Re: [exim] General-purpose DKIM ACL?

Author: Jaap Winius
Date:  
To: Ian Eiloart
CC: Users Users
Subject: Re: [exim] General-purpose DKIM ACL?
Quoting Ian Eiloart <iane@???>:

> Yes. Omit the sender_domains condition, and the dkim_signers
> condition. Say "dkim_status = fail".


If I do that I am able to receive messages from sender domains with
working DKIM configurations, but from the rest I get:

temporarily rejected after DATA: \
cannot test dkim_signers condition in DATA ACL

So, I would only want to run such an ACL on the condition that a
_domainkey record exists in the sender domain. Is it possible to check
for that?

> But, note that you might throw away messages where the signature has
> been broken by a mailing list. Also, note that DKIM recommends that
> you treat invalid signatures as if there were no signature present.
> Thus, DKIM is better used to whitelist good messages with trusted
> signing domains.


Normally you'd be right, but I'm not worried. My system would not
reject such messages when they match; only warn. Instead it counts
warnings in almost a dozen categories and only rejects messages when
they score in three or more. I also whitelist any mailing list servers
that I use.

Cheers,

Jaap
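
An added example, not part of the original message and not the Exim project's own configuration: a warn-only DKIM check placed in the DKIM ACL (`acl_smtp_dkim`) rather than the DATA ACL named in the error above, feeding a score that the DATA ACL acts on at three or more. The ACL names, the `acl_m_*` variable names and the rejection text are assumptions for illustration.

```exim
# Main configuration section: name the ACLs (names are hypothetical).
acl_smtp_mail = acl_check_mail
acl_smtp_dkim = acl_check_dkim
acl_smtp_data = acl_check_data

begin acl

acl_check_mail:
  # Start each message with a clean tally (variable names are assumptions).
  accept set acl_m_score     = 0
         set acl_m_dkim_fail = 0

acl_check_dkim:
  # Exim calls this ACL once per signature it verifies, so with the default
  # dkim_verify_signers setting it does not run at all for unsigned mail.
  warn   dkim_status = fail
         set acl_m_dkim_fail = 1
         logwrite = DKIM fail: signer=$dkim_cur_signer reason=$dkim_verify_reason
  accept

acl_check_data:
  # Count DKIM as a single category, however many signatures failed.
  warn   condition = ${if eq{$acl_m_dkim_fail}{1}}
         set acl_m_score = ${eval10:$acl_m_score+1}
  # ... other warn-only categories would add to acl_m_score here ...
  deny   condition = ${if >={$acl_m_score}{3}}
         message   = Message rejected by local policy
  accept
```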