summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2017-11-07 19:01:42 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2017-11-07 19:01:42 +0000
commita79d883474c84fa2a286b7797a7664b599912fcd (patch)
treedba2c8be5c8c9f90504ad157c2e2623f142de1a4
parentba86e143c7aeb0d70ea4c9d73a617a98f06f6baa (diff)
DKIM: Allow the DKIM ACL to override verification results. Bug 2186
This provides generic support, though is covers the need introduced by https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-usage/?include_text=1 (deprecating sha-1 and RSA keys shorter than 1024 bits).
-rw-r--r--doc/doc-docbook/spec.xfpt17
-rw-r--r--doc/doc-txt/NewStuff1
-rw-r--r--src/src/acl.c51
-rw-r--r--src/src/dkim.c193
-rw-r--r--src/src/dkim.h2
-rw-r--r--src/src/expand.c4
-rw-r--r--src/src/globals.c2
-rw-r--r--src/src/globals.h2
-rw-r--r--src/src/receive.c9
-rw-r--r--test/confs/450016
-rw-r--r--test/log/450013
-rw-r--r--test/log/45014
-rw-r--r--test/log/45028
-rw-r--r--test/log/45032
-rw-r--r--test/log/45068
-rw-r--r--test/log/452017
-rw-r--r--test/log/45233
-rw-r--r--test/log/45243
-rw-r--r--test/log/45502
-rw-r--r--test/scripts/4500-DKIM/450038
-rw-r--r--test/stderr/450710
21 files changed, 281 insertions, 124 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 7a0841cb2..98986e032 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -38731,6 +38731,19 @@ available in &%$dkim_verify_reason%&.
&%pass%&: The signature passed verification. It is valid.
.endlist
+.new
+This variable can be overwritten using an ACL 'set' modifier.
+This might, for instance, be done to enforce a policy restriction on
+hash-method or key-size:
+.code
+ warn condition = ${if eq {$dkim_algo}{rsa-sha1}}
+ condition = ${if eq {$dkim_verify_status}{pass}}
+ logwrite = NOTE: forcing dkim verify fail (was pass)
+ set dkim_verify_status = fail
+ set dkim_verify_reason = hash too weak
+.endd
+.wen
+
.vitem &%$dkim_verify_reason%&
A string giving a little bit more detail when &%$dkim_verify_status%& is either
"fail" or "invalid". One of
@@ -38751,6 +38764,10 @@ re-written or otherwise changed in a way which is incompatible with
DKIM verification. It may of course also mean that the signature is forged.
.endlist
+.new
+This variable can be overwritten using an ACL 'set' modifier.
+.wen
+
.vitem &%$dkim_domain%&
The signing domain. IMPORTANT: This variable is only populated if there is
an actual signature in the message for the current domain or identity (as
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 7e6971dde..aa2117e7e 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -55,6 +55,7 @@ Version 4.90
DKIM support for multiple hashes, and for alternate-identity tags.
Builtin macro with default list of signed headers.
Better syntax for specifying oversigning.
+ The DKIM ACL can override verification results.
14. Exipick understands -C|--config for an alternative Exim
configuration file.
