
List:       exim-users
Subject:    Re: [exim] DKIM inbound checking
From:       Phillip Carroll <postmaster () enablingsimplicity ! com>
Date:       2014-11-15 20:58:21
Message-ID: 5467BE6D.2040602 () enablingsimplicity ! com

If you only wish to verify particular domains, then I suggest setting in 
the main section:

dkim_verify_signers = gmail.com:ebay.com:ebay.de:paypal.com

With that setting, the DKIM acl will always be called for the listed 
domains, but only for those domains.

With that setting, then the dkim acl can be as simple as:

  deny     message = DKIM check failed
           dkim_status = none:invalid:fail


Or, if you want to test everything but have a more stringent test for 
the special domains, you could create a list of those domains in the 
main section:
     # defined as a macro: the main section only accepts known option
     # names, and macro names must begin with an upper-case letter
     MUST_SIGN_DOMAINS = gmail.com:ebay.com:ebay.de:paypal.com

and also set the option:
     dkim_verify_signers = MUST_SIGN_DOMAINS : $dkim_signers

With this setting, acl_smtp_dkim will be called for all emails from the 
MUST_SIGN_DOMAINS list (whether signed or not), PLUS all domains 
and identities that have signatures in the message. (ref: exim doc, 
chapter 56.2)

The acl could be (among various possibilities):

  deny     message = DKIM check failed for $dkim_cur_signer
           # limit this check to the must sign list
           dkim_signers = MUST_SIGN_DOMAINS
           dkim_status     = none:invalid:fail

  warn     log_message = DKIM check failed for $dkim_cur_signer
           # handling of all but the must sign list
           !dkim_signers = MUST_SIGN_DOMAINS
           dkim_status     = invalid:fail

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
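
An added example, not part of the original post: a variant of the second configuration that ties the strict rule to the envelope sender's domain, because acl_smtp_dkim runs once for every item in dkim_verify_signers on every message and reports a status of none for an item that has no signature in that message. The macro name MUST_SIGN_DOMAINS and the ACL name acl_check_dkim are assumptions made for this example.

```exim
# ---- main section ----

# Macro holding the domains that must always carry a valid signature.
# (Assumed name; macro names must start with an upper-case letter.)
MUST_SIGN_DOMAINS = gmail.com : ebay.com : ebay.de : paypal.com

# Call the DKIM ACL for the envelope sender's domain (signed or not)
# and for every domain or identity that actually signed the message.
# A static list here would instead make the ACL run for each listed
# domain on every message, with status "none" whenever that domain
# did not sign, whoever the sender is.
dkim_verify_signers = $sender_address_domain : $dkim_signers

acl_smtp_dkim = acl_check_dkim

# ---- ACL section (after "begin acl") ----

acl_check_dkim:

  # Strict rule: the envelope sender claims a must-sign domain and the
  # signer being examined is a must-sign domain whose signature is
  # missing, unverifiable or failed.
  deny    message        = DKIM check failed for $dkim_cur_signer
          sender_domains = MUST_SIGN_DOMAINS
          dkim_signers   = MUST_SIGN_DOMAINS
          dkim_status    = none:invalid:fail

  # A must-sign domain appears as a signer on mail from some other
  # envelope sender and the signature is bad: log, do not reject.
  warn    log_message    = DKIM check failed for $dkim_cur_signer \
                           (sender domain $sender_address_domain)
          !sender_domains = MUST_SIGN_DOMAINS
          dkim_signers   = MUST_SIGN_DOMAINS
          dkim_status    = invalid:fail

  # Every other signer: log bad signatures only. "none" is left out
  # so that unsigned mail from ordinary domains stays quiet.
  warn    log_message    = DKIM check failed for $dkim_cur_signer
          !dkim_signers  = MUST_SIGN_DOMAINS
          dkim_status    = invalid:fail

  accept
```

sender_domains tests the envelope sender, which for some providers is a bounce-handling domain rather than the one in the From: header. Run `exim -bV` after editing to confirm the configuration still parses.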