Re: [exim] DKIM verification and envelope-from

Author: Michael J. Tubby B.Sc G8TIC
Date:  
To: Robert Wysocki
CC: Wolfgang Breyha, exim-users
Subject: Re: [exim] DKIM verification and envelope-from
On 27/04/2012 14:09, Robert Wysocki wrote:
> On 2012-04-27 (Fri) at 14:50 +0200, Wolfgang Breyha wrote:
>> Robert Wysocki wrote, on 26.04.2012 13:07:
>>> Hi there,
>>>
>>> I'm trying to achieve a configuration that would verify DKIM signatures
>>> for known signers.
>>> Everything works fine until envelope-from address is one of known
>>> signers. But many spams have envelope-from set differently than From:
>>> header, eg. injectingy472@??? in envelope-from and
>>> something@??? in From: header.
>>> This enables them to bypass DKIM signature checks and therefore to bypass
>>> one of the anti-spam mechanisms.
>> DKIM has no relation to envelope from. DKIM signs and protects the From:
>> header (and others). Using envelope from for anything related to DKIM can only
>> produce false positives, eg. common forwards.
> Thanks, but I know that.
> I believe my question was about something else.
>
> Regards,



In my acl_check_dkim I have these tests first:

         #
         # strict checking on known signers...
         #
         deny    sender_domains = +dkim_known_signers
                 dkim_status = none:invalid:fail
                 message = Message from $sender_address_domain (known signer) with invalid or missing signature
                 logwrite = DKIM DENY: Rejected $sender_address_domain is known signer (in database) but has invalid/missing signature


         accept  sender_domains = +dkim_known_signers
                 dkim_status = pass
                 logwrite = DKIM PASS: Accepted $sender_address_domain is known signer and has good signature
                 add_header = :after_received:X-DKIM-Result: Domain=$sender_address_domain Result=Good (Known Signer)


         #
         # rest of DKIM checking ...
         #


         accept





... the domainlist dkim_known_signers is populated from a mysql database
query like this:

     SELECT_DKIM_KNOWN_SIGNERS = select domain from dkim_known_signers where active=1;
     domainlist dkim_known_signers = ${lookup mysql{SELECT_DKIM_KNOWN_SIGNERS}{${sg{$value}{\\n}{ : }} }}


... and my database table has three columns: id (int), active (tiny int),
domain (varchar 128).

Entries in the database include "ebay.com", "paypal.com", "gmail.com"
and many variants thereof.



Mike
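
The envelope-from versus From: header mismatch raised in this thread, as an added example that is not part of the original messages: a simplified Python model (not Exim's own logic) of a known-signer check keyed on either identity. The function names, sample messages and DKIM results are constructed, and the model assumes the verifier reports one status per signing domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Domain names taken from the post; everything else below is constructed.
KNOWN_SIGNERS = {"ebay.com", "paypal.com", "gmail.com"}

def domain_of(address):
    """Lower-cased domain part of an address, '' if there is none."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def known_signer_check(envelope_from, headers, dkim_results, key):
    """Return 'accept', 'deny' or 'continue' (fall through to other checks).

    dkim_results maps a signing domain (d=) to 'pass', 'fail' or 'invalid';
    an empty dict means the message carried no signature.
    key selects the identity that is tested: 'envelope' or 'header'.
    """
    if key == "envelope":
        dom = domain_of(envelope_from)
    else:
        dom = domain_of(message_from_string(headers).get("From", ""))
    if dom not in KNOWN_SIGNERS:
        return "continue"
    # Assumption of this model: only a passing signature by that same domain counts.
    return "accept" if dkim_results.get(dom, "none") == "pass" else "deny"

PAYPAL_FROM = "From: PayPal <service@paypal.com>\nSubject: test\n\n"

# Constructed samples: label -> (envelope-from, headers, DKIM results)
SAMPLES = {
    "genuine":         ("bounce@paypal.com", PAYPAL_FROM, {"paypal.com": "pass"}),
    "unsigned":        ("bounce@paypal.com", PAYPAL_FROM, {}),
    "mismatch":        ("x123@bulk.example", PAYPAL_FROM, {}),
    "other-signature": ("x123@bulk.example", PAYPAL_FROM, {"bulk.example": "pass"}),
}

def compare():
    """Verdict per sample as (keyed on envelope, keyed on From: header)."""
    return {
        label: (known_signer_check(env, hdr, res, "envelope"),
                known_signer_check(env, hdr, res, "header"))
        for label, (env, hdr, res) in SAMPLES.items()
    }

if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(f"{label:16} envelope={verdicts[0]:9} header={verdicts[1]}")
```
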