diff --git a/src/src/acl.c b/src/src/acl.c
index 640989997..739cd91ae 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -852,6 +852,26 @@ while ((s = (*func)()) != NULL)
compatibility. */
if (c == ACLC_SET)
+#ifndef DISABLE_DKIM
+ if ( Ustrncmp(s, "dkim_verify_status", 18) == 0
+ || Ustrncmp(s, "dkim_verify_reason", 18) == 0)
+ {
+ uschar * endptr = s+18;
+
+ if (isalnum(*endptr))
+ {
+ *error = string_sprintf("invalid variable name after \"set\" in ACL "
+ "modifier \"set %s\" "
+ "(only \"dkim_verify_status\" or \"dkim_verify_reason\" permitted)",
+ s);
+ return NULL;
+ }
+ cond->u.varname = string_copyn(s, 18);
+ s = endptr;
+ while (isspace(*s)) s++;
+ }
+ else
+#endif
{
uschar *endptr;
@@ -2899,8 +2919,19 @@ for (; cb != NULL; cb = cb->next)
if (cb->type == ACLC_SET)
{
- debug_printf("acl_%s ", cb->u.varname);
- lhswidth += 5 + Ustrlen(cb->u.varname);
+#ifndef DISABLE_DKIM
+ if ( Ustrcmp(cb->u.varname, "dkim_verify_status") == 0
+ || Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
+ {
+ debug_printf("%s ", cb->u.varname);
+ lhswidth += 19;
+ }
+ else
+#endif
+ {
+ debug_printf("acl_%s ", cb->u.varname);
+ lhswidth += 5 + Ustrlen(cb->u.varname);
+ }
}
debug_printf("= %s\n", cb->arg);
@@ -3402,7 +3433,7 @@ for (; cb != NULL; cb = cb->next)
#ifndef DISABLE_DKIM
case ACLC_DKIM_SIGNER:
- if (dkim_cur_signer != NULL)
+ if (dkim_cur_signer)
rc = match_isinlist(dkim_cur_signer,
&arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
else
@@ -3410,7 +3441,7 @@ for (; cb != NULL; cb = cb->next)
break;
case ACLC_DKIM_STATUS:
- rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
+ rc = match_isinlist(dkim_verify_status,
&arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
break;
#endif
@@ -3609,12 +3640,22 @@ for (; cb != NULL; cb = cb->next)
{
int old_pool = store_pool;
if ( cb->u.varname[0] == 'c'
+#ifndef DISABLE_DKIM
+ || cb->u.varname[0] == 'd'
+#endif
#ifndef DISABLE_EVENT
|| event_name /* An event is being delivered */
#endif
)
store_pool = POOL_PERM;
- acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
+#ifndef DISABLE_DKIM /* Overwriteable dkim result variables */
+ if (Ustrcmp(cb->u.varname, "dkim_verify_status") == 0)
+ dkim_verify_status = string_copy(arg);
+ else if (Ustrcmp(cb->u.varname, "dkim_verify_reason") == 0)
+ dkim_verify_reason = string_copy(arg);
+ else
+#endif
+ acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
store_pool = old_pool;
}
break;
diff --git a/src/src/dkim.c b/src/src/dkim.c
index d31cae9c7..9a13e2a80 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -134,67 +134,35 @@ store_pool = dkim_verify_oldpool;
}
-void
-dkim_exim_verify_finish(void)
+/* Log the result for the given signature */
+static void
+dkim_exim_verify_log_sig(pdkim_signature * sig)
{
-pdkim_signature * sig = NULL;
-int rc;
-gstring * g = NULL;
-const uschar * errstr;
-
-store_pool = POOL_PERM;
-
-/* Delete eventual previous signature chain */
-
-dkim_signers = NULL;
-dkim_signatures = NULL;
-
-if (dkim_collect_error)
- {
- log_write(0, LOG_MAIN,
- "DKIM: Error during validation, disabling signature verification: %.100s",
- dkim_collect_error);
- dkim_disable_verify = TRUE;
- goto out;
- }
-
-dkim_collect_input = FALSE;
-
-/* Finish DKIM operation and fetch link to signatures chain */
-
-rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures, &errstr);
-if (rc != PDKIM_OK)
- {
- log_write(0, LOG_MAIN, "DKIM: validation error: %.100s%s%s", pdkim_errstr(rc),
- errstr ? ": " : "", errstr ? errstr : US"");
- goto out;
- }
-
-for (sig = dkim_signatures; sig; sig = sig->next)
- {
- uschar * s;
- gstring * logmsg;
-
- /* Log a line for each signature */
-
- if (!(s = sig->domain)) s = US"<UNSET>";
- logmsg = string_append(NULL, 2, "d=", s);
- if (!(s = sig->selector)) s = US"<UNSET>";
- logmsg = string_append(logmsg, 2, " s=", s);
- logmsg = string_append(logmsg, 7,
