Re: [exim] acl_smtp_dkim called twice

Author: Anton
Date:  
To: exim-users
Subject: Re: [exim] acl_smtp_dkim called twice


On 06-01-22 16:54, Jeremy Harris via Exim-users wrote:
> On 06/01/2022 15:38, Anton via Exim-users wrote:
>> can identity check fail when domain check succeeded and vice versa?
>> Since the signature is the same, selector is the same, etc.
>
> If the values are different in the header, the result can be different.
>


I don't understand the reason to make two separate validations: one for domain and one for identity. (In other words, the reason to put identities in the $dkim_signers list). And what to expect from them.

Imagine, the received DKIM signature contains d=example.com and i=bob@???

If example.com's DNS domainkey entry contains a g=alice field, then "domain" validation will succeed and "identity" validation will fail?

I would say that just the "domain" validation should be enough and it must fail if the i= field in the signature does not match the g= field in the DNS record.
In my understanding they can't be dissociated, and the "whole thing" should validate (or not) depending on d=, i= and g= values.
Or am I missing something?

[Jeremy, this discussion is not very important, I'm just trying to understand. So if you don't have time, please feel free to skip it.]

Thanks!

A.
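
The d= / i= / g= relationship asked about above, as an added example that is not part of the original message and is not Exim's code. It models the key-record g= (granularity) rule as defined in RFC 4871 (RFC 6376 later dropped the g= tag); the header and key-record strings, including the address bob@example.com, are constructed sample values.

```python
import re

def parse_tags(text):
    """Parse a DKIM tag=value list ("d=example.com; s=sel") into a dict."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def identity_in_domain(sig):
    """i= domain must be d= or a subdomain of it; i= defaults to "@" + d=."""
    d = sig["d"].lower()
    i_domain = sig.get("i", "@" + d).rsplit("@", 1)[1].lower()
    return i_domain == d or i_domain.endswith("." + d)

def granularity_matches(sig, key):
    """RFC 4871 g= rule: g= (default "*") must match the local-part of i=,
    with a single optional "*" wildcard; an empty g= never matches."""
    g = key.get("g", "*")
    if g == "" or g.count("*") > 1:
        return False
    local = sig.get("i", "@" + sig["d"]).rsplit("@", 1)[0]
    pattern = ".*".join(re.escape(piece) for piece in g.split("*"))
    return re.fullmatch(pattern, local) is not None

def check(sig_header, key_record):
    """Return both checks separately so each outcome is visible."""
    sig, key = parse_tags(sig_header), parse_tags(key_record)
    return {"identity_in_domain": identity_in_domain(sig),
            "granularity_ok": granularity_matches(sig, key)}

# Constructed sample inputs (p= is a placeholder, not a real key).
SIG = "v=1; a=rsa-sha256; d=example.com; s=sel; i=bob@example.com"
KEY_ALICE = "v=DKIM1; g=alice; k=rsa; p=PLACEHOLDER"
KEY_ANY = "v=DKIM1; k=rsa; p=PLACEHOLDER"

if __name__ == "__main__":
    print("g=alice:", check(SIG, KEY_ALICE))
    print("no g=  :", check(SIG, KEY_ANY))
```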