
Mailing List Archive: exim: users

dkim error in paniclog

 

 



ke at helinet

Dec 3, 2009, 3:00 AM

Post #1 of 10 (2595 views)
dkim error in paniclog

Hi all,

after upgrading to exim 4.71 we get the following error in paniclog:

2009-12-02 22:06:05 1NFwOj-0005JP-2X DKIM: Error while running this message
through validation, disabling signature verification.
2009-12-03 00:36:35 1NFykN-0007Js-6B DKIM: Error while running this message
through validation, disabling signature verification.
2009-12-03 01:01:03 1NFz83-0001RP-9U DKIM: Error while running this message
through validation, disabling signature verification.

The error does only occur from time to time, the messages are delivered
anyway. Out of 9000 mails with dkim-Header, we got only 12 error messages.
DKIM is not used in any acl, this is only the default dkim validation.

As the error is logged to paniclog, I suggest I should react in some way. ;-)
Can anybody give me any advice what to do?

Unfortunately, I don't have access to the headers, as the mails get delivered
to our customers.
System is debian.

--

Thanks in advance,

Kerstin


iane at sussex

Dec 3, 2009, 4:38 AM

Post #2 of 10 (2524 views)
Re: dkim error in paniclog [In reply to]

--On 3 December 2009 12:00:14 +0100 Kerstin Espey <ke [at] helinet> wrote:

>
> Unfortunately, I don't have access to the headers, as the mails get
> delivered to our customers.
> System is debian.
>

You could change your configuration to copy DKIM headers to your log files.



--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


tom at duncanthrax

Dec 3, 2009, 5:20 AM

Post #3 of 10 (2524 views)
Re: dkim error in paniclog [In reply to]

Kerstin Espey wrote:

> 2009-12-02 22:06:05 1NFwOj-0005JP-2X DKIM: Error while running this message
> through validation, disabling signature verification.
> 2009-12-03 00:36:35 1NFykN-0007Js-6B DKIM: Error while running this message
> through validation, disabling signature verification.
> 2009-12-03 01:01:03 1NFz83-0001RP-9U DKIM: Error while running this message
> through validation, disabling signature verification.

> Unfortunately, I don't have access to the headers, as the mails get delivered
> to our customers.

Can you send me the envelope sender for a few of those samples, or
better, log the DKIM-Signature header and send that to me?

If possible, please intercept samples and re-run them through an Exim
session with debug output enabled. If the sample(s) do not contain
sensitive data, you can also send them to me for analysis.

Thanks,

/tom



ke at helinet

Dec 4, 2009, 12:53 AM

Post #4 of 10 (2506 views)
Re: dkim error in paniclog [In reply to]

On Thursday, 3 December 2009, Tom Kistner wrote:
[...]
> >
> > Unfortunately, I don't have access to the headers, as the mails get
> > delivered to our customers.
>
> Can you send me the envelope sender for a few of those samples, or
> better, log the DKIM-Signature header and send that to me?

Am I right, there is no log_selector to log the dkim-header?
I have added this to acl_smtp_data

warn condition = ${if def:h_dkim-signature:}
log_message = DKIM-Signature $h_dkim-signature

but it does not log any signature.
>
> If possible, please intercept samples and re-run them through an Exim
> session with debug output enabled. If the sample(s) do not contain
> sensitive data, you can also send them to me for analysis.
>
This is really difficult, as German data protection law is very strict.

The last occurrence was 2009-12-03 23:07:43.

These are some logs:

2009-12-02 08:43:57 1NFjsT-0000Jz-11 DKIM: Error while running this
message through validation, disabling signature verification.
2009-12-02 08:43:57 1NFjsT-0000Jz-11 <= root [at] eu1
H=(eu1.dbware.biz) [89.149.229.200] P=esmtp S=30278 for
user [at] soestcom
2009-12-02 08:43:57 1NFjsT-0000Jz-11 =>
user [at] imp (user [at] helimail,
user [at] helimail) <user [at] soestcom> R=spamd_smart_route
T=intern_smtp H=192.168.111.124 [192.168.111.124] C="250 OK
id=1NFjsT-0002a5-OH"
2009-12-02 08:43:57 1NFjsT-0000Jz-11 Completed

2009-12-02 11:01:03 1NFm17-00079m-VR DKIM: Error while running this
message through validation, disabling signature verification.
2009-12-02 11:01:05 1NFm17-00079m-VR <= events [at] allesheute
H=web06.empirion.at [80.245.192.121] P=esmtp S=39495
id=9B57B214930D47BB861B26C9CB42E2C2 [at] empirion for glenz [at] helimail
2009-12-02 11:01:06 1NFm17-00079m-VR => user [at] imp
(user [at] helimail) <user [at] helimail> R=spamd_smart_route
T=intern_smtp H=192.168.111.124 [192.168.111.124] C="250 OK
id=1NFm1C-0006S9-22"
2009-12-02 11:01:06 1NFm17-00079m-VR Completed

2009-12-02 11:05:57 1NFm5t-00080t-RD DKIM: Error while running this
message through validation, disabling signature verification.
2009-12-02 11:05:58 1NFm5t-00080t-RD <=
bounceind17 [at] campaignserver1 H=s15223426.onlinehome-server.info
(s15223426) [87.106.25.17] P=esmtp S=23171
id=20091202110557.416498156 [at] campaignserver1 for
user [at] helimail
2009-12-02 11:05:58 1NFm5t-00080t-RD =>
user [at] imp (user [at] helimail)
<user [at] helimail> R=spamd_smart_route T=intern_smtp
H=192.168.111.27 [192.168.111.27] C="250 OK id=1NFm5u-0003xF-OL"
2009-12-02 11:05:58 1NFm5t-00080t-RD Completed

2009-12-02 11:09:38 1NFm9S-0008KI-82 DKIM: Error while running this
message through validation, disabling signature verification.
2009-12-02 11:09:39 1NFm9S-0008KI-82 <= bounces [at] jslr18
H=ks355456.kimsufi.com [91.121.123.159] P=esmtp S=25316
id=20091202101320.22410.qmail [at] ks355456 for user [at] helimail
2009-12-02 11:09:39 1NFm9S-0008KI-82 => user [at] imp
(user [at] helimail) <user [at] helimail> R=spamd_smart_route
T=intern_smtp H=192.168.111.27 [192.168.111.27] C="250 OK
id=1NFm9T-0004Gb-4Y"
2009-12-02 11:09:39 1NFm9S-0008KI-82 Completed

2009-12-02 13:13:33 1NFo5M-00050q-Vg DKIM: Error while running this
message through validation, disabling signature verification.
2009-12-02 13:13:33 1NFo5M-00050q-Vg <= dell_technical_updates [at] dell
H=s15324915.onlinehome-server.info (s15324915) [87.106.249.175] P=esmtp
S=141639 id=AUSOLADPPROC1a8160ab4fc6f4c4bb2aa6b97e5f493de [at] AUSOLADPPROC
for user [at] helimail
2009-12-02 13:13:34 1NFo5M-00050q-Vg =>
user [at] imp (user [at] helimail)
<user [at] helimail> R=spamd_smart_route T=intern_smtp
H=192.168.111.124 [192.168.111.124] C="250 OK id=1NFo5O-0000oj-4L"
2009-12-02 13:13:34 1NFo5M-00050q-Vg Completed


--

Regards, Kerstin


ke at helinet

Dec 17, 2009, 1:59 AM

Post #5 of 10 (2359 views)
Re: dkim error in paniclog [In reply to]

On Thursday, 3 December 2009, Kerstin Espey wrote:
> Hi all,
>
> after upgrading to exim 4.71 we get the following error in paniclog:
>
> 2009-12-02 22:06:05 1NFwOj-0005JP-2X DKIM: Error while running this message
> through validation, disabling signature verification.
> 2009-12-03 00:36:35 1NFykN-0007Js-6B DKIM: Error while running this message
> through validation, disabling signature verification.
> 2009-12-03 01:01:03 1NFz83-0001RP-9U DKIM: Error while running this message
> through validation, disabling signature verification.
>

Still no one else with this error?

We have done some more debugging, but without success until now.:-(

We now have a list of 17 IP addresses, which do often trigger the error. It
looks like it depends on the sender address, if we get the error or not.
I have done a tcpdump for some of these ip, and passed the data to exim with
debugging mode enabled. No error occurs.

The mails I have seen so far, are sent from qmail-servers. But I'm not sure if
this is always the case. They don't have any dkim-header, but a header
"DomainKey-Status: no signature".
All of them seem to be newsletters.

Any ideas on how to go on?

--
Thanks in advance,

Kerstin


jethro.binks at strath

Dec 17, 2009, 2:31 AM

Post #6 of 10 (2365 views)
Re: dkim error in paniclog [In reply to]

On Thu, 17 Dec 2009, Kerstin Espey wrote:

> > after upgrading to exim 4.71 we get the following error in paniclog:
> >
> > 2009-12-02 22:06:05 1NFwOj-0005JP-2X DKIM: Error while running this message
> > through validation, disabling signature verification.
> > 2009-12-03 00:36:35 1NFykN-0007Js-6B DKIM: Error while running this message
> > through validation, disabling signature verification.
> > 2009-12-03 01:01:03 1NFz83-0001RP-9U DKIM: Error while running this message
> > through validation, disabling signature verification.
> >
>
> Still no one else with this error?

Sorry, yes, I get it too, but I don't have anything much to offer.

That's not strictly true, I did start to write something about this and
other issues but have not sent it. Made some documentation comments in
bugzilla.

> We now have a list of 17 IP addresses, which do often trigger the error.
> It looks like it depends on the sender address, if we get the error or
> not. I have done a tcpdump for some of these ip, and passed the data to
> exim with debugging mode enabled. No error occurs.
>
> The mails I have seen so far, are sent from qmail-servers. But I'm not
> sure if this is always the case. They don't have any dkim-header, but a
> header "DomainKey-Status: no signature". All of them seem to be
> newsletters.

I had added to data acl:

warn
condition = ${if def:h_dkim-signature:}
log_message = Recording DKIM-Signature: $h_dkim-signature

but it didn't record anything for these failing messages. I hadn't got
any further, so your comment about "DomainKey-Status: no signature" was
news to me, and maybe explains why I get nothing logged.

Here are the hosts I see:


Hmm. Looking more closely at them, the yahoo ones are more suspicious.
Seemingly the validation error occurred but I also did record the
signature header, which I will send to Tom direct to take a look at.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK



alexey at renatasystems

Dec 17, 2009, 2:34 AM

Post #7 of 10 (2362 views)
Re: dkim error in paniclog [In reply to]

On 10:59 Thu 17 Dec, Kerstin Espey wrote:

> Am Donnerstag 03 Dezember 2009 schrieb Kerstin Espey:
> >
> > after upgrading to exim 4.71 we get the following error in paniclog:
> >
> > 2009-12-02 22:06:05 1NFwOj-0005JP-2X DKIM: Error while running this message
> > through validation, disabling signature verification.
> > 2009-12-03 00:36:35 1NFykN-0007Js-6B DKIM: Error while running this message
> > through validation, disabling signature verification.
> > 2009-12-03 01:01:03 1NFz83-0001RP-9U DKIM: Error while running this message
> > through validation, disabling signature verification.
> >
> Still no one else with this error?

No no, the same here.

> We have done some more debugging, but without success until now.:-(
>
> We now have a list of 17 IP addresses, which do often trigger the error. It
> looks like it depends on the sender address, if we get the error or not.
> I have done a tcpdump for some of these ip, and passed the data to exim with
> debugging mode enabled. No error occurs.
>
> The mails I have seen so far, are sent from qmail-servers. But I'm not sure if
> this is always the case. They don't have any dkim-header, but a header
> "DomainKey-Status: no signature".
> All of them seem to be newsletters.
>
> Any ideas on how to go on?

The servers are under heavy production; for almost 100k messages per day
there are about 100 DKIM errors "while running this message through
validation". I have no idea how to troubleshoot that.

--
Alexey V. Degtyarev



tom at duncanthrax

Dec 17, 2009, 4:38 AM

Post #8 of 10 (2360 views)
Re: dkim error in paniclog [In reply to]

On 17.12.2009 10:59, Kerstin Espey wrote:

> Still no one else with this error?

I'll add more debug output to the main log, which will include the error
code returned from the library.

Looking through the code, these are the most likely causes for the failures:

1) The message has more than 512 headers.
2) The message contains a single line longer than 16k bytes.

Both are limits that can be tweaked in src/pdkim/pdkim.c. They are set
to avoid DoS scenarios.

/tom



ke at helinet

Dec 18, 2009, 2:27 AM

Post #9 of 10 (2339 views)
Re: dkim error in paniclog [In reply to]

On Thursday, 17 December 2009, Tom Kistner wrote:
[...]
>
> Looking through the code, these are the most likely causes for the
> failures:
>
> 1) The message has more than 512 headers.
> 2) The message contains a single line longer than 16k bytes.
>
That's it! Thanks a lot for this information. :-) At least Dell is sending
out newsletter with 101k bytes in one single line!

Saving the tcp stream in wireshark as ascii, does cause line breaks. That's
why I didn't get an error message passing the dump to exim.
Saving the tcp stream as raw, does show the long lines.

> Both are limits that can be tweaked in src/pdkim/pdkim.c. They are set
> to avoid DoS scenarios.
>
That does make sense. But is it necessary to look at the body, if there isn't
any dkim-signature at all?

--
Regards, Kerstin
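
As an added illustration (not code from this thread or from Exim), the following checks raw message bytes against the two limits Tom lists and reproduces why a re-wrapped capture hid the trigger. The function names, the constructed sample message and the reading of "16k" as 16384 are assumptions; the real checks live in src/pdkim/pdkim.c.

```python
MAX_HEADERS = 512            # limit quoted in the thread
MAX_LINE_BYTES = 16 * 1024   # "16k bytes" in the thread, read as 16384 (assumption)

def scan_message(raw: bytes) -> dict:
    """Count header fields and find the longest physical line in raw message bytes."""
    lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    header_fields, in_headers = 0, True
    longest, longest_at = 0, 0
    for number, line in enumerate(lines, start=1):
        if in_headers:
            if line == b"":
                in_headers = False          # blank line ends the header section
            elif line[:1] not in (b" ", b"\t"):
                header_fields += 1          # folded continuation lines are not counted
        if len(line) > longest:
            longest, longest_at = len(line), number
    reasons = []
    if header_fields > MAX_HEADERS:
        reasons.append(f"{header_fields} header fields exceed {MAX_HEADERS}")
    if longest > MAX_LINE_BYTES:
        reasons.append(f"line {longest_at} is {longest} bytes, over {MAX_LINE_BYTES}")
    return {"header_fields": header_fields, "longest_line": longest,
            "longest_line_number": longest_at, "reasons": reasons}

def build_sample(body_line_len: int, extra_headers: int = 0) -> bytes:
    """Constructed message: a few headers plus one unbroken body line."""
    headers = [b"From: newsletter@example.org", b"To: user@example.net",
               b"Subject: constructed sample", b"DomainKey-Status: no signature"]
    headers += [b"X-Pad-%d: x" % i for i in range(extra_headers)]
    return b"\r\n".join(headers) + b"\r\n\r\n" + b"A" * body_line_len + b"\r\n"

def rewrap(raw: bytes, width: int = 80) -> bytes:
    """Imitate a text export that breaks long lines, hiding the trigger."""
    out = []
    for line in raw.split(b"\r\n"):
        out.extend([line[i:i + width] for i in range(0, len(line), width)] or [b""])
    return b"\r\n".join(out)

if __name__ == "__main__":
    raw = build_sample(101 * 1024)          # one 101k-byte line, as reported in the thread
    print("raw capture:    ", scan_message(raw)["reasons"])
    print("re-wrapped copy:", scan_message(rewrap(raw))["reasons"])
    print("many headers:   ", scan_message(build_sample(100, 600))["reasons"])
```

Run it over the raw bytes of a capture (or a spool copy), never over a text export, since only the raw form preserves the original line lengths.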



eximusers at downhill

Feb 1, 2010, 10:41 AM

Post #10 of 10 (1958 views)
Re: dkim error in paniclog [In reply to]

On 2009-12-17 Tom Kistner wrote:
[...]
> Looking through the code, these are the most likely causes for the
> failures:
>
> 1) The message has more than 512 headers.
> 2) The message contains a single line longer than 16k bytes.

> Both are limits that can be tweaked in src/pdkim/pdkim.c. They are set
> to avoid DoS scenarios.

Hello,

this has come up again in <http://bugs.debian.org/567876>. Since the
triggered error message is not of the "oh no, something horribly and
unexpected broke, let's warn the admin about pending dooom."-kind it
should not go to paniclog (but only to mainlog). Further on a little
more verbosity could not hurt, dkim_exim_verify_feed's exit code
would provide more info.

thanks, cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


