Re: [exim-dev] [exim] DKIM vs DomainKeys

Author: Kjetil Torgrim Homme
Date:
To: Magnus Holmgren
CC: exim-dev
Subject: Re: [exim-dev] [exim] DKIM vs DomainKeys
On Sat, 2007-01-20 at 16:29 +0100, Magnus Holmgren wrote:
> In DKIM, however, the signing identity is found only in the signature field.
> This means that there can be any number of valid (and invalid) signatures.
>
> A reasonable way of handling that could be to let the ACL conditions succeed
> if any valid signature matches:
>
>   dkim_sender_domains = <domain list>: Succeeds if any valid signature is made
>         by a domain in the list.
>   dkim_senders = <address list>,


right, so we could write

  dkim_senders = ${if def:h_Sender: {${address:$h_Sender:}} \
                                    {${address:$h_From:}}}


to get DomainKeys-like behaviour. (this ignores the possibility of From
containing more than one address. see below.)

>   dkim_local_parts = <local part list>: Analogous, but note that the local
>         part may be empty if the signing server can't guarantee the exact
>         identity of the sender.

>
> A dkim_local_parts probably isn't very useful if it can match against any
> signature identity.


I agree, and I don't think it should be added if no one has a use case
for it.

> The expansion variables could represent the earliest valid signature. It's of
> course possible to have a $dkim_senders containing a comma-delimited list of
> all valid signature identities, but Exim has no good built-in mechanism for
> looping over comma-delimited lists of addresses, except in filters
> (foranyaddress). The best option probably is ${perl ...}. So, probably some
> new expansion conditions might be needed.


${extract can use an arbitrary delimiter, but we lack the looping
construct. perhaps a new kind of require keyword, which takes an ACL
and a list?

as for the list: both comma and space can be used validly in an e-mail
address, so we need an operator which understands quoting and dequotes
each element. consider the following list of three addresses:

        set acl_m0 = foo@bar : gazonk@zot : "<\"some::weirdo\"@quux>"


I used colon as the separator in the above to mimic the normal syntax
for lists in Exim. we can extend it like so:

    set acl_m0 = $acl_m0 : ${quote:$sender_address}


to loop over it, I suggest this new ACL verb:

    require_list = acl_check_element $acl_m0


the ACL named acl_check_element would be called four times, with the new
variable $list_element (or somesuch) set to the dequoted element value.
this function should be made available as a more advanced ${extract for
general use, e.g.:

        ${extract_quoted{4}{:}{$acl_m0}}


would return

        <"some::weirdo"@quux>


finally, we now have the infrastructure to make an ${address operator
which returns a list when the header contains more than one address.
given:

        To: foo@bar, Frank Zot <gazonk@zot>, <"some::weirdo"@quux>


${address_list:$h_To:} should now return:

        foo@bar:gazonk@zot:"\"some::weirdo\"@quux"


does this make sense to anyone else?
--
Kjetil T.
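The quote-aware list splitting and the ${address_list operator sketched above, as an added Python illustration that is not part of the original thread or of Exim's code. The names extract_quoted and address_list follow the proposals in the mail; the rule in quote_element for which elements can stay unquoted, and the sample header and sender address, are my own assumptions.

```python
# Constructed illustration of the list semantics proposed in the mail above;
# not Exim code. The "plain characters" rule in quote_element is an assumption.
import re


def split_quoted(text, sep=":"):
    """Split on sep outside "..." (\\" and \\\\ are escapes there); elements come back dequoted."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == '"':
            quoted = not quoted
        elif c == "\\" and quoted and i + 1 < len(text):
            i += 1                      # keep the escaped character literally
            cur.append(text[i])
        elif c == sep and not quoted:   # a ':' inside quotes is data, not a separator
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    items.append("".join(cur).strip())
    return items


def extract_quoted(n, sep, text):  # 1-based, like ${extract{n}{sep}{text}}
    return split_quoted(text, sep)[n - 1]


def quote_element(s):
    """Turn s into a safe list element: wrap and escape unless it is plain (assumed rule)."""
    if re.fullmatch(r"[A-Za-z0-9_.@-]+", s):
        return s
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def address_list(header):
    """Split a header on commas outside quotes and <...>, keep the addr-spec
    from <...> when present, and return the addresses as a quoted ':' list."""
    parts, cur, quoted, depth = [], [], False, 0
    for c in header:
        if c == '"':
            quoted = not quoted
        elif not quoted and c in "<>":
            depth += 1 if c == "<" else -1
        if c == "," and not quoted and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
    parts.append("".join(cur))
    specs = [p[p.rfind("<") + 1:-1] if p.endswith(">") else p
             for p in map(str.strip, parts) if p]
    return ":".join(quote_element(s) for s in specs)
```

Feeding the mail's three-address $acl_m0 through split_quoted yields exactly three elements, whereas a plain split on ':' would cut the quoted local part "some::weirdo" into five, which is why any DKIM identity check built on such a list has to dequote element by element.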