Re: [exim] DKIM verification and envelope-from

Author: Michael J. Tubby B.Sc G8TIC
Date:  
To: Wolfgang Breyha
CC: exim-users
Subject: Re: [exim] DKIM verification and envelope-from
On 30/04/2012 23:37, Wolfgang Breyha wrote:
> On 2012-04-30 09:18, Robert Wysocki wrote:
>> Thanks for the conditions, but if I read the documentation right,
>> acl_smtp_dkim is evaluated based on envelope-from, so including this
>> condition won't do me any good.
> Which part of the documentation are you referring to?
>
> Reading
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch54.html
> 2. Verifying DKIM signatures in incoming mail
> clearly says:
> "The global option dkim_verify_signers can be set to a colon-separated list
> of DKIM domains or identities for which the ACL acl_smtp_dkim is called."
>
> So...
>> For example when I have a mail:
>>
>> From somebogusaddress@???
>> .
>> .
>> .
>> From:<somename@???>
>>
>> and I have:
>>
>> dkim_verify_signers = mydomain.tld:$dkim_signer
> ... acl_smtp_dkim will be called for every domain you include in
> dkim_verify_signers. mydomain.tld, too. And if you include spammydomain.tld
> it will be checked, too.
>
> Neither From: nor the envelope_from are automatically included in
> dkim_verify_signers. It defaults to:
> dkim_verify_signers = $dkim_signers
>
> $dkim_signers is the list of domains found in DKIM signatures.
>
>> acl_smtp_dkim won't be called for this message (since spammydomain.tld
>> isn't included in dkim_verify_signers) and the condition you provided
>> won't be checked.
> acl_smtp_dkim is called for each domain in dkim_verify_signers. My
> condition checks for the From:. Since mydomain.tld, the From: domain, is
> included, it will trigger.
>
> Wolfgang


Which is why I have a database of "known signers" that I check first
(strict checking) and then I apply a looser set of heuristics to the rest.

For me the real problem is DKIM signed messages lists that may re-sign
the message and cause confusion.


Mike
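
The dispatch behaviour discussed in this thread, as an added example that is not part of the original message and not Exim code: a simplified Python model of which signers acl_smtp_dkim runs for under two dkim_verify_signers settings. The sample messages, the function names and the `rejected` policy are constructed assumptions; only one signature per signing domain is modelled.

```python
# Simplified model (an assumption, not Exim source) of how dkim_verify_signers
# decides which signers acl_smtp_dkim is run for, and the status each run sees.

def expand_signers(setting, sigs):
    """Expand a dkim_verify_signers value; $dkim_signers becomes the signing domains."""
    items = []
    for item in setting.split(":"):
        item = item.strip()
        found = list(sigs) if item == "$dkim_signers" else [item]
        for domain in found:
            domain = domain.lower()
            if domain and domain not in items:   # each signer is handled once
                items.append(domain)
    return items

def acl_calls(setting, msg):
    """Return (signer, status) per ACL run; 'none' = no signature by that signer."""
    sigs = {d.lower(): s for d, s in msg["signatures"].items()}
    return [(d, sigs.get(d, "none")) for d in expand_signers(setting, sigs)]

def from_domain(msg):
    """Domain of the From: header address (angle brackets tolerated)."""
    return msg["from"].rsplit("@", 1)[-1].strip("<> ").lower()

def rejected(setting, msg, protected="mydomain.tld"):
    """Hypothetical policy: From: in the protected domain needs a passing
    signature from that domain. The envelope sender is never consulted."""
    return any(signer == protected and from_domain(msg) == protected
               and status != "pass"
               for signer, status in acl_calls(setting, msg))

# Constructed samples: a forged From: signed only by another domain, and a
# genuine message signed by the protected domain.
SPOOF = {"envelope_from": "somebogusaddress@spammydomain.tld",
         "from": "<somename@mydomain.tld>",
         "signatures": {"spammydomain.tld": "pass"}}
GENUINE = {"envelope_from": "somename@mydomain.tld",
           "from": "<somename@mydomain.tld>",
           "signatures": {"mydomain.tld": "pass"}}

DEFAULT = "$dkim_signers"                # only domains that actually signed
STATIC = "mydomain.tld:$dkim_signers"    # own domain is always checked

if __name__ == "__main__":
    for name, setting in (("default", DEFAULT), ("static", STATIC)):
        print(name, acl_calls(setting, SPOOF), "rejected:", rejected(setting, SPOOF))
```

With the default setting the forged message never triggers a run for mydomain.tld; with the static entry the ACL runs for it once and sees status `none`.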