- " c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
- "/", sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
- " a=", dkim_sig_to_a_tag(sig),
- string_sprintf(" b=" SIZE_T_FMT,
- (int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0));
- if ((s= sig->identity)) logmsg = string_append(logmsg, 2, " i=", s);
- if (sig->created > 0) logmsg = string_cat(logmsg,
- string_sprintf(" t=%lu", sig->created));
- if (sig->expires > 0) logmsg = string_cat(logmsg,
- string_sprintf(" x=%lu", sig->expires));
- if (sig->bodylength > -1) logmsg = string_cat(logmsg,
- string_sprintf(" l=%lu", sig->bodylength));
-
+gstring * logmsg = string_catn(NULL, "DKIM: ", 6);
+uschar * s;
+
+if (!(s = sig->domain)) s = US"<UNSET>";
+logmsg = string_append(logmsg, 2, "d=", s);
+if (!(s = sig->selector)) s = US"<UNSET>";
+logmsg = string_append(logmsg, 2, " s=", s);
+logmsg = string_append(logmsg, 7,
+" c=", sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+"/", sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+" a=", dkim_sig_to_a_tag(sig),
+string_sprintf(" b=" SIZE_T_FMT,
+ (int)sig->sighash.len > -1 ? sig->sighash.len * 8 : 0));
+if ((s= sig->identity)) logmsg = string_append(logmsg, 2, " i=", s);
+if (sig->created > 0) logmsg = string_cat(logmsg,
+ string_sprintf(" t=%lu", sig->created));
+if (sig->expires > 0) logmsg = string_cat(logmsg,
+ string_sprintf(" x=%lu", sig->expires));
+if (sig->bodylength > -1) logmsg = string_cat(logmsg,
+ string_sprintf(" l=%lu", sig->bodylength));
+
+if ( !dkim_verify_status
+ || ( dkim_verify_status == dkim_exim_expand_query(DKIM_VERIFY_STATUS)
+ && dkim_verify_reason == dkim_exim_expand_query(DKIM_VERIFY_REASON)
+ ) )
switch (sig->verify_status)
{
case PDKIM_VERIFY_NONE:
@@ -207,7 +175,7 @@ for (sig = dkim_signatures; sig; sig = sig->next)
{
case PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE:
logmsg = string_cat(logmsg,
- "public key record (currently?) unavailable]");
+ "public key record (currently?) unavailable]");
break;
case PDKIM_VERIFY_INVALID_BUFFER_SIZE:
@@ -219,13 +187,13 @@ for (sig = dkim_signatures; sig; sig = sig->next)
logmsg = string_cat(logmsg, "syntax error in public key record]");
break;
- case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
- logmsg = string_cat(logmsg, "signature tag missing or invalid]");
- break;
+ case PDKIM_VERIFY_INVALID_SIGNATURE_ERROR:
+ logmsg = string_cat(logmsg, "signature tag missing or invalid]");
+ break;
- case PDKIM_VERIFY_INVALID_DKIM_VERSION:
- logmsg = string_cat(logmsg, "unsupported DKIM version]");
- break;
+ case PDKIM_VERIFY_INVALID_DKIM_VERSION:
+ logmsg = string_cat(logmsg, "unsupported DKIM version]");
+ break;
default:
logmsg = string_cat(logmsg, "unspecified problem]");
@@ -233,8 +201,7 @@ for (sig = dkim_signatures; sig; sig = sig->next)
break;
case PDKIM_VERIFY_FAIL:
- logmsg =
- string_cat(logmsg, " [verification failed - ");
+ logmsg = string_cat(logmsg, " [verification failed - ");
switch (sig->verify_ext_status)
{
case PDKIM_VERIFY_FAIL_BODY:
@@ -256,18 +223,74 @@ for (sig = dkim_signatures; sig; sig = sig->next)
logmsg = string_cat(logmsg, " [verification succeeded]");
break;
}
+else
+ logmsg = string_append(logmsg, 5,
+ US" [", dkim_verify_status, US" - ", dkim_verify_reason, US"]");
+
+log_write(0, LOG_MAIN, string_from_gstring(logmsg));
+return;
+}
+
+
+/* Log a line for "the current" signature */
+void
+dkim_exim_verify_log_item(void)
+{
+dkim_exim_verify_log_sig(dkim_cur_sig);
+}
+
+
+/* Log a line for each signature */
+void
+dkim_exim_verify_log_all(void)
+{
+pdkim_signature * sig;
+for (sig = dkim_signatures; sig; sig = sig->next) dkim_exim_verify_log_sig(sig);
+}
- log_write(0, LOG_MAIN, "DKIM: %s", string_from_gstring(logmsg));
- /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
+void
+dkim_exim_verify_finish(void)
+{
+pdkim_signature * sig;
+int rc;
+gstring * g = NULL;
