[exim-dev] [Bug 959] New DKIM variables which contains the f…

Author: Michael Haardt
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 959] New DKIM variables which contains the flags from the policy record

http://bugs.exim.org/show_bug.cgi?id=959




--- Comment #1 from Michael Haardt <michael.haardt@???> 2010-01-28 11:18:20 ---
> It would be nice if the DKIM implementation would also retrieve the policy
> record (_domainkey.domain.tld and the _adsp._domainkey.domain.tld) when it
> exists, and place the results in $dkim_xxxx variables.
>
> That way it would be possible to deny messages that are unsigned, but policy
> states it signs all messages. I've tried doing it myself with dnsdb lookups,
> but that became way too complex.


To me, you need two things for ADSP: Check all required signers, not
just those contained in signatures:

dkim_verify_signers = ${map{${addresses:$h_from:}}{${domain:$item}}}:$dkim_signers

And check the ADSP record:

  condition = ${if eq {$dkim_key_testing}{1} {false} {true}}
  dkim_status = none:invalid:fail
  condition = ${if match {${lookup dnsdb{txt=_adsp._domainkey.$dkim_cur_signer}}} {^dkim[    ]*=[   ]*discardable} {true} {false}}


The second is just an idea, and may be wrong, because it does not
look too complex. ;)

Of course you need to sign mails by all required signers. The patch
I offered for discussion addresses that.

Michael
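
An added example, not part of the original message and not Exim code: a Python model of the two checks described above, showing that a passing signature from another domain does not satisfy the author domain's ADSP policy. The sample TXT records, the function names and the accept/suspicious/discard labels are assumptions made for illustration; the policy values unknown, all and discardable are those defined in RFC 5617.

```python
import re
from email.utils import getaddresses

# Constructed sample ADSP TXT records keyed by the queried name.
# They stand in for the dnsdb lookup and are not real DNS data.
SAMPLE_TXT = {
    "_adsp._domainkey.bank.example": "dkim = discardable",
    "_adsp._domainkey.shop.example": "dkim=all",
    "_adsp._domainkey.odd.example": "v=spf1 -all",  # TXT record that is not ADSP
}

# Same shape as the match in the message, widened to all three policy values.
ADSP_RE = re.compile(r"^dkim[ \t]*=[ \t]*(unknown|all|discardable)\b")


def author_domains(from_header):
    """Domain of every address in From:, as the ${map{${addresses:...}}} line does."""
    return [addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses([from_header]) if "@" in addr]


def adsp_policy(domain, txt=SAMPLE_TXT):
    """Published policy for a domain; a missing or non-ADSP record is 'unknown'."""
    match = ADSP_RE.match(txt.get("_adsp._domainkey." + domain, ""))
    return match.group(1) if match else "unknown"


def evaluate(from_header, passing_signers, txt=SAMPLE_TXT):
    """Map each author domain to 'accept', 'suspicious' or 'discard'.

    passing_signers holds the d= domains whose signatures verified.
    """
    passing = {d.lower() for d in passing_signers}
    verdicts = {}
    for domain in author_domains(from_header):
        if domain in passing:
            verdicts[domain] = "accept"  # author domain signature verified
            continue
        # No passing signature from this author domain: consult its ADSP record.
        policy = adsp_policy(domain, txt)
        verdicts[domain] = {"discardable": "discard",
                            "all": "suspicious"}.get(policy, "accept")
    return verdicts
```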

