Mailing List Archive: exim: users

rejected DKIM.

Index | Next | Previous | View Threaded

alexey at renatasystems

Nov 16, 2009, 6:14 AM

Post #1 of 4 (624 views)
Permalink

rejected DKIM.

Hello!

I'm trying to use DKIM on my FreeBSD 7.2 amd64 box with Exim 4.70 from
ports but all I get is that messages without DKIM signature rejected
with strange commentary: 550 Administrative prohibition

configure:

...

acl_smtp_dkim = acl_check_dkim

...

acl_check_dkim:

defer sender_domains = gmail.com
dkim_signers = gmail.com
dkim_status = none:invalid:fail
log_message = message must have a valid DKIM signature
message = try again later

accept

debug log generated with -d+all -bhc 89.222.154.118 (real domain name screened
for corp security, sorry):

13:43:04 66034 >>Generated Received: header line
13:43:04 66034 P Received: from [89.222.154.118] (helo=foo)
13:43:04 66034 by mx-2.example.com with smtp (Exim)
13:43:04 66034 message id 1NA1rB-000HB4-Mk
13:43:04 66034 for a.degtyarev [at] example; Mon, 16 Nov 2009 13:43:04 +0000
13:43:04 66034 expanding: $dkim_signers
13:43:04 66034 result:
13:43:04 66034 SMTP>> 550 Administrative prohibition
550 Administrative prohibition
13:43:04 66034 LOG: MAIN REJECT
13:43:04 66034 H=(foo) [89.222.154.118] rejected DKIM : ╨
13:43:04 66034 smtp_setup_msg entered

Messages with valid DKIM signature processed ok. The mail server was running
for a long time (before upgrade) well and the mail recieved and processed
correct. All I done is binary upgrade from 4.69 to 4.70 and add configure
parameters above.

Eximstats shows that rejects in even more strange manner:

3 Rejected DKIM: <BA>^A
2 Rejected DKIM: x<E6>A

Am I missed something?

# exim -d
Exim version 4.70 (FreeBSD 7.2) uid=0 gid=0 pid=66605 D=fbb95cfd
Berkeley DB: Berkeley DB 4.7.25: (May 15, 2008)
Support for: crypteq iconv() IPv6 use_setclassresources PAM Perl Expand_dlfunc OpenSSL Content_Scanning DKIM Old_Demime Experimental_SPF Experimental_DCC
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm nis nis0 passwd
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
OpenSSL compile-time version: OpenSSL 0.9.8e 23 Feb 2007
OpenSSL runtime version: OpenSSL 0.9.8e 23 Feb 2007

--
Alexey V. Degtyarev

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

tom at duncanthrax

Nov 16, 2009, 6:38 AM

Post #2 of 4 (588 views)
Permalink

Re: rejected DKIM. [In reply to]

Alexey V. Degtyarev wrote:

> I'm trying to use DKIM on my FreeBSD 7.2 amd64 box with Exim 4.70 from
> ports but all I get is that messages without DKIM signature rejected
> with strange commentary: 550 Administrative prohibition

This is a bug in 4.70 that appears when the expanded value of
dkim_verify_signers winds up empty, and you have acl_smtp_dkim defined.

To temporarily fix this, set

dkim_verify_signers = $dkim_signers:work.around

in the main configuration section. This should not have any ill effects
except for some minor processing overhead.

A proper fix is in CVS/GIT. We'll release 4.71 at the end of the week.
We're just waiting for more post-release fallout ...

Sorry,

/tom

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

ler at lerctr

Nov 16, 2009, 6:44 AM

Post #3 of 4 (647 views)
Permalink

Re: rejected DKIM. [In reply to]

On Mon, 16 Nov 2009, Tom Kistner wrote:

> Alexey V. Degtyarev wrote:
>
>> I'm trying to use DKIM on my FreeBSD 7.2 amd64 box with Exim 4.70 from
>> ports but all I get is that messages without DKIM signature rejected
>> with strange commentary: 550 Administrative prohibition
>
> This is a bug in 4.70 that appears when the expanded value of
> dkim_verify_signers winds up empty, and you have acl_smtp_dkim defined.
>
> To temporarily fix this, set
>
> dkim_verify_signers = $dkim_signers:work.around
>
> in the main configuration section. This should not have any ill effects
> except for some minor processing overhead.
>
> A proper fix is in CVS/GIT. We'll release 4.71 at the end of the week.
> We're just waiting for more post-release fallout ...
Thanks, Tom. This also explains my problem that I posted.

>
> Sorry,
>
> /tom
>
>

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler [at] lerctr
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

alexey at renatasystems

Nov 16, 2009, 8:49 AM

Post #4 of 4 (585 views)
Permalink

Re: rejected DKIM. [In reply to]

On 15:38 Mon 16 Nov, Tom Kistner wrote:

> Alexey V. Degtyarev wrote:
>
> > I'm trying to use DKIM on my FreeBSD 7.2 amd64 box with Exim 4.70 from
> > ports but all I get is that messages without DKIM signature rejected
> > with strange commentary: 550 Administrative prohibition
>
> This is a bug in 4.70 that appears when the expanded value of
> dkim_verify_signers winds up empty, and you have acl_smtp_dkim defined.
>
> To temporarily fix this, set
>
> dkim_verify_signers = $dkim_signers:work.around
>
> in the main configuration section. This should not have any ill effects
> except for some minor processing overhead.
>
> A proper fix is in CVS/GIT. We'll release 4.71 at the end of the week.
> We're just waiting for more post-release fallout ...
>
> Sorry,

Thank you! The problem fixed with [1].

[1] http://git.exim.org/exim-src.git/patch/5d4d946a3f205c50ce05f50e1126f98913ed8fea

>
> /tom

--
Alexey V. Degtyarev

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads