Gitweb:
https://git.exim.org/exim.git/commitdiff/e2b4dedbcd1c17398c98342f250f0c44fd1984f3
Commit: e2b4dedbcd1c17398c98342f250f0c44fd1984f3
Parent: 67cc3ad2fe09fa6197c54a18fa9eb8f1375a87ec
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Sep 25 09:48:00 2023 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Wed Sep 27 00:11:13 2023 +0100
DKIM: support list-version of $dkim_verify_status, and data ACL
---
doc/doc-docbook/spec.xfpt | 41 +++++++++++++++++++++++++++++++----------
doc/doc-txt/ChangeLog | 3 +++
doc/doc-txt/NewStuff | 4 ++++
src/src/acl.c | 19 ++++++++++++++++---
src/src/pdkim/pdkim.c | 4 ++--
test/confs/4500 | 5 ++++-
test/log/4500 | 13 +++++++++++++
test/log/4501 | 2 ++
test/log/4502 | 4 ++++
test/log/4503 | 1 +
test/log/4504 | 1 +
test/log/4506 | 7 +++++++
test/log/4540 | 4 ++++
test/scripts/4500-DKIM/4500 | 42 ++++++++++++++++++++++++++++++++++++++++++
test/stderr/4507 | 12 ++++++++++--
15 files changed, 144 insertions(+), 18 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 1f5e29511..70988384d 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -41791,8 +41791,9 @@ RFC 6376 lists these tags as RECOMMENDED.
Verification of DKIM signatures in SMTP incoming email is done for all
messages for which an ACL control &%dkim_disable_verify%& has not been set.
+
.cindex DKIM "selecting signature algorithms"
-Individual classes of signature algorithm can be ignored by changing
+Individual classes of DKIM signature algorithm can be ignored by changing
the main options &%dkim_verify_hashes%& or &%dkim_verify_keytypes%&.
The &%dkim_verify_minimal%& option can be set to cease verification
processing for a message once the first passing signature is found.
@@ -41805,7 +41806,7 @@ For most purposes the default option settings suffice and the remainder
of this section can be ignored.
The results of verification are made available to the
-&%acl_smtp_dkim%& ACL, which can examine and modify them.
+&%acl_smtp_dkim%& ACL, which (for complex needs) can examine and modify them.
A missing ACL definition defaults to accept.
By default, the ACL is called once for each
syntactically(!) correct signature in the incoming message.
@@ -41870,6 +41871,12 @@ an identity. This is one of the list items from the expanded main option
&%dkim_verify_signers%& (see above).
.vitem &%$dkim_verify_status%&
+So long as a DKIM ACL is defined
+(it need do no more than accept, which is the default),
+after all the DKIM ACL runs have completed, the value becomes a
+colon-separated list of the values after each run.
+The value is maintained for the MIME, PRDR and DATA ACLs.
+
Within the DKIM ACL,
a string describing the general status of the signature. One of
.ilist
@@ -41898,11 +41905,6 @@ hash-method or key-size:
set dkim_verify_reason = hash too weak or key too short
.endd
-So long as a DKIM ACL is defined (it need do no more than accept),
-after all the DKIM ACL runs have completed, the value becomes a
-colon-separated list of the values after each run.
-This is maintained for the mime, prdr and data ACLs.
-
.vitem &%$dkim_verify_reason%&
A string giving a little bit more detail when &%$dkim_verify_status%& is either
"fail" or "invalid". One of
@@ -42027,13 +42029,15 @@ option.
.endlist
-In addition, two ACL conditions are provided, usable only in a DKIM ACL:
+In addition, two ACL conditions are provided:
.vlist
.vitem &%dkim_signers%&
ACL condition that checks a colon-separated list of domains or identities
for a match against the domain or identity that the ACL is currently verifying
-(reflected by &%$dkim_cur_signer%&). This is typically used to restrict an ACL
+(reflected by &%$dkim_cur_signer%&).
+This condition is only usable in a DKIM ACL.
+This is typically used to restrict an ACL
verb to a group of domains or identities. For example:
.code
@@ -42049,7 +42053,18 @@ for that check for empty &$h_DKIM-Signature:$& in the data ACL.
.vitem &%dkim_status%&
ACL condition that checks a colon-separated list of possible DKIM verification
-results against the actual result of verification. This is typically used
+results against the actual result of verification,
+given by &$dkim_verify_status$& if that is non-empty or "none" if empty.
+.new
+This condition may be used in DKIM, MIME, PRDR and DATA ACLs.
