Mailing List Archive

Disclaimer and DKIM
Message classification: OFFICIAL

Hi all

We need to add disclaimers to out email and also use DKIM to sign our messages. Each of these things work individually but if they are both configured on a transport then the DKIM check fails because the disclaimer is added after the signature has been added. The disclaimers are added using altermime in a transport filter (see transport below)

remote_smtp_outbound:
debug_print = "T: remote_smtp for $local_part@$domain - Disclaimer domain = $acl_c_disclaimer"
headers_add = X-disclaimer-domain: $acl_c_disclaimer
driver = smtp
transport_filter = /usr/bin/altermime --verbose --log-syslog --input=- --disclaimer=/etc/exim4/local/disclaimers/$acl_c_disclaimer/textdisclaimer --disclaimer-b64=/etc/exim4/local/disclaimers/$acl_c_disclaimer/disclaimer.b64 --disclaimer-html=/etc/exim4/local/disclaimers/$acl_c_disclaimer/htmldisclaimer
size_addition = -1
dkim_domain = ${lc:${domain:$h_from:}}
dkim_selector = x
dkim_private_key = /etc/exim4/local/dkim_keys/$dkim_selector/dkim.$dkim_domain.key
dkim_canon = relaxed
dkim_sign_headers = DKIM_HEADERS_BTLS

Is there any way to add the disclaimer before the DKIM signature is generated that anyone knows of or a different way of adding disclaimers?

Thanks in advance

Dan Douglas


********************

This e-mail contains information intended for the addressee only.
It may be confidential and may be the subject of legal and/or professional privilege.
If you are not the addressee you are not authorised to disseminate, distribute, copy or use this e-mail or any attachment to it.
The content may be personal or contain personal opinions and unless specifically stated or followed up in writing, the content cannot be taken to form a contract or to be an expression of the County Council's position.
Lancashire County Council reserves the right to monitor all incoming and outgoing email.
Lancashire County Council has taken reasonable steps to ensure that outgoing communications do not contain malicious software and it is your responsibility to carry out any checks on this email before accepting the email and opening attachments.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Disclaimer and DKIM [ In reply to ]
Douglas, Daniel via Exim-users <exim-users@exim.org> (Mi 07 Nov 2018 21:46:38 CST):
> We need to add disclaimers to out email and also use DKIM to sign our messages. Each of these things work individually but if they are both configured on a transport then the DKIM check fails because the disclaimer is added after the signature has been added. The disclaimers are added using altermime in a transport filter (see transport below)

You should refuse to use your MTA for message alteration.
Adding a disclaimer may do a lot of harm. E.g. it will destroy a GPG
signature, or it will be outside of the GPG signature, and worthless
then.

What you *can* do is, checking if the disclaimer exists (in unencrypted
messages) and your MTA can refuse to transport such messages.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
Re: Disclaimer and DKIM [ In reply to ]
On 2018-11-07, Douglas, Daniel via Exim-users <exim-users@exim.org> wrote:
> We need to add disclaimers to out email and also use DKIM to sign our messages. Each of these things work individually but if they are both configured on a transport then the DKIM check fails because the disclaimer is added after the signature has been added. The disclaimers are added using altermime in a transport filter (see transport below)

Can you do the dkim-signing with opendkim in the transport filter,
after adding the disclaimer?

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Disclaimer and DKIM [ In reply to ]
On 2018-11-07, Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:
> Douglas, Daniel via Exim-users <exim-users@exim.org> (Mi 07 Nov 2018 21:46:38
> CST):
[ snip ]

> You should refuse to use your MTA for message alteration.

This is not a useful comment. Many places are required by law to
ensure that every communication from them includes certain text. If
you don't do it at the outbound MTA, where do you do it? (Unless, of
course you force everybody to use Exchange and absolutely nothing
else...)

> Adding a disclaimer may do a lot of harm. E.g. it will destroy a GPG
> signature, or it will be outside of the GPG signature, and worthless
> then.

A disclaimer is not worthless outside a GPG signature. Nor is the
charity identification number which you would see as a signature if I
were posting this from work.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Disclaimer and DKIM [ In reply to ]
On 2018-11-07, Douglas, Daniel via Exim-users <exim-users@exim.org> wrote:
> Message classification: OFFICIAL
>
> Hi all
>
> We need to add disclaimers to out email and also use DKIM to sign
> our messages. Each of these things work individually but if they are
> both configured on a transport then the DKIM check fails because the
> disclaimer is added after the signature has been added. The
> disclaimers are added using altermime in a transport filter (see
> transport below)

DKIM signing is done after the transport filter. (and headers_add etc)
this is not the problem.

> Is there any way to add the disclaimer before the DKIM signature is
> generated that anyone knows of or a different way of adding disclaimers?

I'm doing pretty-much what you are and it's working.

--
When I tried casting out nines I made a hash of it.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Disclaimer and DKIM [ In reply to ]
On 7 Nov 2018, at 19:12, Jasen Betts via Exim-users <exim-users@exim.org> wrote:
> DKIM signing is done after the transport filter. (and headers_add etc)
> this is not the problem.

I concur; I just tested this with a simple transport filter and sent a message to a Google Mail account, in which the DKIM headers pass validation without error.

To the OP: you’ll most likely need to run in debug mode to see what/where is mangling your message. It would also be useful and instructive if you let us know your OS and Exim versions.

