Re: [exim] General-purpose DKIM ACL?

Author: Ian Eiloart
Date:  
To: Jaap Winius
CC: Users Users
Subject: Re: [exim] General-purpose DKIM ACL?

On 28 Oct 2013, at 23:21, Jaap Winius <jwinius@???> wrote:

> Hi folks,
>
> Chapter 56 of the Exim documentation includes two examples of ACLs that check for DKIM signatures (see end of page):
>
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html
>
> However, these ACLs only apply to specific domains. Is it possible to construct a general-purpose DKIM ACL?


Yes. Omit the sender_domains condition, and the dkim_signers condition. Say "dkim_status = fail".

If the message isn’t signed, dkim_status will be "none", so it won’t match. You might want to include invalid signatures, too; if so, say "dkim_status = fail:invalid".

And, you’ll probably want to change the message. Perhaps to something like this:

message = DKIM message problem: $dkim_verify_status $dkim_verify_reason. Signed by $dkim_cur_signer

But, note that you might throw away messages where the signature has been broken by a mailing list. Also, note that DKIM recommends that you treat invalid signatures as if there were no signature present. Thus, DKIM is better used to whitelist good messages with trusted signing domains.


> E.g. for every incoming message such an ACL would check if 1) the sender domain has a DKIM policy record, and if so 2) whether the message headers include a DKIM signature, and if so 3) whether this DKIM signature is valid. A warning would be issued if a DKIM policy record was present, but a DKIM signature in the message headers was absent or invalid.
>
> Thanks,
>
> Jaap
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/


--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
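
Added example (not part of the message above, nor taken from the Exim documentation): the general-purpose ACL the reply describes, assembled as an Exim configuration fragment. The ACL name acl_check_dkim and the choice to only log invalid signatures instead of rejecting them are assumptions made for this illustration.

```exim
# Main configuration section: name the ACL that Exim runs for each
# DKIM signature it verifies on an incoming message.
acl_smtp_dkim = acl_check_dkim

# ACL section (after "begin acl"). The name acl_check_dkim is an assumption.
acl_check_dkim:

  # No sender_domains or dkim_signers condition, so this applies to
  # every signing domain. A status of "none" does not match "fail".
  deny  dkim_status = fail
        message     = DKIM message problem: $dkim_verify_status $dkim_verify_reason. Signed by $dkim_cur_signer

  # Assumption: invalid signatures are only logged, in line with the
  # advice to treat them as if no signature were present.
  warn  dkim_status = invalid
        log_message = DKIM invalid: $dkim_verify_reason. Signed by $dkim_cur_signer

  accept
```

To reject invalid signatures as well, as the reply suggests, drop the warn block and use "dkim_status = fail:invalid" in the deny statement.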