Re: [exim] Understanding DKIM examples

Author: Lena
Date:  
To: exim-users
Subject: Re: [exim] Understanding DKIM examples
> From: Yuri D'Elia <wavexx@???>

> I would really love to reject invalid DKIM signatures outright,


What for - for spam filtering? Did you ever see a DKIM signature present
in spam (not through a legitimate mailing list) but broken?
Spammers do make DKIM signatures, but for domains they control,
correct signatures.

> but many
> mailing lists simply don't strip the original signature while changing
> the body.
>
> I've come to the conclusion that the only thing that I can really do is
> check all signatures (for further steps in processing), but reject the
> message if the DKIM signature for the sender envelope is broken. This
> would fix mailing lists that re-sign the message (basically by checking
> just the last signature - if any), but I'm wondering about side effects.
>
> Let's take this (untested) snippet:
>
>    deny
>      condition = ${if eq{$sender_address_domain}{${domain:$return_path}} {1}{0}}
>      sender_domains = ${domain:$return_path}
>      dkim_signers = ${domain:$return_path}
>      dkim_status = fail


The $return_path variable is for sending messages, not receiving.

  deny dkim_signers = $sender_address_domain
       dkim_status = fail


> so here we only consider signatures for the envelope sender's domain (if
> any). If there is one, and it's broken, we reject the message. If a DKIM
> signature was just appended by a mailing list which rewrote the message
> by properly using VERP, this should work. Or not?


If a mailing list or a forwarder doesn't alter envelope-from but
changes something, then you'll reject legitimate mail. For example,
if a forwarder wrongly suspected that the forwarded letter is spam
and marked it in Subject.

I think that this check can cause only harm without any benefit.
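
The following is an added example, not part of the original thread and not Exim code: a small Python model of the `deny dkim_signers = $sender_address_domain / dkim_status = fail` rule, run over the cases discussed above (a forwarder marking Subject, a list appending a footer with and without rewriting the envelope sender). Assumptions: the domains `sender.example` and `list.example`, the sample message and all function names are constructed, and a plain SHA-256 digest of the canonicalized signed headers stands in for the public-key signature that a real verifier checks.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()                      # trailing empty lines are ignored
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The value a signer stores in bh= (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def header_digest(headers: dict, signed) -> str:
    """Digest of the signed headers after 'relaxed' header canonicalization.
    Simplification (assumption): stands in for the public-key signature in b=."""
    out = b""
    for name in signed:
        value = re.sub(r"[ \t]+", " ", headers[name].replace("\r\n", "")).strip(" ")
        out += f"{name.lower()}:{value}\r\n".encode()
    return hashlib.sha256(out).hexdigest()

def sign(domain, headers, body, signed=("from", "subject")):
    return {"d": domain, "h": signed, "bh": body_hash(body), "hd": header_digest(headers, signed)}

def dkim_status(sig, headers, body) -> str:
    ok = sig["bh"] == body_hash(body) and sig["hd"] == header_digest(headers, sig["h"])
    return "pass" if ok else "fail"

def acl_denies(sender_domain, sigs, headers, body) -> bool:
    """Model of: deny dkim_signers = $sender_address_domain / dkim_status = fail"""
    return any(s["d"] == sender_domain and dkim_status(s, headers, body) == "fail"
               for s in sigs)

# Constructed sample message, signed by the author's domain.
HEADERS = {"from": "alice@sender.example", "subject": "Meeting  notes"}
BODY = b"See you at 10.\r\n\r\n"
SIG = sign("sender.example", HEADERS, BODY)

def scenarios() -> dict:
    tagged = dict(HEADERS, subject="[SPAM?] Meeting notes")   # forwarder marks Subject
    footer = BODY + b"-- \r\nlist footer\r\n"                  # list appends a footer
    list_sig = sign("list.example", HEADERS, footer)          # list re-signs its output
    return {
        "direct": acl_denies("sender.example", [SIG], HEADERS, BODY),
        "forwarder_tags_subject": acl_denies("sender.example", [SIG], tagged, BODY),
        "list_keeps_envelope_from": acl_denies("sender.example", [SIG], HEADERS, footer),
        "list_verp_and_resign": acl_denies("list.example", [SIG, list_sig], HEADERS, footer),
    }
```

`scenarios()` returns `True` where the rule would reject: the two cases in which the envelope sender's domain is unchanged but the message was altered in transit.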