Graeme
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Disclaimer and DKIM [ In reply to ]
Julian Bradfield via Exim-users <exim-users@exim.org> (Do 08 Nov 2018 01:22:12 CST):
> you don't do it at the outbound MTA, where do you do it? (Unless, of
> course you force everybody to use Exchange and absolutely nothing
> else...)

As I mentioned, I setup Exim *checking* if the disclaimer exists and ask
users to configure their clients to add the disclaimer. It is IMHO there
responsibility to add it.

--
Heiko
Re: Disclaimer and DKIM [ In reply to ]
I have made some progress. The disclaimers work in plain text emails but not html.

OS - Ubuntu 16.04.5 LTS (Xenial Xerus)
EXIM - 4.86_2

In debug mode I get the output below which shows the DKIM running after the transport filter as you said so I guess that isn't the issue. I'll play around with the disclaimer and see if it's some sort of formatting issue.

22484 Calling gnutls_record_recv(0x556cba492390, 0x7ffdfcc5d8f0, 4096)
22484 read response data: size=157
22484 SMTP<< 250-mx.google.com at your service,
22484 250-SIZE 157286400
22484 250-8BITMIME
22484 250-ENHANCEDSTATUSCODES
22484 250-PIPELINING
22484 250-CHUNKING
22484 250 SMTPUTF8
22484 173.194.76.27 in hosts_avoid_pipelining? no (option unset)
22484 using PIPELINING
22484 use_dsn=0
22484 173.194.76.27 in hosts_require_auth? no (option unset)
22484 direct command:
22484 argv[0] = /usr/bin/altermime
22484 argv[1] = --verbose
22484 argv[2] = --log-syslog
22484 argv[3] = --input=-
22484 argv[4] = --disclaimer=/etc/exim4/local/disclaimers/$acl_c_disclaimer/textdisclaimer
22484 argv[5] = --disclaimer-b64=/etc/exim4/local/disclaimers/$acl_c_disclaimer/disclaimer.b64
22484 argv[6] = --disclaimer-html=/etc/exim4/local/disclaimers/$acl_c_disclaimer/htmldisclaimer
22484 direct command after expansion:
22484 argv[0] = /usr/bin/altermime
22484 argv[1] = --verbose
22484 argv[2] = --log-syslog
22484 argv[3] = --input=-
22484 argv[4] = --disclaimer=/etc/exim4/local/disclaimers/btlancashire.co.uk/textdisclaimer
22484 argv[5] = --disclaimer-b64=/etc/exim4/local/disclaimers/btlancashire.co.uk/disclaimer.b64
22484 argv[6] = --disclaimer-html=/etc/exim4/local/disclaimers/btlancashire.co.uk/htmldisclaimer
22484 SMTP>> MAIL FROM:<Daniel.Douglas@btlancashire.co.uk>
22484 SMTP>> RCPT TO:<dandouglio.dd@googlemail.com>
22484 SMTP>> DATA
22484 tls_do_write(0x7ffdfcc5e8f0, 93)
22484 gnutls_record_send(SSL, 0x7ffdfcc5e8f0, 93)
22484 outbytes=93
22484 Calling gnutls_record_recv(0x556cba492390, 0x7ffdfcc5d8f0, 4096)
22484 read response data: size=45
22484 SMTP<< 250 2.1.0 OK n13-v6si3772576wri.199 - gsmtp
22484 Calling gnutls_record_recv(0x556cba492390, 0x7ffdfcc5d8f0, 4096)
22484 read response data: size=45
22484 SMTP<< 250 2.1.5 OK n13-v6si3772576wri.199 - gsmtp
22484 Calling gnutls_record_recv(0x556cba492390, 0x7ffdfcc5d8f0, 4096)
22484 read response data: size=46
22484 SMTP<< 354 Go ahead n13-v6si3772576wri.199 - gsmtp
22484 SMTP>> writing message and terminating "."
22484 process 22485 running as transport filter: write=13 read=14
22484 process 22486 writing to transport filter
22484 copying from the filter
22486 added header line:
22486 X-disclaimer-domain: btlancashire.co.uk
22486 ---
22486 writing data block fd=13 size=4304 timeout=300
22484 waiting for filter process
22484 waiting for writing process
22484 writing data block fd=11 size=6646 timeout=300
22484 end of filtering transport writing: yield=1
PDKIM >> Hashed body data, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>>
