On Mon, Dec 17, 2007 at 10:29:35AM +0300, Odhiambo Washington wrote:
> I'd very much love to see the relevant parts of your config if they
> are significantly different than those on the URL I am referring to,
> or if they apply to a situation like mine.
Fair enough. Of course, you'll have to adjust some of the addresslist bits
below.
Step 1: Pick a secret:
PRVS_SECRET=some-secret-goes-here
Step 2: Decode any incoming prvs addresses (there won't be any yet, because
you're not signing your outgoing mail; but you want this to be in place by the
time you /do/ start signing, in step 3).
addresslist prvs_check_signed = [EMAIL PROTECTED]

begin routers

# prvs redirect
prvs:
  condition = ${if [EMAIL PROTECTED]
  driver = redirect
  allow_fail
  data = ${prvscheck [EMAIL PROTECTED]
           {${if eq{$prvscheck_result}{1} {$prvscheck_address}{:fail:Unrouteable address}}}\
         }
Step 3: Sign outgoing mail:
addresslist prvs_sign_outgoing = [EMAIL PROTECTED]

begin transports

remote_smtp:
  driver = smtp
  return_path = ${if match_address{$return_path}{+prvs_sign_outgoing} \
                  {${prvs {$return_path} {PRVS_SECRET}}}\
                  fail\
                }
Step 4: Deny bounces to non-signed addresses:
addresslist prvs_require_signed = [EMAIL PROTECTED]

acl_check_predata:
  # Deny if it's a bounce to a bad address
  # This is so that callouts here work, but bogus bounces are rejected
  deny
    senders = :
    # !acl = acl_prvs_exceptions - you might want some exceptions to apply...
    condition = ${if !eq {${prvscheck {$recipients}{PRVS_SECRET}{$prvscheck_result}}}{1}}
    condition = ${if match_address{$recipients}{+prvs_require_signed}}
    message = Bounces to $recipients are rejected - this address does not send mail
Step 5: Deny outsiders claiming to be me:
(in acl_check_mail):
  # Deny outsiders claiming to be me, without PRVS
  deny
    # !acl = acl_prvs_exceptions - you might want some exceptions to apply...
    senders = +prvs_require_signed
    condition = ${if !eq {${prvscheck {$sender_address}{PRVS_SECRET}{$prvscheck_result}}}{1}}
    message = This address does not send mail
And that's it. Take it slowly, in order. In particular, leave a gap of
a good couple of weeks between steps 3 and 4.
I read the other day someone saying that prvs had problems with casefulness.
They might be right - I only send with lower case local parts, and don't have a
caseful configuration, and it works for me.
Of course if anyone spots anything hideously wrong with the above... :-)
--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
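The five steps above, modelled as a stand-alone program so the tag format and the two ACL decisions can be exercised without an Exim install. This is an added example, not Exim's code and not Dave's configuration: it follows the prvs= layout of the BATV draft as Exim's ${prvs ...} and ${prvscheck ...} use it (one-digit key number, three-digit expiry day stamp, six hex digits of an HMAC-SHA1), but the exact HMAC input, the return conventions, the secret value and the domain "example.com" standing in for the addresslists are assumptions made here.

```python
"""BATV/prvs bounce-address tagging, modelled after the Exim setup in the post.

Added example, not Exim's implementation. Tag layout (assumed to match Exim):
    prvs=KDDDHHHHHH=user@domain
K = one-digit key number, DDD = (days since epoch + validity) mod 1000,
HHHHHH = first 6 hex digits of HMAC-SHA1(secret, K || DDD || address).
"""
import hashlib
import hmac
import re

# Stands in for PRVS_SECRET in the post (constructed value for this example).
PRVS_SECRET = b"some-secret-goes-here"
# Stands in for the prvs_sign_outgoing / prvs_require_signed addresslists (assumption).
MY_DOMAINS = {"example.com"}
# The day stamp has only three digits, so the validity period must stay well under 1000 days.
EXPIRY_DAYS = 7

TAG_RE = re.compile(
    r"^prvs=(?P<key>[0-9])(?P<day>[0-9]{3})(?P<mac>[0-9a-f]{6})=(?P<addr>[^@]+@[^@]+)$"
)


def _mac(secret, key_num, daystamp, address):
    """First 24 bits of HMAC-SHA1(secret, K || DDD || address) as lowercase hex (assumed layout)."""
    msg = f"{key_num}{daystamp:03d}{address}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6]


def prvs_sign(address, secret, now_days, key_num=0, expiry_days=EXPIRY_DAYS):
    """Step 3: rewrite an envelope sender into its tagged form.

    The address is lower-cased before signing so the tag still verifies if a
    remote MTA changes the case of the local part (the "casefulness" problem
    mentioned in the post). now_days is days since the epoch, passed in
    explicitly so the example is deterministic.
    """
    local, domain = address.rsplit("@", 1)
    addr = f"{local.lower()}@{domain.lower()}"
    day = (now_days + expiry_days) % 1000
    return f"prvs={key_num}{day:03d}{_mac(secret, key_num, day, addr)}={addr}"


def prvs_check(tagged, secret, now_days, expiry_days=EXPIRY_DAYS):
    """Steps 2/4/5: validate a tag. Returns (result, inner_address).

    result: 1    = valid and unexpired (what Exim reports as $prvscheck_result "1"),
            0    = prvs-shaped but wrong MAC or expired,
            None = not a prvs address at all (plain address returned unchanged).
    """
    m = TAG_RE.match(tagged)
    if not m:
        return None, tagged
    key, day, mac, addr = int(m["key"]), int(m["day"]), m["mac"], m["addr"]
    if not hmac.compare_digest(mac, _mac(secret, key, day, addr.lower())):
        return 0, addr
    # The stamp is the last valid day; it must lie within [today, today + expiry] mod 1000.
    if (day - now_days) % 1000 > expiry_days:
        return 0, addr
    return 1, addr


def accept_bounce(sender, recipient, secret, now_days):
    """Step 4: a bounce (empty envelope sender) to one of our domains must carry a valid tag."""
    if sender != "":
        return True  # not a bounce; this rule does not apply
    if recipient.rsplit("@", 1)[1].lower() not in MY_DOMAINS:
        return True  # not one of our addresses; other ACLs decide
    result, _ = prvs_check(recipient, secret, now_days)
    return result == 1


def accept_sender(sender, secret, now_days):
    """Step 5: an outside MAIL FROM claiming one of our addresses must be validly tagged."""
    if sender == "":
        return True  # bounces are handled by accept_bounce
    result, base = prvs_check(sender, secret, now_days)
    if base.rsplit("@", 1)[1].lower() not in MY_DOMAINS:
        return True  # not claiming to be us
    return result == 1
```

Note that, as with the commented-out `!acl = acl_prvs_exceptions` lines in the post, `accept_sender` would also reject your own untagged local submissions, so a real deployment needs an exception for authenticated or trusted hosts before that rule.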
