Local DKIM signing
Hi all,

I know my request is usually not necessary, since a local MTA trusts itself, but I need to DKIM-sign messages that come from a local domain to a local domain.

My remote and local transports look like this and are working:

remote_smtp_dkim:
  driver = smtp
  dkim_canon = relaxed
  dkim_domain = fixed.dom
  dkim_private_key = /etc/exim4/dkim/fixed.dom-private.pem
  dkim_selector = key2023

local_delivery:
  driver = appendfile
  group = mail
  mode = 0660
  mode_fail_narrower = false
  envelope_to_add = true
  return_path_add = true
  directory = ${home}/Maildir
  maildir_format = true

How can I change the local_delivery to sign a mail? Simply copying the dkim_ options from remote to local tells me "option dkim_* unknown". I guess signing is not defined in local-delivery situations? But what can I do?

Hardy

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Local DKIM signing
On 12/24/23 13:09, Hardy via Exim-users wrote:
> How can I change the local_delivery to sign a mail? Simply copying the dkim_ options from remote to local tells me "option dkim_* unknown". I guess signing is not defined in local-delivery situations? But what can I do?

You'd have to first smtp-deliver these local-dest mails to yourself.

Use a manualroute router to pick them out of the flow first time round,
and send to 127.0.0.1
This could be done, for example, by selecting ones lacking a dkim signature
but with a local source.

--
Cheers,
Jeremy

Re: Local DKIM signing
On 24.12.23 at 14:50, Jeremy Harris via Exim-users wrote:
> You'd have to first smtp-deliver these local-dest mails to yourself.
>
> Use a manualroute router to pick them out of the flow first time round,
> and send to 127.0.0.1
> This could be done, for example, by selecting ones lacking a dkim signature
> but with a local source.

Thanks Jeremy, this looks simple enough, but I don't know how to do this last bit. How can I check in a router whether the message is signed already? dkim_status is defined in ACLs only. Without switching out I will create a loop.

Hardy
Re: Local DKIM signing
On 12/25/23 10:00, Hardy via Exim-users wrote:
> I don't know how to do this last bit. How can I check in a router whether the message is signed already?

Write a condition that looks for the dkim signature *header*.

--
Cheers,
Jeremy

Re: Local DKIM signing
On 24.12.23 at 14:50, Jeremy Harris via Exim-users wrote:

> You'd have to first smtp-deliver these local-dest mails to yourself.
>
> Use a manualroute router to pick them out of the flow first time round,
> and send to 127.0.0.1
> This could be done, for example, by selecting ones lacking a dkim signature
> but with a local source.
>

localuser_dkim:
  driver = manualroute
  domains = +local_dkim_domains
  condition = "${if def:header_DKIM-Signature: {no}{yes}}"
  headers_add = X-DKIM-debug: seen by localuser_dkim
  transport = remote_smtp_dkim
  route_list = * 127.0.0.1

I have this router now, but when triggered it throws me a temporary error "remote host address is the local host", which is the whole idea: to force a DKIM signature onto the mail. I guess the local-host issue is a protection against looping, but in this case it is wanted, and I have taken care that it takes a single round only. How can I convince/force Exim to allow this?
Re: Local DKIM signing
On 12/26/23 11:58, Hardy via Exim-users wrote:
> I have this router now, but when triggered it throws me a temporary error "remote host address is the local host", which is the whole idea: to force a DKIM signature onto the mail. I guess the local-host issue is a protection against looping, but in this case it is wanted, and I have taken care that it takes a single round only. How can I convince/force Exim to allow this?

"allow_localhost" on the transport.

Exim docs are at https://exim.org/exim-html-current/doc/html/spec_html/index.html
--
Cheers,
Jeremy

Re: Local DKIM signing
On 26.12.23 at 14:24, Jeremy Harris via Exim-users wrote:
> On 12/26/23 11:58, Hardy via Exim-users wrote:
> "allow_localhost" on the transport.

remote_smtp_dkim:
  driver = smtp
  allow_localhost = true
  dkim_canon = relaxed
  dkim_domain = ${lc:${domain:$h_from:}}
  dkim_private_key = /etc/exim4/dkim/private.pem
  dkim_selector = key2023

Same results as without allow_localhost.
This transport works when called e.g. from the dnslookup router. Called from my router that catches +local-dkim-doms (a subset of local_domains; I took care of the correct order of routers) to force it through this transport with "route_list = localhost", it still complains "remote host address is the local host", though this should be allowed now.
I tried to call it from the route_list with all variations (127.0.0.1, localhost, public IP), with the same results.
As far as I can see, I did everything according to
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_manualroute_router.html
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html

A difference I noted with exim -bt: with an address that SHOULD trigger my dkim_signing router, it complains directly without telling me in which router/transport it failed.
More hints?
Re: Local DKIM signing
On 12/27/23 09:42, Hardy via Exim-users wrote:
> A difference I noted with exim -bt: with an address that SHOULD trigger my dkim_signing router, it complains directly without telling me in which router/transport it failed.
> More hints?

Repeat that, adding a "-d+all"
--
Cheers,
Jeremy

Re: Local DKIM signing
> Repeat that, adding a "-d+all"

Thanks again Jeremy, I appreciate your help.

I put example.com into "local_dkim_domains" for testing.
It selects the correct router and transport. It seems just to ignore "allow_localhost".


15:20:43 1123141 Exim version 4.95 uid=0 gid=0 pid=1123141 D=fff9ffff
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS TLS_resume move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR PROXY Experimental_Queue_Ramp SOCKS SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot external plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [11.4.0]
Library version: Glibc: Compile: 2.35
Runtime: 2.35
Library version: BDB: Compile: Berkeley DB 5.3.28: (September 9, 2013)
Runtime: Berkeley DB 5.3.28: (September 9, 2013)
Library version: GnuTLS: Compile: 3.7.3
Runtime: 3.7.3
Library version: IDN2: Compile: 2.3.2
Runtime: 2.3.2
Library version: Stringprep: Compile: 1.38
Runtime: 1.38
Library version: Cyrus SASL: Compile: 2.1.27
Runtime: 2.1.27 [Cyrus SASL]
Library version: PCRE: Compile: 8.39
Runtime: 8.39 2016-06-14
15:20:43 1123141 Total 20 lookups
Library version: MySQL: Compile: 80035 8.0.35 [mysqld-8.0]
Runtime: 80035 8.0.35
Library version: SQLite: Compile: 3.37.2
Runtime: 3.37.2
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
15:20:43 1123141 changed uid/gid: forcing real = effective
15:20:43 1123141 uid=0 gid=0 pid=1123141
15:20:43 1123141 auxiliary group list: <none>
15:20:43 1123141 seeking password data for user "root": cache not available
15:20:43 1123141 getpwnam() succeeded uid=0 gid=0
15:20:43 1123141 SHELL in keep_environment? no (end of list)
15:20:43 1123141 LESS in keep_environment? no (end of list)
15:20:43 1123141 EDITOR in keep_environment? no (end of list)
15:20:43 1123141 PWD in keep_environment? no (end of list)
15:20:43 1123141 LOGNAME in keep_environment? no (end of list)
15:20:43 1123141 HOME in keep_environment? no (end of list)
15:20:43 1123141 LANG in keep_environment? no (end of list)
15:20:43 1123141 TERM in keep_environment? no (end of list)
15:20:43 1123141 USER in keep_environment? no (end of list)
15:20:43 1123141 SHLVL in keep_environment? no (end of list)
15:20:43 1123141 TMOUT in keep_environment? no (end of list)
15:20:43 1123141 XDG_DATA_DIRS in keep_environment? no (end of list)
15:20:43 1123141 PATH in keep_environment? no (end of list)
15:20:43 1123141 MAIL in keep_environment? no (end of list)
15:20:43 1123141 _ in keep_environment? no (end of list)
15:20:43 1123141 OLDPWD in keep_environment? no (end of list)
15:20:43 1123141 adding PATH=/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/sbin:/bin
15:20:43 1123141 configuration file is /var/lib/exim4/config.autogenerated
15:20:43 1123141 log selectors = 00000ffc 64205022 0000001c
15:20:43 1123141 trusted user
15:20:43 1123141 admin user
15:20:43 1123141 dropping to exim gid; retaining priv uid
15:20:43 1123141 seeking password data for user "Debian-exim": cache not available
15:20:43 1123141 getpwnam() succeeded uid=113 gid=122
15:20:43 1123141 originator: uid=0 gid=0 login=root name=root ovhnew
15:20:43 1123141 sender address = root@smtp.mailfass.de
15:20:43 1123141 Address testing: uid=0 gid=122 euid=0 egid=122
15:20:43 1123141 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
15:20:43 1123141 Testing hsteffin@example.com
15:20:43 1123141 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
15:20:43 1123141 Considering hsteffin@example.com
15:20:43 1123141 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
15:20:43 1123141 routing hsteffin@example.com
15:20:43 1123141 --------> localuser_dkim router <--------
15:20:43 1123141 local_part=hsteffin domain=example.com
15:20:43 1123141 checking domains
15:20:43 1123141 example.com in "example.com"? yes (matched "example.com")
15:20:43 1123141 data from lookup saved for cache for +local_dkim_domains: key 'example.com' value 'example.com'
15:20:43 1123141 example.com in "+local_dkim_domains"? yes (matched "+local_dkim_domains")
15:20:43 1123141 checking "condition" "${if def:header_DKIM-Signature: {no}{yes}}"...
15:20:43 1123141 ╭considering: ${if def:header_DKIM-Signature: {no}{yes}}
15:20:43 1123141 ├──condition: def:header_DKIM-Signature:
15:20:43 1123141 ├─────result: false
15:20:43 1123141 ├───scanning: no}{yes}}
15:20:43 1123141 ├──expanding: no
15:20:43 1123141 ├─────result: no
15:20:43 1123141 ├───skipping: result is not used
15:20:43 1123141 ╭considering: yes}}
15:20:43 1123141 ├──expanding: yes
15:20:43 1123141 ├─────result: yes
15:20:43 1123141 ╰──expanding: ${if def:header_DKIM-Signature: {no}{yes}}
15:20:43 1123141 ╰─────result: yes
15:20:43 1123141 calling localuser_dkim router
15:20:43 1123141 localuser_dkim router called for hsteffin@example.com
15:20:43 1123141 domain = example.com
15:20:43 1123141 route_item = * 127.0.0.1
15:20:43 1123141 example.com in "*"? yes (matched "*")
15:20:43 1123141 original list of hosts = '127.0.0.1' options = ''
15:20:43 1123141 expanded list of hosts = '127.0.0.1' options = ''
15:20:43 1123141 set transport remote_smtp_dkim
15:20:43 1123141 finding IP address for 127.0.0.1
15:20:43 1123141 calling host_find_byname
15:20:43 1123141 gethostbyname2(af=inet6) returned 1 (HOST_NOT_FOUND)
15:20:43 1123141 Actual local interface address is 127.0.0.1 (lo)
15:20:43 1123141 Actual local interface address is 148.113.174.32 (ens3)
15:20:43 1123141 Actual local interface address is ::1 (lo)
15:20:43 1123141 Actual local interface address is fe80::f816:3eff:fe1c:416d (ens3)
15:20:43 1123141 Actual local interface address is fe80::f816:3eff:fe1c:416d (ens3)
15:20:43 1123141 Actual local interface address is ::1 (lo)
15:20:43 1123141 local host found for non-MX address
15:20:43 1123141 fully qualified name = 127.0.0.1
15:20:43 1123141 gethostbyname2 looked up these IP addresses:
15:20:43 1123141 name=127.0.0.1 address=127.0.0.1
15:20:43 1123141 LOG: MAIN
15:20:43 1123141 remote host address is the local host: example.com (while routing <hsteffin@example.com>)
15:20:43 1123141 localuser_dkim router: defer for hsteffin@example.com
15:20:43 1123141 message: remote host address is the local host
hsteffin@example.com cannot be resolved at this time: remote host address is the local host
15:20:43 1123141 search_tidyup called
15:20:43 1123141 >>>>>>>>>>>>>>>> Exim pid=1123141 (fresh-exec) terminating with rc=1 >>>>>>>>>>>>>>>>
Re: Local DKIM signing
On 12/27/23 14:28, Hardy via Exim-users wrote:
> It selects the correct router and transport. It seems just to ignore "allow_localhost".

self = send on that router

--
Cheers,
Jeremy

Re: Local DKIM signing
On 27 December 2023 at 14:28:23 UTC, Hardy via Exim-users <exim-users@lists.exim.org> wrote:

> I put example.com into "local_dkim_domains" for testing.
> It selects the correct router and transport. It seems just to ignore "allow_localhost".

Isn't allow_localhost a transport option?

regards


--
Slavko
https://www.slavino.sk/

Re: Local DKIM signing
On 27.12.23 at 15:47, Slavko via Exim-users wrote:
>> It selects the correct router and transport. It seems just to ignore "allow_localhost".
>
> Isn't allow_localhost a transport option?

That's where I have it:

remote_smtp_dkim:
  driver = smtp
  allow_localhost = true
  ...
  [ dkim options ]

Hardy

Re: Local DKIM signing
On 27.12.23 at 15:41, Jeremy Harris via Exim-users wrote:
> self = send on that router

self = send
in the router does the trick.
Thanks Jeremy for bearing with my ignorance, but people who are not full-time Exim mechanics fail to find such damn special options. (Okay, granted, I had quite a special requirement. People interested in the context need to trace back to the beginning of this thread.)

I'm happy. Everybody have a good start into 2024.

Hardy
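Putting the pieces of this thread together: the detour only works when both the router and the transport are told that talking to the local host is intended, and the router needs a guard so the message takes the loop exactly once. Below is a complete router/transport pair in that shape. It is an added example, not configuration posted by Hardy or shipped by Exim; the list name +local_dkim_domains, the selector key2023 and the key path /etc/exim4/dkim/ are taken from the thread, while the local-source check, the per-domain key lookup and the "0 disables signing" fallback are additions of this example.

```exim
# ---- routers section ----------------------------------------------------
# Must come BEFORE the regular local-delivery routers (localuser, dovecot,
# ...) so that it wins on the first pass through the routers.
localuser_dkim:
  driver = manualroute
  domains = +local_dkim_domains
  # Loop guard: only messages that carry no DKIM-Signature header yet.
  # On the second pass (the message comes back in over 127.0.0.1 already
  # signed) the header is present, this router is skipped, and the normal
  # local router delivers to the Maildir.
  # Second clause (assumption of this example): restrict the detour to
  # mail with a local source, i.e. submitted via the command line (no
  # sender host) or by an authenticated client, so that inbound mail
  # from elsewhere is never signed with your key.
  condition = ${if and {{!def:h_DKIM-Signature:} \
                        {or {{eq{$sender_host_address}{}} \
                             {def:authenticated_id}}}}}
  route_list = * 127.0.0.1
  # Without this, manualroute defers with "remote host address is the
  # local host" as soon as it notices 127.0.0.1 is one of its own
  # interfaces; "send" tells it to hand the address to the transport anyway.
  self = send
  transport = remote_smtp_dkim

# ---- transports section -------------------------------------------------
remote_smtp_dkim:
  driver = smtp
  # Needed in addition to "self = send": the smtp transport has its own
  # refusal to connect to the local host.
  allow_localhost = true
  dkim_canon = relaxed
  dkim_selector = key2023
  # Sign with the domain of the From: header (as in the thread).
  dkim_domain = ${lc:${domain:$h_from:}}
  # Assumption of this example: one key file per domain. If no key exists
  # for the From: domain, the expansion yields "0", which disables signing
  # for this delivery rather than deferring on a missing file.
  dkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}-private.pem} \
                       {/etc/exim4/dkim/${dkim_domain}-private.pem}{0}}
```

Two checks before relying on it: `exim -bt -d+all someone@fixed.dom` should show the localuser_dkim router setting transport remote_smtp_dkim and no longer logging "remote host address is the local host", and a test message delivered to the Maildir should carry one DKIM-Signature header plus two Received: lines (one from the original submission, one from the 127.0.0.1 hop). Because the second pass re-enters your ACLs, a DKIM verification ACL on that pass will also verify your own signature, which is a convenient way to confirm the key and selector are correct.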