dkim=fail (body hash mismatch; body probably modified in transit)
Dear Colleagues,

I have an exim 4.95 installation sending DKIM-signed mails to two
other exim servers. On one of the receiving servers (FreeBSD,exim-4.95_5),
I see that the DKIM check is successful:

Authentication-Results: XXXXXX;
iprev=pass (www.library.tomsk.ru) smtp.remote-ip=95.170.141.50;
spf=pass smtp.mailfrom=library.tomsk.ru;
dkim=pass header.d=library.tomsk.ru header.s=20221203 header.a=rsa-sha256

On the other receiving server (Debian, exim4 4.94.2-7), the very same
mail (sent simultaneously to two recipients on XXXXXX and YYYYYY) is
reported as having an unsuccessful DKIM check:

Authentication-Results: YYYYYY;
iprev=pass (www.library.tomsk.ru) smtp.remote-ip=95.170.141.50;
dkim=fail (body hash mismatch; body probably modified in transit)
header.d=library.tomsk.ru header.s=20221203 header.a=rsa-sha256

What could be causing the body hash mismatch fail on the second
server? I'm not giving any config details because I don't even know
what config details could be required. I need a hint in the right
direction. What could theoretically modify the body before the
acl_smtp_dkim check?

I have even calculated md5 sums from the mail body (mutt has the
ability to pipe the mail body to a command) and it is the same on both
servers! It's crazy, isn't it?

I have also noticed that some other mails (not all though, but several)
also fail the DKIM body check on the second server, e.g. Ubuntu security
advisories from canonical.com (I would expect their DKIM signatures should
be correct).

Any ideas?

--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: dkim=fail (body hash mismatch; body probably modified in transit)
On 02/12/2022 16:54, Victor Sudakov via Exim-users wrote:
> I have an exim 4.95 installation sending DKIM-signed mails to two
> other exim servers. On one of the receiving servers (FreeBSD,exim-4.95_5),
> I see that the DKIM check is successful:
>
> Authentication-Results: XXXXXX;
> iprev=pass (www.library.tomsk.ru) smtp.remote-ip=95.170.141.50;
> spf=pass smtp.mailfrom=library.tomsk.ru;
> dkim=pass header.d=library.tomsk.ru header.s=20221203 header.a=rsa-sha256
>
> On the other receiving server (Debian, exim4 4.94.2-7), the very same
> mail (sent simultaneously to two recipients on XXXXXX and YYYYYY) is
> reported as having an unsuccessful DKIM check:
>
> Authentication-Results: YYYYYY;
> iprev=pass (www.library.tomsk.ru) smtp.remote-ip=95.170.141.50;
> dkim=fail (body hash mismatch; body probably modified in transit)
> header.d=library.tomsk.ru header.s=20221203 header.a=rsa-sha256

Is this consistent for all messages sent to the pair of hosts?
Or only occasional?

What libraries do 'exim -d -bV' report for each host?
--
Cheers,
Jeremy


Re: dkim=fail (body hash mismatch; body probably modified in transit)
Jeremy Harris via Exim-users wrote:
> On 02/12/2022 16:54, Victor Sudakov via Exim-users wrote:
> > I have an exim 4.95 installation sending DKIM-signed mails to two
> > other exim servers. On one of the receiving servers (FreeBSD,exim-4.95_5),
> > I see that the DKIM check is successful:
> >
> > Authentication-Results: XXXXXX;
> > iprev=pass (www.library.tomsk.ru) smtp.remote-ip=95.170.141.50;
> > spf=pass smtp.mailfrom=library.tomsk.ru;
> > dkim=pass header.d=library.tomsk.ru header.s=20221203 header.a=rsa-sha256
> >
> > On the other receiving server (Debian, exim4 4.94.2-7), the very same
> > mail (sent simultaneously to two recipients on XXXXXX and YYYYYY) is
> > reported as having an unsuccessful DKIM check:
> >
> > Authentication-Results: YYYYYY;
> > iprev=pass (www.library.tomsk.ru) smtp.remote-ip=95.170.141.50;
> > dkim=fail (body hash mismatch; body probably modified in transit)
> > header.d=library.tomsk.ru header.s=20221203 header.a=rsa-sha256
>
> Is this consistent for all messages sent to the pair of hosts?
> Or only occasional?

I have sent 10 short messages from the library.tomsk.ru host:

echo "test test" | mail -s "test test" vas@XXXXXX vas@YYYYYY

and it's 10 times dkim=pass on FreeBSD and 10 times dkim=fail on Debian,
so I guess it's consistent.

However, I've noticed that when I send a larger mail, like

uuencode /usr/bin/vi vi | mail -s "test test" vas@XXXXXX vas@YYYYYY

then 10 of the 10 mails on Debian have dkim=pass. So the message size
or encoding is involved somehow? What gives?

>
> What libraries do 'exim -d -bV' report for each host?

FreeBSD sender:
Compiler: CLang [10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)]
Probably Berkeley DB version 1.8x (native mode)
Library version: OpenSSL: Compile: OpenSSL 1.1.1l-freebsd 24 Aug 2021
Runtime: OpenSSL 1.1.1l-freebsd 24 Aug 2021
: built on: reproducible build, date unspecified
Library version: IDN: Compile: 1.35
Runtime: 1.35
Library version: spf2: Compile: 1.2.10
Runtime: 1.2.10
Library version: Cyrus SASL: Compile: 2.1.28
Runtime: 2.1.28 [Cyrus SASL]
Library version: PCRE: Compile: 8.45
Runtime: 8.45 2021-06-15

FreeBSD receiver:

Compiler: CLang [10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)]
Probably Berkeley DB version 1.8x (native mode)
Library version: OpenSSL: Compile: OpenSSL 1.1.1l-freebsd 24 Aug 2021
Runtime: OpenSSL 1.1.1l-freebsd 24 Aug 2021
: built on: reproducible build, date unspecified
Library version: IDN: Compile: 1.35
Runtime: 1.38
Library version: spf2: Compile: 1.2.10
Runtime: 1.2.11
Library version: Cyrus SASL: Compile: 2.1.28
Runtime: 2.1.28 [Cyrus SASL]
Library version: PCRE: Compile: 8.45
Runtime: 8.45 2021-06-15

Debian receiver YYYYYY:

Compiler: GCC [10.2.1 20210110]
Library version: Glibc: Compile: 2.31
Runtime: 2.31
Library version: BDB: Compile: Berkeley DB 5.3.28: (September 9, 2013)
Runtime: Berkeley DB 5.3.28: (September 9, 2013)
Library version: GnuTLS: Compile: 3.7.1
Runtime: 3.7.1
Library version: IDN2: Compile: 2.3.0
Runtime: 2.3.0
Library version: Stringprep: Compile: 1.33
Runtime: 1.33
Library version: Cyrus SASL: Compile: 2.1.27
Runtime: 2.1.27 [Cyrus SASL]
Library version: PCRE: Compile: 8.39
Runtime: 8.39 2016-06-14
Library version: MySQL: Compile: 100510 10.5.10 [mariadb-10.5]
Runtime: 100515 10.5.15
Library version: SQLite: Compile: 3.34.1
Runtime: 3.34.1

--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

Re: dkim=fail (body hash mismatch; body probably modified in transit)
Victor Sudakov via Exim-users <exim-users@exim.org> wrote:
> However, I've noticed that when I send a larger mail, like
>
> uuencode /usr/bin/vi vi | mail -s "test test" vas@XXXXXX vas@YYYYYY
>
> then 10 of the 10 mails on Debian have dkim=pass. So the message size
> or encoding is involved somehow? What gives?

Is it possible that the failing system does not accept 8bitmime?
Reencoding the message would break DKIM.

Michael

Re: dkim=fail (body hash mismatch; body probably modified in transit)
On 04/12/2022 11:33, Michael Haardt via Exim-users wrote:
> Is it possible that the failing system does not accept 8bitmime?
> Reencoding the message would break DKIM.

Only if there's a non-exim gateway on the path we've
not been told about. Exim doesn't recode.
--
Cheers,
Jeremy


Re: dkim=fail (body hash mismatch; body probably modified in transit)
On 04/12/2022 06:33, Victor Sudakov via Exim-users wrote:
> I have sent 10 short messages from the library.tomsk.ru host:
>
> echo "test test" | mail -s "test test" vas@XXXXXX vas@YYYYYY
>
> and it's 10 times dkim=pass on FreeBSD and 10 times dkim=fail on Debian,
> so I guess it's consistent.
>
> However, I've noticed that when I send a larger mail, like
>
> uuencode /usr/bin/vi vi | mail -s "test test" vas@XXXXXX vas@YYYYYY
>
> then 10 of the 10 mails on Debian have dkim=pass. So the message size
> or encoding is involved somehow? What gives?

So. Size-dependent, rx-end dependent, and seems consistently reproducible.

Could be the library used for hashing the body, or the way it's being
driven, or the exact sizes of chunks of body being handed it.


> FreeBSD sender:
> Compiler: CLang [10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)]
> Probably Berkeley DB version 1.8x (native mode)
> Library version: OpenSSL: Compile: OpenSSL 1.1.1l-freebsd 24 Aug 2021
> Runtime: OpenSSL 1.1.1l-freebsd 24 Aug 2021
> : built on: reproducible build, date unspecified

> FreeBSD receiver:
>
> Compiler: CLang [10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)]
> Probably Berkeley DB version 1.8x (native mode)
> Library version: OpenSSL: Compile: OpenSSL 1.1.1l-freebsd 24 Aug 2021
> Runtime: OpenSSL 1.1.1l-freebsd 24 Aug 2021
> : built on: reproducible build, date unspecified

> Debian receiver YYYYYY:
>
> Compiler: GCC [10.2.1 20210110]

> Library version: GnuTLS: Compile: 3.7.1
> Runtime: 3.7.1


A test here does not fail:

Sender:
FreeBSD 13.0-ALPHA3
Exim version: 4.96+ (44b6e099b76f403a55e77650821f8a69e9d2682e)
Compiler: CLang [11.0.1 (git@github.com:llvm/llvm-project.git llvmorg-11.0.1-0-g43ff75f2c3fe)]
OpenSSL 1.1.1i-freebsd 8 Dec 2020

Command-line exim initiation, stdin from "echo -e 'Subject: test\n\nSmall body\n'"

DKIM used ed25519-sha256



Receiver A:
Debian 11
Debian 5.10.127-1 (2022-06-30)
Exim version: 4.96+ (44b6e099b76f403a55e77650821f8a69e9d2682e)
Compiler: GCC [10.2.1 20210110]
GnuTLS: Compile: 3.7.1
Runtime: 3.7.1

Log line: DKIM: d=wizmail.org s=e202001 c=relaxed/relaxed a=ed25519-sha256 b=512 [verification succeeded]

Receiver B:
Debian 11
Debian 5.10.127-1 (2022-06-30)
Exim version: 4.96+ (44b6e099b76f403a55e77650821f8a69e9d2682e)
Compiler: GCC [10.2.1 20210110]
OpenSSL: Compile: OpenSSL 1.1.1n 15 Mar 2022

Log line: DKIM: d=wizmail.org s=e202001 c=relaxed/relaxed a=ed25519-sha256 b=512 [verification succeeded]


The body-hash differing implies, I think, that the signature algorithm isn't
involved. I was using sha256; what's yours?

I guess there's also the dkim canonicalisation. Mine was relaxed/relaxed. Yours?

Can you set up the receiver exim with debug enabled? Either commandline option
or ACL modifier can be used to enable that, the latter having the benefit of
being able to only trace certain classes of connection. The interesting part
would be the DKIM receive processing, which is in the debug "acl" channel.
--
Cheers,
Jeremy


Re: dkim=fail (body hash mismatch; body probably modified in transit)
Jeremy Harris via Exim-users wrote:
> On 04/12/2022 11:33, Michael Haardt via Exim-users wrote:
> > Is it possible that the failing system does not accept 8bitmime?
> > Reencoding the message would break DKIM.
>
> Only if there's a non-exim gateway on the path we've
> not been told about.

There is none.

Also, as I said, I've checked MD5 sums of bodies (from the mutt Email
client) and they are the same on both the receivers.

I should also note that the test mails were 7bit ascii messages, I've
produced them with `echo "test test" | mail -s "test test" vas@XXXXXX vas@YYYYYY` on the sender host.


--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

Re: dkim=fail (body hash mismatch; body probably modified in transit)
Jeremy Harris via Exim-users wrote:
> On 04/12/2022 06:33, Victor Sudakov via Exim-users wrote:
> > I have sent 10 short messages from the library.tomsk.ru host:
> >
> > echo "test test" | mail -s "test test" vas@XXXXXX vas@YYYYYY
> >
> > and it's 10 times dkim=pass on FreeBSD and 10 times dkim=fail on Debian,
> > so I guess it's consistent.
> >
> > However, I've noticed that when I send a larger mail, like
> >
> > uuencode /usr/bin/vi vi | mail -s "test test" vas@XXXXXX vas@YYYYYY
> >
> > then 10 of the 10 mails on Debian have dkim=pass. So the message size
> > or encoding is involved somehow? What gives?
>
> So. Size-dependent, rx-end dependent, and seems consistently reproducible.

Correct.

>
> Could be the library used for hashing the body, or the way it's being
> driven, or the exact sizes of chunks of body being handed it.

[dd]

>
> A test here does not fail:

Can you give me an address to send a test mail to on one of your
Debian receivers? And we will look at what it says about the body.

>
>
> The body-hash differing implies, I think, that the signature algorithm isn't
> involved. I was using sha256; what's yours?

Hmm, how do I figure out? Below is the complete sender configuration,
without hiding anything:

remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
dkim_domain = library.tomsk.ru
dkim_selector = 20221203
dkim_private_key = /usr/local/etc/exim/dkim/library.tomsk.ru-private.pem
dkim_canon = relaxed
dkim_sign_headers = Date:From:To:Subject:Message-Id:In-Reply-To

I think it's using some exim default algorithm.

>
> I guess there's also the dkim canonicalisation. Mine was relaxed/relaxed. Yours?

dkim_canon = relaxed

>
> Can you set up the receiver exim with debug enabled? Either commandline option
> or ACL modifier can be used to enable that, the latter having the benefit of
> being able to only trace certain classes of connection. The interesting part
> would be the DKIM receive processing, which is in the debug "acl" channel.

What should I add to acl_smtp_dkim to enable debugging?

--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

Re: dkim=fail (body hash mismatch; body probably modified in transit)
Victor Sudakov via Exim-users wrote:
>
> I should also note that the test mails were 7bit ascii messages, I've
> produced them with `echo "test test" | mail -s "test test" vas@XXXXXX vas@YYYYYY` on the sender host.

Interestingly, I've installed the DKIM verifier plugin on Thunderbird
(it seems to verify the signature independently from the MTA) and it
shows "DKIM Valid" for all those mails so the problem is definitely
how Exim/Debian calculates DKIM.

--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

Re: dkim=fail (body hash mismatch; body probably modified in transit)
On 05/12/2022 05:46, Victor Sudakov via Exim-users wrote:
> Can you give me an address to send a test mail to on one of your
> Debian receivers?

I cannot; that was an internal-only test VM, not internet-facing.

>> The body-hash differing implies, I think, that the signature algorithm isn't
>> involved. I was using sha256; what's yours?
>
> Hmm, how do I figure out? Below is the complete sender configuration,
> without hiding anything:
>
> remote_smtp:
> driver = smtp
> message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
> dkim_domain = library.tomsk.ru
> dkim_selector = 20221203
> dkim_private_key = /usr/local/etc/exim/dkim/library.tomsk.ru-private.pem
> dkim_canon = relaxed
> dkim_sign_headers = Date:From:To:Subject:Message-Id:In-Reply-To
>
> I think it's using some exim default algorithm.

As the docs say, the default for dkim_hash is sha256.

> What should I add to acl_smtp_dkim to enable debugging?

In ACL for (DATA-or-earlier) - not the DKIM ACL -

warn
( any conditions preferred to limit what gets debugged,
eg. hosts = my.test.source.ip )

control = debug/tag=.dkimtest/opts=+all

--
Cheers,
Jeremy


Re: dkim=fail (body hash mismatch; body probably modified in transit)
On 2022-12-05 at 00:46:07 UTC-0500 (Mon, 5 Dec 2022 05:46:07 +0000)
Victor Sudakov via Exim-users <vas@sibptus.ru>
is rumored to have said:

> Jeremy Harris via Exim-users wrote:
[...]
>>
>> I guess there's also the dkim canonicalisation. Mine was
>> relaxed/relaxed. Yours?
>
> dkim_canon = relaxed

There's your problem.

If you use relaxed instead of relaxed/relaxed, the unspecified body
canonicalization is "simple" which is never what anyone should use.

DKIM canonicalizations are proof that DKIM was devised by people without
useful real-world email knowledge. None of the defaults make sense and
the "relaxed" canonicalizations are grossly inadequate for dealing with
entirely reasonable and harmless message modifications.




--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: dkim=fail (body hash mismatch; body probably modified in transit)
On 05/12/2022 15:38, Bill Cole via Exim-users wrote:
> If you use relaxed instead of relaxed/relaxed, the unspecified body canonicalization is "simple" which is never what anyone should use.

It shouldn't be. The docs say:

"the current implementation only supports signing with
the same canonicalization method for both headers and body".
--
Cheers,
Jeremy


Re: dkim=fail (body hash mismatch; body probably modified in transit)
On 2022-12-05 at 11:00:21 UTC-0500 (Mon, 5 Dec 2022 16:00:21 +0000)
Jeremy Harris via Exim-users <jgh@wizmail.org>
is rumored to have said:

> On 05/12/2022 15:38, Bill Cole via Exim-users wrote:
>> If you use relaxed instead of relaxed/relaxed, the unspecified body
>> canonicalization is "simple" which is never what anyone should use.
>
> It shouldn't be. The docs say:
>
> "the current implementation only supports signing with
> the same canonicalization method for both headers and body".

Does the code itself concur? I'm not conversant with the Exim code so
I'm a bit at a handicap in checking.

If a message arrives with "c=relaxed;" in the DKIM-Signature header, a
*compliant* verifying implementation will act as if it said
"c=relaxed/simple;" If the signer DID "relaxed/relaxed" but only claimed
"relaxed" then the verification SHOULD break unless the 'relaxed' body
canonicalization is equivalent to "simple" (which it could sometimes
be...)

OR: the OP's 2 machines are using different DKIM implementations that
handle identical messages' bodies differently. He has made clear that
the messages are in fact identical (same hash) so the issue is somewhere
in the verification software.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
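
Bill's point that a bare c=relaxed resolves to relaxed headers over a *simple* body, and Jeremy's question of whether body hashing itself differs, worked through as an added example. This is not code from the thread or from Exim; it implements the RFC 6376 body canonicalisations directly, and the sample bodies are constructed:

```python
import base64
import hashlib
import re

# Added example (not code from the thread or from Exim): RFC 6376 body
# canonicalisation and bh= computation. All sample bodies are constructed.


def _lines(body: bytes) -> list[bytes]:
    """Split a body into lines, tolerating bare LF as well as CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if lines and lines[-1] == b"":      # trailing newline => no extra line
        lines.pop()
    return lines


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 s3.4.3: drop trailing empty lines; an empty body becomes CRLF.
    Whitespace inside a line (trailing WSP included) is kept verbatim."""
    lines = _lines(body)
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines) or b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 s3.4.4: collapse WSP runs to one SP, strip trailing WSP per
    line, drop trailing empty lines; an empty body stays empty (no CRLF)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in _lines(body)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


CANON = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}


def body_hash(body: bytes, body_canon: str, algo: str = "sha256") -> str:
    """The bh= value: base64 of the hash over the canonicalised body."""
    digest = hashlib.new(algo, CANON[body_canon](body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_c_tag(c_value: str) -> tuple[str, str]:
    """Resolve a c= tag as RFC 6376 s3.5 requires: a missing body part means
    'simple', so c=relaxed is relaxed headers over a *simple* body."""
    hdr, _, body = c_value.strip().partition("/")
    return (hdr or "simple"), (body or "simple")


def bh_matches(body: bytes, c_value: str, bh_value: str, algo: str = "sha256") -> bool:
    """What a compliant verifier checks before it even looks at b=."""
    _, body_canon = parse_c_tag(c_value)
    return body_hash(body, body_canon, algo) == bh_value


def demo() -> dict[str, bool]:
    # Constructed bodies: a clean 7-bit one like the thread's "test test"
    # mail, and one with trailing WSP and blank lines.
    clean = b"test test\r\n"
    messy = b"test test  \t \r\n\r\n\r\n"
    bh_clean_relaxed = body_hash(clean, "relaxed")
    bh_messy_relaxed = body_hash(messy, "relaxed")
    return {
        # With no stray whitespace both canonicalisations hash identically,
        # which is why a wrong c= tag can go unnoticed on small test mails.
        "clean_same_under_both": body_hash(clean, "simple") == bh_clean_relaxed,
        # Signer hashed relaxed but advertised c=relaxed: verifier uses simple.
        "messy_c_relaxed_fails": not bh_matches(messy, "relaxed", bh_messy_relaxed),
        "messy_c_relaxed_relaxed_passes": bh_matches(messy, "relaxed/relaxed", bh_messy_relaxed),
        # Relaxed and simple even disagree on an empty body ("" vs CRLF).
        "empty_body_differs": body_hash(b"", "simple") != body_hash(b"", "relaxed"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Feeding a received message's raw body and its DKIM-Signature c= and bh= values to bh_matches reproduces the verifier's body-hash step on its own, which separates a canonicalisation mismatch from a broken signature check.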

Re: dkim=fail (body hash mismatch; body probably modified in transit)
On 5 December 2022 at 5:46:07 UTC, user Victor Sudakov via Exim-users <exim-users@exim.org> wrote:

>Can you give me an address to send a test mail to on one of your
>Debian receivers? And we will look at what it says about the body.

Feel free to send a test message to me, if your IP is not on RBLs. Try
small and big ones too, and we will see if they are rejected by the
spam filter...

regards


--
Slavko
https://www.slavino.sk/

Re: dkim=fail (body hash mismatch; body probably modified in transit)
Bill Cole via Exim-users wrote:
> On 2022-12-05 at 00:46:07 UTC-0500 (Mon, 5 Dec 2022 05:46:07 +0000)
> Victor Sudakov via Exim-users <vas@sibptus.ru>
> is rumored to have said:
>
> > Jeremy Harris via Exim-users wrote:
> [...]
> >>
> >> I guess there's also the dkim canonicalisation. Mine was
> >> relaxed/relaxed. Yours?
> >
> > dkim_canon = relaxed
>
> There's your problem.
>
> If you use relaxed instead of relaxed/relaxed, the unspecified body
> canonicalization is "simple" which is never what anyone should use.

I've replaced with "dkim_canon = relaxed/relaxed" on the sender but
still am seeing this "dkim=fail (body hash mismatch..." on the Debian
receiver.


--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

Re: dkim=fail (body hash mismatch; body probably modified in transit)
Bill Cole via Exim-users wrote:
> On 2022-12-05 at 11:00:21 UTC-0500 (Mon, 5 Dec 2022 16:00:21 +0000)
> Jeremy Harris via Exim-users <jgh@wizmail.org>
> is rumored to have said:
>
> > On 05/12/2022 15:38, Bill Cole via Exim-users wrote:
> >> If you use relaxed instead of relaxed/relaxed, the unspecified body
> >> canonicalization is "simple" which is never what anyone should use.
> >
> > It shouldn't be. The docs say:
> >
> > "the current implementation only supports signing with
> > the same canonicalization method for both headers and body".
>
> Does the code itself concur? I'm not conversant with the Exim code so
> I'm a bit at a handicap in checking.
>
> If a message arrives with "c=relaxed;" in the DKIM-Signature header, a

No, it arrives with "c=relaxed/relaxed;" no matter if dkim_canon is
set to "relaxed" or "relaxed/relaxed" on the sender.


--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

Re: dkim=fail (body hash mismatch; body probably modified in transit)
Slavko via Exim-users wrote:
> On 5 December 2022 at 5:46:07 UTC, user Victor Sudakov via Exim-users <exim-users@exim.org> wrote:
>
> >Can you give me an address to send a test mail to on one of your
> >Debian receivers? And we will look at what it says about the body.
>
> Feel free to send a test message to me, if your IP is not on RBLs. Try
> small and big ones too, and we will see if they are rejected by the
> spam filter...

I've just sent two messages to you with Message-IDs <E1p3Uk1-000J4G-3I@library.tomsk.ru> and <E1p3UkO-000J4r-DZ@library.tomsk.ru>

--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

Re: dkim=fail (body hash mismatch; body probably modified in transit)
On 9. 12. at 5:15 Victor Sudakov via Exim-users wrote:

> I've just sent two messages to you with Message-IDs <E1p3Uk1-000J4G-3I@library.tomsk.ru> and <E1p3UkO-000J4r-DZ@library.tomsk.ru>

I got both, and both have DKIM=pass in both exim (4.94.2) and rspamd
(3.4). Some headers (wrapped by me):

The small message:

Authentication-Results: primex.slavino.sk;
iprev=pass (www.library.tomsk.ru) smtp.remote-ip=95.170.141.50;
dkim=pass header.d=library.tomsk.ru header.s=20221203
header.a=rsa-sha256;
spf=pass smtp.mailfrom=library.tomsk.ru

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=library.tomsk.ru; s=20221203;
h=Date:From:Message-Id:Subject:To:In-Reply-To;
bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; b=...;

The big one (was marked as SPAM by rspamd):

Authentication-Results: primex.slavino.sk;
iprev=pass (www.library.tomsk.ru) smtp.remote-ip=95.170.141.50;
dkim=pass header.d=library.tomsk.ru header.s=20221203
header.a=rsa-sha256;
spf=pass smtp.mailfrom=library.tomsk.ru

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=library.tomsk.ru; s=20221203;
h=Date:From:Message-Id:Subject:To:In-Reply-To;
bh=9HxxvB7GfVK3gbXXriSX8J4iQZLu0Qt7g7Og/M3WjXQ=; b=...;

regards

--
Slavko


Re: dkim=fail (body hash mismatch; body probably modified in transit)
Slavko via Exim-users wrote:
> On 9. 12. at 5:15 Victor Sudakov via Exim-users wrote:
>
> > I've just sent two messages to you with Message-IDs <E1p3Uk1-000J4G-3I@library.tomsk.ru> and <E1p3UkO-000J4r-DZ@library.tomsk.ru>
>
> I got both, and both have DKIM=pass in both exim (4.94.2) and rspamd

What OS is exim running on?


--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

Re: dkim=fail (body hash mismatch; body probably modified in transit)
On 9. 12. at 8:49 Victor Sudakov via Exim-users wrote:
> Slavko via Exim-users wrote:
>> On 9. 12. at 5:15 Victor Sudakov via Exim-users wrote:
>>
>> > I've just sent two messages to you with Message-IDs <E1p3Uk1-000J4G-3I@library.tomsk.ru> and <E1p3UkO-000J4r-DZ@library.tomsk.ru>
>>
>> I got both, and both have DKIM=pass in both exim (4.94.2) and rspamd
>
> What OS is exim running on?
>
>

I am sorry, Debian bullseye (stable), exim is from debian repo, rspamd
is from its repo, no own builds.

regards

--
Slavko


Re: dkim=fail (body hash mismatch; body probably modified in transit)
Slavko via Exim-users wrote:
> On 9. 12. at 8:49 Victor Sudakov via Exim-users wrote:
> > Slavko via Exim-users wrote:
> >> On 9. 12. at 5:15 Victor Sudakov via Exim-users wrote:
> >>
> >> > I've just sent two messages to you with Message-IDs <E1p3Uk1-000J4G-3I@library.tomsk.ru> and <E1p3UkO-000J4r-DZ@library.tomsk.ru>
> >>
> >> I got both, and both have DKIM=pass in both exim (4.94.2) and rspamd
> >
> > What OS is exim running on?
> >
> >
>
> I am sorry, Debian bullseye (stable), exim is from debian repo, rspamd
> is from its repo, no own builds.

So, if we both have Debian Bullseye and the stock exim, what could
make the difference?

--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

Re: dkim=fail (body hash mismatch; body probably modified in transit)
On Sun, 11 Dec 2022, Victor Sudakov via Exim-users wrote:

> Slavko via Exim-users wrote:
>> On 9. 12. at 8:49 Victor Sudakov via Exim-users wrote:
>>> Slavko via Exim-users wrote:
>>>> On 9. 12. at 5:15 Victor Sudakov via Exim-users wrote:
>>>>
>>>>> I've just sent two messages to you with Message-IDs <E1p3Uk1-000J4G-3I@library.tomsk.ru> and <E1p3UkO-000J4r-DZ@library.tomsk.ru>
>>>>
>>>> I got both, and both have DKIM=pass in both exim (4.94.2) and rspamd
>>>
>>> What OS is exim running on?
>>>
>>>
>>
>> I am sorry, Debian bullseye (stable), exim is from debian repo, rspamd
>> is from its repo, no own builds.
>
> So, if we both have Debian Bullseye and the stock exim, what could
> make the difference?

IIRC Debian has two versions of exim: light and heavy,
and "split" and "non-split" config files.
One way to start would be by comparing
/etc/exim4/update-exim4.conf.conf

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: dkim=fail (body hash mismatch; body probably modified in transit)
Andrew C Aitchison via Exim-users wrote:
>
> > Slavko via Exim-users wrote:
> >> On 9. 12. at 8:49 Victor Sudakov via Exim-users wrote:
> >>> Slavko via Exim-users wrote:
> >>>> On 9. 12. at 5:15 Victor Sudakov via Exim-users wrote:
> >>>>
> >>>>> I've just sent two messages to you with Message-IDs <E1p3Uk1-000J4G-3I@library.tomsk.ru> and <E1p3UkO-000J4r-DZ@library.tomsk.ru>
> >>>>
> >>>> I got both, and both have DKIM=pass in both exim (4.94.2) and rspamd
> >>>
> >>> What OS is exim running on?
> >>>
> >>>
> >>
> >> I am sorry, Debian bullseye (stable), exim is from debian repo, rspamd
> >> is from its repo, no own builds.
> >
> > So, if we both have Debian Bullseye and the stock exim, what could
> > make the difference?
>
> IIRC Debian has two versions of exim: light and heavy,

That is what I have installed:

$ apt list --installed | grep exim

exim4-base/stable,now 4.94.2-7 amd64 [installed,automatic]
exim4-config/stable,now 4.94.2-7 all [installed,automatic]
exim4-daemon-heavy/stable,now 4.94.2-7 amd64 [installed]

> and "split" and "non-split" config files.

I'm using a single /etc/exim4/exim4.conf file as I have a FreeBSD
background and am used to a single exim config. In fact, I hate the
split stuff very much.

I guess there is not much to configure for DKIM checking, it's
basically

"acl_smtp_dkim = acl_check_dkim" and then

begin acl

acl_check_dkim:
accept add_header = :at_start:${authresults {$primary_hostname}}

acl ...


--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

Re: dkim=fail (body hash mismatch; body probably modified in transit)
On 12/12/2022 09:21, Victor Sudakov via Exim-users wrote:
> acl_check_dkim:
> accept add_header = :at_start:${authresults {$primary_hostname}}

It's generally better to use ${authresults } in the data ACL, so that it
can pick up other results even when the message wasn't DKIM-signed.
Also, the DKIM ACL can get called more than once (when there are multiple
signatures in a message) which would, with the header added here,
give you multiple results headers -
and can *modify* the result for a signature (yours doesn't, obviously).
--
Cheers,
Jeremy
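
Jeremy's two recommendations from this thread, the debug control enabled early for one test source and ${authresults } placed in the DATA ACL rather than the DKIM ACL, as an added Exim configuration fragment. It is not from the thread or from Exim's own documentation; the ACL names and the 192.0.2.10 test-source address are placeholders:

```exim
# Placeholders: 192.0.2.10 is the test sender's IP, ACL names are this
# example's own. Standard Exim 4.9x syntax; not the thread's configuration.
acl_smtp_connect = acl_check_connect
acl_smtp_data    = acl_check_data

begin acl

acl_check_connect:
  # Turn on a full debug trace for the known test source only. It must be
  # enabled before DATA so the trace covers the body hashing done while the
  # message is received; the DKIM receive processing is in the "acl" debug
  # channel, which opts=+all includes. Output goes to a file in the log
  # directory whose name carries the ".dkimtest" tag.
  warn
    hosts   = 192.0.2.10
    control = debug/tag=.dkimtest/opts=+all
  accept

acl_check_data:
  # One Authentication-Results: header per message, added here and not in
  # acl_smtp_dkim: the DKIM ACL runs once per signature (several headers) and
  # is not run at all for unsigned mail (no header, and no iprev/spf results).
  warn
    add_header = :at_start:${authresults {$primary_hostname}}
  accept
```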


Re: dkim=fail (body hash mismatch; body probably modified in transit)
On 12 December 2022 at 9:21:11 UTC, user Victor Sudakov via Exim-users <exim-users@exim.org> wrote:

>I'm using a single /etc/exim4/exim4.conf file as I have a FreeBSD
>background and am used to a single exim config. In fact, I hate the
>split stuff very much.

It must not matter until you switch from one to the other; by default
both are the same, and then you customize only one of them... I like
the split config, as it is simpler to upgrade with it...

>"acl_smtp_dkim = acl_check_dkim" and then

You do not need it at all, unless you do something with the DKIM
signatures, e.g. reject some of them. All DKIM signatures in a
message are checked by default; there is a global option to
customize which domains to add/require to check even without a
signature in the message.

You can try to send messages to two recipients (target hosts)
at once, then get the message file from both and compare them to
find the difference. You can try to test the file from the other host
with the -bh option, to see the results...

You can install some software/tool to do DKIM verification from the
shell to see/compare the result with exim's; if they differ, there will
be something wrong with one or the other. I never used any...

Carefully check that exim gets the right public key from DNS, that
it wasn't modified on the wire... You can do it from exim with the
-be option.

regards


--
Slavko
https://www.slavino.sk/
