[exim] Unsigned messages from DKIM domains

Author: Ivo Truxa
Date:  
To: Exim-users
Subject: [exim] Unsigned messages from DKIM domains
Greetings to everyone, I am new to the Exim User list.

I wanted to reject or tag unsigned messages coming from domains that enforce DKIM on all their email in their DNS signing policy (DK,
DKIM, or ADSP). In the current Exim version (4.88 at the moment of writing), using 'dkim_verify_signers = $sender_address_domain'
activates the DKIM ACL for every sender, but unfortunately for messages without signatures the result of 'dkim_status' is always
'none', regardless of whether the domain owner enforces DKIM signing for all messages or not. It does not distinguish between a
neutrally unsigned message and an unsigned message violating the domain's policy.

This means that to bypass Exim's DKIM checks, all an abuser needs to do is send an email without any DKIM at all. Unless
SPF, DMARC or an external program like SpamAssassin helps, the message will be accepted.

I assume that such functionality will be added to DKIM in Exim sooner or later, but I needed it now, so I wrote a simple Perl
script and call it from the DKIM ACL. I published the script and a small "Howto" on GitHub here:

https://github.com/truxoft/dkim_policy

There is a detailed description and a sample Exim configuration in the README file (right on the title page). I do not want to
clutter the list with the details, so I won't repost it all here, hence only a small extract from the config file, calling the
script and rejecting unsigned messages violating the domains' signing policies:

# Reject unsigned mail when the sender domain publishes a "sign everything" policy.
# The script exits 0 when the domain enforces signing, so ${run...} yields "yes".
deny  message         = DKIM signature missing!
      dkim_status     = none
      !sender_domains = +dkim_domains : +local_domains
      condition       = ${run{/path/to/dkim_policy.pl $sender_address_domain}{yes}{no}}

accept

In the example above I exclude domains from the domain lists dkim_domains (a list of well-known and/or frequently used domains using
DKIM, such as PayPal, eBay, Google, various banks, etc.) and local_domains (the list of domains hosted on my server). This is NOT
because I want to accept unsigned messages from their addresses. On the contrary, I reject unsigned messages from those domains before
the policy check. I just do not need to query the DNS unnecessarily in these cases. See the GitHub page for full details.

You can download the current version directly here (I may make some modifications in the near future, so you had better visit the GitHub page
for the latest release):
https://github.com/truxoft/dkim_policy/archive/1.02.tar.gz

Hope it helps someone. Let me know if you have any questions or find any problems with the script or the configuration.

Cheers,
Ivo Truxa
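As an added example (not Ivo's dkim_policy.pl from GitHub), here is the core policy decision the ACL above relies on, written in Python: a domain counts as enforcing signing when its ADSP record (_adsp._domainkey.<domain>, RFC 5617) says dkim=all or dkim=discardable, or when its older DomainKeys policy record (_domainkey.<domain>) says o=-. The DNS lookup is injected and the zone data is constructed, so the script runs offline; a deployment would replace sample_lookup with a real TXT resolver. The exit code follows the ${run{...}{yes}{no}} convention in the ACL (0 means "policy enforces signing").

```python
"""Decide whether a sender domain publishes a 'sign everything' DKIM policy.

Added example, not the dkim_policy.pl script from the post. Checks the ADSP
record (_adsp._domainkey.<domain>) and the legacy DomainKeys policy record
(_domainkey.<domain>, where 'o=-' means every message is signed).
"""
import sys

# ADSP values that require a signature on all mail from the domain.
ADSP_ENFORCING = {"all", "discardable"}


def parse_tags(txt):
    """Split a 'k=v; k2=v2' policy string into a dict of lowercased keys."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def enforces_signing(domain, lookup_txt):
    """Return True when the domain owner says all its mail must be DKIM-signed.

    lookup_txt(name) returns the list of TXT strings for name ([] if none).
    """
    for txt in lookup_txt(f"_adsp._domainkey.{domain}"):
        if parse_tags(txt).get("dkim", "").lower() in ADSP_ENFORCING:
            return True
    for txt in lookup_txt(f"_domainkey.{domain}"):
        if parse_tags(txt).get("o") == "-":
            return True
    return False


# Constructed sample zone data standing in for real DNS answers.
SAMPLE_ZONE = {
    "_adsp._domainkey.strict.example": ["dkim=all"],
    "_adsp._domainkey.lax.example": ["dkim=unknown"],
    "_domainkey.legacy.example": ["o=-; r=postmaster@legacy.example"],
    "_domainkey.legacy-lax.example": ["o=~"],
}


def sample_lookup(name):
    """Offline stand-in for a TXT lookup (hypothetical resolver)."""
    return SAMPLE_ZONE.get(name.lower(), [])


if __name__ == "__main__":
    sender_domain = sys.argv[1] if len(sys.argv) > 1 else "strict.example"
    # Exit 0 => policy enforces signing => ${run...} expands to "yes" => deny.
    sys.exit(0 if enforces_signing(sender_domain, sample_lookup) else 1)
```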