Autore: Jaap Winius Data: To: Ian Eiloart CC: Users Users Oggetto: Re: [exim] General-purpose DKIM ACL?
Quoting Ian Eiloart <iane@???>:
> Yes. Omit the sender_domains condition, and the dkim_signers
> condition. Say "dkim_status = fail".
If I do that I am able to receive messages from sender domains with
working DKIM configurations, but from the rest I get:
temporarily rejected after DATA: \
cannot test dkim_signers condition in DATA ACL
So, I would only want to run such an ACL on the condition that a
_domainkey record exists in the sender domain. Is it possible to check
for that?
> But, note that you might throw away messages where the signature has
> been broken by a mailing list. Also, note that DKIM recommends that
> you treat invalid signatures as if there were no signature present.
> Thus, DKIM is better used to whitelist good messages with trusted
> signing domains.
Normally you'd be right, but I'm not worried. My system would not
reject such messages when they match; only warn. Instead it counts
warnings in almost a dozen categories and only rejects messages when
they score in three or more. I also whitelist any mailing list servers
that I use.