Author: Marc Sherman
Date:
To: exim-users
Subject: Re: [exim] Re: Sanity check: ACL to block fake sender addresses

John Jetmore wrote:
>
> I implemented something like this using $tod_epoch w/ the last 3 digits
> replaced w/ zeros (modulo operator wasn't implemented when I originally
> did this), giving ~16.6 minute granularity, which was about right for what
> I was trying to do. As you point out, I also had to try the previous
> entry ($tod_epoch-1000). Seems to have worked as expected.
Include the timestamp in the signature, and also in cleartext beside it.
That way, you can use the signature to verify the timestamp, and then
use the cleartext verified timestamp to make the policy decision about
how old a signature can be before it's rejected. This way, when you
reject a timestamp that's too old, you can log it accurately instead of
just logging "signature incorrect".
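
The scheme described in this message, as an added example that is not part of the original post or of Exim: the timestamp is carried in cleartext next to an HMAC that covers it, the signature is checked first, and only then is the age policy applied, so an expired token is logged as expired instead of as a bad signature. The HMAC-SHA256 choice, the `timestamp-mac` token layout, the secret, the 7-day limit, and signing the sender address alongside the timestamp are all assumptions made for this sketch.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-site secret, constructed for this example
MAX_AGE = 7 * 24 * 3600           # assumption: policy limit in seconds, chosen for this example
TAG_LEN = 16                      # hex characters of the HMAC kept in the token


def _mac(timestamp, address):
    """HMAC over the timestamp and the address together, so neither can be swapped."""
    msg = f"{timestamp}:{address.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def sign(address, now):
    """Return 'timestamp-mac': the cleartext timestamp beside the signature covering it."""
    return f"{now}-{_mac(now, address)}"


def check(token, address, now):
    """Return (accepted, log_reason). Signature first, age policy second."""
    ts_text, sep, mac = token.partition("-")
    if not sep or len(ts_text) > 12 or not (ts_text.isascii() and ts_text.isdigit()):
        return False, "malformed token"
    timestamp = int(ts_text)
    # Until this comparison passes, the cleartext timestamp is untrusted input.
    if not hmac.compare_digest(mac.encode(), _mac(timestamp, address).encode()):
        return False, "signature incorrect"
    # The timestamp is now verified, so the age decision and the log line are accurate.
    age = now - timestamp
    if age < 0:
        return False, f"timestamp {-age}s in the future"
    if age > MAX_AGE:
        return False, f"signature expired: {age}s old, limit {MAX_AGE}s"
    return True, f"ok: {age}s old"
```

Because the limit is applied to the verified cleartext value, changing `MAX_AGE` takes effect for tokens already issued, with no time bucketing or retry against the previous bucket.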