+const uschar * errstr;
- if (sig->domain)
- g = string_append_listele(g, ':', sig->domain);
+store_pool = POOL_PERM;
- if (sig->identity)
- g = string_append_listele(g, ':', sig->identity);
+/* Delete eventual previous signature chain */
- /* Process next signature */
+dkim_signers = NULL;
+dkim_signatures = NULL;
+
+if (dkim_collect_error)
+ {
+ log_write(0, LOG_MAIN,
+ "DKIM: Error during validation, disabling signature verification: %.100s",
+ dkim_collect_error);
+ dkim_disable_verify = TRUE;
+ goto out;
+ }
+
+dkim_collect_input = FALSE;
+
+/* Finish DKIM operation and fetch link to signatures chain */
+
+rc = pdkim_feed_finish(dkim_verify_ctx, &dkim_signatures, &errstr);
+if (rc != PDKIM_OK)
+ {
+ log_write(0, LOG_MAIN, "DKIM: validation error: %.100s%s%s", pdkim_errstr(rc),
+ errstr ? ": " : "", errstr ? errstr : US"");
+ goto out;
+ }
+
+/* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */
+
+for (sig = dkim_signatures; sig; sig = sig->next)
+ {
+ if (sig->domain) g = string_append_listele(g, ':', sig->domain);
+ if (sig->identity) g = string_append_listele(g, ':', sig->identity);
}
if (g) dkim_signers = g->s;
@@ -309,6 +332,12 @@ for (sig = dkim_signatures; sig; sig = sig->next)
dkim_signing_domain = US sig->domain;
dkim_signing_selector = US sig->selector;
dkim_key_length = sig->sighash.len * 8;
+
+ /* These two return static strings, so we can compare the addr
+ later to see if the ACL overwrote them. Check that when logging */
+
+ dkim_verify_status = dkim_exim_expand_query(DKIM_VERIFY_STATUS);
+ dkim_verify_reason = dkim_exim_expand_query(DKIM_VERIFY_REASON);
return;
}
}
@@ -365,12 +394,12 @@ switch (what)
}
case DKIM_CANON_HEADERS:
- switch (dkim_cur_sig->canon_headers)
- {
- case PDKIM_CANON_RELAXED: return US"relaxed";
- case PDKIM_CANON_SIMPLE:
- default: return US"simple";
- }
+ switch (dkim_cur_sig->canon_headers)
+ {
+ case PDKIM_CANON_RELAXED: return US"relaxed";
+ case PDKIM_CANON_SIMPLE:
+ default: return US"simple";
+ }
case DKIM_COPIEDHEADERS:
return dkim_cur_sig->copiedheaders
diff --git a/src/src/dkim.h b/src/src/dkim.h
index 735a1162a..f32aa6635 100644
--- a/src/src/dkim.h
+++ b/src/src/dkim.h
@@ -10,6 +10,8 @@ gstring * dkim_exim_sign(int, off_t, uschar *, struct ob_dkim *, const uschar **
void dkim_exim_verify_init(BOOL);
void dkim_exim_verify_feed(uschar *, int);
void dkim_exim_verify_finish(void);
+void dkim_exim_verify_log_item(void);
+void dkim_exim_verify_log_all(void);
void dkim_exim_acl_setup(uschar *);
uschar *dkim_exim_expand_query(int);
diff --git a/src/src/expand.c b/src/src/expand.c
index 782467ff7..f44ddf8b8 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -508,8 +508,8 @@ static var_entry var_table[] = {
{ "dkim_key_testing", vtype_dkim, (void *)DKIM_KEY_TESTING },
{ "dkim_selector", vtype_stringptr, &dkim_signing_selector },
{ "dkim_signers", vtype_stringptr, &dkim_signers },
- { "dkim_verify_reason", vtype_dkim, (void *)DKIM_VERIFY_REASON },
- { "dkim_verify_status", vtype_dkim, (void *)DKIM_VERIFY_STATUS},
+ { "dkim_verify_reason", vtype_stringptr, &dkim_verify_reason },
+ { "dkim_verify_status", vtype_stringptr, &dkim_verify_status },
#endif
#ifdef EXPERIMENTAL_DMARC
{ "dmarc_ar_header", vtype_stringptr, &dmarc_ar_header },
diff --git a/src/src/globals.c b/src/src/globals.c
index 2a53835e9..5df84bd10 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -668,6 +668,8 @@ uschar *dkim_signers = NULL;
uschar *dkim_signing_domain = NULL;
uschar *dkim_signing_selector = NULL;
uschar *dkim_verify_signers = US"$dkim_signers";
+uschar *dkim_verify_status = NULL;
+uschar *dkim_verify_reason = NULL;
#endif
#ifdef EXPERIMENTAL_DMARC
BOOL dmarc_has_been_checked = FALSE;
diff --git a/src/src/globals.h b/src/src/globals.h
index 62336c275..37d4cada3 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -393,6 +393,8 @@ extern uschar *dkim_signers; /* Expansion variable, holds colon-separa
