Re: [exim] Default DKIM ACL?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Todd Lyons
Date:  
CC: exim-users
Sujet: Re: [exim] Default DKIM ACL?
On Fri, Nov 27, 2009 at 8:28 AM, majid alavizadeh
<majid.alavizadeh@???> wrote:
> This is my acl but sent mail dosen't have dkim:


As others have said, the ACL's are only for verifying dkim on received
messages. You have to modify other parts of your configuration to
sign outbound messages. Read section 54 of the spec file
(doc/spec.txt in the tarball IIRC).

I also see that you used a DKIM ACL section that I posted to the
mailing list when I was first figuring out how to implement it. There
are some bugs with that.

> warn condition = ${if eq {$acl_c_dkim_hdr}{1} {no}{yes}}
> set acl_c_dkim_hdr = 1
> add_header = :at_start:X-DKIM: Exim 4.70 on $primary_hostname


For example, the above logic uses an acl_c variable instead of an
acl_m variable. The acl_c variable persists for the entire
connection. So a bad guy could send one valid signed message, then
100 (signed or unsigned) messages all in the same session and that
header would not get added.

Also, you are doing this at the top of the ACL:

> acl_check_dkim:
> accept hosts = +relay_from_hosts
>
> accept authenticated = *


It is the wrong way to do it. Read the entire thread where you got
that DKIM ACL. Nigel responded to my email discussing what things
needed to change in that ACL, and specifically how to use the control
verb in the RCPT acl to tell exim not to attempt to verify any DKIM
sigs for the above two scenarios (is in +relay_from_hosts or is an
authenticated sender).

Go to the exim mailing list webpage (is at the bottom of each email
from the mailing list) and click on the "Archives" link. Just search
for DKIM and you'll see recent messages that discuss how to use it.

Also, READ SECTION 54 IN THE EXIM SPEC DOCUMENT.  I cannot emphasize
this enough.  Read it, reread it, and then reread it again.
Everything you need to know is in that section.
-- 
Regards...      Todd
The best thing about pair programming is that you have the perfect
audience for your genius.  -- Kent Beck