Re: [exim] Misconfigured DKIM whitelist?

Author: Daryl Richards
Date:  
To: Raymond Norton
CC: Exim Users
Subject: Re: [exim] Misconfigured DKIM whitelist?
On 01/03/2013 14:02, Raymond Norton wrote:
> I must be confused by the way my exim.conf works. I am getting DKIM
> rejects like this:
>
> 2013-03-01 12:37:52 1UBUq7-0006qM-Pn H=(mail-wi0-f169.google.com)
> [209.85.212.169] rejected DKIM : REJECTED - DKIM failure:
> pubkey_unavailable
> 2013-03-01 12:37:55 1UBUqB-0006qn-08 H=(mail-ia0-f180.google.com)
> [209.85.210.180] rejected DKIM : REJECTED - DKIM failure:
> pubkey_unavailable
>
>
> My exim.conf file has the following:
>
> acl_check_dkim:
>   accept authenticated  = *
>   accept hosts          = :
>   accept hosts          = +whitelisted_hosts
>   deny message          = REJECTED - DKIM failure: $dkim_verify_reason
>        #dkim_status      = none:invalid:fail
>        dkim_status      = none:invalid
>        condition        = ${if eq {$dkim_key_testing}{1} {no}{yes}}
>   warn add_header       = X-DKIM: Status on $received_ip_address using Baruwa 2.0: dkim=$dkim_verify_status; \
>                           signing_identity="$dkim_cur_signer"
>   accept

>
>
> +whitelisted_hosts points to the following:
>
> hostlist whitelisted_hosts = WHITELISTED_HOSTS
>
> WHITELISTED_HOSTS is part of my baruwa postgres database. Google.com,
> googlemail.com and gmail.com have been added to the whitelist, yet get
> bounced for DKIM problems.

For the DKIM problem, you're saying to reject on dkim_status of none,
which means if there is no DKIM, drop the message. Pretty sure you'd
only want to drop on actual fail, possibly invalid.

As for the whitelist, doing a host whitelist would need to have the IP
addresses of their mail servers. You want to check for domains.

acl_check_dkim:
   accept authenticated  = *
   accept hosts          = :
   deny message          = REJECTED - DKIM failure: $dkim_verify_reason
        !sender_domains  = google.com : googlemail.com : gmail.com
        #dkim_status      = none:invalid:fail
        dkim_status      = invalid:fail
        condition        = ${if eq {$dkim_key_testing}{1} {no}{yes}}
   warn add_header       = X-DKIM: Status on $received_ip_address using Baruwa 2.0: dkim=$dkim_verify_status; \
                           signing_identity="$dkim_cur_signer"
   accept
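
Before changing which dkim_status values the deny rule matches, it helps to tally the existing rejects by $dkim_verify_reason and see which status each one came from. The script below is an added example, not part of the original message: the reason-to-status mapping follows the Exim specification's description of $dkim_verify_reason, the first two sample lines are the quoted log entries with the e-mail wrapping undone, and the third is constructed.

```python
import re
from collections import Counter

# Lines 1-2: from the quoted log, unwrapped. Line 3: constructed sample.
SAMPLE_LOG = """\
2013-03-01 12:37:52 1UBUq7-0006qM-Pn H=(mail-wi0-f169.google.com) [209.85.212.169] rejected DKIM : REJECTED - DKIM failure: pubkey_unavailable
2013-03-01 12:37:55 1UBUqB-0006qn-08 H=(mail-ia0-f180.google.com) [209.85.210.180] rejected DKIM : REJECTED - DKIM failure: pubkey_unavailable
2013-03-01 12:40:10 1UBUsK-0006rA-3c H=(mx.example.net) [192.0.2.25] rejected DKIM : REJECTED - DKIM failure: bodyhash_mismatch
"""

# $dkim_verify_reason -> $dkim_verify_status, per the Exim specification.
REASON_STATUS = {
    "pubkey_unavailable": "invalid",   # key could not be fetched from DNS
    "pubkey_syntax": "invalid",        # key record is malformed
    "bodyhash_mismatch": "fail",       # body changed after signing
    "signature_incorrect": "fail",     # signature did not verify
}

# Matches the reject text produced by the "deny message" in the ACL above.
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) H=(?P<host>[^\[]*?)\s*\[(?P<ip>[^\]]+)\]"
    r".*?rejected DKIM\s*: REJECTED - DKIM failure:\s*(?P<reason>\S*)"
)


def summarize(log_text):
    """Count DKIM rejects per (status, reason) and per sending IP."""
    by_reason, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DKIM reject written by this ACL
        reason = m.group("reason") or "(empty)"
        status = REASON_STATUS.get(reason, "unknown")
        by_reason[(status, reason)] += 1
        by_ip[m.group("ip")] += 1
    return by_reason, by_ip


if __name__ == "__main__":
    reasons, ips = summarize(SAMPLE_LOG)
    for (status, reason), n in reasons.most_common():
        print(f"{n:4d}  dkim_status={status:8s} reason={reason}")
    for ip, n in ips.most_common():
        print(f"{n:4d}  {ip}")
```

To run it against a real log, pass the contents of the Exim main log to `summarize()` instead of `SAMPLE_LOG`.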