On 28 Oct 2013, at 23:21, Jaap Winius <[email protected]> wrote:

> Hi folks,
>
> Chapter 56 of the Exim documentation includes two examples of ACLs that check
> for DKIM signatures (see end of page):
>
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html
>
> However, these ACLs only apply to specific domains. Is it possible to
> construct a general-purpose DKIM ACL?
Yes. Omit the sender_domains condition and the dkim_signers condition. Say "dkim_status = fail". If the message isn't signed, dkim_status will be "none", so it won't match. You might want to include invalid signatures too; if so, say "dkim_status = fail:invalid". And you'll probably want to change the message, perhaps to something like this:

    message = DKIM message problem: $dkim_verify_status $dkim_verify_reason. Signed by $dkim_cur_signer

But note that you might throw away messages where the signature has been broken by a mailing list. Also, note that DKIM recommends that you treat invalid signatures as if there were no signature present. Thus, DKIM is better used to whitelist good messages with trusted signing domains.

> E.g. for every incoming message such an ACL would check if 1) the sender
> domain has a DKIM policy record, and if so 2) whether the message headers
> include a DKIM signature, and if so 3) whether this DKIM signature is valid.
> A warning would be issued if a DKIM policy record was present, but a DKIM
> signature in the message headers was absent or invalid.
>
> Thanks,
>
> Jaap
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
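For reference, here is what the advice in the reply above looks like when written out as a complete DKIM ACL for an Exim 4.7x configuration. This is an added example, not code from the thread or from the Exim documentation; the ACL name acl_check_dkim, the X-DKIM-* header names and the list of trusted signing domains are assumptions. It combines the general-purpose check (no sender_domains or dkim_signers condition, matching "fail" and "invalid") with the whitelisting approach the reply recommends as the more robust use of DKIM.

```exim
# Added example, not from the original thread. Assumes Exim was built with
# DKIM support (the default) and that this ACL is wired in from the main
# section with:
#   acl_smtp_dkim = acl_check_dkim
# The DKIM ACL runs once per signing domain found in the message, so
# $dkim_cur_signer is the domain of the signature currently being checked.

begin acl

acl_check_dkim:

  # Whitelist approach: accept mail that carries a valid signature from a
  # domain we explicitly trust. The signer list is a placeholder (assumption).
  accept dkim_signers = example.com : example.net
         dkim_status  = pass
         add_header   = X-DKIM-Whitelist: valid signature from $dkim_cur_signer

  # General-purpose check: no sender_domains or dkim_signers condition.
  # "fail" and "invalid" only match when a signature is actually present;
  # an unsigned message has dkim_status "none" and falls through untouched.
  # "warn" tags the message and logs; change it to "deny" to reject, bearing
  # in mind that mailing lists often break otherwise valid signatures and
  # that DKIM itself says invalid signatures should be treated as absent.
  warn   dkim_status  = fail : invalid
         add_header   = X-DKIM-Problem: $dkim_verify_status $dkim_verify_reason, signed by $dkim_cur_signer
         log_message  = DKIM message problem: $dkim_verify_status $dkim_verify_reason. Signed by $dkim_cur_signer

  # Everything else (unsigned, or signed and passing but not whitelisted)
  # continues to the normal DATA ACL.
  accept
```

The X-DKIM-Whitelist header can then be consulted later in the DATA ACL or in a router or filter to skip content scanning for trusted, validly signed mail, which is the part DKIM is good at; the X-DKIM-Problem header is only advisory, for the reasons given in the reply.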
