On 23.09.23 at 11:30, Mario Emmenlauer via Exim-users wrote:

Hi,

I'd like to reject emails that are not sent from a valid DKIM-enabled

acl_smtp_dkim = acl_check_dkim

acl_check_dkim:

        # skip if it's from an authenticated user
        accept condition  = ${if eq{$authenticated_id}{} {0}{1}}

        deny sender_domains = $sender_address_domain
             dkim_signers = $sender_address_domain:$dkim_signers
             dkim_status = none:invalid:fail
             log_message = "DKIM: Mail from $sender_address_domain rejected with $dkim_verify_status"
             message = "DKIM FAILED - SIGNATURE INVALID"

        accept

acl_check_data:
        ...
        deny condition   = ${if eq{$h_DKIM-Signature:}{}{1}{0}}
             condition   = ${if eq{$authenticated_id}{} {1}{0}}
             log_message = "NO DKIM-SIGNATURE found"
             message     = "NO DKIM-SIGNATURE found, but it is required by the receiver"
...


My question is slightly specific to Ubuntu/Debian, so in case there
are some users that know which switches to flip on these distros, it's
even more welcome. But I'm also happy with general insight into DKIM
incoming email check.


You SHOULD add a condition to acl_check_data on whether the domain enforces DKIM or not.

As soon as you enforce DKIM, you really only get emails with valid DKIM sigs that additionally could be verified. You have no clue how many checks end up false because the DNS server with the sig does not answer in time, or M$ screwed up in another way again.

As DKIM has been invented without a way to know upfront if an email shall have a sig or not, it's only useful IF YOU ENFORCE IT. Without enforcement DKIM has no meaning at all, as having a valid sig and having no sig at all end up the same way. A spammer just needs to remove the sig, so it can't fail.

Without enforcement, the only usage for DKIM is to detect false signatures, and those have a 99.9% chance of technically failing, rather than failing for a spoof attempt.

Honestly: it's a fail by concept. But "compliance fanatics" love it.

If, like with SPF, a server would know upfront that the mail must have a sig, then it would be a game changer, in terms of being no longer a fail by design.

best regards,
Marius
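One way to make both checks depend on a per-domain enforcement list, as the reply above suggests. This is an added example, not the poster's configuration; the domain-list name and the file path /etc/exim4/dkim_enforced_domains are assumptions.

```exim
# Added example (not from the original post). Domains listed in this file
# (one per line) are the ones whose unauthenticated mail must carry a DKIM
# signature from the sender's own domain that verifies. The list name and
# the file path are assumptions for illustration.
domainlist dkim_enforced_domains = lsearch;/etc/exim4/dkim_enforced_domains

acl_smtp_dkim = acl_check_dkim

acl_check_dkim:
        # Authenticated submission is exempt from the check.
        accept authenticated = *

        # This ACL runs once per signature. Act only on the signature of
        # the envelope sender's domain, and only for enforcing domains.
        # A missing signature never reaches this ACL; see acl_check_data.
        deny   sender_domains = +dkim_enforced_domains
               dkim_signers   = $sender_address_domain
               dkim_status    = invalid:fail
               log_message    = DKIM: $sender_address_domain signature $dkim_verify_status ($dkim_verify_reason)
               message        = DKIM signature for $sender_address_domain failed verification

        accept

acl_check_data:
        # Absence of a signature is only visible at DATA time. Deny it
        # only for enforcing domains, so other senders are unaffected.
        deny   sender_domains = +dkim_enforced_domains
               !authenticated = *
               condition      = ${if eq{$h_DKIM-Signature:}{}{1}{0}}
               log_message    = DKIM: $sender_address_domain requires a signature, none found
               message        = DKIM signature required by receiver policy for $sender_address_domain

        accept
```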