--_000_F8FE3C9E29310D4CB7531234C4EF1EB6010352DBF5EXMBX3adlancs_{CR}{LF}Content-Type:{SP}text/plain;{SP}charset="us-ascii"{CR}{LF}Content-Transfer-Encoding:{SP}quoted-printable{CR}{LF}{CR}{LF}Why{SP}does{SP}this{SP}not{SP}work{CR}{LF}{CR}{LF}=0AThis{SP}e-mail{SP}and{SP}its{SP}attachments,{SP}if{SP}any,{SP}contains{SP}information{SP}intended{SP}for{SP}the{SP}addressee{SP}only.{SP}It{SP}may{SP}be{SP}confidential{SP}and{SP}may{SP}be{SP}the{SP}subject{SP}of{SP}legal{SP}and/or{SP}professional{SP}privilege.{SP}If{SP}you{SP}are{SP}not{SP}the{SP}addressee{SP}you{SP}are{SP}not{SP}authorised{SP}to{SP}disseminate,{SP}distribute{SP},{SP}copy{SP}or{SP}use{SP}this{SP}e-mail{SP}or{SP}any{SP}attachment{SP}to{SP}it.{SP}The{SP}content{SP}may{SP}be{SP}personal{SP}or{SP}contain{SP}personal{SP}opinions{SP}and{SP}unless{SP}specifically{SP}stated{SP}or{SP}followed{SP}up{SP}in{SP}writing,{SP}the{SP}content{SP}cannot{SP}be{SP}taken{SP}to{SP}form{SP}a{SP}contract{SP}or{SP}to{SP}be{SP}an{SP}expression{SP}of{SP}BT{SP}Lancashire{SP}Services'{SP}position.{SP}If{SP}you{SP}receive{SP}an{SP}email{SP}in{SP}error{SP}from{SP}BT{SP}Lancashire{SP}Services{SP}please{SP}contact{SP}the{SP}sender{SP}and{SP}delete{SP}the{SP}email{SP}from{SP}your{SP}system.{SP}BT{SP}Lancashire{SP}Services{SP}reserves{SP}the{SP}right{SP}to{SP}monitor{SP}all{SP}incoming{SP}and{SP}outgoing{SP}email.{SP}BT{SP}Lancashire{SP}Services{SP}has{SP}taken{SP}reasonable{SP}steps{SP}to{SP}ensure{SP}that{SP}outgoing{SP}communications{SP}do{SP}not{SP}contain{SP}malicious{SP}software{SP}and{SP}it{SP}is{SP}your{SP}responsibility{SP}to{SP}carry{SP}out{SP}any{SP}checks{SP}on{SP}this{SP}email{SP}before{SP}accepting{SP}the{SP}email{SP}and{SP}opening{SP}attachments.=0ABT{SP}Lancashire{SP}Services,{SP}County{SP}Hall,{SP}Fishergate,{SP}Preston,{SP}Lancashire,{SP}PR1{SP}8XJ.{SP}Company{SP}Number{SP}07444626.=0A{CR}{CR}{LF}{CR}{LF}--_000_F8FE3C9E29310D4CB7531234C4EF1EB6010352DBF5EXMBX3adlancs_{CR}{LF}Content-Type:{SP}text/html;{SP}charset="us-ascii"{CR}{LF}Content-Transfer-Encoding:{SP}quoted-printable{CR}{LF}{CR}{LF}<html{SP}xmlns:v=3D"urn:schemas-microsoft-com:vml"{SP}xmlns:o=3D"urn:schemas-micr={CR}{LF}osoft-com:office:office"{SP}xmlns:w=3D"urn:schemas-microsoft-com:office:word"{SP}={CR}{LF}xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml"{SP}xmlns=3D"http:={CR}{LF}//www.w3.org/TR/REC-html40">{CR}{LF}<head>{CR}{LF}<meta{SP}http-equiv=3D"Content-Type"{SP}content=3D"text/html;{SP}charset=3Dus-ascii"={CR}{LF}>{CR}{LF}<meta{SP}name=3D"Generator"{SP}content=3D"Microsoft{SP}Word{SP}15{SP}(filtered{SP}medium)">{CR}{LF}<style><!--{CR}{LF}/*{SP}Font{SP}Definitions{SP}*/{CR}{LF}@font-face{CR}{LF}{SP}{BO}font-family:"Cambria{SP}Math";{CR}{LF}{SP}panose-1:2{SP}4{SP}5{SP}3{SP}5{SP}4{SP}6{SP}3{SP}2{SP}4;{BC}{CR}{LF}@font-face{CR}{LF}{SP}{BO}font-family:Calibri;{CR}{LF}{SP}panose-1:2{SP}15{SP}5{SP}2{SP}2{SP}2{SP}4{SP}3{SP}2{SP}4;{BC}{CR}{LF}/*{SP}Style{SP}Definitions{SP}*/{CR}{LF}p.MsoNormal,{SP}li.MsoNormal,{SP}div.MsoNormal{CR}{LF}{SP}{BO}margin:0cm;{CR}{LF}{SP}margin-bottom:.0001pt;{CR}{LF}{SP}font-size:11.0pt;{CR}{LF}{SP}font-family:"Calibri",sans-serif;{CR}{LF}{SP}mso-fareast-language:EN-US;{BC}{CR}{LF}a:link,{SP}span.MsoHyperlink{CR}{LF}{SP}{BO}mso-style-priority:99;{CR}{LF}{SP}color:#0563C1;{CR}{LF}{SP}text-decoration:underline;{BC}{CR}{LF}a:visited,{SP}span.MsoHyperlinkFollowed{CR}{LF}{SP}{BO}mso-style-priority:99;{CR}{LF}{SP}color:#954F72;{CR}{LF}{SP}text-decoration:underline;{BC}{CR}{LF}span.EmailStyle17{CR}{LF}{SP}{BO}mso-style-type:personal-compose;{CR}{LF}{SP}font-family:"Calibri",sans-serif;{CR}{LF}{SP}color:windowtext;{BC}{CR}{LF}.MsoChpDefault{CR}{LF}{SP}{BO}mso-style-type:export-only;{CR}{LF}{SP}font-family:"Calibri",sans-serif;{CR}{LF}{SP}mso-fareast-language:EN-US;{BC}{CR}{LF}@page{SP}WordSection1{CR}{LF}{SP}{BO}size:612.0pt{SP}792.0pt;{CR}{LF}{SP}margin:72.0pt{SP}72.0pt{SP}72.0pt{SP}72.0pt;{BC}{CR}{LF}div.WordSection1{CR}{LF}{SP}{BO}page:WordSection1;{BC}{CR}{LF}--></style><!