extern uschar *dkim_signing_domain; /* Expansion variable, domain used for signing a message. */
extern uschar *dkim_signing_selector; /* Expansion variable, selector used for signing a message. */
extern uschar *dkim_verify_signers; /* Colon-separated list of domains for each of which we call the DKIM ACL */
+extern uschar *dkim_verify_status; /* result for this signature */
+extern uschar *dkim_verify_reason; /* result for this signature */
#endif
#ifdef EXPERIMENTAL_DMARC
extern BOOL dmarc_has_been_checked; /* Global variable to check if test has been called yet */
diff --git a/src/src/receive.c b/src/src/receive.c
index 31402925d..f181f1a51 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -3405,8 +3405,8 @@ else
else
{
int sep = 0;
- const uschar *ptr = dkim_verify_signers_expanded;
- uschar *item = NULL;
+ const uschar * ptr = dkim_verify_signers_expanded;
+ uschar * item = NULL;
gstring * seen_items = NULL;
/* Default to OK when no items are present */
@@ -3452,6 +3452,7 @@ else
dkim_exim_acl_setup(item);
rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim,
&user_msg, &log_msg);
+ dkim_exim_verify_log_item();
if (rc != OK)
{
@@ -3467,7 +3468,7 @@ else
{
recipients_count = 0;
blackholed_by = US"DKIM ACL";
- if (log_msg != NULL)
+ if (log_msg)
blackhole_log_msg = string_sprintf(": %s", log_msg);
}
else if (rc != OK)
@@ -3481,6 +3482,8 @@ else
}
}
}
+ else
+ dkim_exim_verify_log_all();
}
#endif /* DISABLE_DKIM */
diff --git a/test/confs/4500 b/test/confs/4500
index bf4f1f6ad..f2e44beff 100644
--- a/test/confs/4500
+++ b/test/confs/4500
@@ -9,9 +9,23 @@ primary_hostname = myhost.test.ex
# ----- Main settings -----
acl_smtp_rcpt = accept
-acl_smtp_dkim = accept logwrite = signer: $dkim_cur_signer bits: $dkim_key_length
+acl_smtp_dkim = check_dkim
queue_only
queue_run_in_order
+
+begin acl
+
+check_dkim:
+.ifdef OPTION
+ warn condition = ${if eq {$dkim_algo}{rsa-sha1}}
+ condition = ${if eq {$dkim_verify_status}{pass}}
+ logwrite = NOTE: forcing dkim verify fail (was pass)
+ set dkim_verify_status = fail
+ set dkim_verify_reason = hash too weak
+.endif
+ accept
+ logwrite = signer: $dkim_cur_signer bits: $dkim_key_length
+
# End
diff --git a/test/log/4500 b/test/log/4500
index ec8ef088e..347e03683 100644
--- a/test/log/4500
+++ b/test/log/4500
@@ -1,15 +1,20 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 512
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=ses c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaZ-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=ses_sha1 c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmbA-0005vi-00 signer: test.ex bits: 512
+1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=ses_sha1 c=simple/simple a=rsa-sha1 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmbB-0005vi-00 NOTE: forcing dkim verify fail (was pass)
+1999-03-02 09:44:33 10HmbB-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmbB-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [fail - hash too weak]
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4501 b/test/log/4501
index 153f6f242..654431459 100644
--- a/test/log/4501
+++ b/test/log/4501
@@ -1,9 +1,9 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-0005vi-00 <= pass@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
1999-03-02 09:44:33 10HmaY-0005vi-00 <= fail@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4502 b/test/log/4502
index b7e4a8ddd..9aef5cb30 100644
--- a/test/log/4502
+++ b/test/log/4502
@@ -1,15 +1,15 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=564CFC9B.1040905@yahoo.com
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaZ-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/simple a=rsa-sha1 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss
-1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha1 b=1024 [invalid - syntax error in public key record]
