Re: [exim] Domainkey support lacking a little

Author: Tom Kistner
Date:  
To: Peter Carah
CC: exim-users
Subject: Re: [exim] Domainkey support lacking a little
Peter Carah wrote:

> One of the outcomes that is needed is to be able to treat "no signature" as a
> bad signature error if the domain has a key and the message has no domainkey
> headers.


Only if the domain has set SIGNSALL and !TESTING (while I think the
combination of TESTING and SIGNSALL is pretty weird).

> This could be detected by looking for DK_FLAG_SET and no signature,
> since I note by the comments (and looking in the library) that non-participant
> isn't an explicit outcome of the library (but such a domain would lack
> DK_FLAG_SET).


You should be able to construct your own logic for such cases; the Exim
DK implementation simply grabs all the interesting bits from the lib and
sticks them into the ACL system (as queryable conditions or expansion
variables).

deny message = DK: unsigned message or missing key from SIGNSALL domain
      dk_policy = signsall
      dk_status = no signature:no key


> Admittedly if o=~ this isn't a "terrible" error, but "no signature" has
> different meaning for domains with no _domainkey resources at all;


If SIGNSALL is unset, there should be no difference in treatment for the
"no resources" and "no signature" cases.

If SIGNSALL is set, "no resources" would be a remote configuration error
and "no signature" would be a cause for rejection (see above).

Or did I miss something? :)

/tom
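
Added example (not part of the message above and not Exim's own code): a Python sketch of the decision the thread describes for unsigned or key-less mail, with the SIGNSALL and !TESTING condition folded in. It assumes the DomainKeys policy record tags from RFC 4870 (o=-, o=~, t=y); the function names and the accept/reject return strings are hypothetical.

```python
# Added illustration, not Exim code. Policy tags per RFC 4870:
# o=- (signs all), o=~ (signs some, the default), t=y (testing).
# Function names and return strings are hypothetical.

def parse_dk_policy(txt):
    """Parse a _domainkey.<domain> policy TXT record into flags.

    Pass None when the domain publishes no _domainkey policy at all.
    """
    tags = {}
    for part in (txt or "").split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return {
        "published": txt is not None,
        "signsall": tags.get("o", "~") == "-",
        "testing": tags.get("t", "").lower() == "y",
    }


def unsigned_action(policy_txt, dk_status):
    """Decide what to do with a message that could not be verified.

    dk_status is 'no signature' or 'no key', as in the ACL above.
    """
    if dk_status not in ("no signature", "no key"):
        raise ValueError("only the unsigned / missing-key cases are modelled")
    policy = parse_dk_policy(policy_txt)
    # Without SIGNSALL, "no policy at all" and "no signature" are treated alike.
    if not policy["signsall"]:
        return "accept"
    # TESTING suppresses enforcement even when SIGNSALL is set.
    if policy["testing"]:
        return "accept"
    return "reject"


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    for txt in (None, "o=~", "o=-", "o=-; t=y"):
        for status in ("no signature", "no key"):
            print(repr(txt), status, "->", unsigned_action(txt, status))
```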