On 25.09.23 10:31, Jeremy Harris via Exim-users wrote:
On 25/09/2023 08:10, Cyborg via Exim-users wrote:
acl_smtp_dkim = acl_check_dkim
acl_check_dkim:
# skip if it's from an authenticated user
accept condition = ${if eq{$authenticated_id}{} {0}{1}}
deny sender_domains = $sender_address_domain
dkim_signers = $sender_address_domain:$dkim_signers
dkim_status = none:invalid:fail
log_message = "DKIM: Mail from $sender_address_domain rejected with
$dkim_verify_status"
message = "DKIM FAILED - SIGNATURE INVALID"
accept
acl_check_data:
...
deny condition = ${if eq{$h_DKIM-Signature:}{}{1}{0}}
condition = ${if eq{$authenticated_id}{} {1}{0}}
log_message = "NO DKIM-SIGNATURE found"
message = "NO DKIM-SIGNATURE found, but it is required by the
receiver"
...
Overkill.
acl_check_mail:
...
# save computation effort
warn condition = ${if def:authenticated_id}
control = dkim_disable_verify
...
acl_check_data:
...
deny condition = ${if !inlist {pass}{$dkim_verify_status}}
Awesome help and input, Marius and Jeremy! I understand now much better the
shortcoming of DKIM, and also how to implement it, in case I still want that.
Jeremy, could you help me one last bit, which parts of Marius's example in
acl_check_data are replaced by your acl_check_mail? Is the whole acl_check_data
unneeded with your approach?
All the best,
Mario
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