--[if{SP}gte{SP}mso{SP}9]><xml>{CR}{LF}<o:shapedefaults{SP}v:ext=3D"edit"{SP}spidmax=3D"1026"{SP}/>{CR}{LF}</xml><![endif]--><!--[if{SP}gte{SP}mso{SP}9]><xml>{CR}{LF}<o:shapelayout{SP}v:ext=3D"edit">{CR}{LF}<o:idmap{SP}v:ext=3D"edit"{SP}data=3D"1"{SP}/>{CR}{LF}</o:shapelayout></xml><![endif]-->{CR}{LF}</head>{CR}{LF}<body{SP}lang=3D"EN-GB"{SP}link=3D"#0563C1"{SP}vlink=3D"#954F72">{CR}{LF}<div{SP}class=3D"WordSection1">{CR}{LF}<p{SP}class=3D"MsoNormal">Why{SP}does{SP}this{SP}not{SP}work<o:p></o:p></p>{CR}{LF}</div>{CR}{LF}{CR}{LF}<br>={CR}{LF}=0AThis{SP}e-mail{SP}and{SP}its{SP}attachments,{SP}if{SP}any,{SP}contains{SP}information{SP}intended{SP}for{SP}the{SP}addressee{SP}only.{SP}It{SP}may{SP}be{SP}confidential{SP}and{SP}may{SP}be{SP}the{SP}subject{SP}of{SP}legal{SP}and/or{SP}professional{SP}privilege.{SP}If{SP}you{SP}are{SP}not{SP}the{SP}addressee{SP}you{SP}are{SP}not{SP}authorised{SP}to{SP}disseminate,{SP}distribute{SP},{SP}copy{SP}or{SP}use{SP}this{SP}e-mail{SP}or{SP}any{SP}attachment{SP}to{SP}it.{SP}The{SP}content{SP}may{SP}be{SP}personal{SP}or{SP}contain{SP}personal{SP}opinions{SP}and{SP}unless{SP}specifically{SP}stated{SP}or{SP}followed{SP}up{SP}in{SP}writing,{SP}the{SP}content{SP}cannot{SP}be{SP}taken{SP}to{SP}form{SP}a{SP}contract{SP}or{SP}to{SP}be{SP}an{SP}expression{SP}of{SP}BT{SP}Lancashire{SP}Services'{SP}position.{SP}If{SP}you{SP}receive{SP}an{SP}email{SP}in{SP}error{SP}from{SP}BT{SP}Lancashire{SP}Services{SP}please{SP}contact{SP}the{SP}sender{SP}and{SP}delete{SP}the{SP}email{SP}from{SP}your{SP}system.{SP}BT{SP}Lancashire{SP}Services{SP}reserves{SP}the{SP}right{SP}to{SP}monitor{SP}all{SP}incoming{SP}and{SP}outgoing{SP}email.{SP}BT{SP}Lancashire{SP}Services{SP}has{SP}taken{SP}reasonable{SP}steps{SP}to{SP}ensure{SP}that{SP}outgoing{SP}communications{SP}do{SP}not{SP}contain{SP}malicious{SP}software{SP}and{SP}it{SP}is{SP}your{SP}responsibility{SP}to{SP}carry{SP}out{SP}any{SP}checks{SP}on{SP}this{SP}email{SP}before{SP}accepting{SP}the{SP}email{SP}and{SP}opening{SP}attachments.=0ABT{SP}Lancashire{SP}Services,{SP}County{SP}Hall,{SP}Fishergate,{SP}Preston,{SP}Lancashire,{SP}PR1{SP}8XJ.{SP}Company{SP}Number{SP}07444626.=0A{CR}{LF}<br>={CR}{LF}</body>{CR}{LF}</html>{CR}{LF}{CR}{LF}--_000_F8FE3C9E29310D4CB7531234C4EF1EB6010352DBF5EXMBX3adlancs_--{CR}{LF}PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
PDKIM [btlancashire.co.uk] Body bytes hashed: 4424
PDKIM [btlancashire.co.uk] bh computed: 84985faa485f6ee3cbf18cb28d66c883b93344519e786b709b1458db750b3fb2
PDKIM >> Hashed header data, canonicalized, in sequence >>>>>>>>>>>>>>
date:Thu,{SP}8{SP}Nov{SP}2018{SP}12:04:51{SP}+0000{CR}{LF}
subject:test{SP}html{SP}faile{CR}{LF}
to:"dandouglio.dd@googlemail.com"{SP}<dandouglio.dd@googlemail.com>{CR}{LF}
from:"Douglas,{SP}Daniel"{SP}<Daniel.Douglas@btlancashire.co.uk>{CR}{LF}
PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
PDKIM >> Signed DKIM-Signature header, canonicalized >>>>>>>>>>>>>>>>>
dkim-signature:v=1;{SP}a=rsa-sha256;{SP}q=dns/txt;{SP}c=relaxed/relaxed;{SP}d=btlancashire.co.uk;{SP}s=x;{SP}h=Date:Subject:To:From;{SP}bh=hJhfqkhfbuPL8YyyjWbIg7kzRFGeeGtwmxRY23ULP7I=;{SP}b=;
PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
PDKIM [btlancashire.co.uk] hh computed: a04cbda8e03dc0f96d0a7a60ebdb98935ae7e3ee3db5e4b4b6fd400bae6a5680
PDKIM [btlancashire.co.uk] b computed: 538776377471bdf031090c8c4ac01fabfe18acfd717f8507ae90fbff26fa65658864c031e430061559b69319615d7a94c2382a1dee4553ce3743db6c3b97b756b8bc808bf67cdc17efb6bb458d8184b5f390c22152a9d7fe3faa8878f441d5c3d3d56d1a6fda0e638da1bfc3a89be67238f842573525385e18ca84ac5d18bfcf
22484 tls_do_write(0x556cba892830, 352)