1999-03-02 09:44:33 10HmbA-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha1 b=1024 [invalid - syntax error in public key record]
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=564CFC9B.1040905@yahoo.com
diff --git a/test/log/4503 b/test/log/4503
index 7ec93a1f5..55374fa33 100644
--- a/test/log/4503
+++ b/test/log/4503
@@ -1,6 +1,6 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha512 b=1024 [verification failed - signature did not verify (headers probably modified in transit)]
1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha512 b=1024 [verification failed - signature did not verify (headers probably modified in transit)]
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4506 b/test/log/4506
index 027169df0..07b3ee8ce 100644
--- a/test/log/4506
+++ b/test/log/4506
@@ -1,18 +1,18 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid]
1999-03-02 09:44:33 10HmaX-0005vi-00 signer: test.ex bits: 0
+1999-03-02 09:44:33 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=0 [invalid - signature tag missing or invalid]
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [invalid - signature tag missing or invalid]
1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [invalid - signature tag missing or invalid]
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
1999-03-02 09:44:33 10HmaZ-0005vi-00 signer: test.ex bits: 1024
+1999-03-02 09:44:33 10HmaZ-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification failed - body hash mismatch (body probably modified in transit)]
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: validation error: RSA_LONG_LINE
1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: Error during validation, disabling signature verification: RSA_LONG_LINE
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
-1999-03-02 09:44:33 10HmbB-0005vi-00 DKIM: d=test.ex s=ses_sha256 c=simple/simple a=rsa-sha1 b=512 [verification failed - unspecified reason]
1999-03-02 09:44:33 10HmbB-0005vi-00 signer: test.ex bits: 512
+1999-03-02 09:44:33 10HmbB-0005vi-00 DKIM: d=test.ex s=ses_sha256 c=simple/simple a=rsa-sha1 b=512 [verification failed - unspecified reason]
1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net
diff --git a/test/log/4520 b/test/log/4520
index 7bee5d786..4617326db 100644
--- a/test/log/4520
+++ b/test/log/4520
@@ -26,51 +26,52 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <a@test.ex> R=server_dump
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmbA-0005vi-00 signer: test.ex bits: 1024 h=From:From
+1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <b@test.ex> R=server_dump
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbC-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmbC-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 10HmbC-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbB-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <b10@test.ex> R=server_dump
1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbE-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmbE-0005vi-00 signer: test.ex bits: 1024 h=X-mine:X-mine:From
+1999-03-02 09:44:33 10HmbE-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbD-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <b12@test.ex> R=server_dump
1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbG-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmbG-0005vi-00 signer: test.ex bits: 1024 h=X-Mine
+1999-03-02 09:44:33 10HmbG-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbF-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <b20@test.ex> R=server_dump
1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbI-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmbI-0005vi-00 signer: test.ex bits: 1024 h=X-mine:X-mine:X-Mine
+1999-03-02 09:44:33 10HmbI-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbH-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmbI-0005vi-00 => :blackhole: <b22@test.ex> R=server_dump
