Log recipient with DKIM failures
Hello,

Sometimes I receive messages that fail the DKIM test and are thus
rejected. Sometimes, the sender complains about that (like mailing lists
being annoyed about bounced messages that they broke) or the recipient
misses a message and asks me where it went. Then I'll have to dig deep
into the Exim log to find the message by its timestamp because that's
all I have.

The log lines look like this:

> 2021-04-29 22:58:46 +0200 1lcDkD-00DLFl-S2 DKIM: validation error: Public key signature verification has failed.
> 2021-04-29 22:58:46 +0200 1lcDkD-00DLFl-S2 DKIM test failed: signature_incorrect
> 2021-04-29 22:58:46 +0200 1lcDkD-00DLFl-S2 H=pb1.pair.com (lists.php.net) [76.75.200.58] rejected DKIM : DKIM test failed: signature_incorrect

There's nothing about the sender or recipient in the main log. The
reject log doesn't contain that message at all. But in order to give the
mailbox owner some information about the rejected message, I have to
know the recipient of the rejected message.

What can I add to my Exim configuration to include that data in the
logs? The best option would be to include such events in the reject log
because that's already my main source for that and it has all the
details like sender and subject.

-Yves

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Log recipient with DKIM failures
On 18/05/2021 08:24, Yves Goergen via Exim-users wrote:
> DKIM test failed

This text does not appear in Exim source code. I assume it is
a custom log line from your config, so you just need to
enhance that. Have a look at the $recipients and
$h_Subject: variables.

--
Cheers,
Jeremy

Re: Log recipient with DKIM failures
I have this in my config:

-----
acl_check_dkim:
(...)

  deny
    dkim_status = fail
    logwrite    = DKIM test failed: $dkim_verify_reason
    message     = DKIM test failed: $dkim_verify_reason
    add_header  = X-DKIM: DKIM test failed: (address=$sender_address domain=$dkim_cur_signer), signature is bad.

(...)
-----

After reading the Exim manual on logs and ACL some more, I assume that I
have to deny the DATA ACL to have the message written to the reject log
and this is not possible from the DKIM ACL. Is that correct? I couldn't
find that statement explicitly anywhere. The description of the reject
log is a bit vague in what goes into it.

Can I instead not deny the DKIM ACL but just set a variable that I can
use to deny the DATA ACL later? Would that be a possible/good solution
to have all the usual details about the rejected message?

Having such long and arbitrary content as a subject might be problematic
in a single log line with the other data.

-Yves


-------- Original Message --------
From: Jeremy Harris via Exim-users <exim-users@exim.org>
Sent: Tuesday, 18 May 2021, 10:32 CEST
Subject: [exim] Log recipient with DKIM failures
Re: Log recipient with DKIM failures
On 18/05/2021 10:09, Yves Goergen via Exim-users wrote:
> After reading the Exim manual on logs and ACL some more, I assume that I have to deny the DATA ACL to have the message written to the reject log and this is not possible from the DKIM ACL. Is that correct? I couldn't find that statement explicitly anywhere.

No.

http://exim.org/exim-html-current/doc/html/spec_html/ch-dkim_spf_and_dmarc.html#SECDKIM
section 3:

"If any ACL call does not accept, the message is not accepted."

Admittedly it doesn't use the word "reject", but the intent seems clear to me
that the message gets rejected. Also, per the chapter on Log Files,
the rejectlog should be getting the full set of (original) message
headers.


Alternatively you could write direct to the reject log from the
DKIM ACL, using logwrite with a log name specifier.
--
Cheers,
Jeremy
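Putting the two suggestions from this thread together (the `$recipients` and `$h_Subject:` variables, and `logwrite` with a log name specifier), here is an added example of what the deny stanza could look like; it is not Yves' config or anything from the Exim project, and the `${length_200:...}` cap on the subject is my own choice to address the long-subject concern raised earlier in the thread.

```exim
# Added example, not the poster's configuration: on a DKIM failure,
# reject the message and write one line that carries the envelope
# sender, the envelope recipients and the subject straight into the
# reject log, so a rejected message can be traced without the timestamp.
acl_check_dkim:
  # (... other verbs of the real ACL would precede this ...)

  deny
    dkim_status = fail
    # ":reject:" is the log name specifier: this line goes to the
    # rejectlog instead of the mainlog (":main,reject:" writes to both).
    # $recipients is the comma-separated envelope recipient list; the
    # message has already been received when the DKIM ACL runs.
    # The Subject header is sender-controlled text; length_200 bounds how
    # much of it lands in the log line (200 is a constructed value).
    logwrite    = :reject: DKIM test failed: $dkim_verify_reason \
                  signer=$dkim_cur_signer from=<$sender_address> \
                  to=<$recipients> subject="${length_200:$h_Subject:}"
    message     = DKIM test failed: $dkim_verify_reason
```

The logwrite line is written in addition to the rejection entry the deny itself produces, so the recipient is in the reject log even if the header dump there is hard to read.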
