On 2011-03-06 at 16:33 -0600, René Berber wrote:
> On 3/6/2011 3:55 PM, Phil Pennock wrote:
>
> > How about if you add to the deny:
> > log_message = DKIM: $dkim_cur_signer / $dkim_domain / $dkim_key_testing / $dkim_verify_status / $dkim_verify_reason
> >
> > Do you get something more useful out of $dkim_verify_reason ?
>
> No, but I seem to have stumbled into the reason why it wasn't working, I
> also had this line in the configuration:
>
> > dkim_verify_signers = gmail.com:paypal.com:ebay.com:$dkim_signers
*sigh* It took until the fourth reading of the documentation for it to
"click". The interface here is somewhat peculiar. Sorry for the
confusion, I've so far stayed out of the guts of the DKIM
implementation.
The DKIM ACL is called for each "signer" in that list; by default it's
just $dkim_signers. So the ACL is called for all those domains, always;
if the ACL fails, DKIM verification fails. Thus you need to guard
against these extra callers inside the ACL.
Ideally we'd have a way to say "if the message claims to be from
@gmail.com then call the ACL even if there's no DKIM-Signature: header
present", but that's not what this knob does.
What you *can* do is set dkim_verify_signers, just as you have done, but
add a "condition" to the ACL rule, thus:
acl_check_dkim:
deny message = DKIM: Message with invalid/missing signature
condition = ${if eq{$sender_address_domain}{$dkim_cur_signer}}
dkim_status = none:invalid:fail
log_message = DKIM: $dkim_cur_signer / $dkim_domain / $dkim_key_testing / $dkim_verify_status / $dkim_verify_reason
AIUI, that should ensure that the ACL is called for gmail.com even
without a signature, but only actually do a check as needed.
-Phil
