Re: [exim] Possible DKIM issue query

2022-10-10 Thread Markus Reschke via Exim-users

On Wed, 5 Oct 2022, Dave Mal via Exim-users wrote:

Hi Dave!

> When I look up the DNS results myself the DKIM for this
> ( s1._domainkey.sendgrid.com ) is actually a CNAME to
> s1.domainkey.u7715623.wl124.sendgrid.net.


That could be the cause. Based on RFC 6376 only the TXT RR is defined for
providing the key. However, some admins use a CNAME RR as a pointer to the
key (might be required by a cloud service to make DKIM work). This is one
of those annoying cases of how to interpret the RFC.


ciao
 Markus
--
/ Markus Reschke  \
\ madi...@theca-tabellaria.de /


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Possible DKIM issue query

2022-10-07 Thread Jeremy Harris via Exim-users

On 07/10/2022 14:21, Dave Mal via Exim-users wrote:

> DNS lookup of s1._domainkey.sendgrid.com. (TXT) gave TRY_AGAIN
> s1._domainkey.sendgrid.com. in dns_again_means_nonexist? no (option unset)
> returning DNS_AGAIN
> LOG: MAIN
>    PDKIM: d=sendgrid.com s=s1 [failed key import]
> PDKIM [sendgrid.com] rsa-sha256 signature status: PDKIM_VERIFY_INVALID
> (PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE)


> I'm guessing that the most important here is the "TRY_AGAIN" part


Yup.


> Is that down to a broken resolver on my part? i.e. system resolver or
> something in exim I'm missing
> or is that down to my host?


Could be this host, the network, the host that your resolv.conf points to,
or (I think) further up the DNS hierarchy for the lookup.

In any case, a defer at the SMTP layer as a result of a TRY_AGAIN in a
DNS operation seems entirely appropriate; the sending MTA should
retry later.

If it's a persistent problem then the sending user will eventually get a
bounce, and hopefully involve mail-admins, who in turn should involve
dns-admins.


> Yes, this is what I meant; to turn it off entirely.
> I feel this would be an option as spamassassin is also verifying the DKIM
> (pass) when it does its check.


- add an acl control "dkim_disable_verify"
- in an ACL *before* data
- preferably in an ACL path only applying to these problem messages.

--
Cheers,
  Jeremy




Re: [exim] Possible DKIM issue query

2022-10-07 Thread Dave Mal via Exim-users

On 07/10/2022 12:12, Jeremy Harris via Exim-users wrote:

> I don't think either of those should matter.
> Suggest enabling targeted debug for these domains, using ACL
> control=debug, probably best in RCPT ACL.  You'll want at least the acl
> and dns debug categories.
>
> In the debug output find that "failed key import" being logged,
> and look at the processing leading up to it.


This helped a lot! Thank you.

It's showing the following in that debug output:


DNS lookup of s1._domainkey.sendgrid.com. (TXT) gave TRY_AGAIN
s1._domainkey.sendgrid.com. in dns_again_means_nonexist? no (option unset)
returning DNS_AGAIN
LOG: MAIN
  PDKIM: d=sendgrid.com s=s1 [failed key import]
PDKIM [sendgrid.com] rsa-sha256 signature status: PDKIM_VERIFY_INVALID 
(PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE)



I'm guessing that the most important here is the "TRY_AGAIN" part

Is that down to a broken resolver on my part? i.e. system resolver or
something in exim I'm missing

or is that down to my host?

My resolv.conf is set by my host to use their in-house resolvers.




> Not sure what you mean by "turn down".
> Obviously you could avoid doing dkim verification.


Yes, this is what I meant; to turn it off entirely.
I feel this would be an option as spamassassin is also verifying the
DKIM (pass) when it does its check.







Re: [exim] Possible DKIM issue query

2022-10-07 Thread Jeremy Harris via Exim-users

On 05/10/2022 21:50, Dave Mal via Exim-users wrote:

> Is it the fact I'm getting CNAMEs back instead of a TXT causing this to fail
> or is it the lack of the V field or something else I'm missing?


I don't think either of those should matter.
Suggest enabling targeted debug for these domains, using ACL control=debug,
probably best in RCPT ACL.  You'll want at least the acl and dns debug 
categories.
In the debug output find that "failed key import" being logged,
and look at the processing leading up to it.



> Is there something I can do to turn off the defer I'm apparently sending back
> or to turn down the dkim check on incoming messages?


Not sure what you mean by "turn down".
Obviously you could avoid doing dkim verification.

--
Cheers,
  Jeremy

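Added example (not from the thread and not the Exim project's own configuration), putting Jeremy's two suggestions from this and the later message into one pre-DATA ACL: targeted acl+dns debugging and dkim_disable_verify, both limited to the problem messages. The DKIM d= domain is only visible once the message body has arrived, so the scoping here keys on the envelope sender domain instead; the list name, ACL name, debug tag and domain patterns are assumptions.

```exim
# Main section (assumed names): the sender domains that get the special
# handling, and the ACL that Exim runs at MAIL FROM, i.e. before DATA.
domainlist dkim_probe_domains = sendgrid.com : *.sendgrid.net

acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Targeted debugging: only for envelope senders in the list, turn on
  # debug output with the acl and dns selectors (the same selector syntax
  # as "exim -d+acl+dns"). Exim writes it to a separate debuglog file in
  # its log directory, named with the tag, so the main log stays quiet
  # and other traffic is unaffected. Look for "failed key import" there.
  warn  sender_domains = +dkim_probe_domains
        control        = debug/tag=dkim-probe/opts=+acl+dns

  # Skip DKIM verification for the same senders only. This control must
  # be set in an ACL that runs before the DATA ACL, which the MAIL ACL is;
  # every other message is still verified as before.
  warn  sender_domains = +dkim_probe_domains
        control        = dkim_disable_verify

  # Everything else (including the matched senders) carries on as normal.
  accept
```

Messages with an empty envelope sender (bounces) never match sender_domains, so they keep full verification and debugging off.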
