On Sat, 2007-01-20 at 16:29 +0100, Magnus Holmgren wrote:
> In DKIM, however, the signing identity is found only in the signature field.
> This means that there can be any number of valid (and invalid) signatures.
>
> A reasonable way of handling that could be to let the ACL conditions succeed
> if any valid signature matches:
>
> dkim_sender_domains = <domain list>: Succeeds if any valid signature is made
> by a domain in the list.
> dkim_senders = <address list>,

right, so we could write

    dkim_senders = ${if def:h_Sender: {${address:$h_Sender:}} \
                                      {${address:$h_From:}}}

to get DomainKeys-like behaviour. (this ignores the possibility of From
containing more than one address. see below.)

> dkim_local_parts = <local part list>: Analogous, but note that the local
> part may be empty if the signing server can't guarantee the exact
> identity of the sender.
>
> A dkim_local_parts probably isn't very useful if it can match against any
> signature identity.

I agree, and I don't think it should be added if no one has a use case
for it.

> The expansion variables could represent the earliest valid signature. It's of
> course possible to have a $dkim_senders containing a comma-delimited list of
> all valid signature identities, but Exim has no good built-in mechanism for
> looping over comma-delimited lists of addresses, except in filters
> (foranyaddress). The best option probably is ${perl ...}. So, probably some
> new expansion conditions might be needed.

${extract can use an arbitrary delimiter, but we lack the looping
construct. perhaps a new kind of require keyword, which takes an ACL
and a list?

as for the list: both comma and space can be used validly in an e-mail
address, so we need an operator which understands quoting and dequotes
each element. consider the following list of three addresses:

    set acl_m0 = foo@bar : gazonk@zot : "<\"some::weirdo\"@quux>"

I used colon as the separator in the above to mimic the normal syntax
for lists in Exim. we can extend it like so:

    set acl_m0 = $acl_m0 : ${quote:$sender_address}

to loop over it, I suggest this new ACL verb:

    require_list = acl_check_element $acl_m0

the ACL named acl_check_element would be called four times, with the new
variable $list_element (or somesuch) set to the dequoted element value.

this function should be made available as a more advanced ${extract for
general use, e.g.:

    ${extract_quoted{4}{:}{$acl_m0}}

would return

    <"some::weirdo"@quux>

finally, we now have the infrastructure to make an ${address operator
which returns a list when the header contains more than one address.
given:

    To: foo@bar, Frank Zot <gazonk@zot>, <"some::weirdo"@quux>

${address_list:$h_To:} should now return:

    foo@bar:gazonk@zot:"\"some::weirdo\"@quux"

does this make sense to anyone else?

--
Kjetil T.
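
Added example, not part of the original message and not Exim code: a Python sketch of the quote-aware splitting and dequoting that the proposed `${extract_quoted` and `require_list` would rely on, run on the list from the message. The function names, the always-quote behaviour of `quote()`, the handling of unquoted whitespace and empty elements, and the `SENDER` value are assumptions made for illustration.

```python
def quote(value):
    # Simplified stand-in for ${quote:...} (assumption): always wrap, escape \ and ".
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def split_quoted(text, sep=":"):
    # Split on sep outside double quotes and dequote every element.
    elements, current = [], []
    in_quote = was_quoted = False
    chars = iter(text)

    def flush():
        nonlocal was_quoted
        if current or was_quoted:  # assumption: empty unquoted elements are skipped
            elements.append("".join(current))
        current.clear()
        was_quoted = False

    for ch in chars:
        if in_quote:
            if ch == "\\":
                current.append(next(chars, ""))  # escaped character, taken literally
            elif ch == '"':
                in_quote = False
            else:
                current.append(ch)
        elif ch == '"':
            in_quote = was_quoted = True
        elif ch == sep:
            flush()
        elif not ch.isspace():  # assumption: unquoted whitespace is only padding
            current.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in list")
    flush()
    return elements


def extract_quoted(n, sep, text):
    # 1-based lookup; empty string when n is out of range (assumption).
    items = split_quoted(text, sep)
    return items[n - 1] if 1 <= n <= len(items) else ""


# The three-address list from the message, written literally as it appears there.
ACL_M0 = r'foo@bar : gazonk@zot : "<\"some::weirdo\"@quux>"'
# Constructed sender whose quoted local part contains the separator.
SENDER = '"x : y"@example.test'
EXTENDED = ACL_M0 + " : " + quote(SENDER)
```

Because the appended sender is quoted before it joins the list, its embedded colon cannot create extra elements, whereas a plain `EXTENDED.split(":")` yields more than four pieces.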