Bug#567876: DKIM-related failures should not end up in the panic log

2010-08-28 Thread Andreas Metzler
tags 567876 pending
thanks
On 2010-08-18 Andreas Metzler ametz...@downhill.at.eu.org wrote:
 On 2010-08-17 Philipp Kern pk...@debian.org wrote:
  On Mon, Feb 01, 2010 at 07:11:58PM +0100, Andreas Metzler wrote:
   Looks like restricting the error to main_log is the right thing to do.

  could we get that done?  At least in Debian?  Considering how pedantic Exim
  is when it comes to a panic_log having content, it is really annoying to get
  those messages.
 [...]

 it is fixed in upstream git
 http://git.exim.org/exim.git/commitdiff/d4f333f76f0904e18506a7e1964b33b3d39175c1
 I think we should pull this and target it for lenny. Marc, do we have
 other stuff we need to get fixed for lenny?
[...]

I have committed the fix to SVN.

cu andreas



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#567876: DKIM-related failures should not end up in the panic log

2010-08-18 Thread Andreas Metzler
On 2010-08-17 Philipp Kern pk...@debian.org wrote:
 Andreas,

 On Mon, Feb 01, 2010 at 07:11:58PM +0100, Andreas Metzler wrote:
  Looks like restricting the error to main_log is the right thing to do.

 could we get that done?  At least in Debian?  Considering how pedantic Exim
 is when it comes to a panic_log having content, it is really annoying to get
 those messages.
[...]

Hello,

it is fixed in upstream git
http://git.exim.org/exim.git/commitdiff/d4f333f76f0904e18506a7e1964b33b3d39175c1
I think we should pull this and target it for lenny. Marc, do we have
other stuff we need to get fixed for lenny?

 (Or otherwise: is there a way to turn this off?  I verify through amavisd
 and spamassassin and don't need Exim to run it through its own filters
 and spewing a bogus warning.)

spec:
| You might want to turn off DKIM verification processing entirely for
| internal or relay mail sources. To do that, set the
| dkim_disable_verify ACL control modifier. This should typically be
| done in the RCPT ACL, at points where you accept mail from relay
| sources (internal hosts or authenticated senders).

So something like
warn control = dkim_disable_verify
should do the trick.

cu andreas






Bug#567876: DKIM-related failures should not end up in the panic log

2010-08-17 Thread Philipp Kern
Andreas,

On Mon, Feb 01, 2010 at 07:11:58PM +0100, Andreas Metzler wrote:
 Looks like restricting the error to main_log is the right thing to do.

could we get that done?  At least in Debian?  Considering how pedantic Exim
is when it comes to a panic_log having content, it is really annoying to get
those messages.

(Or otherwise: is there a way to turn this off?  I verify through amavisd
and spamassassin and don't need Exim to run it through its own filters
and spewing a bogus warning.)

Kind regards,
Philipp Kern 




Bug#567876: DKIM-related failures should not end up in the panic log

2010-04-18 Thread Bernhard Kuemel
Is there anything else to do than to delete (this line from) the panic.log?
Was the signature verification only disabled for this one message or do
we have to enable it somehow again?

Bernhard






Bug#567876: DKIM-related failures should not end up in the panic log

2010-04-18 Thread Andreas Metzler
On 2010-04-18 Bernhard Kuemel bernh...@bksys.at wrote:
 Is there anything else to do than to delete (this line from) the panic.log?

No.

 Was the signature verification only disabled for this one message or do
 we have to enable it somehow again?

There is no need to re-enable verification; it just involves the
specific message.
cu andreas






Bug#567876: DKIM-related failures should not end up in the panic log

2010-02-01 Thread Andreas Metzler
forwarded 567876 http://mid.gmane.org/200912031200.14973.ke%40helinet.de
thanks

On 2010-01-31 Florian Weimer f...@deneb.enyo.de wrote:
 Package: exim4-daemon-heavy
 Version: 4.71-3

 I don't think these messages belong to the panic log:

 2010-01-31 21:41:16 1Nbga6-0005ZL-FH DKIM: Error while running this message 
 through validation, disabling signature verification.

Hello,

I first thought this was a "should not happen" error, so paniclog
might have been correct ...

 The error message could be more helpful, too.  The message in question
 does not contain a DKIM signature, and no DKIM data is stored in DNS
 AFAICT.
[...]

This was also discussed upstream, ending with:
--
On 2009-12-18 Kerstin Espey wrote
 On Thursday, 17 December 2009, Tom Kistner wrote:
[...]
 Looking through the code, these are the most likely causes for the
  failures:
 
 1) The message has more than 512 headers.
 2) The message contains a single line longer than 16k bytes.

 That's it!
[...] 

 Saving the tcp stream in wireshark as ascii, does cause line breaks. That's 
 why I didn't get an error message passing the dump to exim.
 Saving the tcp stream as raw, does show the long lines.

 Both are limits that can be tweaked in src/pdkim/pdkim.c. They are set
 to avoid DoS scenarios.
 
 That does make sense. But is it necessary to look at the body, if there isn't 
 any dkim-signature at all?
--

Looks like restricting the error to main_log is the right thing to do.

cu andreas
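
Added example, not part of the original thread and not Exim code: a small Python check that tells whether a raw message exceeds either of the two limits quoted above, which helps explain a given "DKIM: Error while running this message through validation" log line. The limit values come from the thread; reading "16k" as 16384 bytes, measuring lines without their CRLF, and counting folded continuation lines as part of one header are assumptions, as are all names in the code.

```python
import sys

# Limits as stated in the thread; "16k" is taken to mean 16384 bytes (assumption).
MAX_HEADERS = 512
MAX_LINE_BYTES = 16 * 1024


def check_dkim_limits(raw: bytes) -> dict:
    """Report header-field count and longest physical line of a raw message.

    `raw` must be the unmodified byte stream: as the thread notes, an ASCII
    export that re-wraps lines hides the over-long line.
    """
    lines = raw.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()                         # trailing newline, not an extra line
    headers = 0
    in_headers = True
    longest, longest_no = 0, 0
    for no, line in enumerate(lines, start=1):
        line = line.rstrip(b"\r")           # length is measured without CRLF (assumption)
        if len(line) > longest:
            longest, longest_no = len(line), no
        if in_headers:
            if line == b"":
                in_headers = False          # blank line ends the header block
            elif line[:1] not in (b" ", b"\t"):
                headers += 1                # folded continuation lines are not new fields
    reasons = []
    if headers > MAX_HEADERS:
        reasons.append(f"{headers} header fields (limit {MAX_HEADERS})")
    if longest > MAX_LINE_BYTES:
        reasons.append(f"line {longest_no} is {longest} bytes (limit {MAX_LINE_BYTES})")
    return {"headers": headers, "longest_line": longest, "reasons": reasons}


def _sample(n_headers: int, body_line_len: int) -> bytes:
    """Constructed test message, not taken from the bug report."""
    head = b"".join(b"X-Test-%d: v\r\n" % i for i in range(n_headers))
    return head + b"\r\n" + b"a" * body_line_len + b"\r\n"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else _sample(3, 20000)
    result = check_dkim_limits(data)
    print(result["reasons"] or "within both limits")
```

Run it on the raw bytes of the message (for example a raw TCP stream export), not on a re-wrapped ASCII copy.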







Bug#567876: DKIM-related failures should not end up in the panic log

2010-02-01 Thread Florian Weimer
* Andreas Metzler:

 This was also discussed upstream, ending with:
 --
 On 2009-12-18 Kerstin Espey wrote
 On Thursday, 17 December 2009, Tom Kistner wrote:
 [...]
 Looking through the code, these are the most likely causes for the
  failures:
  
 1) The message has more than 512 headers.
 2) The message contains a single line longer than 16k bytes.

 --

 Looks like restricting the error to main_log is the right thing to do.

Thanks for tracking this down.

Can this be used to bypass DKIM-based filters?  This would be a bit
problematic.






Bug#567876: DKIM-related failures should not end up in the panic log

2010-02-01 Thread Andreas Metzler
On 2010-02-01 Florian Weimer f...@deneb.enyo.de wrote:
 * Andreas Metzler:

 This was also discussed upstream, ending with:
 --
 On 2009-12-18 Kerstin Espey wrote
 On Thursday, 17 December 2009, Tom Kistner wrote:
 [...]
 Looking through the code, these are the most likely causes for the
  failures:
 
 1) The message has more than 512 headers.
 2) The message contains a single line longer than 16k bytes.

 --

 Looks like restricting the error to main_log is the right thing to do.

 Thanks for tracking this down.

 Can this be used to bypass DKIM-based filters?  This would be a bit
 problematic.

Hello,
I do not think so, for exim the message should look as if it did not
have any DKIM signature, which can be accomplished a lot more easily
by inserting a message without signature. Sure, it would not detect an
invalid DKIM signature for the message, but exim would not mark it as
checked and valid either.
cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'






Bug#567876: DKIM-related failures should not end up in the panic log

2010-01-31 Thread Florian Weimer
Package: exim4-daemon-heavy
Version: 4.71-3

I don't think these messages belong to the panic log:

2010-01-31 21:41:16 1Nbga6-0005ZL-FH DKIM: Error while running this message 
through validation, disabling signature verification.

The error message could be more helpful, too.  The message in question
does not contain a DKIM signature, and no DKIM data is stored in DNS
AFAICT.


