Mailing List Archive

disclaimer + DKIM does not work (reopened)
Dear all,

In my organization I must configure Exim to add a disclaimer for every
outgoing email, both text and html.

Please do not argue that this should not be done blablabla... I have to
do this for administrative reasons, too long to explain and off topic.

I have been using Exim 4.94.2 on Debian 11 without any issue so far.

I could add the disclaimer easily by modifying the standard
configuration file /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp :

=================================================================
remote_smtp:
  debug_print = "T: remote_smtp for $local_part@$domain"
  driver = smtp

  # added for the disclaimer: pipe every outgoing message through altermime
  transport_filter = /usr/bin/altermime --input=- --disclaimer=/etc/exim4/textdisclaimer --disclaimer-html=/etc/exim4/htmldisclaimer
  size_addition = 1

.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
.endif
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
...
=================================================================

I could also easily add DKIM signature by defining the DKIM macro in
/etc/exim4/conf.d/main/000_localmacros :

=================================================================
DKIM_CANON = relaxed
DKIM_SELECTOR = dkim
DKIM_DOMAIN = domain.ext
DKIM_PRIVATE_KEY = /etc/exim4/keys/domain.ext.dkim.pkey.pem
=================================================================

However, I can not do both at the same time because when I do so (and
only when I try to use both), the DKIM signature check fails at the
recipient's side.

It looks as if the DKIM signature is performed before the disclaimer is
added.

This seems to be a duplicate of an older topic "Disclaimer and DKIM"
dated 2018-11-07 on this mailing list.

Any help is appreciated.

Thanks in advance,
Bruno


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: disclaimer + DKIM does not work (reopened)
On 19/10/2023 21:24, brunoc68 via Exim-users wrote:
> *transport_filter = /usr/bin/altermime  --input=- --disclaimer=/etc/exim4/textdisclaimer --disclaimer-html=/etc/exim4/htmldisclaimer

The only manpage for altermime I found doesn't even
list its possible options. Do you know of a decent one?
--
Cheers,
Jeremy


Re: disclaimer + DKIM does not work (reopened)
On 20/10/2023 at 11:04, Jeremy Harris via Exim-users wrote:
> On 19/10/2023 21:24, brunoc68 via Exim-users wrote:
>> *transport_filter = /usr/bin/altermime --input=-
>> --disclaimer=/etc/exim4/textdisclaimer
>> --disclaimer-html=/etc/exim4/htmldisclaimer
>
> The only manpage for altermime I found doesn't even
> list its possible options.  Do you know of a decent one?

Actually the filter works fine : whether one sets up DKIM or not, the
outgoing email gets both disclaimers (txt + html).

However, DKIM check fails (only) when the disclaimers are added.

I do not have more information than the output of the filter itself :

==================================================
altermime --input=<input mime pack>   ( --input=- for stdin )
    [--disclaimer=<disclaimer file>]
    [--disclaimer-html=<HTML disclaimer file>]
    [--disclaimer-b64=<BASE64 encoded dislcaimer>]
    [--htmltoo]
  [--force-into-b64]
    [--force-for-bad-html]
    [--multipart-insert]
    [--remove=<remove file name (regex)>] (if filename contains a /,
matches on mime-type )
    [--removeall]
    [--replace=<filename to replace> --with=<replace with>]
    [--xheader="..."
    [--alter-header="..." --alter-with="..."
--alter-mode=<prefix|suffix|replace>]
    [--altersigned]
    [--no-qmail-bounce]
    [--verbose]
    [--log-stdout]
    [--log-stderr]
    [--log-syslog]
    [--debug]
    [--version]

Option Descriptions:
    --input=, Sets the mailpack file to be the filename supplied,
        if the filename is a single '-' (hyphen) then the mailpack
        is sourced via stdin and outputted via stdout.

    --disclaimer=, Set the plaintext disclaimer source file.
    --disclaimer-html=, Set the HTML disclaimer source file.
    --disclaimer-b64=, Set the BASE64 encoded disclaimer source file
(implies --force-into-b64).

    --htmltoo, Sets alterMIME to insert the plaintext disclaimer into
    --force-into-b64, Sets alterMIME to insert disclaimers into BASE64
encoded text segments
    --force-for-bad-html, Force adding of the HTML disclaimer even when
HTML is not correctly formatted
        the HTML portion of the email body ( if there is no explicitly
        defined HTML dislcaimer, see --disclaimer-html )

    --remove=, Remove any attachments which match the filename supplied,
        if the filename text contains a forward-slash '/', then the
        matching will occur based on content-type headers rather than
        by filename.
    --removeall, Remove all attachments
    --replace=, Replace attachments matching the given filename.
Requires to
        be used with --with.
    --with=, Replace the attachments specified by --replace with the file
        specified.
    --xheader=, Insert a header line as specified into the first set of
headers.
    --alter-header="..." --alter-with="..."
--alter-mode=(prefix|suffix|replace)
        Alter an existing header in the mailpack.  This function
modifies the
        value of the header, as apposed to the header name.
    --altersigned, Force alterMIME to modify 'signed' emails
    --no-qmail-bounce,  Don't search into email bodies for attachment
headers
    --verbose, Describe details of the process occurring
    --log-stdout, Send all output messages to stdout
    --log-stderr, Send all output messages to stderr
    --log-syslog, Send all output messages to syslog
    --debug, Provide greater verbosity and debugging information
    --version, display the alterMIME version string
==================================================







Re: disclaimer + DKIM does not work (reopened)
On 20. 10. at 11:45 brunoc68 via Exim-users wrote:

> Actually the filter works fine : whether one sets up DKIM or not, the
> outgoing email gets both disclaimers (txt + html).
>
> However, DKIM check fails (only) when the disclaimers are added.

IMO, the DKIM signature is done before filter (and headers)
modifications. I met that with headers modification, then I moved those
modifications to another exim, thus the signing one gets final message
and "just" signs it.

I am afraid that you will have to do some self redirect dance. Do
modification in one transport, and then deliver message back to self for
signing.

regards

--
Slavko


Re: disclaimer + DKIM does not work (reopened)
On Thu, Oct 19, 2023 at 10:24:08PM +0200, brunoc68 via Exim-users wrote:
> It looks as if the DKIM signature is performed before the disclaimer is
> added.

Yes, DKIM signing is performed before transport filter.

You can implement MTA cascading. First add disclaimer message, then sign.
Via two hosts, or two containers, or even twice-passing the same MTA
if you are skilled enough to configure it.
--
Eugene Berdnikov

Re: disclaimer + DKIM does not work (reopened)
On 20/10/2023 11:25, Slavko via Exim-users wrote:
> IMO, the DKIM signature is done before filter (and headers) modifications.

No; it is after.
--
Cheers,
Jeremy


Re: disclaimer + DKIM does not work (reopened)
On 20/10/2023 11:32, Evgeniy Berdnikov via Exim-users wrote:
> Yes, DKIM signing is performed before transport filter.

No, it is after.
--
Cheers,
Jeremy


Re: disclaimer + DKIM does not work (reopened)
On 20/10/2023 10:45, brunoc68 via Exim-users wrote:
> However, DKIM check fails (only) when the disclaimers are added.

Can you get a debug run for a sample small test message?
Also the original and resulting (signed) messages.

Feel free to mail them to me, or use a pastebin.

I guess a sample of the result of a non-signed, but
altermime-filtered, message would also be useful.
--
Cheers,
Jeremy


Re: disclaimer + DKIM does not work (reopened)
On 19.10.23 at 22:24, brunoc68 via Exim-users wrote:
>
> *transport_filter = /usr/bin/altermime  --input=-
> --disclaimer=/etc/exim4/textdisclaimer
> --disclaimer-html=/etc/exim4/htmldisclaimer
> size_addition = 1
> *
>

To find out if it's really the "wrong" sorting of dkim and filtering,
you can wrap a script around that altermime call and save the created
message somewhere.
You can then check if it has DKIM already, and if so, come back here
with the result and ask how to change it. But I'm sure, Jeremy is right,
as he always is.

Best regards,
Cyborg

Re: disclaimer + DKIM does not work (reopened)
On 20/10/2023 at 12:47, Jeremy Harris via Exim-users wrote:
> On 20/10/2023 10:45, brunoc68 via Exim-users wrote:
>> However, DKIM check fails (only) when the disclaimers are added.
>
> Can you get a debug run for a sample small test message?
> Also the original and resulting (signed) messages.
>
> Feel free to mail them to me, or use a pastebin.
>
> I guess a sample of the result of a non-signed, but
> altermime-filtered, message would also be useful.

Dear Jeremy,

I will send 3 email samples from the production server to your private
email address :
1. with disclaimer
2. without disclaimer but with DKIM signature
3. with disclaimer and DKIM signature

I have to wait this evening when there is no user at office (in about 4h
from now).





Re: disclaimer + DKIM does not work (reopened)
On 20/10/2023 13:19, brunoc68 via Exim-users wrote:
> On 20/10/2023 at 12:47, Jeremy Harris via Exim-users wrote:
>> On 20/10/2023 10:45, brunoc68 via Exim-users wrote:
>>> However, DKIM check fails (only) when the disclaimers are added.
>>
>> Can you get a debug run for a sample small test message?
>> Also the original and resulting (signed) messages.
>>
>> Feel free to mail them to me, or use a pastebin.
>>
>> I guess a sample of the result of a non-signed, but
>> altermime-filtered, message would also be useful.
>
> Dear Jeremy,
>
> I will send 3 email samples from the production server to your private email address :
> 1. with disclaimer
> 2. without disclaimer but with DKIM signature
> 3. with disclaimer and DKIM signature

I received all three, and the signatures appear to be good
(both as evaluated by my MRA, and as by the built-in in Thunderbird).
--
Cheers,
Jeremy


Re: disclaimer + DKIM does not work (reopened)
On 22/10/2023 at 13:44, Jeremy Harris via Exim-users wrote:
>
>> Dear Jeremy,
>>
>> I will send 3 email samples from the production server to your
>> private email address :
>> 1. with disclaimer
>> 2. without disclaimer but with DKIM signature
>> 3. with disclaimer and DKIM signature
>
> I received all three, and the signatures appear to be good
> (both as evaluated by my MRA, and as by the built-in in Thunderbird).

Dear Jeremy,

Thank you for considering the case.

I use mail-tester.com to test my mail server configuration.

I've just done it again. Cases 1 and 2 are both ok, whereas case 3 has
failed, with the following details :

======================================
DKIM signature :
v=1;
    a=rsa-sha256;
    q=dns/txt;
    c=relaxed/relaxed;
    d=XXXXXXXXXXXX;
    s=dkim;
 h=Content-Type:Message-ID:Subject:Date:MIME-Version:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=63NW/yufriU/IxIXVLTm1de/Ms/WMrD4gB58AVbyOLI=;
 b=CpL8lrU/F4CBeH14Z0XQiW4rJMFfxErIF+6xK7bxgDk3Fq3OsbcybzCBs94KKfJhgtrHHb9VVDu+FCY1qCqpm3DDzN+0c+9tKtVa3HR7UWB4E4bHweB2JpaKRl0JhP5drN9Alq+NJbBcViaAbleiKmB46fIZgmWYtP46EDK6rS/ug6Iyk7TRyRPqDNdpWX+kYsJHxvih7+HMJ1/rzt/FiBAndbu5TV/BvUi1Q4onU4Z7YP7TMUAKrhdN54NqS2eOCat9qu9W/pESw7xENyXkzMWGXHnqcToJBNleqNAp36ClRI946xNhl6xIa9hbX9jSi2FrkG6BYhfH3JYUrmWtew==;


Public key :
"v=DKIM1;
k=rsa;
p=MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAzv3BvHbwGsHWZjnROtaNQMhzkL6yob0e7w2Sbatu3m7uwl89KnBbZBkmoxXsMcpK+f1XF7eahWm71f1hFqMP7cwQVwdQ/268NfXBt73zMcMgMqDPrVH5ptz93j/uTlIv9LNLbQww5fyYhzqgdBID+KSTUg2ykZmhMcsKr5ippWZS5reYAlm9f8/na9iEpGuaecpTTALQ1Pswlmrxc1x36nqxu9f++l+q7bWgORGs3nPcjLLNguYgrduDqxWEyTM23BH8LYleIBZj+JEBMHwKGSos7hLmngbZhTZFiYo6igOr6S2m3O0dFdMjvPzdlv8IG2Z2bVmwPw7rpt/KorTrfAgMBAAE="

key length : 2046bits

*Your DKIM signature is not valid*
======================================

To be noted : spamassassin also ends up with "DKIM_INVALID"



Re: disclaimer + DKIM does not work (reopened)
On Sun, Oct 22, 2023 at 07:03:19PM +0200, brunoc68 via Exim-users wrote:
> Public key :
> "v=DKIM1;
> k=rsa;
> p=MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAzv3BvHbwGsHWZjnROtaNQMhzkL6yob0e7w2Sbatu3m7uwl89KnBbZBkmoxXsMcpK+f1XF7eahWm71f1hFqMP7cwQVwdQ/268NfXBt73zMcMgMqDPrVH5ptz93j/uTlIv9LNLbQww5fyYhzqgdBID+KSTUg2ykZmhMcsKr5ippWZS5reYAlm9f8/na9iEpGuaecpTTALQ1Pswlmrxc1x36nqxu9f++l+q7bWgORGs3nPcjLLNguYgrduDqxWEyTM23BH8LYleIBZj+JEBMHwKGSos7hLmngbZhTZFiYo6igOr6S2m3O0dFdMjvPzdlv8IG2Z2bVmwPw7rpt/KorTrfAgMBAAE="
>
> key length : 2046bits

Oh, 2046 bits, really? Not 2048? I tried to check this record,
it doesn't look like an RSA key:

% cat /tmp/key.pem
-----BEGIN PRIVATE KEY-----
MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAzv3BvHbwGsHWZjnROtaNQMhzkL6yob0e7w2Sbatu3m7uwl89KnBbZBkmoxXsMcpK+f1XF7eahWm71f1hFqMP7cwQVwdQ/268NfXBt73zMcMgMqDPrVH5ptz93j/uTlIv9LNLbQww5fyYhzqgdBID+KSTUg2ykZmhMcsKr5ippWZS5reYAlm9f8/na9iEpGuaecpTTALQ1Pswlmrxc1x36nqxu9f++l+q7bWgORGs3nPcjLLNguYgrduDqxWEyTM23BH8LYleIBZj+JEBMHwKGSos7hLmngbZhTZFiYo6igOr6S2m3O0dFdMjvPzdlv8IG2Z2bVmwPw7rpt/KorTrfAgMBAAE=
-----END PRIVATE KEY-----

% openssl rsa -in /tmp/key.pem -noout
Could not read private key from /tmp/key.pem
40B7C589407F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:

This is something wrapped by ASN.1, but I have no idea what it is:

% openssl asn1parse -in /tmp/key.pem
0:d=0 hl=4 l= 289 cons: SEQUENCE
4:d=1 hl=2 l= 13 cons: SEQUENCE
6:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
17:d=2 hl=2 l= 0 prim: NULL
19:d=1 hl=4 l= 270 prim: BIT STRING

> *Your DKIM signature is not valid*
> ======================================
>
> To be noted : spamassassin also ends up with "DKIM_INVALID"

Did you use the same key for successful DKIM signings?
Aren't there some differences in DKIM selectors?
--
Eugene Berdnikov

Re: disclaimer + DKIM does not work (reopened)
On Sun, Oct 22, 2023 at 09:03:19PM +0300, Evgeniy Berdnikov via Exim-users wrote:
> > p=MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAzv3BvHbwGsHWZjnROtaNQMhzkL6yob0e7w2Sbatu3m7uwl89KnBbZBkmoxXsMcpK+f1XF7eahWm71f1hFqMP7cwQVwdQ/268NfXBt73zMcMgMqDPrVH5ptz93j/uTlIv9LNLbQww5fyYhzqgdBID+KSTUg2ykZmhMcsKr5ippWZS5reYAlm9f8/na9iEpGuaecpTTALQ1Pswlmrxc1x36nqxu9f++l+q7bWgORGs3nPcjLLNguYgrduDqxWEyTM23BH8LYleIBZj+JEBMHwKGSos7hLmngbZhTZFiYo6igOr6S2m3O0dFdMjvPzdlv8IG2Z2bVmwPw7rpt/KorTrfAgMBAAE="
> >
> > key length : 2046bits
>
> I tried to check this record, it doesn't look like an RSA key:

Sorry, I forgot this key should be read as rsa-public:

% cat /tmp/key.pem
-----BEGIN PUBLIC KEY-----
MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAzv3BvHbwGsHWZjnROtaNQMhzkL6yob0e7w2Sbatu3m7uwl89KnBbZBkmoxXsMcpK+f1XF7eahWm71f1hFqMP7cwQVwdQ/268NfXBt73zMcMgMqDPrVH5ptz93j/uTlIv9LNLbQww5fyYhzqgdBID+KSTUg2ykZmhMcsKr5ippWZS5reYAlm9f8/na9iEpGuaecpTTALQ1Pswlmrxc1x36nqxu9f++l+q7bWgORGs3nPcjLLNguYgrduDqxWEyTM23BH8LYleIBZj+JEBMHwKGSos7hLmngbZhTZFiYo6igOr6S2m3O0dFdMjvPzdlv8IG2Z2bVmwPw7rpt/KorTrfAgMBAAE=
-----END PUBLIC KEY-----

% openssl rsa -in /tmp/key.pem -pubin -text -noout
Public-Key: (2046 bit)
Modulus:
Exponent: 65537 (0x10001)
--
Eugene Berdnikov

Re: disclaimer + DKIM does not work (reopened)
On 2023-10-19, brunoc68 via Exim-users <exim-users@lists.exim.org> wrote:
> Dear all,
>
> In my organization I must configure Exim to add a disclaimer for every
> outgoing email, both text and html.
>
> Please do not argue that this should not be done blablabla... I have to
> do this for administrative reasons, too long to explain and off topic.

I am doing something similar, and am not seeing widespread DKIM
refusals. I have not used altermime.

Be aware that exim filter wants line endings as \n not as \r\n

I suggest wrapping the filter in a script and have the script save
before and after versions of the filtered email (eg: use tee),
and then check those for basic validity, especially line endings.

--
Jasen.
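
An added example (not written by any poster in this thread, and not Exim or alterMIME code) of the check that Cyborg and Jasen suggest above: given saved copies of a message, it reports the line endings, whether a DKIM-Signature header is present, and whether its bh= still matches the body under the relaxed canonicalization used in the signature shown in the thread. All function names, the sample message, `fake_sign` and `append_disclaimer` are constructed stand-ins; no real signing and no altermime call takes place.

```python
import base64
import hashlib
import re

# Constructed sample as a transport filter would see it (LF line endings).
SAMPLE = (b"From: a@example.org\nTo: b@example.net\nSubject: test\n"
          b"\nHello  world \nbye\n")
DISCLAIMER = b"\n-- \nConstructed disclaimer text\n"


def split_message(raw):
    """Return (header block, body), split at the first empty line."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return (raw, b"") if m is None else (raw[:m.start()], raw[m.end():])


def line_endings(raw):
    """Classify line endings as 'crlf', 'lf', 'mixed' or 'none'."""
    crlf = raw.count(b"\r\n")
    lf = raw.count(b"\n") - crlf
    if crlf and lf:
        return "mixed"
    return "crlf" if crlf else "lf" if lf else "none"


def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization (bare LF is treated as CRLF)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in re.split(rb"\r?\n", body)]
    while lines and lines[-1] == b"":      # drop empty lines at the end
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(raw):
    """Base64 SHA-256 of the canonicalized body, i.e. what bh= should hold."""
    digest = hashlib.sha256(relaxed_body(split_message(raw)[1])).digest()
    return base64.b64encode(digest).decode()


def signed_bh(raw):
    """bh= value of the first DKIM-Signature header, or None if unsigned."""
    headers = re.sub(rb"\r?\n[ \t]+", b" ", split_message(raw)[0])  # unfold
    for line in re.split(rb"\r?\n", headers):
        if line.lower().startswith(b"dkim-signature:"):
            m = re.search(rb"(?:^|;)\s*bh=([^;]*)", line.split(b":", 1)[1])
            if m:
                return re.sub(rb"\s+", b"", m.group(1)).decode()
    return None


def diagnose(raw):
    """Summarise one saved copy; assumes a=rsa-sha256 and c=*/relaxed."""
    bh = signed_bh(raw)
    return {
        "line_endings": line_endings(raw),
        "signed": bh is not None,
        "body_intact": None if bh is None else bh == body_hash(raw),
    }


def fake_sign(raw):
    """Constructed stand-in for a signer: real bh=, placeholder b=, no key."""
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
           "\td=example.org; s=dkim; h=From:To:Subject;\n"
           "\tbh=%s;\n\tb=PLACEHOLDER\n" % body_hash(raw))
    return sig.encode() + raw


def append_disclaimer(raw):
    """Constructed stand-in for the filter on a single-part text message."""
    return raw + DISCLAIMER


if __name__ == "__main__":
    cases = {
        "unsigned, unfiltered": SAMPLE,
        "filtered, then signed": fake_sign(append_disclaimer(SAMPLE)),
        "signed, then filtered": append_disclaimer(fake_sign(SAMPLE)),
        "filtered, signed, sent as CRLF":
            fake_sign(append_disclaimer(SAMPLE)).replace(b"\n", b"\r\n"),
    }
    for name, raw in cases.items():
        print(name, diagnose(raw))
```

A bh= mismatch on the copy the recipient received means the body changed after signing; a match points at the header signature (b=) or the published key instead.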

Re: disclaimer + DKIM does not work (reopened)
On 24/10/2023 at 05:30, Jasen Betts via Exim-users wrote:
> On 2023-10-19, brunoc68 via Exim-users <exim-users@lists.exim.org> wrote:
>> Dear all,
>>
>> In my organization I must configure Exim to add a disclaimer for every
>> outgoing email, both text and html.
>>
>> Please do not argue that this should not be done blablabla... I have to
>> do this for administrative reasons, too long to explain and off topic.
> I am doing something similar, and am not seeing widespread DKIM
> refusals. I have not used altermime.
>
> Be aware that exim filter wants line endings as \n not as \r\n
>
> I suggest wrapping the filter in a script and have the script save
> before and after versions of the filtered email (eg: use tee),
> and then check those for basic validity, especially line endings.
>
Dear Jasen,

The altermime filter does the job well with Exim, as long as I do not
use DKIM. So I do not think the issue is there.

Could you please also test sending a mail to mail-tester.com ?




Re: disclaimer + DKIM does not work (reopened)
On Tue, 24 Oct 2023, brunoc68 via Exim-users wrote:

> On 24/10/2023 at 05:30, Jasen Betts via Exim-users wrote:
>> On 2023-10-19, brunoc68 via Exim-users <exim-users@lists.exim.org> wrote:
>>> Dear all,
>>>
>>> In my organization I must configure Exim to add a disclaimer for every
>>> outgoing email, both text and html.
>>>
>>> Please do not argue that this should not be done blablabla... I have to
>>> do this for administrative reasons, too long to explain and off topic.
>> I am doing something similar, and am not seeing widespread DKIM
>> refusals.  I have not used altermime.
>>
>> Be aware that exim filter wants line endings as \n not as \r\n
>>
>> I suggest wrapping the filter in a script and have the script save
>> before and after versions of the filtered email (eg: use tee),
>> and then check those for basic validity, especially line endings.
>>
> Dear Jasen,
>
> The altermime filter does the job well with Exim, as long as I do not use
> DKIM. So I do not think the issue is there.

I see that you have set dmarc to do 'strict' checking; if you changed
to relaxed checking with
adkim=r
the line endings that Jasen mentioned would be ignored:

# host -t txt _dmarc.abcreseau.com
_dmarc.abcreseau.com descriptive text
"v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:postmaster@abcreseau.com "

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: disclaimer + DKIM does not work (reopened)
Please ignore my previous message.
I was thinking of a different sort of alignment.

On Tue, 24 Oct 2023, Andrew C Aitchison wrote:

> On Tue, 24 Oct 2023, brunoc68 via Exim-users wrote:
>
>> On 24/10/2023 at 05:30, Jasen Betts via Exim-users wrote:
>>> Be aware that exim filter wants line endings as \n not as \r\n
>>>
>>> I suggest wrapping the filter in a script and have the script save
>>> before and after versions of the filtered email (eg: use tee),
>>> and then check those for basic validity, especially line endings.
>>>
>> Dear Jasen,
>>
>> The altermime filter does the job well with Exim, as long as I do not use
>> DKIM. So I do not think the issue is there.
>
> I see that you have set dmarc to do 'strict' checking; if you changed
> to relaxed checking with
> adkim=r
> the line endings that Jasen mentioned would be ignored:
>
> # host -t txt _dmarc.abcreseau.com
> _dmarc.abcreseau.com descriptive text
> "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:postmaster@abcreseau.com "

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: disclaimer + DKIM does not work (reopened)
On 2023-10-24, Bruno CAPELETO via Exim-users <exim-users@lists.exim.org> wrote:
> On 24/10/2023 at 05:30, Jasen Betts via Exim-users wrote:
>> On 2023-10-19, brunoc68 via Exim-users <exim-users@lists.exim.org> wrote:
>>> Dear all,
>>>
>>> In my organization I must configure Exim to add a disclaimer for every
>>> outgoing email, both text and html.
>>>
>>> Please do not argue that this should not be done blablabla... I have to
>>> do this for administrative reasons, too long to explain and off topic.
>> I am doing something similar, and am not seeing widespread DKIM
>> refusals. I have not used altermime.
>>
>> Be aware that exim filter wants line endings as \n not as \r\n
>>
>> I suggest wrapping the filter in a script and have the script save
>> before and after versions of the filtered email (eg: use tee),
>> and then check those for basic validity, especially line endings.
>>
> Dear Jasen,
>
> The altermime filter does the job well with Exim, as long as I do not
> use DKIM. So I do not think the issue is there.

Just because something appears to work doesn't mean that it actually
worked.

And yet DKIM works fine without altermime.

Perhaps it is in my mind due to a recent bug report that exim is
sensitive to mixing different line endings in a single email, but I
also remember having to do things with line endings to get python
"email" to handle the stream from Exim and for Exim to handle the
stream back from python "email".

> Could you please also test sending a mail to mail-tester.com ?

My filter-modified email passed DKIM on mail-tester.com so I can
confirm that mail-tester.com appears to me to be functioning correctly.

--
Jasen.

Re: disclaimer + DKIM does not work (reopened)
On 25/10/2023 at 05:44, Jasen Betts via Exim-users wrote:
> On 2023-10-24, Bruno CAPELETO via Exim-users<exim-users@lists.exim.org> wrote:
>> Dear Jasen,
>>
>> The altermime filter does the job well with Exim, as long as I do not
>> use DKIM. So I do not think the issue is there.
> Just because something appears to work doesn't mean that it actually
> worked.
>
> And yet DKIM works fine without altermime.
>
> Perhaps it is in my mind due to a recent bug report that exim is
> sensitive to mixing different line endings in a single email, but I
> also remember having to do things with line endings to get python
> "email" to handle the stream from Exim and for Exim to handle the
> stream back from python "email".
>
>> Could you please also test sending a mail to mail-tester.com ?
> My filter-modified email passed DKIM on mail-tester.com so I can
> confirm that mail-tester.com appears to me to be functioning correctly.
>
>
Dear all,

This issue is not solved for me, and I do not see where to look further.
So I need help.

I do use the altermime filter. As far as Jeremy said, the filter is
processed first, then the message is signed.

So how could the filter be the issue to a wrong signature ?

Looking at the description of the transport option "size_addition", I
understand that the size of the message is sent by smtp before the
message is processed by the filter.

I am not sure about my understanding of this option. Could that be a
possible source of the error I obtain ?



Re: disclaimer + DKIM does not work (reopened)
On 30/10/2023 09:42, brunoc68 via Exim-users wrote:
> Looking at the description of the transport option "size_addition", I understand that the size of the message is sent by smtp before the message is processed by the filter.
>
> I am not sure about my understanding of this option. Could that be a possible source of the error I obtain ?

Marginally possible. It would require that the receiving system uses the SIZE
passed with the MAIL TO for its dkim verification but *not* for its actual
reception of the message. Pretty unlikely, but you could test by setting
the option to -1 (which would mean it couldn't possibly do that).
--
Cheers,
Jeremy


Re: disclaimer + DKIM does not work (reopened)
On 30/10/2023 at 11:09, Jeremy Harris via Exim-users wrote:
> On 30/10/2023 09:42, brunoc68 via Exim-users wrote:
>> Looking at the description of the transport option "size_addition", I
>> understand that the size of the message is sent by smtp before the
>> message is processed by the filter.
>>
>> I am not sure about my understanding of this option. Could that be a
>> possible source of the error I obtain ?
>
> Marginally possible. It would require that the receiving system uses the
> SIZE passed with the MAIL TO for its dkim verification but *not* for its
> actual reception of the message. Pretty unlikely, but you could test by
> setting the option to -1 (which would mean it couldn't possibly do that).


I checked several configurations of the "size_addition" option and it
does not work.

I also sent an email to another of my servers running both Exim and
spamassassin as well.
I got the following, clearly telling DKIM_INVALID :

------------------------------------------------------------------------------------
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ciarem.fr;
s=dkim; h=Content-Type:Message-ID:Subject:Date:MIME-Version:To:From:Sender:
Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
List-Post:List-Owner:List-Archive;
bh=KqNN2YxYpsbEJ+qOKn2J3M0huRA1QxmBanUfyMElrc0=; b=LypOiBYcyrZvGx6xEIsFbc4/L8
Hu1UMcQH/SXtR4R6fRYqbx7yPMOzXsN83LVsiIFTNF+LUdFJrEwIFxOF/Kz30CB86x96BMZwsHy7s
JxlHdFBdnmD7rgc21vLV/dmavvgHQaPnAw2TCCxpv84qvOivKn0CfBaWyRXXkRBXxVzVuW658QMjQ
OjR9rLZ1Z4wToQ9tm43S08rLZivFGiWp5Rtz8HGeydmmmWAolYEsvJmJwCFdMeR3DWxXtdp7xjSmL
/d1Ot6IgZUJef9vfxcJTG8PoPJvxO09Jche5xn4zQjjcw51xqO4w6ut4zILH/qW/tyGxo9VnH9ov3
Bv0slp7A==;

X-Spam-Status: No, score=3.3 required=5.0 tests=*DKIM_INVALID*,DKIM_SIGNED,
HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_QP_LONG_LINE,RDNS_NONE,SPF_HELO_PASS,
SPF_PASS,T_REMOTE_IMAGE,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED,
URIBL_DBL_BLOCKED_OPENDNS autolearn=disabled version=3.4.0

------------------------------------------------------------------------------------

Jeremy, you told me what I sent to your private email was ok, but on my
side I can not reproduce any recipient (mail-tester.com, gmail.com,
another of my servers) where the DKIM signature is valid...

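
A receiver-side check for the failure discussed in this thread, as an added example (not code from any poster or from Exim): it recomputes the relaxed body hash of a received message and compares it with the bh= tag, which shows whether the body changed after signing. It handles only a=rsa-sha256 with relaxed body canonicalization, as in the signature quoted above, and does not verify b=; the sample message, example.org, the selector and all function names are constructed for illustration.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4 relaxed body: collapse WSP runs, strip line ends, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, length=None) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in bh=."""
    canon = relaxed_body(body)
    if length is not None:                   # honour l= if the signer set it
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, whitespace removed."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def check_body(raw: bytes) -> dict:
    """Compare bh= of the first DKIM-Signature with the body as received."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("latin-1")
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            tags = parse_tags(value)
            break
    else:
        raise ValueError("no DKIM-Signature header")
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "relaxed":
        raise ValueError("only a=rsa-sha256 with relaxed body is handled")
    computed = body_hash(body, int(tags["l"]) if "l" in tags else None)
    # bare_lf counts LFs without a CR, a hint that a filter rewrote line endings.
    return {"claimed": tags["bh"], "computed": computed, "match": tags["bh"] == computed,
            "bare_lf": len(re.findall(rb"(?<!\r)\n", body))}

def build_sample(signed_body: bytes, sent_body: bytes) -> bytes:
    """Constructed message: bh= covers signed_body, the wire carries sent_body."""
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
           " s=sel; h=From:Subject; bh=%s; b=PLACEHOLDER\r\n" % body_hash(signed_body))
    return sig.encode() + b"From: a@example.org\r\nSubject: t\r\n\r\n" + sent_body

if __name__ == "__main__":
    signed = b"Hello world\r\n"
    print(check_body(build_sample(signed, signed + b"-- \r\nDisclaimer\r\n")))
```

A bh= mismatch on the received copy means the body differs from what was hashed at signing time; a bh= match with a still-invalid signature points at the signed headers instead.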