Bug#567876: DKIM-related failures should not end up in the panic log
Andreas Metzler
ametzler at downhill.at.eu.org
Mon Feb 1 18:11:58 UTC 2010
forwarded 567876 http://mid.gmane.org/200912031200.14973.ke%40helinet.de
thanks
On 2010-01-31 Florian Weimer <fw at deneb.enyo.de> wrote:
> Package: exim4-daemon-heavy
> Version: 4.71-3
> I don't think these messages belong to the panic log:
> 2010-01-31 21:41:16 1Nbga6-0005ZL-FH DKIM: Error while running this message through validation, disabling signature verification.
Hello,
I first thought this was a "should not happen" error, so paniclog
might have been correct ...
> The error message could be more helpful, too. The message in question
> does not contain a DKIM signature, and no DKIM data is stored in DNS
> AFAICT.
[...]
This was also discussed upstream, ending with:
----------------------------------------------------------
On 2009-12-18 Kerstin Espey wrote
> On Thursday, 17 December 2009, Tom Kistner wrote:
[...]
>> Looking through the code, these are the most likely causes for the
>> failures:
>> 1) The message has more than 512 headers.
>> 2) The message contains a single line longer than 16k bytes.
> That's it!
[...]
> Saving the TCP stream in Wireshark as ASCII does cause line breaks. That's
> why I didn't get an error message passing the dump to exim.
> Saving the TCP stream as raw does show the long lines.
>> Both are limits that can be tweaked in src/pdkim/pdkim.c. They are set
>> to avoid DoS scenarios.
> That does make sense. But is it necessary to look at the body, if there isn't
> any dkim-signature at all?
----------------------------------------------------------
Looks like restricting the error to main_log is the right thing to do.
cu andreas
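
A triage check for the two limits named in the quoted upstream reply, as an added example that is not part of the original message and is not Exim's or pdkim's code. It works on the raw message bytes, since an export with inserted line breaks hides the long line. Assumptions: "16k" is taken as 16384 bytes, header fields are counted as non-continuation lines before the first blank line, and the names `check_message` and `build_sample` are hypothetical.

```python
import sys

# Limits as quoted in the thread; "16k" is assumed to mean 16384 bytes.
MAX_HEADERS = 512
MAX_LINE_BYTES = 16 * 1024


def check_message(raw: bytes) -> dict:
    """Check raw message bytes against the two limits named in the thread."""
    # Split on LF and strip a trailing CR so CRLF and bare-LF input both work.
    lines = [ln[:-1] if ln.endswith(b"\r") else ln for ln in raw.split(b"\n")]
    header_count = 0
    in_headers = True
    longest = 0
    longest_lineno = 0
    for lineno, line in enumerate(lines, start=1):
        if len(line) > longest:
            longest, longest_lineno = len(line), lineno
        if in_headers:
            if line == b"":
                in_headers = False  # blank line ends the header section
            elif line[:1] not in (b" ", b"\t"):
                header_count += 1   # folded continuation lines are not new fields
    return {
        "header_count": header_count,
        "longest_line": longest,
        "longest_lineno": longest_lineno,
        "too_many_headers": header_count > MAX_HEADERS,
        "line_too_long": longest > MAX_LINE_BYTES,
    }


def build_sample(body_line_len: int) -> bytes:
    """Constructed sample: no DKIM-Signature header, one body line of given length."""
    return (b"From: a@example.org\r\nTo: b@example.org\r\nSubject: test\r\n"
            b" folded continuation\r\n\r\n" + b"x" * body_line_len + b"\r\n")


if __name__ == "__main__":
    # Pass a raw message file (e.g. a spool copy) or fall back to the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(20000)
    for key, value in check_message(raw).items():
        print(f"{key}: {value}")
```
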