1999-03-02 09:44:33 10HmbI-0005vi-00 Completed
1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbK-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 i=allheaders@test.ex [verification succeeded]
1999-03-02 09:44:33 10HmbK-0005vi-00 signer: test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbK-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 i=allheaders@test.ex [verification succeeded]
1999-03-02 09:44:33 10HmbK-0005vi-00 signer: allheaders@test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmbK-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 i=allheaders@test.ex [verification succeeded]
1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbJ-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmbK-0005vi-00 => :blackhole: <c@test.ex> R=server_dump
1999-03-02 09:44:33 10HmbK-0005vi-00 Completed
1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmbM-0005vi-00 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha256 b=1024 [invalid - syntax error in public key record]
1999-03-02 09:44:33 10HmbM-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 10HmbM-0005vi-00 DKIM: d=test.ex s=sel_bad c=relaxed/relaxed a=rsa-sha256 b=1024 [invalid - syntax error in public key record]
1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbL-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmbM-0005vi-00 => :blackhole: <d@test.ex> R=server_dump
1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
diff --git a/test/log/4523 b/test/log/4523
index 5c07fa5a2..92bf9478f 100644
--- a/test/log/4523
+++ b/test/log/4523
@@ -5,9 +5,10 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 i=allheaders@test.ex [verification succeeded]
1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 i=allheaders@test.ex [verification succeeded]
1999-03-02 09:44:33 10HmaY-0005vi-00 signer: allheaders@test.ex bits: 1024 h=Date:Sender:Message-Id:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha512 b=1024 i=allheaders@test.ex [verification succeeded]
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <a@test.ex> R=server_dump
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/4524 b/test/log/4524
index e0dde322a..f6e75458f 100644
--- a/test/log/4524
+++ b/test/log/4524
@@ -5,9 +5,8 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 macro: From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=ses c=relaxed/relaxed a=rsa-sha256 b=512 [verification succeeded]
-1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmaY-0005vi-00 signer: test.ex bits: 512 h=From:To:Subject
+1999-03-02 09:44:33 10HmaY-0005vi-00 DKIM: d=test.ex s=ses c=relaxed/relaxed a=rsa-sha256 b=512 [verification succeeded]
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <c@test.ex> R=server_dump
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
diff --git a/test/log/4550 b/test/log/4550
index 0d826ab32..bbe9841c0 100644
--- a/test/log/4550
+++ b/test/log/4550
@@ -8,8 +8,8 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmbA-0005vi-00 signer: test.ex bits: 1024 h=From
+1999-03-02 09:44:33 10HmbA-0005vi-00 DKIM: d=test.ex s=sel c=relaxed/relaxed a=rsa-sha256 b=1024 [verification succeeded]
1999-03-02 09:44:33 10HmbA-0005vi-00 PRDR R=<baduser@test.ex> refusal
1999-03-02 09:44:33 10HmbA-0005vi-00 PRDR R=<okuser@test.ex> acceptance
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp PRDR S=sss id=E10HmaX-0005vi-00@myhost.test.ex
diff --git a/test/scripts/4500-DKIM/4500 b/test/scripts/4500-DKIM/4500
index 6b3ff5fcf..3999d4988 100644
--- a/test/scripts/4500-DKIM/4500
+++ b/test/scripts/4500-DKIM/4500
@@ -136,5 +136,43 @@ QUIT
#
#
killdaemon
+#
+# A verifier that refuses sha1
+exim -DSERVER=server -DOPTION -bd -oX PORT_D
+****
+#
+# This should fail despite being a passing submission above (with the unlimited verifier).
