Re: [exim] DKIM inbound checking

Author: Phillip Carroll
Date:  
To: exim-users
Subject: Re: [exim] DKIM inbound checking
If you only wish to verify particular domains, then I suggest setting in
the main section:

dkim_verify_signers = gmail.com:ebay.com:ebay.de:paypal.com

With that setting, the DKIM acl will always be called for the listed
domains, but only for those domains.

With that setting, the DKIM ACL can be as simple as:

  deny     message = DKIM check failed
           dkim_status = none:invalid:fail



Or, if you want to test everything but have a more stringent test for 
the special domains, you could create a list of those domains in the 
main section:
     # defined as a macro (Exim macro names must start with an upper-case letter)
     MUST_SIGN_DOMAINS = gmail.com:ebay.com:ebay.de:paypal.com


and also set the option:
     dkim_verify_signers = MUST_SIGN_DOMAINS : $dkim_signers


With this setting, acl_smtp_dkim will be called for all emails from the
MUST_SIGN_DOMAINS list (whether signed or not), PLUS all domains
and identities that have signatures in the message. (ref: exim doc,
chapter 56.2)

The acl could be (among various possibilities):

  deny     message = DKIM check failed for $dkim_cur_signer
           # limit this check to the must sign list
           dkim_signers = MUST_SIGN_DOMAINS
           dkim_status     = none:invalid:fail


  warn     log_message = DKIM check failed for $dkim_cur_signer
           # handling of all but the must sign list
           !dkim_signers = MUST_SIGN_DOMAINS
           dkim_status     = invalid:fail
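
The second approach wired up end to end, as an added example that is not part of the original post or of Exim's own documentation. Exim runs the DKIM ACL for every item in the expanded dkim_verify_signers on every message and reports status none for a listed domain that did not sign, so this version denies only when the envelope sender domain equals the signer being checked. The macro name MUST_SIGN_DOMAINS, the ACL name acl_check_dkim and the eqi condition are choices made for this example.

```exim
# Added example. MUST_SIGN_DOMAINS and acl_check_dkim are names chosen here.

# --- main section ---
# Macro holding the domains whose mail must carry a valid signature.
MUST_SIGN_DOMAINS = gmail.com : ebay.com : ebay.de : paypal.com

# Run the DKIM ACL for each must-sign domain on every message, plus once
# for each domain or identity that actually signed the message.
dkim_verify_signers = MUST_SIGN_DOMAINS : $dkim_signers
acl_smtp_dkim = acl_check_dkim

# --- ACL section (after "begin acl") ---
acl_check_dkim:

  # The signer being checked is a must-sign domain, its signature is
  # missing (none), unverifiable (invalid) or wrong (fail), and the
  # envelope sender is in that same domain: reject.
  # Without the last condition, a message from any other sender would be
  # rejected as soon as the ACL ran for a must-sign domain with status none.
  deny     message      = DKIM check failed for $dkim_cur_signer
           dkim_signers = MUST_SIGN_DOMAINS
           dkim_status  = none:invalid:fail
           condition    = ${if eqi{$sender_address_domain}{$dkim_cur_signer}}

  # Any other signer with a broken signature: log it, do not reject.
  warn     log_message   = DKIM check failed for $dkim_cur_signer
           !dkim_signers = MUST_SIGN_DOMAINS
           dkim_status   = invalid:fail

  accept
```

The comparison is an exact, case-insensitive match on the envelope sender domain, so mail sent from a subdomain of a must-sign domain is not covered by the deny rule.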