+.wen
+
+A basic verification might be:
+.code
+deny !dkim_status = pass:none:invalid
+.endd
+
+A more complex use could be
to restrict an ACL verb to a list of verification outcomes, for example:
.code
@@ -42062,6 +42077,12 @@ deny sender_domains = paypal.com:paypal.de
The possible status keywords are: 'none','invalid','fail' and 'pass'. Please
see the documentation of the &%$dkim_verify_status%& expansion variable above
for more information of what they mean.
+
+The condition is true if the status
+.new
+(or any of the list of status values)
+.wen
+is any one of the supplied list.
.endlist
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 5fcc8ab11..4c22f649f 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -193,6 +193,9 @@ JH/38 Taint-track intermediate values from the peer in multi-stage authentation
JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
and ${tr...}. Found and diagnosed by Heiko Schlichting.
+JH/40 Support list of dkim results in the dkim_status ACL condition, making
+ it more usable in the data ACL.
+
Exim version 4.96
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 89df66ba2..beca9748c 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -6,6 +6,10 @@ Before a formal release, there may be quite a lot of detail so that people can
test from the snapshots or the Git before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
+Since 4.97
+------------
+ 1. The dkim_status ACL condition may not be used in data ACLs
+
Version 4.97
------------
diff --git a/src/src/acl.c b/src/src/acl.c
index 118e4b35d..8431efc84 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -203,7 +203,14 @@ static condition_def conditions[] = {
[ACLC_DELAY] = { US"delay", TRUE, TRUE, ACL_BIT_NOTQUIT },
#ifndef DISABLE_DKIM
[ACLC_DKIM_SIGNER] = { US"dkim_signers", TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
- [ACLC_DKIM_STATUS] = { US"dkim_status", TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
+ [ACLC_DKIM_STATUS] = { US"dkim_status", TRUE, FALSE,
+ (unsigned int)
+ ~(ACL_BIT_DKIM | ACL_BIT_DATA | ACL_BIT_MIME
+# ifndef DISABLE_PRDR
+ | ACL_BIT_PRDR
+# endif
+ ),
+ },
#endif
#ifdef SUPPORT_DMARC
[ACLC_DMARC_STATUS] = { US"dmarc_status", TRUE, FALSE, (unsigned int) ~ACL_BIT_DATA },
@@ -3763,8 +3770,14 @@ for (; cb; cb = cb->next)
break;
case ACLC_DKIM_STATUS:
- rc = match_isinlist(dkim_verify_status,
- &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
+ { /* return good for any match */
+ const uschar * s = dkim_verify_status ? dkim_verify_status : US"none";
+ int sep = 0;
+ for (uschar * ss; ss = string_nextinlist(&s, &sep, NULL, 0); )
+ if ( (rc = match_isinlist(ss, &arg,
+ 0, NULL, NULL, MCL_STRING, TRUE, NULL))
+ == OK) break;
+ }
break;
#endif
diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c
index 30cb0437c..22b850242 100644
--- a/src/src/pdkim/pdkim.c
+++ b/src/src/pdkim/pdkim.c
@@ -1868,9 +1868,9 @@ for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
if (*dkim_verify_min_keysizes)
{
unsigned minbits;
- uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype],
+ const uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype],
dkim_verify_min_keysizes);
- if (ss && (minbits = atoi(CS ss)) > sig->keybits)
+ if (ss && (minbits = atoi(CCS ss)) > sig->keybits)
{
DEBUG(D_acl) debug_printf("Key too short: Actual: %s %u Minima '%s'\n",
pdkim_keytypes[sig->keytype], sig->keybits, dkim_verify_min_keysizes);
diff --git a/test/confs/4500 b/test/confs/4500
index 9f0829c1a..46cffa39a 100644
--- a/test/confs/4500
+++ b/test/confs/4500
@@ -42,6 +42,9 @@ check_dkim:
.endif
check_data:
- accept logwrite = ${authresults {$primary_hostname}}
+ warn logwrite = ${authresults {$primary_hostname}}
+ accept dkim_status = pass
+ logwrite = dkim_status includes pass
+ accept logwrite = dkim_state DOES NOT include pass
# End
diff --git a/test/log/4500 b/test/log/4500
index 322c5a5be..be7ab89f0 100644
--- a/test/log/4500
+++ b/test/log/4500
@@ -4,27 +4,40 @@
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 512
1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=ses header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 512
1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=ses_sha1 c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=ses_sha1 header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbB-000000005vi-0000 NOTE: forcing dkim verify fail (was pass)
1999-03-02 09:44:33 10HmbB-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmbB-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [fail - hash too weak]
1999-03-02 09:44:33 10HmbB-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=policy (fail - hash too weak) header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbB-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbC-000000005vi-0000 signer: test.ex bits: 512
1999-03-02 09:44:33 10HmbC-000000005vi-0000 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification failed - signature invalid (key too short)]
1999-03-02 09:44:33 10HmbC-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (public key too short: 512 bits)\n header.d=test.ex header.s=ses header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbC-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 signer: test.ex bits: 512
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification failed - signature invalid (key too short)]
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256;\n dkim=fail (public key too short: 512 bits)\n header.d=test.ex header.s=ses header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 dkim_status includes pass
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
diff --git a/test/log/4501 b/test/log/4501
index 2a1934c05..ed8bb3d82 100644
--- a/test/log/4501
+++ b/test/log/4501
@@ -4,8 +4,10 @@
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= pass@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (body hash mismatch; body probably modified in transit)\n header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= fail@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
diff --git a/test/log/4502 b/test/log/4502
index de5fbd478..4a1e86588 100644
--- a/test/log/4502
+++ b/test/log/4502
@@ -4,17 +4,21 @@
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=564CFC9B.1040905@???
