[exim] Re: How to enable incoming DKIM check, ideally in Ubu…

Góra strony
Delete this message
Reply to this message
Autor: Mario Emmenlauer
Data:  
Dla: exim-users
Temat: [exim] Re: How to enable incoming DKIM check, ideally in Ubuntu/Debian?

On 25.09.23 10:31, Jeremy Harris via Exim-users wrote:
> On 25/09/2023 08:10, Cyborg via Exim-users wrote:
>> acl_smtp_dkim = acl_check_dkim
>>
>> acl_check_dkim:
>>
>>          # skip if it's from an authenticated user
>>          accept condition  = ${if eq{$authenticated_id}{} {0}{1}}
>>
>>          deny sender_domains = $sender_address_domain
>>               dkim_signers = $sender_address_domain:$dkim_signers
>>               dkim_status = none:invalid:fail
>>               log_message = "DKIM: Mail from $sender_address_domain rejected with $dkim_verify_status"
>>               message = "DKIM FAILED - SIGNATURE INVALID"
>>
>>          accept
>>
>> acl_check_data:
>>   ...
>>   deny condition = ${if eq{$h_DKIM-Signature:}{}{1}{0}}
>>           condition = ${if eq{$authenticated_id}{} {1}{0}}
>>           log_message = "NO DKIM-SIGNATURE found"
>>           message = "NO DKIM-SIGNATURE found, but it is required by the receiver"
>> ...
>
> Overkill.
>
> acl_check_mail:
>             ...
>             # save computation effort
>             warn condition = ${if def:authenticated_id}
>                  control = dkim_disable_verify
>             ...
>
> acl_check_data:
>            ...
>            deny condition = ${if !inlist {pass}{$dkim_verify_status}}



Awesome help and input, Marius and Jeremy! I understand now much better the
shortcoming of DKIM, and also how to implement it, in case I still want that.

Jeremy, could you help me one last bit, which parts of Marius's example in
acl_check_data are replaced by your acl_check_mail? Is the whole acl_check_data
unneeded with your approach?

All the best,

    Mario




--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/