On 3/6/2011 7:46 PM, Phil Pennock wrote:
>>> dkim_verify_signers = gmail.com:paypal.com:ebay.com:$dkim_signers
>
> *sigh* It took until the fourth reading of the documentation for it to
> "click". The interface here is somewhat peculiar. Sorry for the
> confusion, I've so far stayed out of the guts of the DKIM
> implementation.
>
> The DKIM ACL is called for each "signer" in that list; by default it's
> just $dkim_signers. So the ACL is called for all those domains, always;
> if the ACL fails, DKIM verification fails. Thus you need to guard
> against these extra callers inside the ACL.
>
> Ideally we'd have a way to say "if the message claims to be from
> @gmail.com then call the ACL even if there's no DKIM-Signature: header
> present", but that's not what this knob does.
>
> What you *can* do is set dkim_verify_signers, just as you have done, but
> add a "condition" to the ACL rule, thus:
>
> acl_check_dkim:
>   deny message = DKIM: Message with invalid/missing signature
>        condition = ${if eq{$sender_address_domain}{$dkim_cur_signer}}
>        dkim_status = none:invalid:fail
>        log_message = DKIM: $dkim_cur_signer / $dkim_domain / $dkim_key_testing / $dkim_verify_status / $dkim_verify_reason
>
> AIUI, that should ensure that the ACL is called for gmail.com even
> without a signature, but only actually do a check as needed.
Excellent, that is exactly what I was trying to accomplish.
Thanks!
--
René Berber
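The per-signer ACL behaviour Phil describes above, as an added example that is not code from the thread or from Exim: a small Python model of Exim walking dkim_verify_signers and calling the DKIM ACL once per signer, showing why the $sender_address_domain / $dkim_cur_signer guard is needed. The Exim names are real; the evaluation model and the sample messages are constructed assumptions.

```python
# Added example, not code from the thread or from Exim: a simplified model of
# how Exim walks dkim_verify_signers and calls the DKIM ACL once per signer.
# Exim names ($dkim_cur_signer, $sender_address_domain, dkim_status) are real;
# the evaluation model is an assumption made to show why the guard is needed.

# Fixed domains from the thread, followed at runtime by $dkim_signers.
DKIM_VERIFY_SIGNERS = ["gmail.com", "paypal.com", "ebay.com"]

def signers_for(message):
    """Expanded dkim_verify_signers: fixed domains plus the domains that
    actually signed the message, without duplicates."""
    signers = []
    for d in DKIM_VERIFY_SIGNERS + [s["domain"] for s in message["signatures"]]:
        if d not in signers:
            signers.append(d)
    return signers

def verify_status(message, signer):
    """$dkim_verify_status for one signer; 'none' if no signature from it."""
    for sig in message["signatures"]:
        if sig["domain"] == signer:
            return sig["status"]
    return "none"

def acl_check_dkim(message, signer, guard):
    """The deny rule from the thread. guard=True models the
    'condition = ${if eq{$sender_address_domain}{$dkim_cur_signer}}' line;
    guard=False models the same rule without it."""
    status = verify_status(message, signer)
    applies = (not guard) or (message["sender_domain"] == signer)
    if applies and status in ("none", "invalid", "fail"):
        return "deny"
    return "accept"

def dkim_verification(message, guard=True):
    """Exim calls the ACL once per signer; the first deny fails the message.
    Returns (verdict, signer that triggered the deny or None)."""
    for signer in signers_for(message):
        if acl_check_dkim(message, signer, guard) == "deny":
            return ("deny", signer)
    return ("accept", None)

# Constructed sample messages.
SIGNED_BY_EXAMPLE_ORG = {"sender_domain": "example.org",
                         "signatures": [{"domain": "example.org", "status": "pass"}]}
UNSIGNED_FROM_GMAIL = {"sender_domain": "gmail.com", "signatures": []}
```

Without the guard, a validly signed message from example.org is denied on the very first signer (gmail.com, status "none"); with the guard it is accepted, while an unsigned message claiming to be from gmail.com is still denied.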