1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex
1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sel_bad [failed key import]
1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha1 b=1024 [invalid - syntax error in public key record]
1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=neutral (public key record import problem)\n header.d=test.ex header.s=sel_bad header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=564CFC9B.1040905@???
diff --git a/test/log/4503 b/test/log/4503
index ea4791a91..2d5d8c42b 100644
--- a/test/log/4503
+++ b/test/log/4503
@@ -4,4 +4,5 @@
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha512
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@???
diff --git a/test/log/4504 b/test/log/4504
index ea4791a91..2d5d8c42b 100644
--- a/test/log/4504
+++ b/test/log/4504
@@ -4,4 +4,5 @@
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha512
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@???
diff --git a/test/log/4506 b/test/log/4506
index adace8e4a..00139412f 100644
--- a/test/log/4506
+++ b/test/log/4506
@@ -4,32 +4,39 @@
1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid]
1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=neutral (signature tag missing or invalid)\n header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (body hash mismatch; body probably modified in transit)\n header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (body hash mismatch; body probably modified in transit)\n header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
1999-03-02 09:44:33 10HmbB-000000005vi-0000 DKIM: validation error: LONG_LINE
1999-03-02 09:44:33 10HmbB-000000005vi-0000 DKIM: Error during validation, disabling signature verification: LONG_LINE
1999-03-02 09:44:33 10HmbB-000000005vi-0000 Authentication-Results: myhost.test.ex
+1999-03-02 09:44:33 10HmbB-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
1999-03-02 09:44:33 10HmbC-000000005vi-0000 signer: test.ex bits: 512
1999-03-02 09:44:33 10HmbC-000000005vi-0000 DKIM: d=test.ex s=ses_sha256 c=simple/simple a=rsa-sha1 b=512 [verification failed - unspecified reason]
1999-03-02 09:44:33 10HmbC-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (unspecified reason)\n header.d=test.ex header.s=ses_sha256 header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbC-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
1999-03-02 09:44:33 DKIM: validation error: EXCESS_SIGS
1999-03-02 09:44:33 10HmbD-000000005vi-0000 DKIM: Error during validation, disabling signature verification: EXCESS_SIGS
1999-03-02 09:44:33 10HmbD-000000005vi-0000 Authentication-Results: myhost.test.ex
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbD-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=20180418125440.Horde.vVKB6E7UvpLfJsPzv2ZPs6z@???
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbE-000000005vi-0000 unknown
1999-03-02 09:44:33 10HmbE-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmbE-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid]
1999-03-02 09:44:33 10HmbE-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=neutral (signature tag missing or invalid)\n header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbE-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbE-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@???
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 0
diff --git a/test/log/4540 b/test/log/4540
index 80aa4ca28..e283729ed 100644
--- a/test/log/4540
+++ b/test/log/4540
@@ -4,19 +4,23 @@
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 253
1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sed c=relaxed/relaxed a=ed25519-sha256 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sed header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@???
1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 253
1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sedw c=relaxed/relaxed a=ed25519-sha256 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sedw header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@???
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: kitterman.org bits: 253
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=kitterman.org s=ed25519 c=relaxed/simple a=ed25519-sha256 b=512 i=@kitterman.org t=1517847601 [verification succeeded]
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: @kitterman.org bits: 253
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=kitterman.org s=ed25519 c=relaxed/simple a=ed25519-sha256 b=512 i=@kitterman.org t=1517847601 [verification succeeded]
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=kitterman.org header.i=@kitterman.org header.s=ed25519 header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=kitterman.org id=example@???