On 2018-11-07 19:12, Jasen Betts wrote:
> On 2018-11-07, Douglas, Daniel via Exim-users <exim-users@???> wrote:
> > Message classification: OFFICIAL
> >
> > Hi all
> >
>
> DKIM signing is done after the transport filter. (and headers_add etc)
> this is not the problem.
>
> > Is there any way to add the disclaimer before the DKIM signature is
> > generated that anyone knows of or a different way of adding disclaimers?
>
> I'm doing pretty-much what you are and it's working.
>
> --
>   When I tried casting out nines I made a hash of it.
>
>


********************

This e-mail contains information intended for the addressee only.
It may be confidential and may be the subject of legal and/or professional privilege.
If you are not the addressee you are not authorised to disseminate, distribute, copy or use this e-mail or any attachment to it.
The content may be personal or contain personal opinions and unless specifically stated or followed up in writing, the content cannot be taken to form a contract or to be an expression of the County Council's position.
Lancashire County Council reserves the right to monitor all incoming and outgoing email.
Lancashire County Council has taken reasonable steps to ensure that outgoing communications do not contain malicious software and it is your responsibility to carry out any checks on this email before accepting the email and opening attachments.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Disclaimer and DKIM [ In reply to ]
On 2018-11-08, Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:
> As I mentioned, I setup Exim *checking* if the disclaimer exists and ask
> users to configure their clients to add the disclaimer. It is IMHO there
> responsibility to add it.

Asking thirty thousand users to individually configure their mail
client (something which about twenty-nine thousand of them are
probably not competent to do) rather than having one sysadmin
configure the MTA, is something that no sane organization would
tolerate.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Disclaimer and DKIM [ In reply to ]
On 2018-11-08, Julian Bradfield via Exim-users <exim-users@exim.org> wrote:
> On 2018-11-08, Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:
>> As I mentioned, I setup Exim *checking* if the disclaimer exists and ask
>> users to configure their clients to add the disclaimer. It is IMHO there
>> responsibility to add it.
>
> Asking thirty thousand users to individually configure their mail
> client (something which about twenty-nine thousand of them are
> probably not competent to do) rather than having one sysadmin
> configure the MTA, is something that no sane organization would
> tolerate.

Sounds reasonable to me. if they deeply object to the disclaimer they can
use a different MTA.

--
When I tried casting out nines I made a hash of it.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Disclaimer and DKIM [ In reply to ]
I am following for when there is definitive way to do it.
Yes, it's better to do it at MTA level!

On Thu, 8 Nov 2018 at 15:25, Douglas, Daniel via Exim-users <
exim-users@exim.org> wrote:

