Mailing List Archive: exim: users

Exim 4.77 and understanding DKIM signature verification and DKIM ACL

Index | Next | Previous | View Threaded

mike.tubby at thorcom

Apr 14, 2012, 2:04 PM

Post #1 of 4 (597 views)
Permalink

Exim 4.77 and understanding DKIM signature verification and DKIM ACL

All,

I haven't put in much of an appearance here for a couple of years, but a
long time ago Peter Bowyer and myself built a mail relay system, its
been running Exim 4.63 for years on Fedora 6 and I've just come to do a
major upgrade on it and replace it with Exim 4.77 and Ubuntu 12.4 LTS
server.

We had experimental DomainKeys on the old system and I've replaced it
with Exim's in-built DKIM and I'm having some trouble getting my head
around the way it works, or more precisely, the way it confuses me...

What I am trying to do:

a) accept messages that are correctly signed
b) reject (deny) messages that are incorrectly signed
c) defer for messages that are signed but we can't verify them for
a transient reason (eg. can't reach their DNS)
d) accept all messages that have no signature
e) maintain sufficient information in the logs so that I can
understand what is going on

What I have:

* Pentuim 4 2.8GHz server, 1Gb RAM, 250Gb HDD
* Ubuntu 12.4 LTS Server (Beta2)
* Exim-4.77 built from source with experimental SPF, SRS, DKIM,
MySQL and a few other bits and pieces
* latest ClamAV, SpamAssassin, etc.

Here is my current config pertaining to the DKIM parts:

# mysql table with things like paypal.com, ebay.com, google.com etc.
SELECT_DKIM_KNOWN_SIGNERS = select domain from dkim_known_signers where
active=1;
DKIM_KNOWN_SIGNERS = ${lookup
mysql{SELECT_DKIM_KNOWN_SIGNERS}{${sg{$value}{\\n}{ : }} }}

# list of signers we should attempt to verify
dkim_verify_signers = $dkim_signers : $sender_address_domain :
DKIM_KNOWN_SIGNERS

acl_check_dkim:

#
# debugging
#
warn logwrite = DKIM TEST: domain=$sender_address_domain
possible_signer=$dkim_cur_signer status=$dkim_verify_status
reason=$dkim_verify_reason

#
# skip DKIM if domain whitelisted for DKIM, i.e. known good
domain that has broken DKIM
#
accept sender_domains = +dkim_whitelist_domains
logwrite = DKIM SKIP: Skipping DKIM checks for
whitelisted domain: $sender_address_domain

#
# skip DKIM checks on hosts we relay for
#
accept hosts = +relay_from_hosts
logwrite = DKIM SKIP: Skipping DKIM checks for relay
host: $sender_fullhost

#
# skip DKIM checks on authenticated hosts (that we also relay for)
#
accept authenticated = *
logwrite = DKIM SKIP: Skipping DKIM checks for
authenticated host: $sender_fullhost

#
# defer when message not testable, e.g. can't get public key, etc.
#
defer dkim_status = invalid
message = Message from $sender_address_domain cannot be
verified
logwrite = DKIM DEFER: domain=$sender_address_domain

#
# deny when message fails signature test
#
deny dkim_status = fail
message = Message from $sender_address_domain has
invalid DKIM signature
logwrite = DKIM DENY: domain=$sender_address_domain

#
# accept the message (correctly signed)
#
accept
sender_domains = $sender_address_domain
dkim_signers = $sender_address_domain
dkim_status = pass
logwrite = DKIM MATCH: domain=$sender_address_domain
signer=$dkim_cur_signer status=$dkim_verify_status
add_header = :after_received:X-DKIM-Result:
domain=$sender_address_domain result=signature ok

#
# accept anything else
#
accept
# debugging
logwrite = DKIM DEFAULT: Accept at end of ACL:
domain=$sender_address_domain

I see some discrepancies between documented and actual behaviour (and
what I expected or would like to see :-)

Exim's documentation (Chapter 54 section 2) states: "Verification of
DKIM signatures in incoming email is implemented via the acl_smtp_dkim
ACL. By default, this ACL is called once for each syntactically(!)
correct signature in the incoming message."

If I leave $dkim_verify_signers set to default ($dkim_signers) and I
receive a signed mail message then I see what I would expect:

2012-04-14 07:18:07 1SIwJD-0000k1-3k DKIM: d=mail.dealcloud.co.uk s=key1
c=relaxed/relaxed a=rsa-sha1 i=deals [at] mail [verification
succeeded]
2012-04-14 07:18:07 1SIwJD-0000k1-3k DKIM START:
domain=xpressus.emarsys.net signer=mail.dealcloud.co.uk status=pass reason=
2012-04-14 07:18:07 1SIwJD-0000k1-3k DKIM ACCEPT:
domain=xpressus.emarsys.net signer=mail.dealcloud.co.uk status=pass
2012-04-14 07:18:07 1SIwJD-0000k1-3k DKIM START:
domain=xpressus.emarsys.net signer=deals [at] mail
status=pass reason=
2012-04-14 07:18:07 1SIwJD-0000k1-3k DKIM ACCEPT:
domain=xpressus.emarsys.net signer=deals [at] mail status=pass

the above example appears to have two signatures and the ACL is called
twice, both signers pass and on both occasions the ACL returns accept
before reaching the bottom.

