On 2014-02-28 at 00:40 +0000, Michael J. Tubby B.Sc. MBCS G8TIC wrote:

> I run some mail relays for a few hundred domains that I look after and
> want to perform fairly complex DKIM checking - I want to:
>
> * enforce DKIM tests for domains that are 'known signers' (google,
> facebook, etc) and explicitly accept or deny mail based on the result of
> the DKIM checks - to avoid faked email
> And the killer one... Facebook... they are in my "known signers" but
> appear to be broken:
>
> 2014-02-27 10:30:16 MAIL: SPF Result=pass (facebookmail.com / outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150])
> 2014-02-27 10:30:16 MAIL: Accept from: [email protected] host: outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150]
> 2014-02-27 10:30:16 RCPT: SPF Result2=pass (facebookmail.com / outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150])
> 2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM: d=facebookmail.com s=s1024-2013-q3 c=relaxed/simple a=rsa-sha256 t=1393497014 [verification failed - signature did not verify (headers probably modified in transit)]
> 2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM START: domain=facebookmail.com possible_signer=facebookmail.com status=fail (reason=signature_incorrect)
> 2014-02-27 10:30:16 1WIyEK-0006vE-Fw DKIM DENY: Rejected facebookmail.com is known signer (in database) but has invalid/missing signature
> 2014-02-27 10:30:16 1WIyEK-0006vE-Fw H=outmail016.ash2.facebook.com (mx-out.facebook.com) [66.220.155.150] rejected DKIM : Message from facebookmail.com (known signer) with invalid or missing signature
>
> am I the only person having problems with Facebook?

So far as I've heard, yes. That doesn't mean that there's not a problem, but we need more details to debug.

May I suggest a setup where, if a mail from one of these domains passes SPF (by explicit match, rather than falling into a default of not-reject) but then fails DKIM, then you accept the mail but tee off a copy with an "unseen" router for analysis and debugging? Then, if you find more such mail with a non-validating signature, you have mail for which you might contact the recipient for permission to use the mail for debugging, and if they agree, then there are a few diagnosis tools around.
If you encounter another such message and it looks good to you, and you have permission to forward it for analysis, I have some contacts at FB who may be able to assist, but not on the limited data so far.

Thanks,
-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
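The accept-but-tee setup suggested in the reply above, written out as an added Exim configuration sketch that is not part of this thread nor of Exim's own documentation. The ACL names, the `acl_m_*` variable names, the inline known-signer list (standing in for the database lookup in the original poster's logs) and the `dkim-debug@localhost` mailbox are all assumptions.

```exim
# --- ACL section (assumed ACL names) ---
# SPF is evaluated per recipient; remember only an explicit "pass",
# never a softfail/neutral/none that a lenient policy would let through.
acl_check_rcpt:
  warn    spf           = pass
          set acl_m_spf = pass
  # ... the usual RCPT checks go here ...
  accept

# acl_smtp_dkim runs once per signing domain after the DATA phase
# ($dkim_cur_signer / $dkim_verify_status refer to that signer).
# A known signer with a broken signature but an explicit SPF pass is
# flagged for a teed copy instead of being rejected outright.
acl_check_dkim:
  warn    dkim_signers  = facebookmail.com : google.com
          dkim_status   = fail : invalid
          condition     = ${if eq{$acl_m_spf}{pass}}
          set acl_m_dkim_debug = $dkim_cur_signer
          logwrite      = DKIM $dkim_verify_status from known signer \
                          $dkim_cur_signer with SPF pass; copy teed for analysis

  # Known signer, broken signature AND no explicit SPF pass: keep rejecting.
  # (A *missing* signature never reaches this ACL; test $dkim_signers in
  # acl_smtp_data for that case.)
  deny    dkim_signers  = facebookmail.com : google.com
          dkim_status   = fail : invalid
          condition     = ${if !eq{$acl_m_spf}{pass}}
          message       = Message from $dkim_cur_signer (known signer) \
                          with invalid signature
  accept

# --- routers section (place before the normal delivery routers) ---
# acl_m variables are written to the spool, so routing can test them.
# "unseen" delivers a copy to the debug mailbox and then falls through,
# so the original still reaches its real recipient(s).
dkim_debug_copy:
  driver    = redirect
  unseen
  condition = ${if def:acl_m_dkim_debug}
  data      = dkim-debug@localhost
```

The teed copy is a verbatim spool copy, so the debug mailbox still holds the recipient's mail; it should be read only with the permission the reply above asks for.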