> I have made some progress. The disclaimers work in plain text emails but
> not html.
>
> OS - Ubuntu 16.04.5 LTS (Xenial Xerus)
> EXIM - 4.86_2
>
> In debug mode I get the output below which shows the DKIM running after
> the transport filter as you said so I guess that isn't the issue. I'll play
> around with the disclaimer and see if it's some sort of formatting issue.
>
> 22484 Calling gnutls_record_recv(0x556cba492390, 0x7ffdfcc5d8f0, 4096)
> 22484 read response data: size=157
> 22484 SMTP<< 250-mx.google.com at your service,
> 22484 250-SIZE 157286400
> 22484 250-8BITMIME
> 22484 250-ENHANCEDSTATUSCODES
> 22484 250-PIPELINING
> 22484 250-CHUNKING
> 22484 250 SMTPUTF8
> 22484 173.194.76.27 in hosts_avoid_pipelining? no (option unset)
> 22484 using PIPELINING
> 22484 use_dsn=0
> 22484 173.194.76.27 in hosts_require_auth? no (option unset)
> 22484 direct command:
> 22484 argv[0] = /usr/bin/altermime
> 22484 argv[1] = --verbose
> 22484 argv[2] = --log-syslog
> 22484 argv[3] = --input=-
> 22484 argv[4] =
> --disclaimer=/etc/exim4/local/disclaimers/$acl_c_disclaimer/textdisclaimer
> 22484 argv[5] =
> --disclaimer-b64=/etc/exim4/local/disclaimers/$acl_c_disclaimer/disclaimer.b64
> 22484 argv[6] =
> --disclaimer-html=/etc/exim4/local/disclaimers/$acl_c_disclaimer/htmldisclaimer
> 22484 direct command after expansion:
> 22484 argv[0] = /usr/bin/altermime
> 22484 argv[1] = --verbose
> 22484 argv[2] = --log-syslog
> 22484 argv[3] = --input=-
> 22484 argv[4] = --disclaimer=/etc/exim4/local/disclaimers/
> btlancashire.co.uk/textdisclaimer
> 22484 argv[5] = --disclaimer-b64=/etc/exim4/local/disclaimers/
> btlancashire.co.uk/disclaimer.b64
> 22484 argv[6] = --disclaimer-html=/etc/exim4/local/disclaimers/
> btlancashire.co.uk/htmldisclaimer
> 22484 SMTP>> MAIL FROM:<Daniel.Douglas@btlancashire.co.uk>
> 22484 SMTP>> RCPT TO:<dandouglio.dd@googlemail.com>
> 22484 SMTP>> DATA
> 22484 tls_do_write(0x7ffdfcc5e8f0, 93)
> 22484 gnutls_record_send(SSL, 0x7ffdfcc5e8f0, 93)
> 22484 outbytes=93
> 22484 Calling gnutls_record_recv(0x556cba492390, 0x7ffdfcc5d8f0, 4096)
> 22484 read response data: size=45
> 22484 SMTP<< 250 2.1.0 OK n13-v6si3772576wri.199 - gsmtp
> 22484 Calling gnutls_record_recv(0x556cba492390, 0x7ffdfcc5d8f0, 4096)
> 22484 read response data: size=45
> 22484 SMTP<< 250 2.1.5 OK n13-v6si3772576wri.199 - gsmtp
> 22484 Calling gnutls_record_recv(0x556cba492390, 0x7ffdfcc5d8f0, 4096)
> 22484 read response data: size=46
> 22484 SMTP<< 354 Go ahead n13-v6si3772576wri.199 - gsmtp
> 22484 SMTP>> writing message and terminating "."
> 22484 process 22485 running as transport filter: write=13 read=14
> 22484 process 22486 writing to transport filter
> 22484 copying from the filter
> 22486 added header line:
> 22486 X-disclaimer-domain: btlancashire.co.uk
> 22486 ---
> 22486 writing data block fd=13 size=4304 timeout=300
> 22484 waiting for filter process
> 22484 waiting for writing process
> 22484 writing data block fd=11 size=6646 timeout=300
> 22484 end of filtering transport writing: yield=1
> PDKIM >> Hashed body data, canonicalized >>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> --_000_F8FE3C9E29310D4CB7531234C4EF1EB6010352DBF5EXMBX3adlancs_{CR}{LF}Content-Type:{SP}text/plain;{SP}charset="us-ascii"{CR}{LF}Content-Transfer-Encoding:{SP}quoted-printable{CR}{LF}{CR}{LF}Why{SP}does{SP}this{SP}not{SP}work{CR}{LF}{CR}{LF}=0AThis{SP}e-mail{SP}and{SP}its{SP}attachments,{SP}if{SP}any,{SP}contains{SP}information{SP}intended{SP}for{SP}the{SP}addressee{SP}only.{SP}It{SP}may{SP}be{SP}confidential{SP}and{SP}may{SP}be{SP}the{SP}subject{SP}of{SP}legal{SP}and/or{SP}professional{SP}privilege.{SP}If{SP}you{SP}are{SP}not{SP}the{SP}addressee{SP}you{SP}are{SP}not{SP}authorised{SP}to{SP}disseminate,{SP}distribute{SP},{SP}copy{SP}or{SP}use{SP}this{SP}e-mail{SP}or{SP}any{SP}attachment{SP}to{SP}it.{SP}The{SP}content{SP}may{SP}be{SP}personal{SP}or{SP}contain{SP}personal{SP}opinions{SP}and{SP}unless{SP}specifically{SP}stated{SP}or{SP}followed{SP}up{SP}in{SP}writing,{SP}the{SP}content{SP}cannot{SP}be{SP}taken{SP}to{SP}form{SP}a{SP}contract{SP}or{SP}to{SP}be{SP}an{SP}expression{SP}of{SP}BT{SP}Lancashire{SP}Services'{SP}position.