On 24/02/2024 15:02, Laura Williamson via Exim-users wrote:
> Config question
> I want to enable DKIM check for some local users/domains but not all, not
> really sure how to do this

If you can identify the messages in ACL *before* the data time
- eg. in RCPT ACL - then the most simple way is an ACL control
"disable_dkim_verify".

> acl_smtp_dkim:
>   #does not work
>   #domains = /etc/mail/mylocaldomainswiththisenabled
>   deny  dkim_status = fail
>         message = DKIM validation failed: $dkim_verify_status
>         log_message = DKIM validation failed: $dkim_verify_status \
>                       (address=$sender_address, domain=$dkim_cur_signer), \
>                       signature is bad
>   defer dkim_status = invalid
>         message = DKIM signature invalid: $dkim_verify_status
>         log_message = DKIM signature invalid: $dkim_verify_status \
>                       (address=$sender_address, domain=$dkim_cur_signer), \
>                       invalid signature
>   accept
>         # Add an X-DKIM header to the message
>         add_header = :at_start: X-DKIM: DKIM validation passed: \
>                      (address=$sender_address domain=$dkim_cur_signer), \
>                      signature is good
>         logwrite = DKIM validation passed

> Also another config question. This will not work if a user sends an email, with
> gmail.com as sender but via another smtp (and therefore the DKIM is not in the
> header). How can I enable so all gmail.com senders are validated and if no
> DKIM, rejected?

The DKIM ACL, if any, is run once for each signature in the message.
Then the *set of results* is left in the $dkim_verify_status variable
(a colon-sep list, if there was >1 signature).
You can check that variable in your DATA ACL, dependent on any other
condition you like.
--
Cheers,
Jeremy
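
One way to apply the DATA ACL advice above, as an added example that is not part of the original thread: the RCPT ACL records whether any recipient is in an opted-in domain, and the DATA ACL then rejects gmail.com envelope senders when no entry in $dkim_verify_status is "pass". The variable name acl_m_dkim_enforce and the ACL name acl_check_data are assumptions; the file path is the one from the question.

```conf
# Added example (constructed), not configuration from the thread.
# Assumed names: acl_m_dkim_enforce, acl_check_data.

# --- main section ---
acl_smtp_data = acl_check_data

# --- inside the existing RCPT ACL, before its final statements ---
# $domain is only set while a recipient is being processed, so the
# opt-in decision is remembered in a per-message ACL variable here.
  warn  domains = /etc/mail/mylocaldomainswiththisenabled
        set acl_m_dkim_enforce = yes

# --- DATA ACL ---
acl_check_data:

  # Enforce only when at least one recipient was in an opted-in domain.
  # $dkim_verify_status is treated as a colon-separated list of the
  # per-signature results; forany is true if any item equals "pass".
  # A message with no signature at all has no "pass" item and is denied.
  deny  condition      = ${if def:acl_m_dkim_enforce}
        sender_domains = gmail.com
        !condition     = ${if forany{$dkim_verify_status}{eq{$item}{pass}}}
        message        = gmail.com sender without a passing DKIM signature
        log_message    = no DKIM pass for $sender_address \
                         (results: $dkim_verify_status)

  accept
```

This accepts any passing signature, whatever domain signed it; to require a signature from gmail.com itself, record the result in the DKIM ACL with the `dkim_signers` condition and test that in the DATA ACL instead. The `sender_domains` condition matches the envelope sender, not the From: header.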