I'm experimenting with the DK ACL support, and seeing interesting
results. I'm not (yet) signing any outgoing mail, but I want to use DK
verification to support whitelisting of known problematic sending
domains - notably yahoogroups.com, which reacts badly to greylisting
and false positives.
I'm verifying DK on most incoming messages that get past the header
checks - that part is working OK. I'm logging DK verification results
so that I can see what is signed, what isn't, what verifies OK, what
doesn't. I'm seeing a good mix, all seems to be functioning.
However my initial desire to use this to whitelist yahoogroups.com is
failing because a good proportion of mail from them is reported as
'bad' - the DK verification fails. I'm wondering if this is dodgy
signing from Yahoo, or something going awry in the DK support in Exim,
or in libdomainkeys.
Before I head down the dragon-infested route elswhere - is anyone else
using DK verification in Exim with any success, for this or any other
use case? (Oh, and 'domainkeys yahoogroups' is very difficult to
Google for... try it....)
Exim 4.63, libdomainkeys 0.68, all on Linux FC6.
An extract from the DATA ACL:
warn !dk_status = no signature
message = DomainKey-Status: $dk_status
log_message = DOMAINKEYS: $dk_status for $dk_sender_domain
accept dk_status = good
dk_sender_domains = +dk_whitelist_domains
logwrite = DOMAINKEYS: Whitelisted for $dk_sender_domain
warn dk_status = good
logwrite = DOMAINKEYS: Good sig but no whitelist for $dk_sender_domain
warn !dk_status = good
dk_sender_domains = +dk_whitelist_domains
logwrite = DOMAINKEYS: Whitelisted domain but status $dk_status for
$dk_sender_domain
