
How to enable incoming DKIM check, ideally in Ubuntu/Debian?
Hi,

I'd like to reject emails that are not sent from a valid DKIM-enabled
sender. Previously, I enabled similar checks for SPF, reverse DNS,
sender verification, and even more, and found that there are numerous
sources on the web that help. But for DKIM, I could not really find
anything useful, or I'm lacking the right search terms.

My question is slightly specific to Ubuntu/Debian, so in case there
are some users that know which switches to flip on these distros, it's
even more welcome. But I'm also happy with general insight into DKIM
incoming email check.

I did find a guide that shows how to use SpamAssassin for this step.
But other sources indicated that plain exim is sufficient?

Thanks for any help!

All the best,

Mario Emmenlauer

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
On 2023-09-23, Mario Emmenlauer via Exim-users <exim-users@lists.exim.org> wrote:
> I'd like to reject emails that are not sent from a valid DKIM-enabled
> sender. Previously, I enabled similar checks for SPF, reverse DNS,

It's your funeral, but you risk losing real emails.
As well as from several small family-run mail systems, I have mails from
lawyers that are not DKIMmed. (They should be, but sometimes the
lawyers are working from home or something, or something goes wrong,
and there is no DKIM.)


Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
Hello,

On Sat, 23 Sep 2023 11:30:02 +0200 Mario Emmenlauer via Exim-users
<exim-users@lists.exim.org> wrote:

> I'd like to reject emails that are not sent from a valid DKIM-enabled
> sender.

Do not do that. Failed DKIM is the same as no DKIM at all (by RFC) and
there are a lot of reasons why a legitimate email can have a broken DKIM
signature. In my experience, all SPAM has either a valid or no
signature...

If you really want that, do it on a per-domain basis. Create a DB of "must
pass" domains and reject only those, but once again, it is prone to false
positives...

regards

--
Slavko
https://www.slavino.sk
Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
On 23/09/2023 10:30, Mario Emmenlauer via Exim-users wrote:
> I'd like to reject emails that are not sent from a valid DKIM-enabled
> sender.
[...]
> for DKIM, I could not really find
> anything useful, or I'm lacking the right search terms.

Apart from the other answers...

You did look for the Exim docs, right?
https://exim.org/exim-html-current/doc/html/spec_html/ch-dkim_spf_srs_and_dmarc.html
--
Cheers,
Jeremy


Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
On 2023-09-24, Slavko via Exim-users <exim-users@lists.exim.org> wrote:
> Hello,
>
> On Sat, 23 Sep 2023 11:30:02 +0200 Mario Emmenlauer via Exim-users
> <exim-users@lists.exim.org> wrote:
>
>> I'd like to reject emails that are not sent from a valid DKIM-enabled
>> sender.
>
> Do not do that. Failed DKIM is the same as no DKIM at all (by RFC) and
> there are a lot of reasons why a legitimate email can have a broken DKIM
> signature. In my experience, all SPAM has either a valid or no
> signature...
>
> If you really want that, do it on a per-domain basis. Create a DB of "must
> pass" domains and reject only those, but once again, it is prone to false
> positives...

Such a per-domain database with public sender opt-in exists.
It is called DMARC.

--
Jasen.

Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
On 24 September 2023 at 23:40:38 UTC, Jasen Betts via Exim-users <exim-users@lists.exim.org> wrote:

> Such a per-domain database with public sender opt-in exists.
> It is called DMARC.

No, DMARC is not a "must have DKIM" DB, as it is SPF **or** DKIM.
The main problem (in this case) is that it is not your DB/decision and
that not all are using DMARC. And DMARC without DKIM is the
suggested way to prevent forwarding...

And do not forget that DMARC's RFC is informational only...

regards


--
Slavko
https://www.slavino.sk/

Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
On 23.09.23 at 11:30, Mario Emmenlauer via Exim-users wrote:
>
> Hi,
>
> I'd like to reject emails that are not sent from a valid DKIM-enabled

acl_smtp_dkim = acl_check_dkim

acl_check_dkim:

        # skip if it's from an authenticated user
        accept condition  = ${if eq{$authenticated_id}{} {0}{1}}

        deny sender_domains = $sender_address_domain
             dkim_signers = $sender_address_domain:$dkim_signers
             dkim_status = none:invalid:fail
             log_message = "DKIM: Mail from $sender_address_domain rejected with $dkim_verify_status"
             message = "DKIM FAILED - SIGNATURE INVALID"

        accept

acl_check_data:
        ...
        deny condition = ${if eq{$h_DKIM-Signature:}{}{1}{0}}
             condition = ${if eq{$authenticated_id}{} {1}{0}}
             log_message = "NO DKIM-SIGNATURE found"
             message = "NO DKIM-SIGNATURE found, but it is required by the receiver"
        ...

>
> My question is slightly specific to Ubuntu/Debian, so in case there
> are some users that know which switches to flip on these distros, it's
> even more welcome. But I'm also happy with general insight into DKIM
> incoming email check.
>

you SHOULD add a condition to acl_check_data on whether the domain enforces DKIM
or not.

As soon as you enforce DKIM, you really only get emails with valid DKIM
sigs that additionally could be verified.
You have no clue how many checks end up false because the DNS server
with the sig does not answer in time or M$ screwed up in another way again.

As DKIM has been invented without a way to know upfront if an email
shall have a sig or not, it's only useful IF YOU ENFORCE IT.
Without enforcement DKIM has no meaning at all, as having a valid sig
and having no sig at all end up the same way. A spammer just needs
to remove the sig so it can't fail.

Without enforcement, the only usage for DKIM is to detect false
signatures, and those have a 99.9% chance of technically failing
rather than failing because of a spoof attempt.

Honestly: it's a fail by concept. But "compliance fanatics" love it.

If, like with SPF, a server would know upfront that the mail must have a
sig, then it would be a game changer, in terms of being no longer a fail
by design.

best regards,
Marius

Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
On 25/09/2023 08:10, Cyborg via Exim-users wrote:
> acl_smtp_dkim = acl_check_dkim
>
> acl_check_dkim:
>
>         # skip if it's from an authenticated user
>         accept condition  = ${if eq{$authenticated_id}{} {0}{1}}
>
>         deny sender_domains = $sender_address_domain
>              dkim_signers = $sender_address_domain:$dkim_signers
>              dkim_status = none:invalid:fail
>              log_message = "DKIM: Mail from $sender_address_domain rejected with $dkim_verify_status"
>              message = "DKIM FAILED - SIGNATURE INVALID"
>
>         accept
>
> acl_check_data:
>  ...
>  deny condition = ${if eq{$h_DKIM-Signature:}{}{1}{0}}
>          condition = ${if eq{$authenticated_id}{} {1}{0}}
>          log_message = "NO DKIM-SIGNATURE found"
>          message = "NO DKIM-SIGNATURE found, but it is required by the receiver"
> ...

Overkill.

acl_check_mail:
        ...
        # save computation effort
        warn condition = ${if def:authenticated_id}
             control = dkim_disable_verify
        ...

acl_check_data:
        ...
        deny condition = ${if !inlist {pass}{$dkim_verify_status}}
--
Cheers,
Jeremy


Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
On 25/09/2023 08:10, Cyborg via Exim-users wrote:
>
> acl_smtp_dkim = acl_check_dkim
>
> acl_check_dkim:
>
>         # skip if it's from an authenticated user
>         accept condition  = ${if eq{$authenticated_id}{} {0}{1}}
>
>         deny sender_domains = $sender_address_domain
>              dkim_signers = $sender_address_domain:$dkim_signers
>              dkim_status = none:invalid:fail
>              log_message = "DKIM: Mail from $sender_address_domain rejected with $dkim_verify_status"
>              message = "DKIM FAILED - SIGNATURE INVALID"
>
>         accept
>
> acl_check_data:
>  ...
>  deny condition = ${if eq{$h_DKIM-Signature:}{}{1}{0}}
>          condition = ${if eq{$authenticated_id}{} {1}{0}}
>          log_message = "NO DKIM-SIGNATURE found"
>          message = "NO DKIM-SIGNATURE found, but it is required by the receiver"

Overkill.


acl_smtp_mail:
        ...
        warn condition = ${if def:authenticated_id}
             control = dkim_disable_verify
        ...

acl_smtp_data:
        ...
        deny condition = ${if def:dkim_verify_status}
             condition = ${if !inlist {pass}{$dkim_verify_status}}
             # remove line below to also reject non-signed messages
             condition = ${if !inlist {none}{$dkim_verify_status}}
--
Cheers,
Jeremy


Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
On 25.09.23 10:31, Jeremy Harris via Exim-users wrote:
> On 25/09/2023 08:10, Cyborg via Exim-users wrote:
>> acl_smtp_dkim = acl_check_dkim
>>
>> acl_check_dkim:
>>
>>          # skip if it's from an authenticated user
>>          accept condition  = ${if eq{$authenticated_id}{} {0}{1}}
>>
>>          deny sender_domains = $sender_address_domain
>>               dkim_signers = $sender_address_domain:$dkim_signers
>>               dkim_status = none:invalid:fail
>>               log_message = "DKIM: Mail from $sender_address_domain rejected with $dkim_verify_status"
>>               message = "DKIM FAILED - SIGNATURE INVALID"
>>
>>          accept
>>
>> acl_check_data:
>>   ...
>>   deny condition = ${if eq{$h_DKIM-Signature:}{}{1}{0}}
>>           condition = ${if eq{$authenticated_id}{} {1}{0}}
>>           log_message = "NO DKIM-SIGNATURE found"
>>           message = "NO DKIM-SIGNATURE found, but it is required by the receiver"
>> ...
>
> Overkill.
>
> acl_check_mail:
>             ...
>             # save computation effort
>             warn condition = ${if def:authenticated_id}
>                  control = dkim_disable_verify
>             ...
>
> acl_check_data:
>            ...
>            deny condition = ${if !inlist {pass}{$dkim_verify_status}}


Awesome help and input, Marius and Jeremy! I now understand much better the
shortcomings of DKIM, and also how to implement it, in case I still want that.

Jeremy, could you help me with one last bit: which parts of Marius's example in
acl_check_data are replaced by your acl_check_mail? Is the whole acl_check_data
unneeded with your approach?

All the best,

Mario




Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
On 25/09/2023 09:48, Mario Emmenlauer via Exim-users wrote:
> Jeremy, could you help me with one last bit: which parts of Marius's example in
> acl_check_data are replaced by your acl_check_mail?

All of the section he showed. Though (cf. my later mail) I did decide
that my single line wasn't quite enough. It's probably a good move
to read around the docs to check how what I suggest works.
--
Cheers,
Jeremy


Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
On 25 September 2023 at 8:46:49 UTC, Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:

>acl_smtp_data:
> ...
> deny condition = ${if def:dkim_verify_status}
> ${if !inlist {pass}{$dkim_verify_status}}
> # remove line below to also reject non-signed messages
> ${if !inlist {none}{$dkim_verify_status}}

The docs mention $dkim_verify_status inside:

Inside the DKIM ACL, the following expansion variables are available...

I tried to log $dkim_verify_status in the DATA ACL, but it logs an empty
string, despite the message log showing "verification success" (by dkim_verbose)
in 4.96. Thus, are you sure about that variable in the DATA ACL?

regards


--
Slavko
https://www.slavino.sk/

Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
On 25/09/2023 11:34, Slavko via Exim-users wrote:
> The docs mention $dkim_verify_status inside:
>
> Inside the DKIM ACL, the following expansion variables are available...
>
> I tried to log $dkim_verify_status in the DATA ACL, but it logs an empty
> string, despite the message log showing "verification success" (by dkim_verbose)
> in 4.96. Thus, are you sure about that variable in the DATA ACL?

Docs I'm looking at say:

"So long as a DKIM ACL is defined (it need do no more than accept), after all the DKIM ACL runs have completed, the value becomes a colon-separated list of the values after each run. This is maintained for the mime, prdr and data ACLs."
--
Cheers,
Jeremy


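Jeremy's two data-ACL variants above, evaluated against the colon-separated $dkim_verify_status the docs describe, as an added Python model (not code from the thread or from Exim): `inlist`, `deny_v1`, `deny_v2` and the sample status values are constructed here to show why the `def:` guard matters when no DKIM ACL is configured.

```python
# Added example (not from the thread, not Exim code): a small model of the
# string semantics behind the data-ACL checks, so the two versions can be
# compared on constructed $dkim_verify_status values.
#
# Exim sets $dkim_verify_status per signature to one of none/invalid/fail/pass;
# once a DKIM ACL is defined it becomes a colon-separated list of those values
# (one per signature) in the data ACL, and it is empty when no acl_smtp_dkim
# is configured (the case Slavko hit).

def inlist(needle: str, colon_list: str) -> bool:
    """Model of ${if inlist{needle}{list}}: exact match on a colon-separated list."""
    return needle in colon_list.split(":")


def deny_v1(status: str) -> bool:
    """First one-liner:
         deny condition = ${if !inlist {pass}{$dkim_verify_status}}
    """
    return not inlist("pass", status)


def deny_v2(status: str, reject_unsigned: bool = False) -> bool:
    """Corrected check; every condition must hold for the deny to fire:
         deny condition = ${if def:dkim_verify_status}
              condition = ${if !inlist {pass}{$dkim_verify_status}}
              condition = ${if !inlist {none}{$dkim_verify_status}}   # optional
    """
    if not status:                      # def: is false -> variable unset/empty
        return False
    if inlist("pass", status):          # at least one signature verified
        return False
    if not reject_unsigned and inlist("none", status):
        return False                    # unsigned mail tolerated
    return True


# Constructed status values covering the cases discussed in the thread.
SAMPLE_STATUSES = ["", "none", "pass", "fail", "invalid", "pass:fail"]


def compare(statuses=SAMPLE_STATUSES) -> dict:
    """Return {status: (deny_v1, deny_v2 lenient, deny_v2 strict)} per sample."""
    return {s: (deny_v1(s), deny_v2(s), deny_v2(s, reject_unsigned=True))
            for s in statuses}


if __name__ == "__main__":
    for status, (v1, v2, v2s) in compare().items():
        print(f"{status or '<empty>':>10}  v1={v1!s:5}  v2={v2!s:5}  v2strict={v2s}")
```

With an empty status (no acl_smtp_dkim), the one-liner denies every message while the guarded version denies none, which is the difference Slavko's test exposed.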
Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?
On 25 September 2023 at 10:47:30 UTC, Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:

>"So long as a DKIM ACL is defined (it need do no more than accept), after all the DKIM ACL runs have completed, the value becomes a colon-separated list of the values after each run. This is maintained for the mime, prdr and data ACLs."

Yes, now it works; that was enough (in main):

acl_smtp_dkim = accept

Thanks ;-)


--
Slavko
https://www.slavino.sk/
