Re: [exim] DKIM verification in 4.70 not working

Author: Tom Kistner
Date:  
To: Todd Lyons
CC: exim-users
Subject: Re: [exim] DKIM verification in 4.70 not working
Todd Lyons wrote:

> dkim_verify_signers = *


This is not correct - it should be set to a list of domains or
identities that acl_smtp_dkim is called for. When unset, this setting
defaults to

dkim_verify_signers = $dkim_signers

which causes acl_smtp_dkim to be called for all domains and identities
that have signed the message.

dkim_verify_signers is expanded each time before it is used, at a point
where header information is available. So you can do several tricks to
dynamically call the DKIM ACL based on envelope or header addresses.

At the moment, it can be useful to statically call acl_smtp_dkim for
"known" all-signers additionally, like:

dkim_verify_signers = $dkim_signers:paypal.com:gmail.com

And then in the ACL:

warn log_message = DKIM: Unsigned message from $sender_address_domain
      sender_domains = gmail.com:paypal.com
      dkim_signers = gmail.com:paypal.com
      dkim_status = none


This would catch (or in this case, only warn about) crap like:

Nov 19 01:36:04 [exim] 2009-11-19 01:36:04 1NAv0G-0005v1-Fl
H=mail.kelantan.gov.my [210.187.31.8] Warning: DKIM: Unsigned message
from gmail.com

Such a check will also be mailing-list safe, because they would not have
gmail.com as the envelope sender.

> acl_check_dkim:
> accept hosts = +relay_from_hosts
> accept authenticated = *


You can also set "control = dkim_disable_verify" somewhere in an earlier
ACL to turn off verification processing entirely. Doing it here won't
save the overhead of doing all the calculations.

Concerning the rest of the ACL code: Each message can have several
signatures. Some can be valid, some broken, some expired ... if you want
to flag messages that have no valid signature whatsoever, you would need
to set a flag in acl_smtp_dkim when you find a valid signature, then
check for that flag in acl_smtp_data. If it isn't set, you know there
was no valid sig. Of course, that means that $dkim_signers must be in
the dkim_verify_signers list.

I have tried to create an API that allows for a broad range of policies.
Unfortunately that can make things quite complicated :)

/tom
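One way to put the pieces of this reply together in a single configuration, as an added example that is not part of Tom's message or of the Exim distribution. It assumes Exim 4.70 with DKIM support compiled in, a relay_from_hosts host list as in the quoted ACL, an acl_smtp_mail ACL named acl_check_mail (a name chosen here), and that an acl_m_* variable set in acl_smtp_dkim is still visible when acl_smtp_data runs; those are assumptions of the example, not statements from the message.

```exim
# Added example, not from the original post. Assumes Exim 4.70 with DKIM
# support, a +relay_from_hosts host list, and that acl_m_* variables set in
# the DKIM ACL survive until the DATA ACL (assumed, see lead-in).

# --- main section -----------------------------------------------------

# Call acl_smtp_dkim once per signer found in the message ($dkim_signers)
# and additionally for two domains known to sign everything, so that an
# unsigned message claiming to be from them still reaches the DKIM ACL
# (it arrives there with dkim_status = none).
dkim_verify_signers = $dkim_signers:paypal.com:gmail.com

acl_smtp_mail = acl_check_mail
acl_smtp_dkim = acl_check_dkim
acl_smtp_data = acl_check_data

begin acl

# --- MAIL ACL: turn verification off early where it is not wanted --------

acl_check_mail:
  # Setting the control here (before DATA) skips the signature
  # calculations entirely; doing it in acl_smtp_dkim would be too late.
  accept hosts = +relay_from_hosts
         control = dkim_disable_verify

  accept authenticated = *
         control = dkim_disable_verify

  accept

# --- DKIM ACL: runs once per entry of dkim_verify_signers ----------------

acl_check_dkim:
  # Remember that at least one signature verified. $dkim_cur_signer is
  # the signer this invocation of the ACL is about.
  warn   dkim_status = pass
         set acl_m_dkim_valid = 1
         logwrite = DKIM: valid signature from $dkim_cur_signer

  # Known always-signing domains that arrive with no signature at all:
  # the envelope sender claims gmail.com or paypal.com, the ACL is being
  # called for that same domain, and there is no signature for it.
  # Mailing lists rewrite the envelope sender, so they do not match.
  warn   log_message = DKIM: Unsigned message from $sender_address_domain
         sender_domains = gmail.com:paypal.com
         dkim_signers = gmail.com:paypal.com
         dkim_status = none

  accept

# --- DATA ACL: flag messages with no valid signature at all --------------

acl_check_data:
  # Only meaningful when acl_check_dkim was actually run for every signer,
  # i.e. $dkim_signers is part of dkim_verify_signers (it is, above).
  warn   condition = ${if eq{$acl_m_dkim_valid}{}{yes}{no}}
         log_message = DKIM: no valid signature on message from $sender_address

  accept
```

The two warn statements in acl_check_dkim only log; to reject instead, change warn to deny on the one you want to enforce, keeping in mind that a broken signature alone (dkim_status = fail or invalid) is common on forwarded mail and is not on its own a safe reject criterion.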