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 253
1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sed c=relaxed/relaxed a=ed25519-sha256 b=512 [verification failed - signature invalid (key too short)]
1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (public key too short: 253 bits)\n header.d=test.ex header.s=sed header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss id=E10HmaX-0005vi-00@???
diff --git a/test/scripts/4500-DKIM/4500 b/test/scripts/4500-DKIM/4500
index d1cc646f9..112fda506 100644
--- a/test/scripts/4500-DKIM/4500
+++ b/test/scripts/4500-DKIM/4500
@@ -3,6 +3,7 @@
exim -DSERVER=server -DMSIZE='rsa=512 ed25519=250' -bd -oX PORT_D
****
#
+# (A)
# This should pass.
# - sha1, 1024b
# Mail original in aux-fixed/4500.msg1.txt
@@ -37,6 +38,7 @@ QUIT
??? 221
****
#
+# (B)
# This should pass.
# - sha1, 512b
# Mail original in aux-fixed/4500.msg1.txt
@@ -69,6 +71,7 @@ QUIT
??? 221
****
#
+# (C)
# This should pass.
# - sha256, 1024b
# Mail original in aux-fixed/4500.msg1.txt
@@ -103,6 +106,7 @@ QUIT
****
#
#
+# (D)
# This should pass. The pubkey dns decord has a additional sha1-only h= field
#
# - sha1, 512b
@@ -143,6 +147,7 @@ killdaemon
exim -DSERVER=server -DOPTION -DMSIZE='rsa=512 ed25519c=32' -bd -oX PORT_D
****
#
+# (E)
# This should fail despite being a passing submission above (with the unlimited verifier).
# - sha1, 1024b
# Mail original in aux-fixed/4500.msg1.txt
@@ -181,6 +186,7 @@ killdaemon
#
#
#
+# (F)
# With the default keysize minima, a 512b key should fail
exim -DSERVER=server -bd -oX PORT_D
****
@@ -208,6 +214,42 @@ Date: Thu, 19 Nov 2015 17:00:07 -0700
Message-ID: <qwerty1234@???>
Subject: simple test
+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+#
+#
+# (G)
+# Two signature, one pass one fail. Checking for "at least one pass".
+# Sigs from (F) and (C) above
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@???>
+??? 250
+RCPT TO:<a@???>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=test.ex; h=from:to
+ :date:message-id:subject; s=ses; bh=OB9dZVu7+5/ufs3TH9leIcEpXSo=; b=
+ cIErF1eueIT9AU4qG54FyT3yrlVDDM7RZnuU6fWTevZpAuMqhYcRO8tU3U4vtKWB
+ +I2vd+F1gzqCzBcRtfLhZg==
+DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.ex; h=from:to
+ :date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1
+ 6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP
+ Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh
+ +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY=
+From: mrgus@???
+To: bakawolf@???
+Date: Thu, 19 Nov 2015 17:00:07 -0700
+Message-ID: <qwerty1234@???>
+Subject: simple test
+
This is a simple test.
.
??? 250
diff --git a/test/stderr/4507 b/test/stderr/4507
index 6fcd8bd8d..d82f5d95e 100644
--- a/test/stderr/4507
+++ b/test/stderr/4507
@@ -12,7 +12,7 @@
>>> list element: @
>>> list element: @[]
>>> xxx in helo_lookup_domains? no (end of list)
->>> processing "accept" (TESTSUITE/test-config 47)
+>>> processing "accept" (TESTSUITE/test-config 50)
>>> accept: condition test succeeded in inline ACL
>>> end of inline ACL: ACCEPT
>>> host in ignore_fromline_hosts? no (option unset)
@@ -27,11 +27,19 @@ LOG: 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
>>> end of ACL "check_dkim": ACCEPT
LOG: 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
>>> using ACL "check_data"
->>> processing "accept" (TESTSUITE/test-config 45)
+>>> processing "warn" (TESTSUITE/test-config 45)
>>> check logwrite = ${authresults {$primary_hostname}}
>>> = Authentication-Results: myhost.test.ex;
>>> dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
LOG: 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+>>> warn: condition test succeeded in ACL "check_data"
+>>> processing "accept" (TESTSUITE/test-config 46)
+>>> check dkim_status = pass
+>>> pass in "pass"?
+>>> list element: pass
+>>> pass in "pass"? yes (matched "pass")
+>>> check logwrite = dkim_status includes pass
+LOG: 10HmaX-000000005vi-0000 dkim_status includes pass
>>> accept: condition test succeeded in ACL "check_data"
>>> end of ACL "check_data": ACCEPT
LOG: 10HmaX-000000005vi-0000 <= CALLER@??? H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@???
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-cvs.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-cvs-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
