Mailing List Archive

odd DKIM verify failure
A rare piece of spam was able to get through my exim based defenses.
It was DKIM signed, and the log entry when it was received looks like
this:

2018-07-13 15:46:16 1fe6pM-0007WY-7X PDKIM: d=wallstreetinsider.org s=mail [failed key import]
2018-07-13 15:46:16 1fe6pM-0007WY-7X <= info@wallstreetinsider.org H=mail2.wallstreetinsider.org [139.9
9.102.117]:48086 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3826 id=5uCA1Amsmymlao3vrJH
2X4YXb3UbMQekyO3UkbDZ4@localhost

Is there a way to have an ACL deny rule specifically for this failure
mode? Not necessarily in acl_smtp_dkim, maybe in a generic acl based on
the key not being available in DNS?

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: odd DKIM verify failure [ In reply to ]
You don't say what Exim version, and it may matter. Look for $dkim_verify_status in the docs; it should be available in the data ACL.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: odd DKIM verify failure [ In reply to ]
On 2018-07-15 09:30, Jeremy Harris wrote:

> You don't say what Exim version, and it may matter.

Sorry about that, it's 4.91

> Look for $dkim_verify_status in the docs; it should be available in
> the data ACL.

The doc paragraph mentioning this variable and its friends starts:

"Inside the acl_smtp_dkim, the following expansion variables are
available"

which doesn't make it clear if it's available in acl_smtp_data as well.
Also, seemingly this will depend on dkim_cur_signer which (as I
understand it) may be different each time through acl_smtp_dkim, so it
wouldn't even make sense in other ACLs.

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: odd DKIM verify failure [ In reply to ]
Peeking at the source on a phone is tricky, but I think it goes... If you have a dkim ACL (even a dummy) then the variable values are rolled up into a list for later ACLs.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/