Re: [exim] DKIM problem

Author: René Berber
Date:  
To: exim-users
Subject: Re: [exim] DKIM problem
On 3/6/2011 7:46 PM, Phil Pennock wrote:

>>> dkim_verify_signers = gmail.com:paypal.com:ebay.com:$dkim_signers
>
> *sigh* It took until the fourth reading of the documentation for it to
> "click". The interface here is somewhat peculiar. Sorry for the
> confusion, I've so far stayed out of the guts of the DKIM
> implementation.
>
> The DKIM ACL is called for each "signer" in that list; by default it's
> just $dkim_signers. So the ACL is called for all those domains, always;
> if the ACL fails, DKIM verification fails. Thus you need to guard
> against these extra callers inside the ACL.
>
> Ideally we'd have a way to say "if the message claims to be from
> @gmail.com then call the ACL even if there's no DKIM-Signature: header
> present", but that's not what this knob does.
>
> What you *can* do is set dkim_verify_signers, just as you have done, but
> add a "condition" to the ACL rule, thus:
>
> acl_check_dkim:
>   deny   message = DKIM: Message with invalid/missing signature
>          condition = ${if eq{$sender_address_domain}{$dkim_cur_signer}}
>          dkim_status = none:invalid:fail
>          log_message = DKIM: $dkim_cur_signer / $dkim_domain / $dkim_key_testing / $dkim_verify_status / $dkim_verify_reason
>
> AIUI, that should ensure that the ACL is called for gmail.com even
> without a signature, but only actually do a check as needed.


Excellent, that is exactly what I was trying to accomplish.

Thanks!
--
René Berber
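
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Exim code: a small Python model of the DKIM ACL being called once per entry in `dkim_verify_signers`, with and without the `condition` guard. It assumes that a listed domain with no matching DKIM-Signature header is seen with status `none` and that an accept rule (not shown in the thread) follows the deny rule; `run_dkim_acl`, `compare` and the sample messages are constructed for illustration.

```python
# Simplified model of the ACL behaviour described in the thread; not Exim code.
# Assumptions: the ACL runs once per entry in dkim_verify_signers, an entry with
# no matching DKIM-Signature header is seen with status "none", and an accept
# rule (not shown in the thread) follows the deny rule.

STATIC_SIGNERS = ["gmail.com", "paypal.com", "ebay.com"]
BAD_STATUSES = {"none", "invalid", "fail"}  # dkim_status = none:invalid:fail


def run_dkim_acl(sender_domain, signatures, guarded):
    """Return (verdict, signer_that_denied) for one message.

    sender_domain -- envelope sender domain ($sender_address_domain)
    signatures    -- {signing domain: status} for DKIM-Signature headers present
    guarded       -- True if the deny rule carries the eq{...}{...} condition
    """
    # dkim_verify_signers = gmail.com:paypal.com:ebay.com:$dkim_signers
    for cur_signer in STATIC_SIGNERS + list(signatures):
        status = signatures.get(cur_signer, "none")
        if guarded and sender_domain != cur_signer:
            continue  # condition is false, so the deny rule is skipped
        if status in BAD_STATUSES:
            return ("deny", cur_signer)
    return ("accept", None)


# Constructed sample messages: (label, envelope sender domain, signatures).
SAMPLES = [
    ("signed gmail", "gmail.com", {"gmail.com": "pass"}),
    ("unsigned gmail", "gmail.com", {}),
    ("signed third party", "example.org", {"example.org": "pass"}),
    ("unsigned third party", "example.org", {}),
]


def compare(samples=SAMPLES):
    """Map each label to (verdict without guard, verdict with guard)."""
    return {
        label: (run_dkim_acl(dom, sigs, False)[0], run_dkim_acl(dom, sigs, True)[0])
        for label, dom, sigs in samples
    }


if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(f"{label:22} unguarded={verdicts[0]:6} guarded={verdicts[1]}")
```

In this model the unguarded rule denies every sample, because one of the listed domains is always seen with status `none`; with the guard, only the unsigned message whose envelope sender domain is `gmail.com` is denied.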