[exim] Re: How to enable incoming DKIM check, ideally in Ubu…

Am 23.09.23 um 11:30 schrieb Mario Emmenlauer via Exim-users:
>
> Hi,
>
> I'd like to reject emails that are not sent from a valid DKIM-enabled

acl_smtp_dkim = acl_check_dkim

acl_check_dkim:

        # skip if it's from an authenticated user
        accept condition  = ${if eq{$authenticated_id}{} {0}{1}}

        deny sender_domains = $sender_address_domain
             dkim_signers = $sender_address_domain:$dkim_signers
             dkim_status = none:invalid:fail
             log_message = "DKIM: Mail from $sender_address_domain
rejected with $dkim_verify_status"
             message = "DKIM FAILED - SIGNATURE INVALID"

        accept

acl_check_data:
 ...
 deny condition = ${if eq{$h_DKIM-Signature:}{}{1}{0}}
         condition = ${if eq{$authenticated_id}{} {1}{0}}
         log_message = "NO DKIM-SIGNATURE found"
         message = "NO DKIM-SIGNATURE found, but it is required by the
receiver"
...

>
> My question is slightly specific to Ubuntu/Debian, so in case there
> are some users that know which switches to flip on these distros, it's
> even more welcome. But I'm also happy with general insight into DKIM
> incoming email check.
>

you SHOULD add a condition to acl_check_data IF the domain enforces DKIM
or not.

As soon as you enforce DKIM, you really only get emails with valid DKIM
sigs, that additionally could be verified.
You have no clue how many checks end up false, because the dns server
with the sig does not answer in time or M$ screwed up in another way again.

As DKIM has been invented without a way to know upfront, if a email
shall have a sig or not, it's only usefull IF YOU ENFORCE IT.
Without Enforcement DKIM has no meaning at all, as having a valid sig
and having no sig at all, end up in the same way. A Spammer just needs
to remove the sig, so it can't fail.

Without Enforcement, the only usage for DKIM is to detect false
signatures and and those have a 99.9% chance of technically failing,
rather than failing for a spoofe approve.

Honestly: It's a fail by concept. But, "compliance fanatics" love it.

If, like with SPF, a server would now upfront that the mail must have a
sig, then it would be a game changer, in terms of being no longer a fail
by design.

best regards,
Marius

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/