Re: [exim] How to use DKIM with Ed25519 - Dual DKIM signing

2021-10-16 Thread Simon Josefsson via Exim-users
Evgeniy Berdnikov via Exim-users  writes:

> On Thu, Oct 14, 2021 at 05:50:23PM +0300, Odhiambo Washington via Exim-users 
> wrote:
>> On Thu, Oct 14, 2021 at 4:25 PM Evgeniy Berdnikov via Exim-users <
>> exim-users@exim.org> wrote:
>> > |  dkim_selector   Use: smtp   Type: string list†   Default: unset
>> > |
>> > |  This sets the key selector string. After expansion, which can use
>> > |  $dkim_domain, this can be a list. Each element in turn is put in the
>> > |  expansion variable $dkim_selector which may be used in the
>> > |  dkim_private_key option along with $dkim_domain.
>> >
>> >  Does the assignment dkim_selector="key1:key2" work?
>> >
>> 
>> I don't think that would work, because I have to then match a selector to a
>> key.
>
>  The last sentence in the cited paragraph explains how this match works.
>  Read it again carefully. Description of dkim_private_key repeats it:
>
> |  dkim_private_key   Use: smtp   Type: string†   Default: unset
> |
> |  This sets the private key to use. You can use the $dkim_domain and
> |  $dkim_selector expansion variables to determine the private key to use.

Indeed, but getting it to work took a while for me too.  I'm now using
the following (Debian-esque config but you should see how it works):

DKIM_CANON = relaxed
DKIM_SELECTOR = ed2110 : rsa2110
DKIM_DOMAIN = ${sender_address_domain}
DKIM_PRIVATE_KEY = ${lookup {${sender_address_domain}} \
dsearch,ret=full {/etc/exim4/dkim} \
{$value/privkey-$dkim_selector.pem} {false}}
DKIM_TIMESTAMPS = 1209600

/Simon


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
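To check a configuration like the one above before relying on it, here is an added Python example (not Simon's code and not part of Exim): it parses the Exim-style selector list, walks the same directory layout the DKIM_PRIVATE_KEY lookup uses (<root>/<domain>/privkey-<selector>.pem) and reports which selectors would end up without a loadable key, and it derives the DNS TXT record value from a public key PEM, where the Ed25519 form differs from RSA (RFC 8463 publishes the raw 32-byte key, not the SubjectPublicKeyInfo). The domain example.org, the temporary directory, the placeholder key file and the 32-byte stand-in public key are all constructed for the demo; the stand-in is not a real key.

```python
import base64
import os
import re
import tempfile


def exim_list(value, sep=':'):
    """Split an Exim string list: SEP separates items, a doubled SEP is a literal
    SEP character, and whitespace around each item is trimmed.
    (Simplification: empty items are dropped.)"""
    items, cur, i = [], '', 0
    while i < len(value):
        if value[i] == sep:
            if value[i + 1:i + 2] == sep:      # "::" is an escaped separator
                cur += sep
                i += 2
                continue
            items.append(cur)
            cur = ''
        else:
            cur += value[i]
        i += 1
    items.append(cur)
    return [x.strip() for x in items if x.strip()]


def dkim_key_status(root, domain, selector_list):
    """Walk the path the DKIM_PRIVATE_KEY expansion takes: dsearch on ROOT for
    DOMAIN, then privkey-<selector>.pem inside that directory, once per selector.
    Returns {selector: status}; anything but 'ok' means no signature for that
    selector or a signing error at delivery time."""
    status = {}
    domain_dir = os.path.join(root, domain)
    for sel in exim_list(selector_list):
        path = os.path.join(domain_dir, 'privkey-%s.pem' % sel)
        if not os.path.isdir(domain_dir):
            status[sel] = 'dsearch fails: no directory %s (expansion yields false)' % domain_dir
            continue
        if not os.path.isfile(path):
            status[sel] = 'missing key file %s' % path
            continue
        with open(path, 'rb') as f:
            head = f.read(64)
        mode = os.stat(path).st_mode & 0o777
        if not (head.startswith(b'-----BEGIN') and b'PRIVATE KEY' in head):
            status[sel] = 'not a PEM private key: %s' % path
        elif mode & 0o077:
            status[sel] = 'ok, but mode %o lets other users read the key' % mode
        else:
            status[sel] = 'ok'
    return status


# DER prefixes used to tell the key type apart without a full ASN.1 parser.
ED25519_SPKI_PREFIX = bytes.fromhex('302a300506032b6570032100')  # SPKI header for OID 1.3.101.112; whole SPKI is 44 bytes
RSA_OID = bytes.fromhex('06092a864886f70d010101')                # rsaEncryption 1.2.840.113549.1.1.1


def dkim_txt_record(pub_pem):
    """Value for <selector>._domainkey.<domain> from a SubjectPublicKeyInfo PEM
    (what 'openssl pkey -pubout' prints). RFC 8463: for Ed25519, p= is the raw
    32-byte key, not the SPKI; for RSA (RFC 6376) it is the whole SPKI."""
    der = base64.b64decode(re.sub(r'-----[^-]+-----|\s', '', pub_pem), validate=True)
    if len(der) == 44 and der.startswith(ED25519_SPKI_PREFIX):
        return 'v=DKIM1; k=ed25519; p=' + base64.b64encode(der[12:]).decode()
    if RSA_OID in der:
        return 'v=DKIM1; k=rsa; p=' + base64.b64encode(der).decode()
    raise ValueError('not an Ed25519 or RSA public key')


# Constructed stand-in for an Ed25519 public key: 32 arbitrary bytes wrapped as
# SPKI. It is NOT a real key; it only exercises the record format.
FAKE_ED25519_PUB_PEM = ('-----BEGIN PUBLIC KEY-----\n'
                        + base64.b64encode(ED25519_SPKI_PREFIX + bytes(range(32))).decode()
                        + '\n-----END PUBLIC KEY-----\n')


def demo(selectors='ed2110 : rsa2110'):
    """Lay out <tmp>/example.org/privkey-ed2110.pem (placeholder content, mode
    0600) and deliberately omit the rsa2110 key, then report what Exim would find."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, 'example.org'))
    path = os.path.join(root, 'example.org', 'privkey-ed2110.pem')
    with open(path, 'w') as f:
        f.write('-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n')  # placeholder, not a key
    os.chmod(path, 0o600)
    return dkim_key_status(root, 'example.org', selectors)


if __name__ == '__main__':
    for sel, st in demo().items():
        print(sel, '->', st)
    print(dkim_txt_record(FAKE_ED25519_PUB_PEM))
```

Run it directly to see the per-selector report; feed dkim_txt_record() the output of openssl pkey -in privkey-ed2110.pem -pubout to get the value for ed2110._domainkey.<domain>. The mode check is there because Exim reads the key as its own user and nothing in DKIM itself flags a world-readable key.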


Re: [exim] PIPE_CONNECT

2021-10-16 Thread Jeremy Harris via Exim-users

On 16/10/2021 10:08, Simon Josefsson via Exim-users wrote:
> Dovecot SMTP submission agent complains about Exim's
> PIPE_CONNECT:
>
> Oct 16 10:32:32 pippi dovecot:
> submission(simon)<111236><8poyJ3TOeNEgAQmxQaz/ANGknOU4qRZw>: Warning:
> smtp-client: conn pippi.sjd.se:25 (127.0.1.1:25) [1]: Received invalid EHLO response line:
> Unexpected character in EHLO keyword


It's a reasonable complaint, and a change in Exim wouldn't be
too hard.
--
Cheers,
  Jeremy



Re: [exim] DKIM d= field and corresponding key

2021-10-16 Thread Slavko (tblt) via Exim-users
On 14 October 2021 22:22:34 UTC, Andy Bennett via Exim-users wrote:
>Is there any reason why the default settings are not optimal?
>
>...and how to choose between relaxed and strict modes?

I mean not optimal for me, of course.

By default "the header names listed in RFC4871 will be used, whether or not 
each header is present in the message" (from the docs). This is not always what one 
wants, while still a good choice as a default. Some headers have to be oversigned, 
so they cannot be added later (without invalidating the signature), some will be 
oversigned, but only when they are present in the message, and some will be signed, but 
allowed to be added later (again without invalidating the signature). Neither the Exim 
default nor the provided macros fulfil this, thus I chose rspamd's way...

One mostly wants relaxed, as simple (beware, not strict) can lead to unexpected 
results if the message is "fixed" on the path, or to cite someone else:

The really simple takeaway is “use relaxed canonicalization”.

As relaxed is the default, no need to care ;-)

The strict (aka dkim_strict) is not about signing, but about Exim's behaviour 
when signing fails. But it is about an internal failure, not about not signing due 
to an empty domain, selector or key value. As my service is not mission critical, I 
leave the default. If something goes bad, I will see it in DMARC reports.

Your needs/requirements can be different...

regards
-- 
Slavko


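To make the three cases Slavko distinguishes concrete (signed once, oversigned, and signed but extendable) and the relaxed-vs-simple point, an added Python example, not from Slavko's post and not Exim's signing code. It implements the RFC 6376 header selection (bottom-up, one instance per h= entry, absent entries count as empty) and both header canonicalizations, then hashes a constructed header set before and after two changes a relay or an attacker might make. The message headers and the h= lists are constructed; the DKIM-Signature field itself is left out of the hash input for brevity, so the digests are illustrative, not wire-compatible.

```python
import hashlib
import re


def canon_header(name, value, canon):
    """RFC 6376 section 3.4: 'simple' keeps the field byte-for-byte; 'relaxed'
    lowercases the name, unfolds, collapses runs of WSP to one SP and drops WSP at
    both ends of the value (which also removes WSP around the colon).
    VALUE is the text after the colon exactly as on the wire, folding included."""
    if canon == 'simple':
        return '%s:%s\r\n' % (name, value)
    v = re.sub(r'\r?\n', '', value)
    v = re.sub(r'[ \t]+', ' ', v).strip(' \t')
    return '%s:%s\r\n' % (name.lower(), v)


def select_headers(headers, h_list):
    """RFC 6376 section 5.4.2: for every name in h=, take the bottom-most instance
    not already taken. A name listed more often than it occurs consumes an empty
    'absent' slot, which is what oversigning relies on."""
    taken = [False] * len(headers)
    chosen = []
    for want in h_list:
        for i in range(len(headers) - 1, -1, -1):
            if not taken[i] and headers[i][0].lower() == want.lower():
                taken[i] = True
                chosen.append(headers[i])
                break
    return chosen


def header_hash(headers, h_list, canon='relaxed'):
    """SHA-256 over the canonicalized selected headers: the part of the signed
    data that the h= list controls (the DKIM-Signature field itself, appended
    last with b= emptied, is left out here)."""
    data = ''.join(canon_header(n, v, canon) for n, v in select_headers(headers, h_list))
    return hashlib.sha256(data.encode()).hexdigest()


# Constructed message headers, top to bottom as received.
ORIGINAL = [
    ('From', ' alice@example.org'),
    ('To', ' bob@example.net'),
    ('Subject', ' quarterly\r\n\treport'),          # folded across two lines
    ('Date', ' Sat, 16 Oct 2021 12:00:00 +0000'),
]
H_ONCE = ['from', 'to', 'subject', 'date']              # Subject signed once
H_OVER = ['from', 'to', 'subject', 'subject', 'date']   # Subject oversigned

# Change 1: someone prepends a second Subject (the one most clients display).
INJECTED = [('Subject', ' URGENT: wire the invoice today')] + ORIGINAL
# Change 2: a relay re-folds the original Subject onto one line.
REFOLDED = [(n, ' quarterly report' if n == 'Subject' else v) for n, v in ORIGINAL]


def subject_injection_survives(h_list):
    """True if the signature over h_list still verifies after the injection."""
    return header_hash(ORIGINAL, h_list) == header_hash(INJECTED, h_list)


def refold_survives(canon):
    """True if the signature with this canonicalization survives re-folding."""
    return header_hash(ORIGINAL, H_ONCE, canon) == header_hash(REFOLDED, H_ONCE, canon)


if __name__ == '__main__':
    print('signed once, Subject injected, still valid:', subject_injection_survives(H_ONCE))
    print('oversigned,  Subject injected, still valid:', subject_injection_survives(H_OVER))
    print('relaxed, Subject refolded, still valid:', refold_survives('relaxed'))
    print('simple,  Subject refolded, still valid:', refold_survives('simple'))
```

Listing Subject twice in h= (oversigning) is what turns a prepended second Subject into a verification failure; listing it once leaves the signature valid while most clients display the injected header. The refold case is why relaxed c= is the safe default.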

[exim] PIPE_CONNECT

2021-10-16 Thread Simon Josefsson via Exim-users
Hi.  I noticed that Dovecot SMTP submission agent complains about Exim's
PIPE_CONNECT:

Oct 16 10:32:32 pippi dovecot: 
submission(simon)<111236><8poyJ3TOeNEgAQmxQaz/ANGknOU4qRZw>: Warning: 
smtp-client: conn pippi.sjd.se:25 (127.0.1.1:25) [1]: Received invalid EHLO 
response line: Unexpected character in EHLO keyword

It was discussed on the dovecot list before:

https://dovecot.org/pipermail/dovecot/2020-September/119854.html

Should the specification and Exim be fixed here?  It seems '_' is not
permitted by RFC 5321.

/Simon



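To see exactly what Dovecot is objecting to, an added Python example (not part of Simon's or Jeremy's posts, and not Dovecot's or Exim's code): it checks each line of an EHLO reply against the RFC 5321 ehlo-keyword and ehlo-param grammar. The reply text is constructed to resemble an Exim greeting that advertises PIPE_CONNECT; PIPECONNECT appears only as the underscore-free spelling for comparison, with no claim about what any Exim version actually advertises.

```python
import re

# RFC 5321 section 4.1.1.1, the grammar of an EHLO reply's extension lines:
#   ehlo-line    = ehlo-keyword *( SP ehlo-param )
#   ehlo-keyword = (ALPHA / DIGIT) *(ALPHA / DIGIT / "-")
#   ehlo-param   = 1*(%d33-126)   ; printable ASCII without SP
EHLO_KEYWORD = re.compile(r'[A-Za-z0-9][A-Za-z0-9-]*\Z')
EHLO_PARAM = re.compile(r'[\x21-\x7e]+\Z')


def keyword_is_valid(keyword):
    return EHLO_KEYWORD.match(keyword) is not None


def parse_ehlo_reply(reply):
    """Parse a multi-line 250 reply (CRLF-terminated lines) the way a strict
    client does. Returns (greeting, extensions, problems): extensions maps
    KEYWORD -> [params]; problems lists (line, reason) for every rejected line."""
    lines = reply.split('\r\n')
    if lines and lines[-1] == '':
        lines.pop()
    greeting, extensions, problems = None, {}, []
    for i, line in enumerate(lines):
        last = i == len(lines) - 1
        if len(line) < 4 or not line.startswith('250') or line[3] not in '- ':
            problems.append((line, 'not a 250 reply line'))
            continue
        if (line[3] == ' ') != last:   # "250-" continues, "250 " must be the final line
            problems.append((line, 'continuation marker does not match line position'))
        body = line[4:]
        if i == 0:
            greeting = body            # "250-domain [greeting text]"
            continue
        words = body.split(' ')
        keyword, params = words[0], words[1:]
        if not keyword_is_valid(keyword):
            problems.append((line, 'invalid ehlo-keyword %r' % keyword))
            continue
        bad = [p for p in params if not EHLO_PARAM.match(p)]
        if bad:
            problems.append((line, 'invalid ehlo-param %r' % bad[0]))
            continue
        extensions[keyword.upper()] = params
    return greeting, extensions, problems


# Constructed EHLO reply in the shape Exim produces with PIPE_CONNECT advertised
# (not a capture from the thread).
SAMPLE_REPLY = (
    '250-pippi.sjd.se Hello localhost [127.0.0.1]\r\n'
    '250-SIZE 52428800\r\n'
    '250-8BITMIME\r\n'
    '250-PIPELINING\r\n'
    '250-PIPE_CONNECT\r\n'
    '250-CHUNKING\r\n'
    '250-STARTTLS\r\n'
    '250 HELP\r\n'
)


def rejected_keywords(reply=SAMPLE_REPLY):
    """Keywords a strict client would refuse in REPLY (empty list means clean)."""
    return [line[4:].split(' ')[0] for line, reason in parse_ehlo_reply(reply)[2]
            if reason.startswith('invalid ehlo-keyword')]


if __name__ == '__main__':
    greeting, ext, probs = parse_ehlo_reply(SAMPLE_REPLY)
    print('greeting:', greeting)
    print('accepted extensions:', sorted(ext))
    for line, reason in probs:
        print('rejected: %r (%s)' % (line, reason))
```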

[exim] test bad SNI

2021-10-16 Thread tabletka--- via Exim-users
test bad SNI for non-member bounce



Re: [exim] exim.org still incorrectly configured

2021-10-16 Thread Evgeniy Berdnikov via Exim-users
  Hello.
  
On Sat, Oct 16, 2021 at 06:44:28PM +0200, Heiko Schlittermann via Exim-users 
wrote:
> Adam D. Barratt via Exim-users  (Sat 16 Oct 2021 17:43:57 CEST):
> > > 
> > > This hh.schlittermann.de runs the latest Exim, and probably sends you
> > > an SNI your server for some reason doesn't accept?
> > 
> > FWIW, I've also seen two of these, at 23:53:41UTC yesterday and
> > 11:08:41UTC today. The server in question is running Debian's 4.92-
> > 8+deb10u6 exim4-daemon-heavy package and has "tls_sni" set in the log
> > selector.
> > 
> > The log entries for the second failed connection are:
> > 
> > 2021-10-16 11:08:40 SMTP connection from [213.128.132.49] (TCP/IP 
> > connection count = 1)
> > 2021-10-16 11:08:41 TLS error on connection from hh.schlittermann.de 
> > [213.128.132.49] (gnutls_handshake): A disallowed SNI server name has been 
> > received.

 This message ("A disallowed SNI server name has been received") is generated
 by the GnuTLS library in lib/ext/server_name.c:112; the error is thrown if the SNI
 does not pass this check:

inline static unsigned _gnutls_dnsname_is_valid(const char *str, unsigned size)
{
    unsigned i;

    for (i=0;i<size;i++) {
        if (!(c_isalnum(str[i]) || str[i] == '-' || str[i] == '.'))
            return 0;
    }
    return 1;
}

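The check Evgeniy quotes, reimplemented as an added Python example (not GnuTLS's or Exim's code) so a name can be tested before it is sent as SNI, for instance whatever ends up in $host with Heiko's tls_sni = $host transport setting. It goes slightly beyond the thread: besides the GnuTLS character rule (ASCII letters, digits, '-' and '.', applied byte-wise, so c_isalnum() never accepts a UTF-8 byte), it flags the RFC 6066 constraints on HostName (no address literals, A-labels for IDNs, DNS length limits). The candidate names are constructed, not taken from anyone's logs; 192.0.2.10 stands in for an address literal.

```python
import ipaddress

# Same alphabet as GnuTLS's _gnutls_dnsname_is_valid(): ASCII letters, digits,
# '-' and '.'. Kept as bytes on purpose: c_isalnum() is ASCII-only.
GNUTLS_ALLOWED = frozenset(
    b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-.')


def gnutls_dnsname_is_valid(name):
    """Port of the GnuTLS check; False is what becomes GNUTLS_E_RECEIVED_DISALLOWED_NAME
    ("A disallowed SNI server name has been received"). NAME is bytes."""
    return all(b in GNUTLS_ALLOWED for b in name)


def sni_problems(name):
    """Reasons a server may refuse NAME as the TLS server_name value: the GnuTLS
    character rule plus the RFC 6066 section 3 HostName constraints."""
    problems = []
    try:
        raw = name.encode('ascii')
    except UnicodeEncodeError:
        raw = name.encode('utf-8')
        problems.append('non-ASCII: IDN hosts must be sent as A-labels (xn--...)')
    if not gnutls_dnsname_is_valid(raw):
        bad = ''.join(sorted({chr(b) for b in raw if b not in GNUTLS_ALLOWED}))
        problems.append('GnuTLS disallowed character(s): %r' % bad)
    if not name:
        problems.append('empty HostName')
    try:
        ipaddress.ip_address(name.strip('[]'))
        problems.append('IP literal: RFC 6066 section 3 does not permit literal addresses in HostName')
    except ValueError:
        pass
    if len(name) > 253 or any(len(label) > 63 for label in name.split('.')):
        problems.append('exceeds DNS name/label length limits')
    return problems


# Constructed candidates, e.g. values that could land in $host on a transport
# with "tls_sni = $host". Not taken from the thread's logs.
CANDIDATES = [
    'mx.example.org',             # fine
    'mx_1.example.org',           # underscore: GnuTLS rejects the handshake
    '192.0.2.10',                 # passes the GnuTLS charset rule, but RFC 6066 forbids it
    'mx.b\u00fccher.example',     # U-label: must be sent as its A-label
    'mx.xn--bcher-kva.example',   # the A-label form of the line above: fine
]


def classify(names=CANDIDATES):
    """{name: [problems]} for each candidate; an empty list means the name is safe to send."""
    return {n: sni_problems(n) for n in names}


if __name__ == '__main__':
    for n, p in classify().items():
        print('%-28s %s' % (n, 'ok' if not p else '; '.join(p)))
```

The address-literal case matters because the GnuTLS rule alone would accept it; a client that ends up with an IP in $host should send no SNI at all rather than the address.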

Re: [exim] exim.org still incorrectly configured

2021-10-16 Thread Adam D. Barratt via Exim-users
On Sat, 2021-10-16 at 18:44 +0200, Heiko Schlittermann via Exim-users
wrote:
> Adam D. Barratt via Exim-users  (Sat 16 Oct 2021 17:43:57 CEST):
> > > This hh.schlittermann.de runs the latest Exim, and probably sends
> > > you
> > > an SNI your server for some reason doesn't accept?
> > 
> > FWIW, I've also seen two of these, at 23:53:41UTC yesterday and
> > 11:08:41UTC today. The server in question is running Debian's 4.92-
> > 8+deb10u6 exim4-daemon-heavy package and has "tls_sni" set in the
> > log
> > selector.
> > 
> > The log entries for the second failed connection are:
> > 
> > 2021-10-16 11:08:40 SMTP connection from [213.128.132.49] (TCP/IP
> > connection count = 1)
> > 2021-10-16 11:08:41 TLS error on connection from
> > hh.schlittermann.de [213.128.132.49] (gnutls_handshake): A
> > disallowed SNI server name has been received.
> > 2021-10-16 11:08:41 SMTP connection from hh.schlittermann.de
> > [213.128.132.49] closed by EOF
> > 2021-10-16 11:08:41 no MAIL in SMTP connection from
> > hh.schlittermann.de [213.128.132.49] D=0s C=EHLO,STARTTLS
> > 
> > The same server has received 21 successful connections from
> > hh.schlittermann.de in the past couple of days.
> 
> Interesting. Can you tell *what* SNI the server hh sent?

Unfortunately the above appears to be all that's logged.


> That's what the hh server uses as the transport:
> [...]

> So, it sends you *your* hostname as an SNI.

That's indeed what I see for successful connections.

I've hopefully enabled TLS debug logging for connections from hh, so
we'll see if that provides any useful information if it happens again.

Regards,

Adam




Re: [exim] exim.org still incorrectly configured

2021-10-16 Thread Slavko via Exim-users
Hi,

On Sat, 16 Oct 2021 17:22:30 +0200, Heiko Schlittermann via Exim-users wrote:

> This hh.schlittermann.de runs the latest Exim, and probably sends you
> an SNI your server for some reason doesn't accept?

My MX doesn't reject emails based on SNI. It uses SNI to serve
different certificates, but with a fallback to the default one.

As I said over IRC, there is nothing more in Exim's log about this
connection, and it can be related to the "non-member bounce", as I posted to the ML
from the wrong address roughly at that time and I didn't get a bounce into my
mailbox.

AFAIK, it is GnuTLS which refused to create the TLS connection, and it
can be related (as my quick Internet research shows) to an underscore
(or other disallowed char) in the SNI; see the slightly outdated
https://github.com/osixia/docker-openldap/issues/383 but with a link to
the GnuTLS source. But here my knowledge ends ;-)

regards

-- 
Slavko
https://www.slavino.sk




Re: [exim] exim.org still incorrectly configured

2021-10-16 Thread Slavko via Exim-users
Hi,

On Sat, 16 Oct 2021 16:43:57 +0100, "Adam D. Barratt via Exim-users" wrote:

> FWIW, I've also seen two of these, at 23:53:41UTC yesterday and
> 11:08:41UTC today. The server in question is running Debian's 4.92-
> 8+deb10u6 exim4-daemon-heavy package and has "tls_sni" set in the log
> selector.

If it helps, my Exim is on Debian too, but I use exim4-daemon-heavy
4.94.2-7 and libgnutls30 3.7.1-5.

And BTW, I see a significant delay between when I send a message to the ML and get
it back (>1 hour). I am afraid/guess that it can be related to the mentioned IP
blacklisting, as I block some blacklisted IPs. Can you please publish
all outgoing IPs, so I can manually clean my blocklist?

regards

-- 
Slavko
https://www.slavino.sk




Re: [exim] exim.org still incorrectly configured

2021-10-16 Thread Adam D. Barratt via Exim-users
On Sat, 2021-10-16 at 17:22 +0200, Heiko Schlittermann via Exim-users
wrote:
> Slavko via Exim-users  (Sat 16 Oct 2021 11:14:45 CEST):
> > I am not sure if it is related to the migration, but recently I started
> > to see
> > something like this in my Exim log:
> > 
> > TLS error on connection from hh.schlittermann.de
> > [213.128.132.49]
> > (gnutls_handshake): A disallowed SNI server name has been
> > received.
> > 
> > The recent one was today at 2021-10-16 01:51:16.
> 
> While it is related to the migration, it seems to be a side effect of
> mitigating (hotmail/live/outlook)'s blacklist for the IP the "new
> exim site" is using now. We're sending the mails via a server that
> has better reputation at MS.
> 
> This hh.schlittermann.de runs the latest Exim, and probably sends you
> an SNI your server for some reason doesn't accept?

FWIW, I've also seen two of these, at 23:53:41UTC yesterday and
11:08:41UTC today. The server in question is running Debian's 4.92-
8+deb10u6 exim4-daemon-heavy package and has "tls_sni" set in the log
selector.

The log entries for the second failed connection are:

2021-10-16 11:08:40 SMTP connection from [213.128.132.49] (TCP/IP connection 
count = 1)
2021-10-16 11:08:41 TLS error on connection from hh.schlittermann.de 
[213.128.132.49] (gnutls_handshake): A disallowed SNI server name has been 
received.
2021-10-16 11:08:41 SMTP connection from hh.schlittermann.de [213.128.132.49] 
closed by EOF
2021-10-16 11:08:41 no MAIL in SMTP connection from hh.schlittermann.de 
[213.128.132.49] D=0s C=EHLO,STARTTLS

The same server has received 21 successful connections from
hh.schlittermann.de in the past couple of days.

Regards,

Adam




Re: [exim] exim.org still incorrectly configured

2021-10-16 Thread Jeremy Harris via Exim-users

On 16/10/2021 17:56, Slavko via Exim-users wrote:
> And BTW, I see a significant delay between when I send a message to the ML and get
> it back (>1 hour).


That's not just you.  We're running a fair-size backlog at present.
--
Cheers,
  Jeremy



Re: [exim] exim.org still incorrectly configured

2021-10-16 Thread Heiko Schlittermann via Exim-users
Adam D. Barratt via Exim-users  (Sat 16 Oct 2021 17:43:57 CEST):
> > 
> > This hh.schlittermann.de runs the latest Exim, and probably sends you
> > an SNI your server for some reason doesn't accept?
> 
> FWIW, I've also seen two of these, at 23:53:41UTC yesterday and
> 11:08:41UTC today. The server in question is running Debian's 4.92-
> 8+deb10u6 exim4-daemon-heavy package and has "tls_sni" set in the log
> selector.
> 
> The log entries for the second failed connection are:
> 
> 2021-10-16 11:08:40 SMTP connection from [213.128.132.49] (TCP/IP connection 
> count = 1)
> 2021-10-16 11:08:41 TLS error on connection from hh.schlittermann.de 
> [213.128.132.49] (gnutls_handshake): A disallowed SNI server name has been 
> received.
> 2021-10-16 11:08:41 SMTP connection from hh.schlittermann.de [213.128.132.49] 
> closed by EOF
> 2021-10-16 11:08:41 no MAIL in SMTP connection from hh.schlittermann.de 
> [213.128.132.49] D=0s C=EHLO,STARTTLS
> 
> The same server has received 21 successful connections from
> hh.schlittermann.de in the past couple of days.

Interesting. Can you tell *what* SNI the server hh sent?
That's what the hh server uses as the transport:

remote_smtp:
  driver = smtp
  tls_sni = $host
  dnssec_request_domains = *
  hosts_try_dane = *
  hosts_require_dane = +require_dane
  hosts_try_fastopen =

So, it sends you *your* hostname as an SNI.

-- 
Heiko




Re: [exim] exim.org still incorrectly configured

2021-10-16 Thread Heiko Schlittermann via Exim-users
Slavko via Exim-users  (Sat 16 Oct 2021 11:14:45 CEST):
> I am not sure if it is related to the migration, but recently I started to see
> something like this in my Exim log:
> 
> TLS error on connection from hh.schlittermann.de [213.128.132.49]
> (gnutls_handshake): A disallowed SNI server name has been received.
> 
> The recent one was today at 2021-10-16 01:51:16.

While it is related to the migration, it seems to be a side effect of
mitigating (hotmail/live/outlook)'s blacklist for the IP the "new exim
site" is using now. We're sending the mails via a server that has better
reputation at MS.

This hh.schlittermann.de runs the latest Exim, and probably sends you an
SNI your server for some reason doesn't accept?

-- 
Heiko




Re: [exim] exim.org still incorrectly configured

2021-10-16 Thread Slavko via Exim-users
Hi,

I am not sure if it is related to the migration, but recently I started to see
something like this in my Exim log:

TLS error on connection from hh.schlittermann.de [213.128.132.49]
(gnutls_handshake): A disallowed SNI server name has been received.

The recent one was today at 2021-10-16 01:51:16.

regards

-- 
Slavko
http://slavino.sk

