Verification of DKIM signatures in SMTP incoming email is done for all
messages for which an ACL control &%dkim_disable_verify%& has not been set.
+
.cindex DKIM "selecting signature algorithms"
-Individual classes of signature algorithm can be ignored by changing
+Individual classes of DKIM signature algorithm can be ignored by changing
the main options &%dkim_verify_hashes%& or &%dkim_verify_keytypes%&.
The &%dkim_verify_minimal%& option can be set to cease verification
processing for a message once the first passing signature is found.
of this section can be ignored.
The results of verification are made available to the
-&%acl_smtp_dkim%& ACL, which can examine and modify them.
+&%acl_smtp_dkim%& ACL, which (for complex needs) can examine and modify them.
A missing ACL definition defaults to accept.
By default, the ACL is called once for each
syntactically(!) correct signature in the incoming message.
&%dkim_verify_signers%& (see above).
.vitem &%$dkim_verify_status%&
+So long as a DKIM ACL is defined
+(it need do no more than accept, which is the default),
+after all the DKIM ACL runs have completed, the value becomes a
+colon-separated list of the values after each run.
+The value is maintained for the MIME, PRDR and DATA ACLs.
+
Within the DKIM ACL,
a string describing the general status of the signature. One of
.ilist
set dkim_verify_reason = hash too weak or key too short
.endd
-So long as a DKIM ACL is defined (it need do no more than accept),
-after all the DKIM ACL runs have completed, the value becomes a
-colon-separated list of the values after each run.
-This is maintained for the mime, prdr and data ACLs.
-
.vitem &%$dkim_verify_reason%&
A string giving a little bit more detail when &%$dkim_verify_status%& is either
"fail" or "invalid". One of
.endlist
-In addition, two ACL conditions are provided, usable only in a DKIM ACL:
+In addition, two ACL conditions are provided:
.vlist
.vitem &%dkim_signers%&
ACL condition that checks a colon-separated list of domains or identities
for a match against the domain or identity that the ACL is currently verifying
-(reflected by &%$dkim_cur_signer%&). This is typically used to restrict an ACL
+(reflected by &%$dkim_cur_signer%&).
+This condition is only usable in a DKIM ACL.
+This is typically used to restrict an ACL
verb to a group of domains or identities. For example:
.code
.vitem &%dkim_status%&
ACL condition that checks a colon-separated list of possible DKIM verification
-results against the actual result of verification. This is typically used
+results against the actual result of verification,
+given by &$dkim_verify_status$& if that is non-empty or "none" if empty.
+.new
+This condition may be used in DKIM, MIME, PRDR and DATA ACLs.
+.wen
+
+A basic verification might be:
+.code
+deny !dkim_status = pass:none:invalid
+.endd
+
+A more complex use could be
to restrict an ACL verb to a list of verification outcomes, for example:
.code
The possible status keywords are: 'none','invalid','fail' and 'pass'. Please
see the documentation of the &%$dkim_verify_status%& expansion variable above
for more information of what they mean.
+
+The condition is true if the status
+.new
+(or any of the list of status values)
+.wen
+is any one of the supplied list.
.endlist
JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
and ${tr...}. Found and diagnosed by Heiko Schlichting.
+JH/40 Support list of dkim results in the dkim_status ACL condition, making
+ it more usable in the data ACL.
+
Exim version 4.96
-----------------
test from the snapshots or the Git before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
+Since 4.97
+------------
+ 1. The dkim_status ACL condition may not be used in data ACLs
+
Version 4.97
------------
[ACLC_DELAY] = { US"delay", TRUE, TRUE, ACL_BIT_NOTQUIT },
#ifndef DISABLE_DKIM
[ACLC_DKIM_SIGNER] = { US"dkim_signers", TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
- [ACLC_DKIM_STATUS] = { US"dkim_status", TRUE, FALSE, (unsigned int) ~ACL_BIT_DKIM },
+ [ACLC_DKIM_STATUS] = { US"dkim_status", TRUE, FALSE,
+ (unsigned int)
+ ~(ACL_BIT_DKIM | ACL_BIT_DATA | ACL_BIT_MIME
+# ifndef DISABLE_PRDR
+ | ACL_BIT_PRDR
+# endif
+ ),
+ },
#endif
#ifdef SUPPORT_DMARC
[ACLC_DMARC_STATUS] = { US"dmarc_status", TRUE, FALSE, (unsigned int) ~ACL_BIT_DATA },
break;
case ACLC_DKIM_STATUS:
- rc = match_isinlist(dkim_verify_status,
- &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
+ { /* return good for any match */
+ const uschar * s = dkim_verify_status ? dkim_verify_status : US"none";
+ int sep = 0;
+ for (uschar * ss; ss = string_nextinlist(&s, &sep, NULL, 0); )
+ if ( (rc = match_isinlist(ss, &arg,
+ 0, NULL, NULL, MCL_STRING, TRUE, NULL))
+ == OK) break;
+ }
break;
#endif
if (*dkim_verify_min_keysizes)
{
unsigned minbits;
- uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype],
+ const uschar * ss = expand_getkeyed(US pdkim_keytypes[sig->keytype],
dkim_verify_min_keysizes);
- if (ss && (minbits = atoi(CS ss)) > sig->keybits)
+ if (ss && (minbits = atoi(CCS ss)) > sig->keybits)
{
DEBUG(D_acl) debug_printf("Key too short: Actual: %s %u Minima '%s'\n",
pdkim_keytypes[sig->keytype], sig->keybits, dkim_verify_min_keysizes);
.endif
check_data:
- accept logwrite = ${authresults {$primary_hostname}}
+ warn logwrite = ${authresults {$primary_hostname}}
+ accept dkim_status = pass
+ logwrite = dkim_status includes pass
+ accept logwrite = dkim_state DOES NOT include pass
# End
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 512
1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=ses header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 512
1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=ses_sha1 c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=ses_sha1 header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbB-000000005vi-0000 NOTE: forcing dkim verify fail (was pass)
1999-03-02 09:44:33 10HmbB-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmbB-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [fail - hash too weak]
1999-03-02 09:44:33 10HmbB-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=policy (fail - hash too weak) header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbB-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbC-000000005vi-0000 signer: test.ex bits: 512
1999-03-02 09:44:33 10HmbC-000000005vi-0000 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification failed - signature invalid (key too short)]
1999-03-02 09:44:33 10HmbC-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (public key too short: 512 bits)\n header.d=test.ex header.s=ses header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbC-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 signer: test.ex bits: 512
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification failed - signature invalid (key too short)]
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha256;\n dkim=fail (public key too short: 512 bits)\n header.d=test.ex header.s=ses header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 dkim_status includes pass
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= pass@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (body hash mismatch; body probably modified in transit)\n header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= fail@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=564CFC9B.1040905@yahoo.com
1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex
1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sel_bad [failed key import]
1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha1 b=1024 [invalid - syntax error in public key record]
1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=neutral (public key record import problem)\n header.d=test.ex header.s=sel_bad header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=564CFC9B.1040905@yahoo.com
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha512
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 1024
1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha512
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid]
1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=neutral (signature tag missing or invalid)\n header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (body hash mismatch; body probably modified in transit)\n header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (body hash mismatch; body probably modified in transit)\n header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 10HmbB-000000005vi-0000 DKIM: validation error: LONG_LINE
1999-03-02 09:44:33 10HmbB-000000005vi-0000 DKIM: Error during validation, disabling signature verification: LONG_LINE
1999-03-02 09:44:33 10HmbB-000000005vi-0000 Authentication-Results: myhost.test.ex
+1999-03-02 09:44:33 10HmbB-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 10HmbC-000000005vi-0000 signer: test.ex bits: 512
1999-03-02 09:44:33 10HmbC-000000005vi-0000 DKIM: d=test.ex s=ses_sha256 c=simple/simple a=rsa-sha1 b=512 [verification failed - unspecified reason]
1999-03-02 09:44:33 10HmbC-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (unspecified reason)\n header.d=test.ex header.s=ses_sha256 header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbC-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbC-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 DKIM: validation error: EXCESS_SIGS
1999-03-02 09:44:33 10HmbD-000000005vi-0000 DKIM: Error during validation, disabling signature verification: EXCESS_SIGS
1999-03-02 09:44:33 10HmbD-000000005vi-0000 Authentication-Results: myhost.test.ex
+1999-03-02 09:44:33 10HmbD-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbD-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=20180418125440.Horde.vVKB6E7UvpLfJsPzv2ZPs6z@webmail.sego.es
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbE-000000005vi-0000 unknown
1999-03-02 09:44:33 10HmbE-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmbE-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid]
1999-03-02 09:44:33 10HmbE-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=neutral (signature tag missing or invalid)\n header.d=test.ex header.s=sel header.a=rsa-sha1
+1999-03-02 09:44:33 10HmbE-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbE-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 0
1999-03-02 09:44:33 10HmaX-000000005vi-0000 signer: test.ex bits: 253
1999-03-02 09:44:33 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sed c=relaxed/relaxed a=ed25519-sha256 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sed header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaY-000000005vi-0000 signer: test.ex bits: 253
1999-03-02 09:44:33 10HmaY-000000005vi-0000 DKIM: d=test.ex s=sedw c=relaxed/relaxed a=ed25519-sha256 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmaY-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sedw header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmaY-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaY-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: kitterman.org bits: 253
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=kitterman.org s=ed25519 c=relaxed/simple a=ed25519-sha256 b=512 i=@kitterman.org t=1517847601 [verification succeeded]
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 signer: @kitterman.org bits: 253
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 DKIM: d=kitterman.org s=ed25519 c=relaxed/simple a=ed25519-sha256 b=512 i=@kitterman.org t=1517847601 [verification succeeded]
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=kitterman.org header.i=@kitterman.org header.s=ed25519 header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmaZ-000000005vi-0000 dkim_status includes pass
1999-03-02 09:44:33 10HmaZ-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=kitterman.org id=example@example.com
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbA-000000005vi-0000 signer: test.ex bits: 253
1999-03-02 09:44:33 10HmbA-000000005vi-0000 DKIM: d=test.ex s=sed c=relaxed/relaxed a=ed25519-sha256 b=512 [verification failed - signature invalid (key too short)]
1999-03-02 09:44:33 10HmbA-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=fail (public key too short: 253 bits)\n header.d=test.ex header.s=sed header.a=ed25519-sha256
+1999-03-02 09:44:33 10HmbA-000000005vi-0000 dkim_state DOES NOT include pass
1999-03-02 09:44:33 10HmbA-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
exim -DSERVER=server -DMSIZE='rsa=512 ed25519=250' -bd -oX PORT_D
****
#
+# (A)
# This should pass.
# - sha1, 1024b
# Mail original in aux-fixed/4500.msg1.txt
??? 221
****
#
+# (B)
# This should pass.
# - sha1, 512b
# Mail original in aux-fixed/4500.msg1.txt
??? 221
****
#
+# (C)
# This should pass.
# - sha256, 1024b
# Mail original in aux-fixed/4500.msg1.txt
****
#
#
+# (D)
# This should pass. The pubkey dns decord has a additional sha1-only h= field
#
# - sha1, 512b
exim -DSERVER=server -DOPTION -DMSIZE='rsa=512 ed25519c=32' -bd -oX PORT_D
****
#
+# (E)
# This should fail despite being a passing submission above (with the unlimited verifier).
# - sha1, 1024b
# Mail original in aux-fixed/4500.msg1.txt
#
#
#
+# (F)
# With the default keysize minima, a 512b key should fail
exim -DSERVER=server -bd -oX PORT_D
****
Message-ID: <qwerty1234@disco-zombie.net>
Subject: simple test
+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+#
+#
+# (G)
+# Two signature, one pass one fail. Checking for "at least one pass".
+# Sigs from (F) and (C) above
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@bloggs.com>
+??? 250
+RCPT TO:<a@test.ex>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=test.ex; h=from:to
+ :date:message-id:subject; s=ses; bh=OB9dZVu7+5/ufs3TH9leIcEpXSo=; b=
+ cIErF1eueIT9AU4qG54FyT3yrlVDDM7RZnuU6fWTevZpAuMqhYcRO8tU3U4vtKWB
+ +I2vd+F1gzqCzBcRtfLhZg==
+DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=test.ex; h=from:to
+ :date:message-id:subject; s=sel; bh=3UbbJTudPxmejzh7U1Zg33U3QT+1
+ 6kfV2eOTvMeiEis=; b=xQSD/JMqz0C+xKf0A1NTkPTbkDuDdJbpBuyjjT9iYvyP
+ Zez+xl0TkoPobFGVa6EN8+ZeYV18zjifhtWYLSsNmPinUtcpKQLG1zxAKmmS0JEh
+ +qihlWbeGJ5+tK588ugUzXHPj+4JBW0H6kxHvdH0l2SlQE5xs/cdggnx5QX5USY=
+From: mrgus@text.ex
+To: bakawolf@yahoo.com
+Date: Thu, 19 Nov 2015 17:00:07 -0700
+Message-ID: <qwerty1234@disco-zombie.net>
+Subject: simple test
+
This is a simple test.
.
??? 250
>>> list element: @
>>> list element: @[]
>>> xxx in helo_lookup_domains? no (end of list)
->>> processing "accept" (TESTSUITE/test-config 47)
+>>> processing "accept" (TESTSUITE/test-config 50)
>>> accept: condition test succeeded in inline ACL
>>> end of inline ACL: ACCEPT
>>> host in ignore_fromline_hosts? no (option unset)
>>> end of ACL "check_dkim": ACCEPT
LOG: 10HmaX-000000005vi-0000 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
>>> using ACL "check_data"
->>> processing "accept" (TESTSUITE/test-config 45)
+>>> processing "warn" (TESTSUITE/test-config 45)
>>> check logwrite = ${authresults {$primary_hostname}}
>>> = Authentication-Results: myhost.test.ex;
>>> dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
LOG: 10HmaX-000000005vi-0000 Authentication-Results: myhost.test.ex;\n dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
+>>> warn: condition test succeeded in ACL "check_data"
+>>> processing "accept" (TESTSUITE/test-config 46)
+>>> check dkim_status = pass
+>>> pass in "pass"?
+>>> list element: pass
+>>> pass in "pass"? yes (matched "pass")
+>>> check logwrite = dkim_status includes pass
+LOG: 10HmaX-000000005vi-0000 dkim_status includes pass
>>> accept: condition test succeeded in ACL "check_data"
>>> end of ACL "check_data": ACCEPT
LOG: 10HmaX-000000005vi-0000 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss DKIM=test.ex id=qwerty1234@disco-zombie.net
git://git.exim.org / exim.git / commitdiff