[exim] Re: disclaimer + DKIM does not work (reopened)
On 20/10/2023 13:19, brunoc68 via Exim-users wrote:
> On 20/10/2023 at 12:47, Jeremy Harris via Exim-users wrote:
>> On 20/10/2023 10:45, brunoc68 via Exim-users wrote:
>>> However, DKIM check fails (only) when the disclaimers are added.
>>
>> Can you get a debug run for a sample small test message?
>> Also the original and resulting (signed) messages. Feel free
>> to mail them to me, or use a pastebin.
>>
>> I guess a sample of the result of a non-signed, but altermime-filtered,
>> message would also be useful.
>
> Dear Jeremy,
>
> I will send 3 email samples from the production server to your private email address :
> 1. with disclaimer
> 2. without disclaimer but with DKIM signature
> 3. with disclaimer and DKIM signature

I received all three, and the signatures appear to be good (both as
evaluated by my MRA, and as by the built-in in Thunderbird).
--
Cheers,
  Jeremy

--
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

[exim] Re: disclaimer + DKIM does not work (reopened)
On 22/10/2023 at 13:44, Jeremy Harris via Exim-users wrote:
>> Dear Jeremy,
>>
>> I will send 3 email samples from the production server to your private email address :
>> 1. with disclaimer
>> 2. without disclaimer but with DKIM signature
>> 3. with disclaimer and DKIM signature
>
> I received all three, and the signatures appear to be good (both as
> evaluated by my MRA, and as by the built-in in Thunderbird).

Dear Jeremy,

Thank you for considering the case.
I use mail-tester.com to test my mail server configuration. I've just done it again. Cases 1 and 2 are both ok, whereas case 3 has failed, with the following details :

==
DKIM signature :
v=1;
a=rsa-sha256;
q=dns/txt;
c=relaxed/relaxed;
d=;
s=dkim;
h=Content-Type:Message-ID:Subject:Date:MIME-Version:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=63NW/yufriU/IxIXVLTm1de/Ms/WMrD4gB58AVbyOLI=;
b=CpL8lrU/F4CBeH14Z0XQiW4rJMFfxErIF+6xK7bxgDk3Fq3OsbcybzCBs94KKfJhgtrHHb9VVDu+FCY1qCqpm3DDzN+0c+9tKtVa3HR7UWB4E4bHweB2JpaKRl0JhP5drN9Alq+NJbBcViaAbleiKmB46fIZgmWYtP46EDK6rS/ug6Iyk7TRyRPqDNdpWX+kYsJHxvih7+HMJ1/rzt/FiBAndbu5TV/BvUi1Q4onU4Z7YP7TMUAKrhdN54NqS2eOCat9qu9W/pESw7xENyXkzMWGXHnqcToJBNleqNAp36ClRI946xNhl6xIa9hbX9jSi2FrkG6BYhfH3JYUrmWtew==;

Public key :
"v=DKIM1;
k=rsa;
p=MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAzv3BvHbwGsHWZjnROtaNQMhzkL6yob0e7w2Sbatu3m7uwl89KnBbZBkmoxXsMcpK+f1XF7eahWm71f1hFqMP7cwQVwdQ/268NfXBt73zMcMgMqDPrVH5ptz93j/uTlIv9LNLbQww5fyYhzqgdBID+KSTUg2ykZmhMcsKr5ippWZS5reYAlm9f8/na9iEpGuaecpTTALQ1Pswlmrxc1x36nqxu9f++l+q7bWgORGs3nPcjLLNguYgrduDqxWEyTM23BH8LYleIBZj+JEBMHwKGSos7hLmngbZhTZFiYo6igOr6S2m3O0dFdMjvPzdlv8IG2Z2bVmwPw7rpt/KorTrfAgMBAAE="

key length : 2046bits

*Your DKIM signature is not valid*
==

To be noted : spamassassin also ends up with "DKIM_INVALID"

[exim] Re: disclaimer + DKIM does not work (reopened)
On Sun, Oct 22, 2023 at 07:03:19PM +0200, brunoc68 via Exim-users wrote:
> Public key :
> "v=DKIM1;
> k=rsa;
> p=MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAzv3BvHbwGsHWZjnROtaNQMhzkL6yob0e7w2Sbatu3m7uwl89KnBbZBkmoxXsMcpK+f1XF7eahWm71f1hFqMP7cwQVwdQ/268NfXBt73zMcMgMqDPrVH5ptz93j/uTlIv9LNLbQww5fyYhzqgdBID+KSTUg2ykZmhMcsKr5ippWZS5reYAlm9f8/na9iEpGuaecpTTALQ1Pswlmrxc1x36nqxu9f++l+q7bWgORGs3nPcjLLNguYgrduDqxWEyTM23BH8LYleIBZj+JEBMHwKGSos7hLmngbZhTZFiYo6igOr6S2m3O0dFdMjvPzdlv8IG2Z2bVmwPw7rpt/KorTrfAgMBAAE="
>
> key length : 2046bits

Oh, 2046 bits, really? Not 2048?

I tried to check this record, it doesn't look like an RSA key:

% cat /tmp/key.pem
-----BEGIN PRIVATE KEY-----
MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAzv3BvHbwGsHWZjnROtaNQMhzkL6yob0e7w2Sbatu3m7uwl89KnBbZBkmoxXsMcpK+f1XF7eahWm71f1hFqMP7cwQVwdQ/268NfXBt73zMcMgMqDPrVH5ptz93j/uTlIv9LNLbQww5fyYhzqgdBID+KSTUg2ykZmhMcsKr5ippWZS5reYAlm9f8/na9iEpGuaecpTTALQ1Pswlmrxc1x36nqxu9f++l+q7bWgORGs3nPcjLLNguYgrduDqxWEyTM23BH8LYleIBZj+JEBMHwKGSos7hLmngbZhTZFiYo6igOr6S2m3O0dFdMjvPzdlv8IG2Z2bVmwPw7rpt/KorTrfAgMBAAE=
-----END PRIVATE KEY-----
% openssl rsa -in /tmp/key.pem -noout
Could not read private key from /tmp/key.pem
40B7C589407F:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:

This is something wrapped by ASN.1, but I have no idea what it is:

% openssl asn1parse -in /tmp/key.pem
    0:d=0 hl=4 l= 289 cons: SEQUENCE
    4:d=1 hl=2 l= 13 cons: SEQUENCE
    6:d=2 hl=2 l= 9 prim: OBJECT:rsaEncryption
   17:d=2 hl=2 l= 0 prim: NULL
   19:d=1 hl=4 l= 270 prim: BIT STRING

> *Your DKIM signature is not valid*
> ==
>
> To be noted : spamassassin also ends up with "DKIM_INVALID"

Did you use the same key for successful DKIM signings?
Aren't there some differences in DKIM selectors?
--
Eugene Berdnikov

[exim] List headers [Was: DKIM does not work]
On Sun, Oct 22, 2023 at 07:03:19PM +0200, brunoc68 via Exim-users wrote:

> h=Content-Type:Message-ID:Subject:Date:MIME-Version:To:From:Sender:\
> Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:\
> Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:\
> Resent-Message-ID:In-Reply-To:References:\
vvv
> List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:\
> List-Archive
^^^

I have just been alerted by a fellow subscriber to the
postgresql-general mailing list that dkim-signing with the full set of
headers as per the exim default set above is broken: the list server
appends the list related headers which were absent in my original
messages, thus making my signature invalid.

This is probably well known; maybe it should be mentioned by the docs?

Also, this probably has nothing to do with Bruno's problem, so
tweaking the subject.
--
Ian

[exim] Re: List headers [Was: DKIM does not work]
On 22/10/2023 19:48, Ian Z via Exim-users wrote:
> dkim-signing with the full set of headers as per the exim
> default set above is broken

I'll take issue with "broken".

If (and there's the question) you think that a DKIM signature
should detect when a message has been modified, do you not think
that adding headers is a modification?
--
Cheers,
  Jeremy

[exim] Re: List headers [Was: DKIM does not work]
On 22/10/2023 20:04, Jeremy Harris via Exim-users wrote:
> On 22/10/2023 19:48, Ian Z via Exim-users wrote:
>> dkim-signing with the full set of headers as per the exim
>> default set above is broken
>
> I'll take issue with "broken".
>
> If (and there's the question) you think that a DKIM signature
> should detect when a message has been modified, do you not think
> that adding headers is a modification?

Definitely not broken, just a trap for the unwary... I ran into the
same problem on the PostgreSQL lists with my personal server. Altering
the list of headers included in the signature fixed the problem.

Ray.

--
Raymond O'Donnell // Galway // Ireland
r...@rodonnell.ie

[exim] Re: disclaimer + DKIM does not work (reopened)
On Sun, Oct 22, 2023 at 09:03:19PM +0300, Evgeniy Berdnikov via Exim-users wrote:
> > p=MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAzv3BvHbwGsHWZjnROtaNQMhzkL6yob0e7w2Sbatu3m7uwl89KnBbZBkmoxXsMcpK+f1XF7eahWm71f1hFqMP7cwQVwdQ/268NfXBt73zMcMgMqDPrVH5ptz93j/uTlIv9LNLbQww5fyYhzqgdBID+KSTUg2ykZmhMcsKr5ippWZS5reYAlm9f8/na9iEpGuaecpTTALQ1Pswlmrxc1x36nqxu9f++l+q7bWgORGs3nPcjLLNguYgrduDqxWEyTM23BH8LYleIBZj+JEBMHwKGSos7hLmngbZhTZFiYo6igOr6S2m3O0dFdMjvPzdlv8IG2Z2bVmwPw7rpt/KorTrfAgMBAAE="
> >
> > key length : 2046bits
>
> I tried to check this record, it doesn't look like an RSA key:

Sorry, I forgot this key should be read as rsa-public:

% cat /tmp/key.pem
-----BEGIN PUBLIC KEY-----
MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAzv3BvHbwGsHWZjnROtaNQMhzkL6yob0e7w2Sbatu3m7uwl89KnBbZBkmoxXsMcpK+f1XF7eahWm71f1hFqMP7cwQVwdQ/268NfXBt73zMcMgMqDPrVH5ptz93j/uTlIv9LNLbQww5fyYhzqgdBID+KSTUg2ykZmhMcsKr5ippWZS5reYAlm9f8/na9iEpGuaecpTTALQ1Pswlmrxc1x36nqxu9f++l+q7bWgORGs3nPcjLLNguYgrduDqxWEyTM23BH8LYleIBZj+JEBMHwKGSos7hLmngbZhTZFiYo6igOr6S2m3O0dFdMjvPzdlv8IG2Z2bVmwPw7rpt/KorTrfAgMBAAE=
-----END PUBLIC KEY-----
% openssl rsa -in /tmp/key.pem -pubin -text -noout
Public-Key: (2046 bit)
Modulus:
    33:bf:70:6f:1d:bc:06:b0:75:99:8e:74:4e:b5:a3:
    50:32:1c:e4:2f:ac:a8:6f:47:bb:c3:64:9b:6a:db:
    b7:9b:bb:b0:97:cf:4a:9c:16:d9:06:49:a8:c5:7b:
    0c:72:92:be:7f:55:c5:ed:e6:a1:5a:6e:f5:7f:58:
    45:a8:c3:fb:73:04:15:c1:d4:3f:db:af:0d:7d:70:
    6d:ef:7c:cc:70:c8:0c:a8:33:eb:54:7e:69:b7:3f:
    77:8f:fb:93:94:8b:fd:2c:d2:db:43:0c:39:7f:26:
    21:ce:a8:1d:04:80:fe:29:24:d4:83:6c:a4:66:68:
    4c:72:c2:ab:e6:2a:69:59:94:b9:ad:e6:00:96:6f:
    5f:f3:f9:da:f6:21:29:1a:e6:9e:72:94:d3:00:b4:
    35:3e:cc:25:9a:bc:5c:d7:1d:fa:9e:ac:6e:f5:ff:
    be:97:ea:bb:6d:68:0e:44:6b:37:9c:f7:23:2c:b3:
    60:b9:88:2b:76:e0:ea:c5:61:32:4c:cd:b7:04:7f:
    0b:62:57:88:05:98:fe:24:40:4c:1f:02:86:4a:8b:
    3b:84:b9:a7:81:b6:61:4d:91:62:62:8e:a2:80:ea:
    fa:4b:69:b7:3b:47:45:74:c8:ef:3f:37:65:bf:c2:
    06:d9:9d:9b:56:6c:0f:c3:ba:e9:b7:f2:a8:ad:3a:
    df
Exponent: 65537 (0x10001)
--
Eugene Berdnikov

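Added example (not part of the thread, and not Exim or OpenSSL code): where the "2046 bit" figure comes from. It walks the same DER structure that asn1parse printed above and takes the bit length of the RSA modulus; the function names are illustrative, and the p= value is the one quoted in the thread.

```python
import base64

# p= value quoted in the thread, split into 64-character pieces.
P_TAG = (
    "MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAzv3BvHbwGsHWZjnROtaNQ"
    "MhzkL6yob0e7w2Sbatu3m7uwl89KnBbZBkmoxXsMcpK+f1XF7eahWm71f1hFqMP7"
    "cwQVwdQ/268NfXBt73zMcMgMqDPrVH5ptz93j/uTlIv9LNLbQww5fyYhzqgdBID+"
    "KSTUg2ykZmhMcsKr5ippWZS5reYAlm9f8/na9iEpGuaecpTTALQ1Pswlmrxc1x36"
    "nqxu9f++l+q7bWgORGs3nPcjLLNguYgrduDqxWEyTM23BH8LYleIBZj+JEBMHwKG"
    "Sos7hLmngbZhTZFiYo6igOr6S2m3O0dFdMjvPzdlv8IG2Z2bVmwPw7rpt/KorTrf"
    "AgMBAAE="
)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short form: the byte is the length
        length, header = first, 2
    else:                                  # long form: low 7 bits count the length bytes
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + header + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos + header, end

def expect(buf, pos, want):
    tag, start, end = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"tag {tag:#x} at offset {pos}, expected {want:#x}")
    return start, end

def rsa_public_numbers(p_tag):
    """Decode a DKIM p= value (SubjectPublicKeyInfo) into (modulus, exponent)."""
    der = base64.b64decode(p_tag, validate=True)
    spki, _ = expect(der, 0, 0x30)         # outer SEQUENCE (l=289 in asn1parse)
    _, alg_end = expect(der, spki, 0x30)   # rsaEncryption OID + NULL
    bits, _ = expect(der, alg_end, 0x03)   # BIT STRING (l=270) wrapping the key
    if der[bits] != 0:
        raise ValueError("BIT STRING has unused bits")
    key, _ = expect(der, bits + 1, 0x30)   # RSAPublicKey SEQUENCE
    n_start, n_end = expect(der, key, 0x02)
    e_start, e_end = expect(der, n_end, 0x02)
    return (int.from_bytes(der[n_start:n_end], "big"),
            int.from_bytes(der[e_start:e_end], "big"))

def key_bits(p_tag):
    """Bit length of the modulus, i.e. the key size that gets reported."""
    return rsa_public_numbers(p_tag)[0].bit_length()
```

key_bits(P_TAG) returns 2046: the modulus occupies 256 bytes but starts with 0x33, whose two top bits are zero, so the reported size is the modulus bit length rather than the 2048-bit container.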
[exim] Re: List headers [Was: DKIM does not work]
On Sun, Oct 22, 2023 at 08:51:37PM +0100, Ray O'Donnell via Exim-users wrote:
> On 22/10/2023 20:04, Jeremy Harris via Exim-users wrote:

> > > dkim-signing with the full set of headers as per the exim
> > > default set above is broken

> > I'll take issue with "broken".

> > If (and there's the question) you think that a DKIM signature
> > should detect when a message has been modified, do you not think
> > that adding headers is a modification?

> Definitely not broken, just a trap for the unwary... I ran into the
> same problem on the PostgreSQL lists with my personal
> server. Altering the list of headers included in the signature fixed
> the problem.

To be clear, I'm not blaming exim. It is a matter best left to
configuration by each site admin. I'm just saying that because it is
such a trap (thanks for the word, Ray), it's a good candidate to be
written up somewhere.

I wonder what the fabulous debian configuration does in this respect.
--
Ian

[exim] Re: List headers [Was: DKIM does not work]
On 2023-10-22 Jeremy Harris via Exim-users wrote:
[...]
> If (and there's the question) you think that a DKIM signature should
> detect when a message has been modified, do you not think that
> adding headers is a modification?

Hello,

I think it depends on which header would be added. Some
additions should be allowed. Exim's default setting for
dkim_sign_headers is extremely conservative and imho does not make
sense.

I had tried to discuss this in
https://bugs.exim.org/show_bug.cgi?id=2394.

I personally am using
+From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:+Content-Description:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:+References:=List-Id:=List-Help:=List-Post

I am sure this set is not perfect and I have missed something, though.

cu Andreas

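Added example, not part of the thread and not Exim's code: a model of how the h= list reacts when a list server adds headers after signing. It follows the prefix rules documented for dkim_sign_headers (plain name: listed whether or not the header is present; "=": only the instances present; "+": the instances present plus one slot that must stay empty) and uses a SHA-256 over the selected headers as a stand-in for the real signature. The message, addresses and function names are constructed.

```python
import hashlib

def h_tag(spec, headers):
    """Expand a dkim_sign_headers-style spec into the h= name list for this message."""
    present = [name.lower() for name, _ in headers]
    names = []
    for item in spec.split(":"):
        prefix = item[0] if item[0] in "=+" else ""
        name = item.lstrip("=+").lower()
        if not prefix:
            names.append(name)                        # listed even when absent
        else:
            names += [name] * present.count(name)     # every instance present
            if prefix == "+":
                names.append(name)                    # plus one slot that must stay empty
    return names

def header_digest(names, headers):
    """Pick headers as a verifier does (per name, bottom-up; absent = nothing) and hash."""
    pools = {}
    for name, value in headers:
        pools.setdefault(name.lower(), []).append(value)
    picked = []
    for name in names:
        if pools.get(name):
            # Simplified relaxed canonicalisation: lower-case name, collapsed whitespace.
            picked.append(f"{name}:{' '.join(pools[name].pop().split())}\r\n")
    return hashlib.sha256("".join(picked).encode()).hexdigest()

def survives(spec, original, added):
    """True if headers added after signing leave the signed header set unchanged."""
    names = h_tag(spec, original)                     # h= is fixed at signing time
    return header_digest(names, original) == header_digest(names, original + added)

# Constructed sample message and constructed list-server additions.
ORIGINAL = [("From", "a@example.org"), ("To", "list@example.net"),
            ("Subject", "test"), ("Message-ID", "<1@example.org>")]
LIST_ADDED = [("List-Id", "<list.example.net>"),
              ("List-Post", "<mailto:list@example.net>")]

# Shortened forms of the two header lists that appear in the thread.
DEFAULT_STYLE = "From:To:Subject:Message-ID:List-Id:List-Post"
ANDREAS_STYLE = "+From:+To:+Subject:+Message-ID:=List-Id:=List-Post"
```

survives(DEFAULT_STYLE, ORIGINAL, LIST_ADDED) is False because List-Id was signed as absent, while survives(ANDREAS_STYLE, ORIGINAL, LIST_ADDED) is True; a second From: added in transit still changes the digest under ANDREAS_STYLE.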
[exim] Re: List headers [Was: DKIM does not work]
On 2023-10-23 Ian Z via Exim-users wrote:
[...]
> I wonder what the fabulous debian configuration does in this respect.

We have an open bug about it
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939808
but have not yet overridden exim's default.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'