On 25.09.23 10:31, Jeremy Harris via Exim-users wrote:
> On 25/09/2023 08:10, Cyborg via Exim-users wrote:
>> acl_smtp_dkim = acl_check_dkim
>>
>> acl_check_dkim:
>>
>> # skip if it's from an authenticated user
>> accept condition = ${if eq{$authenticated_id}{} {0}{1}}
>>
>> deny sender_domains = $sender_address_domain
>> dkim_signers = $sender_address_domain:$dkim_signers
>> dkim_status = none:invalid:fail
>> log_message = "DKIM: Mail from $sender_address_domain rejected with $dkim_verify_status"
>> message = "DKIM FAILED - SIGNATURE INVALID"
>>
>> accept
>>
>> acl_check_data:
>> ...
>> deny condition = ${if eq{$h_DKIM-Signature:}{}{1}{0}}
>> condition = ${if eq{$authenticated_id}{} {1}{0}}
>> log_message = "NO DKIM-SIGNATURE found"
>> message = "NO DKIM-SIGNATURE found, but it is required by the receiver"
>> ...
>
> Overkill.
>
> acl_check_mail:
> ...
> # save computation effort
> warn condition = ${if def:authenticated_id}
> control = dkim_disable_verify
> ...
>
> acl_check_data:
> ...
> deny condition = ${if !inlist {pass}{$dkim_verify_status}}

Awesome help and input, Marius and Jeremy! I now understand much better the
shortcoming of DKIM, and also how to implement it, in case I still want that.

Jeremy, could you help me with one last bit: which parts of Marius's example in
acl_check_data are replaced by your acl_check_mail? Is the whole acl_check_data
unneeded with your approach?

All the best,
Mario