However, if I set $dkim_verify_signers to the compound list
(dkim_verify_signers = $dkim_signers : $sender_address_domain :
DKIM_KNOWN_SIGNERS) then the DKIM ACL gets called even when Exim has not
generated its initial "DKIM: d= s= c= a= i= [status]" message (that
it generates when it detects a signature) - here it is doing it:

2012-04-14 21:08:51 CONNECT: New connection from 194.25.134.18:38422 -> 25
2012-04-14 21:08:53 CONNECT: Accepting connection from: 194.25.134.18 as
not blocked by any DNSRBL
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM TEST: domain=t-online.de
possible_signer=t-online.de status=none reason=
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM DEFAULT: Accecpt at end of
ACL: domain=t-online.de
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM TEST: domain=t-online.de
possible_signer=ebay.com status=none reason=
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM DEFAULT: Accecpt at end of
ACL: domain=t-online.de
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM TEST: domain=t-online.de
possible_signer=paypal.com status=none reason=
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM DEFAULT: Accecpt at end of
ACL: domain=t-online.de
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM TEST: domain=t-online.de
possible_signer=paypal.co.uk status=none reason=
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM DEFAULT: Accecpt at end of
ACL: domain=t-online.de
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM TEST: domain=t-online.de
possible_signer=ebay.co.uk status=none reason=
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM DEFAULT: Accecpt at end of
ACL: domain=t-online.de
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM TEST: domain=t-online.de
possible_signer=yahoo.com status=none reason=
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM DEFAULT: Accecpt at end of
ACL: domain=t-online.de
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM TEST: domain=t-online.de
possible_signer=yahoo.co.uk status=none reason=
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM DEFAULT: Accecpt at end of
ACL: domain=t-online.de
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM TEST: domain=t-online.de
possible_signer=gmail.com status=none reason=
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM DEFAULT: Accecpt at end of
ACL: domain=t-online.de
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM TEST: domain=t-online.de
possible_signer=googlemail.com status=none reason=
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM DEFAULT: Accecpt at end of
ACL: domain=t-online.de
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM TEST: domain=t-online.de
possible_signer=google.com status=none reason=
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ DKIM DEFAULT: Accecpt at end of
ACL: domain=t-online.de
2012-04-14 21:08:53 1SJ9HB-0003S3-CZ MIME: Checking status: 1

so, it iterates over all of the entries in $dkim_verify_signers and
*not* all of the signatures in the email (since there are none) - is
this not a bug - I can't see the point of the ACL being called for the
contents of $dkim_verify_signers ?

Next, for the testing that I think that I want to do I'm trying to find
the first definite 'accept' (good signature) or 'deny' (bad signature)
and bail out of the ACL checking for the message at that point. I can't
see the point in carrying on calling the ACL when we know we want to
bail out - I think what is needed is a bit like a "no_more" when
routing, for example:

deny dkim_status = fail
message = Message from $sender_address_domain has
invalid DKIM signature
logwrite = DKIM DENY: domain=$sender_address_domain
no_more // return 'deny' and exit the DKIM ACL
altogether

One of the conditions that I'm not sure how we resolve (or even it it
ever happens) is what we do if there are two signatures on an incoming
message and one is good (pass) and one is bad (fail) - but I guess this
is down to the ACL creator ;-)

Mike

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

jgh at wizmail

Apr 14, 2012, 3:15 PM

Post #2 of 4 (557 views)
Permalink

Re: Exim 4.77 and understanding DKIM signature verification and DKIM ACL [In reply to]

On 2012-04-14 22:04, Michael J. Tubby B.Sc G8TIC wrote:
> One of the conditions that I'm not sure how we resolve (or even it it ever happens) is what we do if there are two signatures on an incoming message and one is good (pass) and one is bad (fail) - but I guess this is down to the ACL creator ;-)

I'm not a DKIM user myself, but I see plenty of mails through my system
that are described exactly like that.....
--
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

exim-users at spodhuis

Apr 15, 2012, 1:25 AM

Post #3 of 4 (559 views)
Permalink

Re: Exim 4.77 and understanding DKIM signature verification and DKIM ACL [In reply to]

On 2012-04-14 at 23:15 +0100, Jeremy Harris wrote:
> On 2012-04-14 22:04, Michael J. Tubby B.Sc G8TIC wrote:
> > One of the conditions that I'm not sure how we resolve (or even it it ever happens) is what we do if there are two signatures on an incoming message and one is good (pass) and one is bad (fail) - but I guess this is down to the ACL creator ;-)
>
> I'm not a DKIM user myself, but I see plenty of mails through my system
> that are described exactly like that.....

Most mailing-list software breaks DKIM signatures. Rejecting based on a
broken DKIM signature will reject mail from most mailing-lists where the
poster uses DKIM and the list ignores DKIM.

For instance: most mail from me.

(Some might regard that as a good thing.)

Before rejecting on bad DKIM signatures, you should look for other
indications of the message's origin and path to you and perhaps skip the
DKIM check accordingly. Pure DKIM is only worth rejecting on for
transactional mails that should not have gone through a mailing-list;
eg, Paypal notifications.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

iane at sussex

Apr 16, 2012, 4:05 AM

Post #4 of 4 (556 views)
Permalink

Re: Exim 4.77 and understanding DKIM signature verification and DKIM ACL [In reply to]

On 14 Apr 2012, at 23:15, Jeremy Harris wrote:
> On 2012-04-14 22:04, Michael J. Tubby B.Sc G8TIC wrote:
>> One of the conditions that I'm not sure how we resolve (or even it it ever happens) is what we do if there are two signatures on an incoming message and one is good (pass) and one is bad (fail) - but I guess this is down to the ACL creator ;-)
>
> I'm not a DKIM user myself, but I see plenty of mails through my system
> that are described exactly like that.....

That's quite a normal situation. Mailing lists tend to break DKIM signatures. However, it's recommended practice for a mailing list to add its own signature, and not remove the signature that it has just broken (e.g., by adding a footer to the message, or by adding a prefix to the Subject line).

The broken signature is not removed because it carries potentially useful information, even though that information cannot be relied upon.
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads