[exim-dev] [Bug 1309] New: Headers included in dkim_sign_headers are not in the signature when not in the message

[Tony Meyer]

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1309
           Summary: Headers included in dkim_sign_headers are not in the
                    signature when not in the message
           Product: Exim
           Version: 4.80
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: DKIM
        AssignedTo: t...@duncanthrax.net
        ReportedBy: t...@spamexperts.com
                CC: exim-dev@exim.org


The documentation for the dkim_sign_headers option says:

OPTIONAL: When set, this option must expand to (or be specified as) a
colon-separated list of header names. Headers with these names will be included
in the message signature. When unspecified, the header names recommended in
RFC4871 will be used.

It sounds to me like this is intended to expose the "signed header fields" part
of DKIM (i.e. the h= tag), although it doesn't say that explicitly.

The behaviour, as far as I can determine (see debugging process below), is not
that, however.  What happens is that the headers with those names will be
included in the message signature *iff* they are present in the message being
signed.

For example, in the message below I have dkim_sign_headers set to
subject:to:from, and a message that has Subject: and From: headers, but no To:
header, and the h= tag in the DKIM signature is From:Subject (i.e. "To" is
missing).

Exim version:

$ /usr/exim/bin/exim -bV
Exim version 4.80 #5 built 20-Sep-2012 04:58:22
Copyright (c) University of Cambridge, 1995 - 2012
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
Berkeley DB: Berkeley DB 4.6.21: (June 10, 2009)
Support for: iconv() DKIM
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz
dnsdb
Authenticators:
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /usr/exim/configure

Data part of Exim debug output:

23922   SMTP>> DATA
23922 waiting for data on socket
23922 read response data: size=56
23922   SMTP<< 354 Enter message, ending with "." on a line by itself
23922   SMTP>> writing message and terminating "."
23922 writing data block fd=8 size=310 timeout=300
PDKIM >> Hashed body data, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DKIM{SP}signing{SP}test.{CR}{LF}PDKIM
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
PDKIM [dkimtest.simplyspamfree.com] Body bytes hashed: 20
PDKIM [dkimtest.simplyspamfree.com] bh  computed:
6f9649e04ec67550c6ad9c05d6f3fe0ddec2e47a019062147a1d8b2d1eef2347
PDKIM >> Hashed header data, canonicalized, in sequence >>>>>>>>>>>>>>
from:t...@spamexperts.com{CR}{LF}
subject:Hello{SP}world!{CR}{LF}
PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
PDKIM >> Signed DKIM-Signature header, canonicalized >>>>>>>>>>>>>>>>>
dkim-signature:v=1;{SP}a=rsa-sha256;{SP}q=dns/txt;{SP}c=relaxed/relaxed;{SP}d=dkimtest.simplyspamfree.com;{SP}s=testing;{SP}h=From:Subject;{SP}bh=b5ZJ4E7GdVDGrZwF1vP+Dd7C5HoBkGIUeh2LLR7vI0c=;{SP}b=;
PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
PDKIM [dkimtest.simplyspamfree.com] hh computed:
a3b31fa092e45a6c5bf67fabd124c8984f446afe3628586f1b0f1fc177d6ba25
PDKIM [dkimtest.simplyspamfree.com] b computed:
c8bc27d6387835fbf9b35e5d1cfad023f143a21c4d138993dcfc1ac65d3a3bf0034b17452892ba94bf207084738dc3afaef22ca9f3c300a81fbfecd4911726715f6fc62d01871cac4cf8da07716ee6f622c0390d72cb24867246caaeb2f1df523947c8219a54e7c90042077127f2247e99d5031e407f2d03e9620f1becf83660
23922 waiting for data on socket
23916 SMTP<< quit
23916 SMTP>> 221 server1.test8.simplyspamfree.com closing connection
23916 LOG: smtp_connection MAIN
23916   SMTP connection from (fyx.co.nz) [124.198.208.183] closed by QUIT
23916 search_tidyup called
23915 child 23916 ended: status=0x0
23915   normal exit, 0
23915 0 SMTP accept processes now running

Exim configuration:

$ cat /usr/exim/configure 
acl_smtp_rcpt = acl_check_rcpt
begin acl
acl_check_rcpt:
accept
  domains = spamexperts.com
deny
begin routers
dnslookup:
driver = dnslookup
transport = remote_smtp
same_domain_copy_routing = yes
begin transports
remote_smtp:
driver = smtp
dkim_domain = dkimtest.simplyspamfree.com
dkim_selector = testing
dkim_private_key = /tmp/key
dkim_sign_headers = subject:to:from

Message sending:

220 server1.test8.simplyspamfree.com ESMTP Exim 4.80 Thu, 20 Sep 2012 09:27:52
+0200
helo fyx.co.nz
250 server1.test8.simplyspamfree.com Hello fyx.co.nz [124.198.208.183]
mail from:t...@spamexperts.com
250 OK
rcpt to:t...@spamexperts.com
250 Accepted
data
354 Enter message, ending with "." on a line by itself
Subject: Hello world!
From: t...@spamexperts.com

DKIM signing test.
.
250 OK id=1TEbB5-0006Dk-ER
quit
221 server1.test8.simplyspamfree.com closing connection


-- 
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##