.new
-.option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1"
+.option dkim_verify_hashes main "string list" "sha256 : sha512"
.cindex DKIM "selecting signature algorithms"
This option gives a list of hash types which are acceptable in signatures,
and an order of processing.
Signatures with algorithms not in the list will be ignored.
-Note that the presence of sha1 violates RFC 8301.
-Signatures using the rsa-sha1 are however (as of writing) still common.
-The default inclusion of sha1 may be dropped in a future release.
+Acceptable values include:
+.code
+sha1
+sha256
+sha512
+.endd
+
+Note that the acceptance of sha1 violates RFC 8301.
.option dkim_verify_keytypes main "string list" "ed25519 : rsa"
This option gives a list of key types which are acceptable in signatures,
JH/02 Early-pipelining support code is now included unless disabled in Makefile.
+JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to
+ RFC 8301. They can still be enabled, using the dkim_verify_hashes main
+ option.
+
Exim version 4.93
-----------------
uschar *dkim_signers = NULL;
uschar *dkim_signing_domain = NULL;
uschar *dkim_signing_selector = NULL;
-uschar *dkim_verify_hashes = US"sha256:sha512:sha1";
+uschar *dkim_verify_hashes = US"sha256:sha512";
uschar *dkim_verify_keytypes = US"ed25519:rsa";
BOOL dkim_verify_minimal = FALSE;
uschar *dkim_verify_overall = NULL;
acl_smtp_data = check_data
log_selector = +dkim_verbose
+dkim_verify_hashes = sha256 : sha512 : sha1
queue_only
queue_run_in_order
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
>>> xxx in helo_lookup_domains? no (end of list)
->>> processing "accept" (TESTSUITE/test-config 43)
+>>> processing "accept" (TESTSUITE/test-config 44)
>>> accept: condition test succeeded in inline ACL
>>> end of inline ACL: ACCEPT
>>> host in ignore_fromline_hosts? no (option unset)
>>> using ACL "check_dkim"
->>> processing "warn" (TESTSUITE/test-config 34)
+>>> processing "warn" (TESTSUITE/test-config 35)
>>> check logwrite = signer: $dkim_cur_signer bits: $dkim_key_length
>>> = signer: test.ex bits: 1024
LOG: 10HmaX-0005vi-00 signer: test.ex bits: 1024
>>> warn: condition test succeeded in ACL "check_dkim"
->>> processing "accept" (TESTSUITE/test-config 37)
+>>> processing "accept" (TESTSUITE/test-config 38)
>>> accept: condition test succeeded in ACL "check_dkim"
>>> end of ACL "check_dkim": ACCEPT
LOG: 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
>>> using ACL "check_data"
->>> processing "accept" (TESTSUITE/test-config 41)
+>>> processing "accept" (TESTSUITE/test-config 42)
>>> check logwrite = ${authresults {$primary_hostname}}
>>> = Authentication-Results: myhost.test.ex;
>>> dkim=pass header.d=test.ex header.s=sel header.a=rsa-sha1
projects / exim.git / commitdiff