[exim] Understanding DKIM examples

Author: Yuri D'Elia
Date:  
To: exim-users
Subject: [exim] Understanding DKIM examples
Hi everyone. I'm trying to build my own DKIM policy, and I'm unsure if
what I would like to do is possible.

I would really love to reject invalid DKIM signatures outright, but many
mailing lists simply don't strip the original signature while changing
the body.

I've come to the conclusion that the only thing that I can really do is
check all signatures (for further steps in processing), but reject the
message if the DKIM signature for the sender envelope is broken. This
would fix mailing lists that re-sign the message (basically by checking
just the last signature - if any), but I'm wondering about side effects.

Let's take this (untested) snippet:

   deny
     condition = ${if eq{$sender_address_domain}{${domain:$return_path}}{1}{0}}
     sender_domains = ${domain:$return_path}
     dkim_signers = ${domain:$return_path}
     dkim_status = fail


so here we only consider signatures for the envelope sender's domain (if
any). If there is one, and it's broken, we reject the message. If a DKIM
signature was just appended by a mailing list which rewrote the message
by properly using VERP, this should work. Or not?

Thanks for any suggestion.
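
The policy described in the post above, modelled in Python as an added example (not part of the original message and not Exim configuration). It assumes the rule is evaluated once per signature with an exact domain match; all names, addresses and domains are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    domain: str   # d= tag of one DKIM-Signature header
    status: str   # verification result: "pass", "fail", "invalid" or "none"

def envelope_domain(sender: str) -> str:
    """Domain part of the envelope sender; empty for the null sender."""
    return sender.rpartition("@")[2].lower() if "@" in sender else ""

def decide(envelope_sender: str, signatures: list) -> str:
    """Deny only when a signature made by the envelope sender's domain failed."""
    env = envelope_domain(envelope_sender)
    if not env:
        return "accept"  # bounce message: no domain to compare against
    for sig in signatures:
        if sig.domain.lower() == env and sig.status == "fail":
            return "deny"
    return "accept"

# Constructed messages: example.org is the author's domain,
# lists.example.net is a mailing list that modifies the body.
CASES = {
    "direct, intact": ("alice@example.org", [Signature("example.org", "pass")]),
    "direct, broken": ("alice@example.org", [Signature("example.org", "fail")]),
    "list rewrites envelope (VERP) and re-signs": (
        "list-bounces+bob=example.com@lists.example.net",
        [Signature("example.org", "fail"), Signature("lists.example.net", "pass")]),
    "list keeps the author's envelope sender": (
        "alice@example.org",
        [Signature("example.org", "fail"), Signature("lists.example.net", "pass")]),
    "no signature from envelope domain": (
        "alice@example.org", [Signature("esp.example.net", "pass")]),
    "signed by parent domain only": (
        "alice@mail.example.org", [Signature("example.org", "fail")]),
    "null sender": ("", [Signature("example.org", "fail")]),
}

def run_cases() -> dict:
    """Evaluate every constructed case and return {case name: verdict}."""
    return {name: decide(sender, sigs) for name, (sender, sigs) in CASES.items()}

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{verdict:6}  {name}")
```

The cases to watch are the list that keeps the author's envelope sender (denied although the list re-signed) and the parent-domain signature (accepted because an exact match never sees it).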