On 27/04/2012 14:09, Robert Wysocki wrote:
Dnia 2012-04-27, piÄ… o godzinie 14:50 +0200, Wolfgang Breyha pisze:
Robert Wysocki wrote, on 26.04.2012 13:07:
Hi there,
I'm trying to achieve configuration that would verify DKIM signatures
for known signers.
Everything works fine until envelope-from address is one of known
signers. But many spams have envelope-from set differently than From:
header, eg. [email protected] in envelope-from and
[email protected] in From: header.
This enables them to bypass DKIM signature checks and therefor to bypass
one of the anti-spam mechanisms.
DKIM has no relation to envelope from. DKIM signs and protects the From:
header (and others). Using envelope from for anything related to DKIM can only
produce false positives, eg. common forwards.
Thanks, but I know that.
I believe my question was about something else.
Regards,
In my acl_check_dkim I have these tests first:
#
# strict checking on known signers...
#
deny sender_domains = +dkim_known_signers
dkim_status = none:invalid:fail
message = Message from $sender_address_domain (known
signer) with invalid or missing signature
logwrite = DKIM DENY: Rejected $sender_address_domain
is known signer (in database) but has invalid/missing signature
accept sender_domains = +dkim_known_signers
dkim_status = pass
logwrite = DKIM PASS: Accepted $sender_address_domain
is known signer and has good signature
add_header = :after_received:X-DKIM-Result:
Domain=$sender_address_domain Result=Good (Known Signer)
#
# rest of DKIM checking ...
#
accept
... the domainlist dkim_known_signers is populated from a mysql database
query like this:
SELECT_DKIM_KNOWN_SIGNERS = select domain from dkim_known_signers
where active=1;
domainlist dkim_known_signers = ${lookup
mysql{SELECT_DKIM_KNOWN_SIGNERS}{${sg{$value}{\\n}{ : }} }}
... and my database table has three columns id (int), active(tiny int),
domain (varchar 128).
Entries in the database include "ebay.com", "paypal.com", "gmail.com"
and many variants thereof.
Mike
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
