Re: [exim] Possible DKIM issue query
On Wed, 5 Oct 2022, Dave Mal via Exim-users wrote:

Hi Dave!

> When I look up the DNS results myself the DKIM for this
> (s1._domainkey.sendgrid.com) is actually a CNAME to
> s1.domainkey.u7715623.wl124.sendgrid.net. That could be the cause.

Based on RFC6376 only the TXT RR is defined for providing the key. However, some admins use a CNAME RR as pointer to the key (might be required by a cloud service to make DKIM work). This is one of those annoying cases of how to interpret the RFC.

ciao
Markus

-- 
/ Markus Reschke \
\ madi...@theca-tabellaria.de /

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Possible DKIM issue query
On 07/10/2022 14:21, Dave Mal via Exim-users wrote:

>   DNS lookup of s1._domainkey.sendgrid.com. (TXT) gave TRY_AGAIN
>   s1._domainkey.sendgrid.com. in dns_again_means_nonexist? no (option unset)
>   returning DNS_AGAIN
>   LOG: MAIN
>     PDKIM: d=sendgrid.com s=s1 [failed key import]
>   PDKIM [sendgrid.com] rsa-sha256 signature status: PDKIM_VERIFY_INVALID (PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE)
>
> I'm guessing that the most important here is the "TRY_AGAIN" part

Yup.

> Is that down to a broken resolver on my part? i.e. system resolver or
> something in exim I'm missing, or is that down to my host?

Could be this host, the network, the host that your resolv.conf points to, or (I think) further up the DNS hierarchy for the lookup.

In any case, a defer at the SMTP layer as a result of a TRY_AGAIN in a DNS operation seems entirely appropriate; the sending MTA should retry later. If it's a persistent problem then the sending user will eventually get a bounce, and hopefully involve mail-admins, who in turn should involve dns-admins.

> Yes, this is what I meant; to turn it off entirely I feel this would be
> an option as spamassassin is also verifying the DKIM (pass) when it does
> its check.

- add an acl control "dkim_disable_verify"
- in an ACL *before* data
- preferably in an ACL path only applying to these problem messages.

-- 
Cheers,
  Jeremy
Re: [exim] Possible DKIM issue query
On 07/10/2022 12:12, Jeremy Harris via Exim-users wrote:

> I don't think either of those should matter.
>
> Suggest enabling targeted debug for these domains, using ACL control=debug,
> probably best in RCPT ACL. You'll want at least the acl and dns debug
> categories. In the debug output find that "failed key import" being
> logged, and look at the processing leading up to it.

This helped a lot! - Thank You

It's showing the following in that debug output:

  DNS lookup of s1._domainkey.sendgrid.com. (TXT) gave TRY_AGAIN
  s1._domainkey.sendgrid.com. in dns_again_means_nonexist? no (option unset)
  returning DNS_AGAIN
  LOG: MAIN
    PDKIM: d=sendgrid.com s=s1 [failed key import]
  PDKIM [sendgrid.com] rsa-sha256 signature status: PDKIM_VERIFY_INVALID (PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE)

I'm guessing that the most important here is the "TRY_AGAIN" part.

Is that down to a broken resolver on my part? i.e. system resolver or something in exim I'm missing, or is that down to my host? My resolv.conf is set by my host to use their in-house resolvers.

> Not sure what you mean by "turn down". Obviously you could avoid doing
> dkim verification.

Yes, this is what I meant; to turn it off entirely I feel this would be an option as spamassassin is also verifying the DKIM (pass) when it does its check.
Re: [exim] Possible DKIM issue query
On 05/10/2022 21:50, Dave Mal via Exim-users wrote:

> Is it the fact I'm getting CNAMEs back instead of a TXT causing this to
> fail or is it the lack of the V field or something else I'm missing?

I don't think either of those should matter.

Suggest enabling targeted debug for these domains, using ACL control=debug, probably best in RCPT ACL. You'll want at least the acl and dns debug categories. In the debug output find that "failed key import" being logged, and look at the processing leading up to it.

> Is there something I can do to turn off the defer I'm apparently sending
> back or to turn down the dkim check on incoming messages?

Not sure what you mean by "turn down". Obviously you could avoid doing dkim verification.

-- 
Cheers,
  Jeremy
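The two configuration changes Jeremy suggests in this thread (control=debug in the RCPT ACL restricted to the problem domains, and dkim_disable_verify set in an ACL that runs before DATA), written out as one Exim ACL fragment. This is an added example, not code from the thread or from Exim's own documentation. The ACL name acl_check_rcpt is the one from Exim's default configuration and the domain list name dkim_problem_domains is an assumption; both should be adjusted to the running configuration.

```exim
# Added example (not from the thread). Assumes acl_smtp_rcpt = acl_check_rcpt
# as in the default Exim configuration; dkim_problem_domains is a name chosen
# here for the list of sender domains whose DKIM key lookups keep deferring.

domainlist dkim_problem_domains = sendgrid.com

acl_check_rcpt:

  # Step 1 (diagnosis): targeted debugging for the problem domains only.
  # "acl" and "dns" are the debug categories named in the thread; the tag
  # suffix keeps these debug files apart from any other debug output.
  # "warn" applies the control without changing the ACL's accept/deny result.
  warn
    sender_domains = +dkim_problem_domains
    control        = debug/tag=.dkim/opts=+acl+dns

  # Step 2 (workaround): skip DKIM verification for those senders only.
  # Verification runs while the message body is received, so this control
  # has to be set in an ACL that runs before DATA; RCPT is a convenient place.
  # Scoping it to the sender domain keeps verification on for everyone else.
  warn
    sender_domains = +dkim_problem_domains
    control        = dkim_disable_verify

  # The site's existing RCPT ACL statements (relay checks, recipient
  # verification, final accept) continue here unchanged.
```

With the first statement in place, Exim writes a debug file (by default named debuglog, with the tag appended, in the usual log directory) for sessions from the listed domains; searching it for "failed key import" and reading the DNS lookup lines just above it is what surfaced the TRY_AGAIN result in this thread. The second statement stops Exim from deferring the message on that lookup, while a downstream verifier such as SpamAssassin can still perform its own DKIM check as Dave describes.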