass

>>> accept: condition test succeeded in ACL "check_data"
>>> end of ACL "check_data": ACCEPT

LOG: 10HmaX-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-cvs.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-cvs-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/