I've created an ACL to check DKIM ADSP policies and act accordingly.
The relevant RFC is 5617:
http://tools.ietf.org/html/rfc5617
ADSP is certainly not used much currently, and I fear it'll be about as
accurate as SPF if it ever does become more widely used, but here's what
I came up with.
There are a couple of caveats here. One, the RFC states that if there are
multiple addresses in the From header, then the message is to be
considered to have multiple authors. I couldn't see any easy way to
accomplish that in the ACL. Two, this was made with a border mail
filter in mind, so there are no provisions for MUAs relaying, etc. It
should be easy enough for admins to adapt it, however.
Comments, questions, and criticisms are welcome.
---------- Start Config ---------------
main config:

  # Run the DKIM ACL for the author (From:) domain even when the message
  # carries no signature at all, so that its ADSP record is still consulted.
  # $dkim_verify_status is "none" on that pass if the domain did not sign.
  dkim_verify_signers = ${if def:h_from:{${domain:$h_from:}}{$sender_address_domain}}:$dkim_signers
  acl_smtp_dkim = acl_check_dkim     (or whatever is appropriate to your config)

acl_check_dkim (or whatever is appropriate to your config):

  # Set the Author Domain (RFC 5617 section 2.7): the domain of the From:
  # address, falling back to the envelope sender's domain. Note that
  # ${domain:...} yields an empty string when From: carries more than one
  # address (multiple authors), so no policy is checked in that case.
  warn set acl_m_AuthorDomain = ${if def:h_from:\
                                   {${domain:$h_from:}}{$sender_address_domain}}

  # Check for an ADSP record (Author Domain Signing Practices) on the pass
  # where the ACL runs for the author domain. Compare with eq rather than a
  # regex match: with match{} the domain is used as an unanchored pattern, so
  # "notexample.com" would satisfy "example.com". Fall back to the draft-era
  # _ssp name; no record at all is treated as dkim=unknown (the RFC's
  # domain-existence check is not performed here). The second set keeps only
  # the value of the dkim= tag, dropping any trailing ';' or '/'.
  warn condition = ${if eq{$dkim_cur_signer}{$acl_m_AuthorDomain}}
       set acl_m_AdspRecord = ${lookup dnsdb{txt=_adsp._domainkey.$acl_m_AuthorDomain}{$value}\
                                 {${lookup dnsdb{txt=_ssp._domainkey.$acl_m_AuthorDomain}{$value}{dkim=unknown}}}}
       set acl_m_AdspRecord = ${sg{${extract{dkim}{$acl_m_AdspRecord}}}{\N[;/]\N}{}}

  # Reject when the author domain publishes "discardable" and the message
  # carries no valid signature from that domain (a failing or invalid
  # signature counts as no signature, as does none at all).
  deny condition   = ${if eq{$dkim_cur_signer}{$acl_m_AuthorDomain}}
       condition   = ${if eq{$acl_m_AdspRecord}{discardable}}
       !dkim_status = pass
       message     = No valid DKIM signature present, but $acl_m_AuthorDomain \
                     has a 'discardable' ADSP policy
       log_message = Message Rejected, $acl_m_AuthorDomain has a discard policy \
                     but there is no valid DKIM signature.

  # Otherwise record the policy in a header for downstream filtering. The
  # condition on the current signer adds the header once rather than once
  # per non-passing signer.
  warn condition = ${if eq{$dkim_cur_signer}{$acl_m_AuthorDomain}}
       !dkim_status = pass
       message = X-ADSP: $acl_m_AdspRecord
---------- End Config ---------------
-Bryan Rawlins
Systems Administrator
OnlyMyEmail, Inc
http://www.onlymyemail.com
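The decision the ACL above encodes, written out as a small Python model so it can be run against constructed inputs. This is an added example and not part of Bryan's posted configuration or of Exim; it goes a step beyond the ACL by handling the multiple-author From: case the post mentions as a caveat, and by returning the RFC 5617 section 5.4 result names (pass, unknown, fail, discard, nxdomain). Assumptions not from the post: DNS is a constructed in-memory dict so the code runs offline, the `signers` argument maps signing domain to the verification status Exim reports in $dkim_verify_status ("pass", "fail", "invalid", "none"), and the `_ssp._domainkey` fallback is copied from the ACL rather than from the RFC.

```python
"""Model of the RFC 5617 ADSP evaluation performed by the Exim ACL above.

Example code added to this page, not the poster's configuration.  The DNS
answers below are constructed for the example; a name that is absent from
the dict is treated as NXDOMAIN.
"""
from email.utils import getaddresses

# Constructed DNS answers (assumption: these domains and records are fictional).
FAKE_DNS = {
    "example.com": True,                                      # domain exists
    "_adsp._domainkey.example.com": "dkim=discardable",
    "example.net": True,
    "_adsp._domainkey.example.net": "dkim=all; note=legacy",  # extra tag is ignored
    "example.org": True,                                      # exists, no ADSP record
    "legacy.example": True,
    "_ssp._domainkey.legacy.example": "dkim=all",             # draft-era name only
    "weird.example": True,
    "_adsp._domainkey.weird.example": "dkim=someday",         # not a defined value
}


def parse_adsp(txt):
    """Return the practice named by the dkim= tag of an ADSP TXT record.

    Tags are ';'-separated; unknown tags are ignored.  RFC 5617 4.2.1 says any
    dkim= value other than all/discardable is treated as "unknown".  A record
    without a dkim= tag is not a valid ADSP record, so None is returned.
    """
    for tag in txt.split(";"):
        name, sep, value = tag.partition("=")
        if sep and name.strip().lower() == "dkim":
            value = value.strip().lower()
            return value if value in ("all", "discardable") else "unknown"
    return None


def lookup_adsp(author_domain, dns):
    """Look up the author domain's practice against the constructed DNS.

    Confirms the domain exists (NXDOMAIN -> "nxdomain"), then reads
    _adsp._domainkey.<domain>, falling back to _ssp._domainkey.<domain> exactly
    as the ACL does.  No record published means "unknown".
    """
    if author_domain not in dns:
        return "nxdomain"
    for prefix in ("_adsp._domainkey.", "_ssp._domainkey."):
        txt = dns.get(prefix + author_domain)
        if txt is not None:
            practice = parse_adsp(txt)
            if practice is not None:
                return practice
    return "unknown"


def adsp_result(practice, signers, author_domain):
    """Map a practice plus the message's signatures to a dkim-adsp result.

    An Author Domain Signature is a *valid* signature whose d= equals the
    author domain; the comparison is an exact string match, never a regex,
    so "notexample.com" cannot satisfy "example.com".
    """
    if practice == "nxdomain":
        return "nxdomain"
    if signers.get(author_domain) == "pass":
        return "pass"
    return {"all": "fail", "discardable": "discard"}.get(practice, "unknown")


def evaluate(from_header, signers, dns=FAKE_DNS):
    """Evaluate ADSP for every author named in the From: header.

    RFC 5617 treats a From: with several addresses as several authors, so
    the return value is {author_domain: result}, one entry per author.
    """
    results = {}
    for _display_name, addr in getaddresses([from_header]):
        domain = addr.rpartition("@")[2].strip("<>").lower()
        if domain:
            results[domain] = adsp_result(lookup_adsp(domain, dns), signers, domain)
    return results


def should_reject(results):
    """The ACL's deny rule: reject if any author domain evaluates to discard."""
    return any(result == "discard" for result in results.values())


if __name__ == "__main__":
    # Two authors, only one of which signed: the unsigned one is discardable.
    verdict = evaluate("a@example.com, b@example.org", {"example.org": "pass"})
    print(verdict, "reject" if should_reject(verdict) else "accept")
```

The regex-versus-exact-match point in `adsp_result` is the same one that matters in the ACL: the signer comparison must be an equality test, otherwise a signature from a domain that merely contains the author domain as a substring would be accepted as an author domain signature.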