On 2022-09-29, Johnnie W Adams via Exim-users wrote:
> Hi, folks,
>
> We have an unusual mail routing topology, where mail passes through
> our SMTP server, through LISTSERV, and then back through our SMTP server.
>
> We are failing DMARC for reasons I think having to do with when the
>
On Thu, 29 Sep 2022, Johnnie W Adams via Exim-users wrote:
Well, it's a moral victory. I did get the acl to do what I wanted and give
me only the final DKIM signature. No go. Then I turned back on the LISTSERV
DKIM service so I'd get a LISTSERV signature +followed+ by an SMTP
signature. That
Well, it's a moral victory. I did get the acl to do what I wanted and give
me only the final DKIM signature. No go. Then I turned back on the LISTSERV
DKIM service so I'd get a LISTSERV signature +followed+ by an SMTP
signature. That fails, too. I'm beginning to think DMARC wants mailing list
But maybe that's not necessary! This condition will only be true if the
host which passes the mail to my SMTP server is the LISTSERV server. I take
it that's the "calling host", correct? So:
accept hosts = dbm;/etc/exim/friendly_hosts #which will contain my LISTSERV
server's FQDN
So it sounds like I need to add something like:
accept
remove_header = DKIM-Signature
in order to remove the first pass's signature. I'm not finding a
condition with which to test for the presence of a DKI header, though.
On Thu, Sep 29, 2022 at 2:01 PM Jeremy Harris via Exim-users <
On 29/09/2022 19:11, Johnnie W Adams via Exim-users wrote:
So my next step, I think, is
to add a DKIM header for the second pass through our SMTP servers.
I'd be tempted to add that signature and not add the other two.
You should not be removing any that you were not responsible
for adding.
So it +is+ obvious from the documentation. Just not the part I read. ;-)
But now I'm getting a glimpse of an answer.
RIght now, I'm failing ARC/DMARC with either a DKIM header from the first
pass through our SMTP servers, a DKIM header from the pass through the
LISTSERV server, or both. That's
Dňa 29. septembra 2022 16:32:33 UTC používateľ Viktor Dukhovni via Exim-users
napísal:
>On Thu, Sep 29, 2022 at 04:11:35PM +, Slavko via Exim-users wrote:
>SHOULD NOT is not "MUST NOT". Especially if the signatures are one's
>own from a prior internal SMTP relay hop. And there is RFC
On Thu, Sep 29, 2022 at 04:11:35PM +, Slavko via Exim-users wrote:
> RFC 6376, section 4.2:
>
> Signers SHOULD NOT remove any DKIM-Signature header fields from
> messages they are signing, even if they know that the signatures
> cannot be verified.
SHOULD NOT is not "MUST NOT".
Dňa 29. septembra 2022 15:28:16 UTC používateľ Johnnie W Adams via Exim-users
napísal:
> I +think+ the issue is that the DKIM signature from our SMTP server is
>from the first pass through and not the second pass. So what I would like
>to do is tell Exim to remove any DKIM signatures from
On 29/09/2022 16:28, Johnnie W Adams via Exim-users wrote:
tell Exim to remove any DKIM signatures from inbound mail. That
way, when mail leaves our data center, it'll be signed only at the point of
departure.
Can this be done? It's not obvious from the documentation.
Hi, folks,
We have an unusual mail routing topology, where mail passes through
our SMTP server, through LISTSERV, and then back through our SMTP server.
We are failing DMARC for reasons I think having to do with when the
message is signed by DKIM.
I +think+ the issue is that the
12 matches
Mail list logo