{SP}If{SP}you{SP}receive{SP}an{SP}email{SP}in{SP}error{SP}from{SP}BT{SP}Lancashire{SP}Services{SP}please{SP}contact{SP}the{SP}sender{SP}and{SP}delete{SP}the{SP}email{SP}from{SP}your{SP}system.{SP}BT{SP}Lancashire{SP}Services{SP}reserves{SP}the{SP}right{SP}to{SP}monitor{SP}all{SP}incoming{SP}and{SP}outgoing{SP}email.{SP}BT{SP}Lancashire{SP}Services{SP}has{SP}taken{SP}reasonable{SP}steps{SP}to{SP}ensure{SP}that{SP}outgoing{SP}communications{SP}do{SP}not{SP}contain{SP}malicious{SP}software{SP}and{SP}it{SP}is{SP}your{SP}responsibility{SP}to{SP}carry{SP}out{SP}any{SP}checks{SP}on{SP}this{SP}email{SP}before{SP}accepting{SP}the{SP}email{SP}and{SP}opening{SP}attachments.=0ABT{SP}Lancashire{SP}Services,{SP}County{SP}Hall,{SP}Fishergate,{SP}Preston,{SP}Lancashire,{SP}PR1{SP}8XJ.{SP}Company{SP}Number{SP}07444626.=0A{CR}{CR}{LF}{CR}{LF}--_000_F8FE3C9E29310D4CB7531234C4EF1EB6010352DBF5EXMBX3adlancs_{CR}{LF}Content-Type:{SP}text/html;{SP}charset="us-ascii"{CR}{LF}Content-Transfer-Encoding:{SP}quoted-printable{CR}{LF}{CR}{LF}<html{SP}xmlns:v=3D"urn:schemas-microsoft-com:vml"{SP}xmlns:o=3D"urn:schemas-micr={CR}{LF}osoft-com:office:office"{SP}xmlns:w=3D"urn:schemas-microsoft-com:office:word"{SP}={CR}{LF}xmlns:m=3D"
> http://schemas.microsoft.com/office/2004/12/omml
> "{SP}xmlns=3D"http:={CR}{LF}//www.w3.org/TR/REC-html40
> ">{CR}{LF}<head>{CR}{LF}<meta{SP}http-equiv=3D"Content-Type"{SP}content=3D"text/html;{SP}charset=3Dus-ascii"={CR}{LF}>{CR}{LF}<meta{SP}name=3D"Generator"{SP}content=3D"Microsoft{SP}Word{SP}15{SP}(filtered{SP}medium)">{CR}{LF}<style><!--{CR}{LF}/*{SP}Font{SP}Definitions{SP}*/{CR}{LF}@font-face
> {CR}{LF}{SP}{BO}font-family:"Cambria{SP}Math";{CR}{LF}{SP}panose-1:2{SP}4{SP}5{SP}3{SP}5{SP}4{SP}6{SP}3{SP}2{SP}4;{BC}{CR}{LF}@font-face
> {CR}{LF}{SP}{BO}font-family:Calibri;{CR}{LF}{SP}panose-1:2{SP}15{SP}5{SP}2{SP}2{SP}2{SP}4{SP}3{SP}2{SP}4;{BC}{CR}{LF}/*{SP}Style{SP}Definitions{SP}*/{CR}{LF}p.MsoNormal,{SP}li.MsoNormal,{SP}div.MsoNormal{CR}{LF}{SP}{BO}margin:0cm;{CR}{LF}{SP}margin-bottom:.0001pt;{CR}{LF}{SP}font-size:11.0pt;{CR}{LF}{SP}font-family:"Calibri",sans-serif;{CR}{LF}{SP}mso-fareast-language:EN-US;{BC}{CR}{LF}a:link,{SP}span.MsoHyperlink{CR}{LF}{SP}{BO}mso-style-priority:99;{CR}{LF}{SP}color:#0563C1;{CR}{LF}{SP}text-decoration:underline;{BC}{CR}{LF}a:visited,{SP}span.MsoHyperlinkFollowed{CR}{LF}{SP}{BO}mso-style-priority:99;{CR}{LF}{SP}color:#954F72;{CR}{LF}{SP}text-decoration:underline;{BC}{CR}{LF}span.EmailStyle17{CR}{LF}{SP}{BO}mso-style-type:personal-compose;{CR}{LF}{SP}font-family:"Calibri",sans-serif;{CR}{LF}{SP}color:windowtext;{BC}{CR}{LF}.MsoChpDefault{CR}{LF}{SP}{BO}mso-style-type:export-only;{CR}{LF}{SP}font-family:"Calibri",sans-serif;{CR}{LF}{SP}mso-fareast-language:EN-US;{BC}{CR}{LF}@page{SP}WordSection1{CR}{LF}{SP}{BO}size:612.0pt{SP}792.0pt;{CR}{LF}{SP}margin:72.0pt{SP}72.0pt{SP}72.0pt{SP}72.0pt;{BC}{CR}{LF}div.WordSection1{CR}{LF}{SP}{BO}page:WordSection1;{BC}{CR}{LF}--></style><!--[if{SP}gte{SP}mso{SP}9]><xml>{CR}{LF}<o:shapedefaults{SP}v:ext=3D"edit"{SP}spidmax=3D"1026"{SP}/>{CR}{LF}</xml><![endif]--><!--[if{SP}gte{SP}mso{SP}9]><xml>{CR}{LF}<o:shapelayout{SP}v:ext=3D"edit">{CR}{LF}<o:idmap{SP}v:ext=3D"edit"{SP}data=3D"1"{SP}/>{CR}{LF}</o:shapelayout></xml><![endif]-->{CR}{LF}</head>{CR}{LF}<body{SP}lang=3D"EN-GB"{SP}link=3D"#0563C1"{SP}vlink=3D"#954F72">{CR}{LF}<div{SP}class=3D"WordSection1">{CR}{LF}<p{SP}class=3D"MsoNormal">Why{SP}does{SP}this{SP}not{SP}work<o:p></o:p></p>{CR}{LF}</div>{CR}{LF}{CR}{LF}<br>={CR}{LF}=0AThis{SP}e-mail{SP}and{SP}its{SP}attachments,{SP}if{SP}any,{SP}contains{SP}information{SP}intended{SP}for{SP}the{SP}addressee{SP}only.{SP}It{SP}may{SP}be{SP}confidential{SP}and{SP}may{SP}be{SP}the{SP}subject{SP}of{SP}legal{SP}and/or{SP}professional{SP}privilege.{SP}If{SP}you{SP}are{SP}not{SP}the{SP}addressee{SP}you{SP}are{SP}not{SP}authorised{SP}to{SP}disseminate,{SP}distribute{SP},{SP}copy{SP}or{SP}use{SP}this{SP}e-mail{SP}or{SP}any{SP}attachment{SP}to{SP}it.