Re: [exim] accepting email authenthicating on GPG/PGP signat…

Author: Leonardo Boselli
Date:
To: exim-users
Subject: Re: [exim] accepting email authenthicating on GPG/PGP signature
On Mon, 3 Mar 2014, Viktor Dukhovni wrote:
> Is the intent specifically to ensure that all mail is signed, or
> merely to authenticate the sender (in lieu of SASL AUTH).
> Mere signature of content, is not sufficient to authenticate the
> intention to transmit the envelope, so it would be unwise to attempt
> to replace SASL with content GPG. If you want asymmetric keying
> for authentication, TLS client certs would be a better approach.
> Of course if the intent is in fact to make sure that all mail is
> signed by an authorized sender, then in addition to SASL authentication,
> you can implement a filter that performs a GPG content signature
> check.


Both in effect: I cannot use client certs since the message could come
through many levels of relaying, so the machine would listen on port 25
without additional constraints.
Email that arrives at such a server is only for local users, and non-signed
e-mail is not acceptable. In theory one could accept everything and check
at the delivery stage whether it is acceptable and then drop it, but that looks
inelegant.
Actually the response should be:
- signed and to an existing addressee -> delivered
- signed and to a non-existing addressee -> returned with error 550
account not existing
- not signed ... refused or dropped

> --
> Viktor.



--
Leonardo Boselli
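
The three-way policy listed in the message above, written as a decision function (an added example, not code from this thread or from Exim). `LOCAL_USERS`, `AUTHORIZED_SIGNERS`, the `verify` callback and the reply codes used for unsigned or badly signed mail are assumptions, and the sample messages are constructed.

```python
import email
from email import policy

LOCAL_USERS = {"alice@example.org"}                 # constructed sample data
AUTHORIZED_SIGNERS = {"PLACEHOLDER-FINGERPRINT-1"}  # constructed placeholder


def has_pgp_mime_signature(raw: bytes) -> bool:
    """Structural check only: RFC 3156 multipart/signed with a PGP signature part."""
    msg = email.message_from_bytes(raw, policy=policy.SMTP)
    if msg.get_content_type() != "multipart/signed":
        return False
    if str(msg.get_param("protocol", "")).lower() != "application/pgp-signature":
        return False
    parts = list(msg.iter_parts())
    return len(parts) == 2 and parts[1].get_content_type() == "application/pgp-signature"


def smtp_decision(raw: bytes, rcpt: str, verify) -> tuple:
    """Return (code, text) for one recipient after DATA.

    verify(raw) is a hypothetical callback (for example a wrapper around gpg)
    returning the signer's fingerprint, or None if the signature is bad.
    Nothing here binds the signer to the envelope sender (MAIL FROM).
    """
    # Cheap structural test first, so the crypto check never runs on unsigned mail.
    if not has_pgp_mime_signature(raw):
        return 550, "unsigned mail refused"      # reply code is an assumption
    if verify(raw) not in AUTHORIZED_SIGNERS:
        return 550, "signature not acceptable"   # reply code is an assumption
    if rcpt.lower() not in LOCAL_USERS:
        return 550, "account not existing"
    return 250, "accepted for delivery"


def sample_message(signed: bool) -> bytes:
    """Build a constructed message; the signature body is a dummy string."""
    if not signed:
        return b"From: bob@example.net\r\nSubject: hi\r\n\r\nplain text\r\n"
    return (b"From: bob@example.net\r\n"
            b"Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
            b' protocol="application/pgp-signature"; boundary="b1"\r\n\r\n'
            b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
            b"--b1\r\nContent-Type: application/pgp-signature\r\n\r\n"
            b"(constructed dummy signature)\r\n--b1--\r\n")
```

A real `verify` has to check the signature over the exact bytes of the first MIME part as transmitted, since re-serialising the parsed message can change them.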