[exim] DomainKey signing based on Envelope or From Header

Author: Erik Schorr
Date:  
To: exim-users
Subject: [exim] DomainKey signing based on Envelope or From Header
I'm rewriting the Envelope Sender in messages forwarded through one of my
machines, where senders outside of my organization send messages to a local
account, set to forward the message out to a new recipient outside our
organization.

The From: header inside the message doesn't get touched, and if there's no
existing Reply-To: header in the message, I copy the original From: header
address, or optionally the envelope sender address (from the MAIL FROM SMTP
command) into a new Reply-To header. Then for the outbound forwarded message,
the envelope sender is changed to the email address of the local account
doing the forwarding, by setting the return_path attribute.

There's a problem with this when it comes to domainkey signing. The egress DK
signing code seems to still use the domain from the address found in the From:
header. Is this a requirement as per the domainkey specs? I wish I could
tell the DK signing code to instead use the domain for the local account as
the d= attribute in the Domainkey-signature header. It makes no sense to
include the original sender's domain in this header when it's NOT a local
domain, nor under our control.

It's very odd that we can set the selector to use for signing, but not
override the domain reported in the domainkey-signature header.

Is there a workaround for this? Perhaps a feature being worked on? Am I on
crack and just trying to break a rule in the DK spec?

- Erik Schorr
- Senior Systems Engineer
- CIS Data System, Davis, CA
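
The forwarding rewrite described in the message above, as an added example that is not part of the original post and is not Exim code. It reproduces the Reply-To and envelope sender changes and shows the resulting mismatch between the From: header domain, which the post observes the signer using, and the new envelope domain. The function names and all addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an outside sender writes to a local forwarding account.
RAW = (
    "From: Alice Example <alice@outside.example>\n"
    "To: fwd@local.example\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def domain_of(address):
    """Return the lower-cased domain of an address or address header value."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower()


def forward(raw, envelope_sender, forwarding_account, use_envelope=False):
    """Apply the rewrite described in the post (hypothetical helper).

    Returns (new_envelope_sender, message). From: is never modified, and an
    existing Reply-To: is left alone.
    """
    msg = message_from_string(raw)
    if msg["Reply-To"] is None:
        source = envelope_sender if use_envelope else msg["From"]
        msg["Reply-To"] = parseaddr(source)[1]
    # The envelope sender becomes the local account doing the forwarding.
    return forwarding_account, msg


def signing_domains(envelope_sender, msg):
    """Compare the From: header domain (what the post observes the signer
    putting in d=) with the domain of the rewritten envelope sender."""
    from_domain = domain_of(msg["From"])
    env_domain = domain_of(envelope_sender)
    return {"from_header": from_domain, "envelope": env_domain,
            "aligned": from_domain == env_domain}


if __name__ == "__main__":
    env, msg = forward(RAW, "alice@outside.example", "fwd@local.example")
    print(msg["Reply-To"], env, signing_domains(env, msg))
```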