[exim] Setting dkim_verify_minimal to true, does not termina…

Author: Sander Smeenk
Date:  
To: exim-users
Subject: [exim] Setting dkim_verify_minimal to true, does not terminate validation after first success
Hi,

I had 'dkim_verify_minimal = true' in my Exim config and according to
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html
"If set to true, verification of signatures will terminate after the first success.".

But this does not seem to be what is happening and that in turn breaks DMARC checks.

Exim 4.96, libopendmarc2 1.4.2

I put this acl_smtp_dkim in:

| acl_smtp_dkim = acl_check_dkim
| 
| acl_check_dkim:
|     warn
|         logwrite = DKIM--$dkim_verify_status--$dkim_cur_signer--$dkim_verify_reason--$dkim_domain--$dkim_identity--
| 
|     accept


And with a message that has multiple DKIM sigs I get:

| LOG: 1sQq1q-00BKvo-0I DKIM--pass--bf02x.hubspotemail.net----bf02x.hubspotemail.net--@???--
| LOG: 1sQq1q-00BKvo-0I DKIM--pass--@???--@bf02x.hubspotemail.net--
| LOG: 1sQq1q-00BKvo-0I DKIM--none--lease-a-bike.nl----lease-a-bike.nl--@???--
| LOG: 1sQq1q-00BKvo-0I DKIM--none--@???--@lease-a-bike.nl--
| LOG: 1sQq1q-00BKvo-0I DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=no enforcement='Reject'


Notice the 'none' result in $dkim_verify_status. I am almost certain
this is what breaks DMARC because when I set 'dkim_verify_minimal' to
'false', I get:

| LOG: 1sQq2w-00BKyE-0A DKIM--pass--bf02x.hubspotemail.net----bf02x.hubspotemail.net--@???--
| LOG: 1sQq2w-00BKyE-0A DKIM--pass--@???--@bf02x.hubspotemail.net--
| LOG: 1sQq2w-00BKyE-0A DKIM--pass--lease-a-bike.nl----lease-a-bike.nl--@???--
| LOG: 1sQq2w-00BKyE-0A DKIM--pass--@???--@lease-a-bike.nl--
| LOG: 1sQq2w-00BKyE-0A DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'


And DMARC passes too.

Is the 'none' result expected? The fine manual seems to suggest it is
not. There was a pass so no more validation should be attempted?

Did I hit a bug here? My assumption of the verify_minimal option was
some sort of 'satisfy any' instead of 'satisfy all' functionality.

Kind regards,
-Sander Smeenk.
--
| Artificial intelligence is no match for natural stupidity.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
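
An added example, not part of the original post or of Exim: a small checker for log lines in the format produced by the logwrite above, reporting for each message whether the signer aligned with the DMARC From domain was logged as pass or as none. The function names are hypothetical, the alignment test is a simplification (no Public Suffix List), and the sample lines are copied from the two runs in the post.

```python
import re

# Log lines copied from the two runs in the post (archive address masking kept).
SAMPLE_LOG = """\
LOG: 1sQq1q-00BKvo-0I DKIM--pass--bf02x.hubspotemail.net----bf02x.hubspotemail.net--@???--
LOG: 1sQq1q-00BKvo-0I DKIM--pass--@???--@bf02x.hubspotemail.net--
LOG: 1sQq1q-00BKvo-0I DKIM--none--lease-a-bike.nl----lease-a-bike.nl--@???--
LOG: 1sQq1q-00BKvo-0I DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=no enforcement='Reject'
LOG: 1sQq2w-00BKyE-0A DKIM--pass--bf02x.hubspotemail.net----bf02x.hubspotemail.net--@???--
LOG: 1sQq2w-00BKyE-0A DKIM--pass--lease-a-bike.nl----lease-a-bike.nl--@???--
LOG: 1sQq2w-00BKyE-0A DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'
"""

DKIM_RE = re.compile(r"(\S+) DKIM--(.*)$")
DMARC_RE = re.compile(r"(\S+) DMARC results: .*?dmarc_domain=(\S+).*?dkim_align=(\w+)")

def aligned(sig_domain, from_domain):
    """Simplified relaxed alignment: equal, or one a subdomain of the other.
    Assumption: real relaxed alignment compares organizational domains (PSL)."""
    a, b = sig_domain.lower(), from_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def parse(log_text):
    """Group per-signature DKIM results and the DMARC summary by message id."""
    msgs = {}
    for line in log_text.splitlines():
        dkim, dmarc = DKIM_RE.search(line), DMARC_RE.search(line)
        if dkim:
            # Fields follow the logwrite: status, cur_signer, reason, domain, identity.
            # Punycode ("xn--") domains or an empty domain field break the split; skip those.
            parts = dkim.group(2).split("--")
            if len(parts) == 6 and parts[3]:
                msgs.setdefault(dkim.group(1), {"sigs": []})["sigs"].append((parts[0], parts[3]))
        elif dmarc:
            entry = msgs.setdefault(dmarc.group(1), {"sigs": []})
            entry["from"], entry["dkim_align"] = dmarc.group(2), dmarc.group(3)
    return msgs

def diagnose(msg):
    """Classify a message by the logged status of signers aligned with the From domain."""
    hits = [status for status, dom in msg["sigs"] if aligned(dom, msg.get("from", ""))]
    if "pass" in hits:
        return "aligned-pass"
    if "none" in hits:
        return "aligned-none"
    return "aligned-other" if hits else "no-aligned-signer"

def report(log_text=SAMPLE_LOG):
    return {mid: (diagnose(m), m.get("dkim_align")) for mid, m in parse(log_text).items()}
```

On the sample, the first message id comes back as aligned-none with dkim_align=no and the second as aligned-pass with dkim_align=yes, matching the two runs shown in the post.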

