On 29/03/07, Marc Perkel <marc@???> wrote:
> I think what I'm looking for is to use domain keys to reject paypal
> phishing and other phishing of banks in particular. I found SPF to be
> less than worthless and I'm hoping that domain keys are at least
> somewhat useful.
>
> So if my goal is to get rid of at least most paypal phishing with no
> false positives, will domain keys do that? If so - does someone have
> some sample ACLs to share?

You should certainly give it a go. Here's something to get you started....

In a rcpt acl:

  warn control = dk_verify

(this tells Exim to verify the DK signature of this message - you can
put conditions round it if you don't want to verify all messages)

and in a data acl:

  deny !dk_status = good
       dk_sender_domains = +strict_dk_domains

Set up strict_dk_domains with a list of all domains for which you want
to reject unless they pass DK.

As always, I suggest setting up passive checking + logging for your
target domains as a first step, and only moving to deny when you're
confident that it's behaving.
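
The passive-then-enforce rollout suggested in the reply above, written out as an added example that is not part of the original post. The ACL names, the sample domain list entries and the log/reject text are assumptions, and `$dk_status` / `$dk_sender_domain` are assumed to be provided by the Exim build's experimental DomainKeys support.

```exim
# --- main configuration section ---
# Domains whose mail must carry a good DK signature.
# Sample entries only (assumed); list the domains you actually want to protect.
domainlist strict_dk_domains = paypal.com : bank.example

# --- after "begin acl" ---

# RCPT ACL (name assumed; use whatever acl_smtp_rcpt points at)
acl_check_rcpt:
  # Ask Exim to verify the DK signature of this message. Add conditions
  # here if you do not want to verify every message.
  warn  control = dk_verify
  # (your existing RCPT rules continue here)

# DATA ACL (name assumed; use whatever acl_smtp_data points at)
acl_check_data:
  # Stage 1, passive: same conditions as the deny in the post, but as a
  # warn, so the message is still accepted and the main log records
  # "Warning: DK passive: ..." for every message that would be rejected.
  warn  !dk_status        = good
        dk_sender_domains = +strict_dk_domains
        log_message       = DK passive: would reject, \
                            domain=$dk_sender_domain status=$dk_status \
                            sender=$sender_address

  # Stage 2, enforcing: once the Stage 1 log lines show only forgeries
  # and no legitimate mail, remove the warn above and enable this deny.
  # deny  !dk_status        = good
  #       dk_sender_domains = +strict_dk_domains
  #       message           = DomainKeys verification failed
  #       log_message       = DK reject: domain=$dk_sender_domain \
  #                           status=$dk_status

  # (your existing DATA rules continue here)
```

While Stage 1 is active, searching the main log for "DK passive:" and checking each logged status and sender against mail you know to be legitimate shows whether the deny would produce false positives.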