+# - sha1, 1024b
+# Mail original in aux-fixed/4500.msg1.txt
+# Sig generated by: perl aux-fixed/dkim/sign.pl --method=simple/simple < aux-fixed/4500.msg1.txt
+client 127.0.0.1 PORT_D
+??? 220
+HELO xxx
+??? 250
+MAIL FROM:<CALLER@bloggs.com>
+??? 250
+RCPT TO:<a@test.ex>
+??? 250
+DATA
+??? 354
+DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=test.ex; h=from:to
+ :date:message-id:subject; s=sel; bh=OB9dZVu7+5/ufs3TH9leIcEpXSo=; b=
+ PeUA8iBGfStWv+9/BBKkvCEYj/AVMl4e9k+AqWOXKyuEUfHxqAnV+sPnOejpmvT8
+ 41kuM4u0bICvK371YvB/yO61vtliRhyqU76Y2e55p2uvMADb3UyDhLyzpco4+yBo
+ 1w0AuIxu0VU4TK8UmOLyCw/1hxrh1DcEInbEMEKJ7kI=
+From: mrgus@text.ex
+To: bakawolf@yahoo.com
+Date: Thu, 19 Nov 2015 17:00:07 -0700
+Message-ID: <qwerty1234@disco-zombie.net>
+Subject: simple test
+
+This is a simple test.
+.
+??? 250
+QUIT
+??? 221
+****
+killdaemon
+#
no_stdout_check
no_msglog_check
diff --git a/test/stderr/4507 b/test/stderr/4507
index 1df9537ea..4a5d4d2fa 100644
--- a/test/stderr/4507
+++ b/test/stderr/4507
@@ -13,10 +13,12 @@
>>> accept: condition test succeeded in inline ACL
>>> end of inline ACL: ACCEPT
>>> host in ignore_fromline_hosts? no (option unset)
-LOG: 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
+>>> using ACL "check_dkim"
>>> processing "accept"
->>> check logwrite = signer: test.ex bits: 1024
+>>> check logwrite = signer: $dkim_cur_signer bits: $dkim_key_length
+>>> = signer: test.ex bits: 1024
LOG: 10HmaX-0005vi-00 signer: test.ex bits: 1024
->>> accept: condition test succeeded in inline ACL
->>> end of inline ACL: ACCEPT
+>>> accept: condition test succeeded in ACL "check_dkim"
+>>> end of ACL "check_dkim": ACCEPT
+LOG: 10HmaX-0005vi-00 DKIM: d=test.ex s=sel c=simple/simple a=rsa-sha1 b=1024 [verification succeeded]
LOG: 10HmaX-0005vi-00 <= CALLER@bloggs.com H=(xxx) [127.0.0.1] P=smtp S=sss id=qwerty1234@disco-zombie.net