Re: [exim] Help sought with fairly complex DKIM set up and F…

    http://www.tubby.org/facebook/broken_email.png
>>     * enforce DKIM tests domains that are 'known signers' (google,
>> facebook, etc) and explicitly accept or deny mail based on the result of
>> the DKIM checks - to avoid faked email
>>     * allow through mail with no signatures (obvious)
>>     * support a 'DKIM whitelist' for domains that send with DKIM but
>> have a known fault/problem
>>     * skip checks on hosts/domains we relay for
>>     * skip checks on authenticated connections from MUAs (clients)
>>     * defer if a message that has a signature is not testable, eg.
>> cannot retrieve their DKIM key, key has syntax error, etc.
>>         #
>>         # start of DKIM debug message and clear macro
>>         #
>>         warn    set acl_m2 = 0
>>                 logwrite = DKIM START: domain=$sender_address_domain
>> possible_signer=$dkim_cur_signer status=$dkim_verify_status ${if
>> def:dkim_verify_reason {(reason=$dkim_verify_reason) }}
>>         #
>>         # strict checking on known signers...
>>         #
>>         deny    sender_domains = +dkim_known_signers
>> #               dkim_signers = +dkim_known_signers
>>                 dkim_status = none:invalid:fail
>>                 message = Message from $sender_address_domain (known
>> signer) with invalid or missing signature
>>                 logwrite = DKIM DENY: Rejected $sender_address_domain is
>> known signer (in database) but has invalid/missing signature
>>         accept  sender_domains = +dkim_known_signers
>> #               dkim_signers = +dkim_known_signers
>>                 dkim_status = pass
>>                 logwrite = DKIM PASS: Accepted $sender_address_domain is
>> known signer and has good signature
>>                 add_header = :after_received:X-DKIM-Result:
>> Domain=$sender_address_domain Result=Good and Known Domain
>>         #
>>         # ignore noise where we have no signature
>>         #
>>         accept  dkim_status = none
>> #               logwrite = DKIM SKIP: Skipping DKIM checks - no
>> signature for: $dkim_cur_signer
>>         #
>>         # skip DKIM if domain whitelisted for DKIM, i.e. known good
>> domain that has broken DKIM
>>         #
>>         accept  sender_domains = +dkim_whitelist_domains
>>                 logwrite = DKIM SKIP: Skipping DKIM checks for
>> whitelisted domain: $sender_address_domain
>>                 set acl_m2 = 1
>>         #
>>         # skip DKIM checks on hosts we relay for
>>         #
>>         accept  hosts = +relay_from_hosts
>>                 logwrite = DKIM SKIP: Skipping DKIM checks for relay
>> host: $sender_fullhost
>>         #
>>         # skip DKIM checks on authenticated hosts (that we also relay for)
>>         #
>>         accept  authenticated = *
>>                 logwrite = DKIM SKIP: Skipping DKIM checks for
>> authenticated host: $sender_fullhost
>>         #
>>         # defer when message not testable, e.g. can't get public key, etc.
>>         #
>>         defer   dkim_status = invalid
>>                 message = Message from $sender_address_domain cannot be
>> verified
>>                 logwrite = DKIM DEFER: domain=$sender_address_domain
>>         #
>>         # accept the message (correctly signed)
>>         #
>>         accept  dkim_status = pass
>>                 sender_domains = $sender_address_domain
>>                 dkim_signers = $sender_address_domain
>>                 logwrite = DKIM PASS: domain=$sender_address_domain
>> signer=$dkim_cur_signer status=$dkim_verify_status
>>                 add_header = :after_received:X-DKIM-Result:
>> Domain=$sender_address_domain Result=Signature OK
>>         #
>>         # accept the message EVEN IF the signature FAILS! due to white
>> listing
>>         #
>>         accept  condition = ${if eq {$acl_m2}{1}}
>>                 dkim_status = fail
>>                 sender_domains = $sender_address_domain
>>                 dkim_signers = $sender_address_domain
>>                 logwrite = DKIM FAIL (WHITELISTED):
>> domain=$sender_address_domain status=$dkim_verify_status - DKIM failed
>> but message accepted
>>                 add_header = :after_received:X-DKIM-Result:
>> Domain=$sender_address_domain Result=FAIL (but whitelisted)
>>         #
>>         # deny (strict) when message fails signature test *and* acl_m2 =
>> 0 (not whitelisted)
>>         #
>>         deny    condition = ${if eq {$acl_m2}{0}}
>>                 dkim_status = fail
>>                 sender_domains = $sender_address_domain
>>                 dkim_signers = $sender_address_domain
>>                 message = Message from has invalid DKIM signature
>>                 logwrite = DKIM FAIL (DENY):
>> domain=$sender_address_domain - message rejected!
>>         #
>>         # accept anything else (should never get here)
>>         #
>>         accept  logwrite = DKIM DEFAULT: domain=$sender_address_domain -
>> message accepted (at end of ACL)
>>     http://www.protodave.com/tools/dkim-key-checker/

This message is part of the following thread:
	the complete thread tree sorted by date
	Todd Lyons at
	Todd Lyons at