[exim] Spurious DKIM failures

Evgeniy Berdnikov via Exim-users Mon, 05 Jul 2021 14:30:40 -0700

  Hello.

 I have an informational message for developers. In some rare cases Exim
 considers correct DKIM signature as invalid. My estimate of fault rate
 is less than 1 event for 10,000 imcoming mails.


 In my environment it can be traced by headers, because each incoming
 mail passes the chain

   (1) Exim MTA -> (2) Amavis -> (3) Exim MTA,

 where receiving relay (1) and anti-spam filter (2) save result of
 DKIM verification in headers. On the failure, headers are like:

Authentication-Results: passat.rdtex.ru (amavisd-new);
        dkim=pass (1024-bit key) header.d=netology.ru header.b=OXxIl1Hh;
        dkim=pass (1024-bit key) header.d=mta.mindbox.ru header.b=I5B1tR/y
Received: from passat.rdtex.ru ([127.0.0.1])
        by localhost (passat.rdtex.ru [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id UjeSDm4hSaiL for <[email protected]>;
        Mon,  5 Jul 2021 19:06:34 +0300 (MSK)
X-Authentication-Results: passat.rdtex.ru Exim-4.94.2;
        iprev=pass (mta.mindbox.ru) smtp.remote-ip=185.99.9.135;
        dkim=fail (body hash mismatch; body probably modified in transit)
                 header.d=netology.ru header.s=mindbox header.a=rsa-sha256;
        dkim=fail (body hash mismatch; body probably modified in transit)
                 header.d=mta.mindbox.ru header.s=mindbox header.a=rsa-sha256
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received-SPF: pass client-ip=185.99.9.135; 
[email protected]; 
helo=mta.mindbox.ru
Received: from mta.mindbox.ru ([185.99.9.135]:29146)
        by passat.rdtex.ru with esmtps 
(TLS1.2:ECDHE_X25519__RSA_SHA256__AES_256_GCM:256)
        (Exim 4.94.2)
        (envelope-from <[email protected]>)
        id 1m0R7C-00HEVp-GA size 24034 maxlen 175
...

 Mainlog for frontend Exim (1) contains:

2021-07-05 19:06:34.545 [4107365] 1m0R7C-00HEVp-GA DKIM: d=netology.ru 
s=mindbox c=relaxed/relaxed a=rsa-sha256 b=1024 [verification failed - body 
hash mismatch (body probably modified in transit)]
2021-07-05 19:06:34.545 [4107365] 1m0R7C-00HEVp-GA DKIM: d=mta.mindbox.ru 
s=mindbox c=relaxed/relaxed a=rsa-sha256 b=1024 [verification failed - body 
hash mismatch (body probably modified in transit)]

 Manual test of the received mail with perl module Mail::DKIM::Verifier
 gives "pass" result for both signatures. If sample mail is re-injected
 by SMTP from other host, it passes verification on frontend Exim.

 I have 4 frontend relays with almost identical configuration, failures
 happen on each of them, randomly. There are no evidence for hardware
 problems (segfaults, etc). No evidence of "inherited" memory corruption:
 after failure of DKIM verificaion subsequent mails are verified correctly.
 So it seems as rarely manifested bug.

 I have no ideas how such bug can be located. However, I can share this
 sample mail with developers (in private).
-- 
 Eugene Berdnikov

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

[exim] Spurious DKIM failures

Reply via email to