[exim] Re: Setting dkim_verify_minimal to true, does not ter…

Author: Sander Smeenk
Date:  
To: exim-users
Subject: [exim] Re: Setting dkim_verify_minimal to true, does not terminate validation after first success
Quoting Jeremy Harris via Exim-users (exim-users@???):

> Thanks. a5e7a642059e is an initial go; I'd appreciate your
> evaluation. I've not looked into any effect it has on DMARC,
> only that it seems to be doing the right thing for one DKIM test.


Awesome. This does exactly what I would expect, setting
dkim_verify_minimal to true.

| Exim version 4.97-a5e7a64 #1 built 10-Jul-2024 07:34:56



With dkim_verify_minimal set to false, both DKIM sigs get validated.
DMARC passes:
| DKIM--pass--bf02x.hubspotemail.net----bf02x.hubspotemail.net--@???--
| DKIM--pass--@???--@bf02x.hubspotemail.net--
| DKIM--pass--lease-a-bike.nl----lease-a-bike.nl--@???--
| DKIM--pass--@???--@lease-a-bike.nl--
| DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'


With dkim_verify_minimal set to true, the first encountered DKIM sig gets
validated. No further attempts are performed. DMARC passes:
| DKIM--pass--bf02x.hubspotemail.net----bf02x.hubspotemail.net--@???--
| DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'



With dkim_verify_minimal set to false, and one of the DKIM sigs broken,
the last DKIM signature still validates, DMARC passes:
| DKIM--fail--bf02x.hubspotemail.net--bodyhash_mismatch--bf02x.hubspotemail.net--@???--
| DKIM--fail--@???_mismatch--bf02x.hubspotemail.net--@???--
| DKIM--pass--lease-a-bike.nl----lease-a-bike.nl--@???--
| DKIM--pass--@???--@lease-a-bike.nl--
| DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'


With dkim_verify_minimal set to true, and one of the DKIM sigs broken,
the first broken sig is tested invalid, the next one validates, no
further attempts are made, DMARC passes:
| DKIM--fail--bf02x.hubspotemail.net--bodyhash_mismatch--bf02x.hubspotemail.net--@???--
| DKIM--fail--@???_mismatch--bf02x.hubspotemail.net--@???--
| DKIM--pass--lease-a-bike.nl----lease-a-bike.nl--@???--
| DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'



With dkim_verify_minimal set to false, and both DKIM sigs broken,
both are attempted, none succeed, DMARC fails:
| DKIM--fail--bf02x.hubspotemail.net--bodyhash_mismatch--bf02x.hubspotemail.net--@???--
| DKIM--fail--@???_mismatch--bf02x.hubspotemail.net--@???--
| DKIM--fail--lease-a-bike.nl--bodyhash_mismatch--lease-a-bike.nl--@???--
| DKIM--fail--@???_mismatch--lease-a-bike.nl--@???--
| DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=no enforcement='Reject'


And not unexpected: with dkim_verify_minimal set to true, and both DKIM
sigs broken, both are attempted, none succeed, DMARC fails as well.


As far as I can tell, this is how it should be!

Regards,
-Sander.
--
| With her marriage she got a new name and a dress.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
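
The early-termination behaviour reported in the message above can be checked mechanically over such log excerpts. This is an added example, not part of the original message and not Exim code; the function names are hypothetical, and it assumes the second `--`-separated field of each `DKIM--` line is the verification status.

```python
import re

# Log excerpts copied from the message above (one signature broken in both runs).
# "@???" is the list archive's address masking, kept as-is.
MINIMAL_FALSE = """\
| DKIM--fail--bf02x.hubspotemail.net--bodyhash_mismatch--bf02x.hubspotemail.net--@???--
| DKIM--fail--@???_mismatch--bf02x.hubspotemail.net--@???--
| DKIM--pass--lease-a-bike.nl----lease-a-bike.nl--@???--
| DKIM--pass--@???--@lease-a-bike.nl--
| DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'
"""
MINIMAL_TRUE = """\
| DKIM--fail--bf02x.hubspotemail.net--bodyhash_mismatch--bf02x.hubspotemail.net--@???--
| DKIM--fail--@???_mismatch--bf02x.hubspotemail.net--@???--
| DKIM--pass--lease-a-bike.nl----lease-a-bike.nl--@???--
| DMARC results: spf_domain=bf02x.hubspotemail.net dmarc_domain=lease-a-bike.nl spf_align=no dkim_align=yes enforcement='Accept'
"""

# Assumption: field 2 of a "DKIM--" line is the status (pass or fail).
DKIM_LINE = re.compile(r"^\s*\|?\s*DKIM--(pass|fail)--")
DMARC_LINE = re.compile(r"^\s*\|?\s*DMARC results:\s*(.*)$")

def summarize(excerpt):
    """Collect DKIM statuses in log order and the DMARC enforcement value."""
    statuses, dmarc = [], {}
    for line in excerpt.splitlines():
        m = DKIM_LINE.match(line)
        if m:
            statuses.append(m.group(1))
            continue
        m = DMARC_LINE.match(line)
        if m:
            dmarc = dict(kv.split("=", 1) for kv in m.group(1).split())
    first_pass = statuses.index("pass") if "pass" in statuses else None
    after = 0 if first_pass is None else len(statuses) - first_pass - 1
    return {"statuses": statuses, "first_pass": first_pass,
            "results_after_first_pass": after,
            "enforcement": dmarc.get("enforcement", "").strip("'")}

def stopped_after_first_success(excerpt):
    """True when a pass was logged and no DKIM result line follows it."""
    s = summarize(excerpt)
    return s["first_pass"] is not None and s["results_after_first_pass"] == 0

if __name__ == "__main__":
    for name, excerpt in (("false", MINIMAL_FALSE), ("true", MINIMAL_TRUE)):
        print(name, summarize(excerpt), stopped_after_first_success(excerpt))
```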