{SP}The{SP}content{SP}may{SP}be{SP}personal{SP}or{SP}contain{SP}personal{SP}opinions{SP}and{SP}unless{SP}specifically{SP}stated{SP}or{SP}followed{SP}up{SP}in{SP}writing,{SP}the{SP}content{SP}cannot{SP}be{SP}taken{SP}to{SP}form{SP}a{SP}contract{SP}or{SP}to{SP}be{SP}an{SP}expression{SP}of{SP}BT{SP}Lancashire{SP}Services'{SP}position.{SP}If{SP}you{SP}receive{SP}an{SP}email{SP}in{SP}error{SP}from{SP}BT{SP}Lancashire{SP}Services{SP}please{SP}contact{SP}the{SP}sender{SP}and{SP}delete{SP}the{SP}email{SP}from{SP}your{SP}system.{SP}BT{SP}Lancashire{SP}Services{SP}reserves{SP}the{SP}right{SP}to{SP}monitor{SP}all{SP}incoming{SP}and{SP}outgoing{SP}email.{SP}BT{SP}Lancashire{SP}Services{SP}has{SP}taken{SP}reasonable{SP}steps{SP}to{SP}ensure{SP}that{SP}outgoing{SP}communications{SP}do{SP}not{SP}contain{SP}malicious{SP}software{SP}and{SP}it{SP}is{SP}your{SP}responsibility{SP}to{SP}carry{SP}out{SP}any{SP}checks{SP}on{SP}this{SP}email{SP}before{SP}accepting{SP}the{SP}email{SP}and{SP}opening{SP}attachments.=0ABT{SP}Lancashire{SP}Services,{SP}County{SP}Hall,{SP}Fishergate,{SP}Preston,{SP}Lancashire,{SP}PR1{SP}8XJ.{SP}Company{SP}Number{SP}07444626.=0A{CR}{LF}<br>={CR}{LF}</body>{CR}{LF}</html>{CR}{LF}{CR}{LF}--_000_F8FE3C9E29310D4CB7531234C4EF1EB6010352DBF5EXMBX3adlancs_--{CR}{LF}PDKIM
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> PDKIM [btlancashire.co.uk] Body bytes hashed: 4424
> PDKIM [btlancashire.co.uk] bh computed:
> 84985faa485f6ee3cbf18cb28d66c883b93344519e786b709b1458db750b3fb2
> PDKIM >> Hashed header data, canonicalized, in sequence >>>>>>>>>>>>>>
> date:Thu,{SP}8{SP}Nov{SP}2018{SP}12:04:51{SP}+0000{CR}{LF}
> subject:test{SP}html{SP}faile{CR}{LF}
> to:"dandouglio.dd@googlemail.com"{SP}<dandouglio.dd@googlemail.com
> >{CR}{LF}
> from:"Douglas,{SP}Daniel"{SP}<Daniel.Douglas@btlancashire.co.uk>{CR}{LF}
> PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> PDKIM >> Signed DKIM-Signature header, canonicalized >>>>>>>>>>>>>>>>>
>
> dkim-signature:v=1;{SP}a=rsa-sha256;{SP}q=dns/txt;{SP}c=relaxed/relaxed;{SP}d=
> btlancashire.co.uk
> ;{SP}s=x;{SP}h=Date:Subject:To:From;{SP}bh=hJhfqkhfbuPL8YyyjWbIg7kzRFGeeGtwmxRY23ULP7I=;{SP}b=;
> PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> PDKIM [btlancashire.co.uk] hh computed:
> a04cbda8e03dc0f96d0a7a60ebdb98935ae7e3ee3db5e4b4b6fd400bae6a5680
> PDKIM [btlancashire.co.uk] b computed:
> 538776377471bdf031090c8c4ac01fabfe18acfd717f8507ae90fbff26fa65658864c031e430061559b69319615d7a94c2382a1dee4553ce3743db6c3b97b756b8bc808bf67cdc17efb6bb458d8184b5f390c22152a9d7fe3faa8878f441d5c3d3d56d1a6fda0e638da1bfc3a89be67238f842573525385e18ca84ac5d18bfcf
> 22484 tls_do_write(0x556cba892830, 352)
>
>
>
>
> On 2018-11-07 19:12, Jasen Betts wrote:
> > On 2018-11-07, Douglas, Daniel via Exim-users <exim-users@???> wrote:
> > > Message classification: OFFICIAL
> > >
> > > Hi all
> > >
> >
> > DKIM signing is done after the transport filter. (and headers_add etc)
> > this is not the problem.
> >
> > > Is there any way to add the disclaimer before the DKIM signature is
> > > generated that anyone knows of or a different way of adding
> disclaimers?
> >
> > I'm doing pretty-much what you are and it's working.
> >
> > --
> > When I tried casting out nines I made a hash of it.
> >
> >
>
>
> ********************
>
> This e-mail contains information intended for the addressee only.
> It may be confidential and may be the subject of legal and/or professional
> privilege.
> If you are not the addressee you are not authorised to disseminate,
> distribute, copy or use this e-mail or any attachment to it.
> The content may be personal or contain personal opinions and unless
> specifically stated or followed up in writing, the content cannot be taken
> to form a contract or to be an expression of the County Council's position.
> Lancashire County Council reserves the right to monitor all incoming and
> outgoing email.
> Lancashire County Council has taken reasonable steps to ensure that
> outgoing communications do not contain malicious software and it is your
> responsibility to carry out any checks on this email before accepting the
> email and opening attachments.
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/