[exim] DKIM ADSP (Author Domain Signing Practices) ACL

Author: Bryan Rawlins
To: exim-users
Subject: [exim] DKIM ADSP (Author Domain Signing Practices) ACL
I've created an ACL to check DKIM ADSP policies and act accordingly.
The relevant RFC is 5617:
http://tools.ietf.org/html/rfc5617

ADSP is certainly not used much currently, and I fear it'll be about as
accurate as SPF if it ever does become more widely used, but here's what
I came up with.

There are a couple of caveats here. One, the RFC states that if there are
multiple addresses in the header From, then the message is to be
considered to have multiple authors. I couldn't see any easy way to
accomplish that in the ACL. Two, this was made with a border mail
filter in mind, so there are no provisions for MUAs relaying, etc. It
should be easy enough for admins to adapt it, however.

Comments, questions, and criticisms are welcome.

---------- Start Config ---------------

main config:

# Verify the author domain first (so the DKIM ACL runs for it even when it
# has not signed), then every domain that did sign the message.
dkim_verify_signers = ${if def:h_from:{${domain:$h_from:}}{$sender_address_domain}}:$dkim_signers
# or whatever ACL name is appropriate to your config
acl_smtp_dkim = acl_check_dkim


# acl_check_dkim (or whatever is appropriate to your config):
acl_check_dkim:

  # Set the Author Domain from the From: header, falling back to the envelope sender
  warn    set acl_m_AuthorDomain = ${if def:h_from:{${domain:$h_from:}}{$sender_address_domain}}


  # Check for an ADSP record (Author Domain Signing Practices). This ACL runs
  # once per entry in dkim_verify_signers, so only act on the author domain's
  # own pass. ADSP requires an exact match between signer and author domain,
  # hence eqi rather than an unanchored regex match, which would also fire
  # for sub.example.com against example.com.
  # _ssp._domainkey is the name used by earlier drafts; if neither record
  # exists, fall back to dkim=unknown.
  warn    condition = ${if eqi{$dkim_cur_signer}{$acl_m_AuthorDomain}}
          set acl_m_AdspRecord = ${lookup dnsdb{txt=_adsp._domainkey.$acl_m_AuthorDomain}{$value}\
                                  {${lookup dnsdb{txt=_ssp._domainkey.$acl_m_AuthorDomain}{$value}{dkim=unknown}}}}
          # Reduce the record to the dkim= value (all / discardable / unknown),
          # stripping any trailing ';' or '/'
          set acl_m_AdspRecord = ${sg{${extract{dkim}{$acl_m_AdspRecord}}}{\N[;/]\N}{}}


  # Reject unsigned mail from a domain that declares its unsigned mail discardable
  deny    condition = ${if eqi{$dkim_cur_signer}{$acl_m_AuthorDomain}}
          condition = ${if match{$acl_m_AdspRecord}{\Ndiscardable\N}}
          !dkim_status = pass
          message = No DKIM signature present, but $acl_m_AuthorDomain has a 'discardable' \
                    ADSP policy
          log_message = Message Rejected, $acl_m_AuthorDomain has a discard policy but there \
                        is no DKIM signature.


  # Otherwise record the policy in a header for downstream filters. Without
  # the eqi condition this would add one header per non-passing signer.
  warn    condition = ${if eqi{$dkim_cur_signer}{$acl_m_AuthorDomain}}
          !dkim_status = pass
          message = X-ADSP: $acl_m_AdspRecord


---------- End Config ---------------

-Bryan Rawlins
Systems Administrator
OnlyMyEmail, Inc
http://www.onlymyemail.com
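The policy logic the ACL above implements (query `_adsp._domainkey`, fall back to the draft-era `_ssp._domainkey`, treat a missing or malformed record as `unknown`, and act only on an exact author-domain signature) is easier to follow outside Exim's expansion syntax, so here it is as an added Python example. It is not code from the post or from Exim, and it goes one step further than the ACL by evaluating every address in a multi-author `From:` header, the case the post says it could not handle in the ACL. `FAKE_DNS_TXT`, the `.example` domains, and all function names are constructed stand-ins, not real DNS data.

```python
"""RFC 5617 ADSP evaluation in plain Python (added example, not part of the post).

DNS is replaced by a constructed dictionary so the code runs offline; the query
names and policy values follow RFC 5617 as referenced in the post.
"""
import email.utils

# Constructed stand-in for DNS TXT answers, keyed by query name (not real records).
FAKE_DNS_TXT = {
    "_adsp._domainkey.strict.example": ["dkim=discardable"],
    "_adsp._domainkey.signs.example": ["dkim=all; note=other tags are ignored"],
    "_ssp._domainkey.legacy.example": ["dkim=all"],   # draft-era name the ACL also queries
    "_adsp._domainkey.broken.example": ["no dkim tag here"],
}

VALID_PRACTICES = {"unknown", "all", "discardable"}


def author_domains(from_header):
    """All author domains in a From: header, lower-cased (one per address, per RFC 5617)."""
    domains = set()
    for _name, addr in email.utils.getaddresses([from_header]):
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower())
    return domains


def parse_adsp_record(txt):
    """Parse 'tag=value; tag=value' into a dict, trimming whitespace around tags and values."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def adsp_practice(domain, dns=FAKE_DNS_TXT):
    """Outbound signing practice for a domain: 'unknown', 'all' or 'discardable'.

    Mirrors the ACL: query _adsp._domainkey first, then the draft-era _ssp._domainkey.
    A missing, malformed or unrecognised record is treated as 'unknown'.
    """
    records = (dns.get(f"_adsp._domainkey.{domain}".lower())
               or dns.get(f"_ssp._domainkey.{domain}".lower())
               or [])
    if not records:
        return "unknown"
    practice = parse_adsp_record(records[0]).get("dkim")
    return practice if practice in VALID_PRACTICES else "unknown"


def evaluate_adsp(from_header, verified_signer_domains, dns=FAKE_DNS_TXT):
    """Per-author-domain verdict for one message.

    verified_signer_domains: the d= domains whose DKIM signatures verified
    (dkim_status == pass in the ACL). Only an Author Domain Signature, i.e. d=
    equal to the author domain, satisfies ADSP; a valid third-party signature does not.
    """
    signers = {d.lower() for d in verified_signer_domains}
    verdicts = {}
    for domain in author_domains(from_header):
        practice = adsp_practice(domain, dns)
        if domain in signers or practice == "unknown":
            verdicts[domain] = "ok"
        elif practice == "discardable":
            verdicts[domain] = "discard"       # the ACL rejects at SMTP time here
        else:
            verdicts[domain] = "suspicious"    # 'all' but unsigned: flag, do not reject
    return verdicts


def overall_verdict(verdicts):
    """Collapse per-author verdicts to the most severe one (handles a multi-author From:)."""
    severity = ["ok", "suspicious", "discard"]
    return max(verdicts.values(), key=severity.index, default="ok")


if __name__ == "__main__":
    for hdr, signers in [("alice@strict.example", set()),
                         ("Alice <alice@strict.example>", {"strict.example"}),
                         ("a@strict.example, b@signs.example", {"signs.example"})]:
        v = evaluate_adsp(hdr, signers)
        print(f"{hdr!r} signed by {sorted(signers)}: {v} -> {overall_verdict(v)}")
```

The verdict names map onto the ACL's two actions: `discard` is where the `deny` fires, and `suspicious` is the `dkim=all` case that the ACL only records in the `X-ADSP` header. Replacing `FAKE_DNS_TXT` with a real TXT lookup is the only change needed to run it against live records.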