Re: [exim-dev] [Bug 959] New: New DKIM variables which conta…

Top Page
Delete this message
Reply to this message
Author: Michael Haardt
Date:  
To: exim-dev, 959
Subject: Re: [exim-dev] [Bug 959] New: New DKIM variables which contains the flags from the policy record
> It would be nice if the DKIM implementation would also retrieve the policy
> record (_domainkey.domain.tld and the _adsp._domainkey.domain.tld) when it
> exists, and place the results in $dkim_xxxx variables.
>
> That way it would be possible to deny messages that are unsigned, but policy
> states it signs all messages. I've tried doing it myself with dnsdb lookups,
> but that became way too complex.


To me, you need two things for ADSP: Check all required signers, not
just those contained in signatures:

dkim_verify_signers = ${map{${addresses:$h_from:}}{${domain:$item}}}:$dkim_signers

And check the ADSP record:

  condition = ${if eq {$dkim_key_testing}{1} {false} {true}}
  dkim_status = none:invalid:fail
  condition = ${if match {${lookup dnsdb{txt=_adsp._domainkey.$dkim_cur_signer}}} {^dkim[    ]*=[    ]*discardable} {true} {false}}


The second is just an idea, and may be wrong, because it does not
look too complex. ;)

Of course you need to sign mails by all required signers. The patch
I offered for discussion addresses that.

Michael