-
-
Save mrballcb/11257290 to your computer and use it in GitHub Desktop.
acl_check_dkim: | |
# Skip this whole acl if header.d contains an @ sign because exim is | |
# breaking down the header.i part (which usually is an email address) | |
# bit by bit, working towards just the domain name. | |
accept condition = ${if match{$dkim_cur_signer}{\N@\N}} | |
accept dkim_status = none | |
sender_domains = KNOWN_DKIM_SIGNERS | |
dkim_signers = KNOWN_DKIM_SIGNERS | |
condition = ${if eqi{$sender_address_domain}{$dkim_cur_signer} {yes}{no}} | |
log_message = Possible DKIM Forgery: Unsigned message from $sender_address_domain | |
add_header = :at_start:X-DKIM: Exim $version_number on $primary_hostname (no dkim signature for required domain: $dkim_cur_signer) | |
accept dkim_status = none | |
!sender_domains = KNOWN_DKIM_SIGNERS | |
!dkim_signers = KNOWN_DKIM_SIGNERS | |
set acl_m_dkim_hdr = 1 | |
add_header = :at_start:X-DKIM: Exim $version_number on $primary_hostname (no dkim signature for $dkim_cur_signer) | |
warn condition = ${if eq {$acl_m_dkim_hdr}{1} {no}{yes}} | |
set acl_m_dkim_hdr = 1 | |
add_header = :at_start:X-DKIM: Exim $version_number on $primary_hostname | |
accept dkim_status = pass | |
add_header = :at_start:Authentication-Results: $primary_hostname; dkim=$dkim_verify_status header.d=$dkim_cur_signer header.i=$dkim_identity header.s=$dkim_selector | |
warn dkim_status = invalid : fail | |
add_header = :at_start:Authentication-Results: $primary_hostname; dkim=$dkim_verify_status header.d=$dkim_cur_signer header.i=$dkim_identity header.s=$dkim_selector reason="$dkim_verify_reason" | |
deny dkim_status = fail | |
sender_domains = KNOWN_DKIM_SIGNERS | |
dkim_signers = KNOWN_DKIM_SIGNERS | |
condition = ${if eq {$dkim_key_testing}{1} {no}{yes}} | |
message = Rejected: $dkim_verify_reason | |
accept |
this ACL won't even be called unless there is a DKIM signature in the email. This those two
accept dkim_status = none
sections are moot.
Ah, don't mind me, now I've found the documentation bit about setting dkim_verify_signers
for that.
For what it's worth, if like me you want to use a file for the 'known signing domains' then:
DKIM_KNOWN_SIGNERS_FILE=/etc/exim4/dkim_known_signers
# Use a DKIM ACL
acl_smtp_dkim = acl_check_dkim
dkim_verify_signers = $sender_address_domain:$dkim_signers
...
acl_check_dkim:
# Skip this whole acl if header.d contains an @ sign because exim is
# breaking down the header.i part (which usually is an email address)
# bit by bit, working towards just the domain name.
accept condition = ${if match{$dkim_cur_signer}{\N@\N}}
accept dkim_status = none
sender_domains = ${lookup {$sender_address_domain} lsearch,ret=full {DKIM_KNOWN_SIGNERS_FILE} {$sender_address_domain}}
dkim_signers = ${lookup {$sender_address_domain} lsearch,ret=full {DKIM_KNOWN_SIGNERS_FILE} {$sender_address_domain}}
condition = ${if eqi{$sender_address_domain}{$dkim_cur_signer} {yes}{no}}
log_message = Possible DKIM Forgery: Unsigned message from $sender_address_domain
add_header = :at_start:X-DKIM: Exim $version_number on $primary_hostname (no dkim signature for required domain: $dkim_cur_signer)
accept dkim_status = none
!sender_domains = ${lookup {$sender_address_domain} lsearch,ret=full {DKIM_KNOWN_SIGNERS_FILE} {$sender_address_domain}}
!dkim_signers = ${lookup {$sender_address_domain} lsearch,ret=full {DKIM_KNOWN_SIGNERS_FILE} {$sender_address_domain}}
set acl_m_dkim_hdr = 1
add_header = :at_start:X-DKIM: Exim $version_number on $primary_hostname (no dkim signature for $dkim_cur_signer)
warn condition = ${if eq {$acl_m_dkim_hdr}{1} {no}{yes}}
set acl_m_dkim_hdr = 1
add_header = :at_start:X-DKIM: Exim $version_number on $primary_hostname
accept dkim_status = invalid : pass
add_header = :at_start:Authentication-Results: $primary_hostname; dkim=$dkim_verify_status header.d=$dkim_cur_signer header.i=$dkim_identity header.s=$dkim_selector
accept dkim_status = invalid : fail
add_header = :at_start:Authentication-Results: $primary_hostname; dkim=$dkim_verify_status header.d=$dkim_cur_signer header.i=$dkim_identity header.s=$dkim_selector reason="$dkim_verify_reason"
accept
You can't just reference the file in dkim_verify_signers
, because zero expansion is done on that, ever. Try to set it to a file and you'll end up with $dkim_cur_signer
in the ACL literally being that value, i.e. the name of the file. So, work around this by just triggering the ACL for all SMTP-injected email using dkim_verify_signers = $sender_address_domain:$dkim_signers
, and then do lookups on the file in the ACL.
The exact form of the ${lookup ...}
is so that you can have a file that contains, other than comments, literally just a domain per line.
Not all of this works, but only in the sense that, as per:
this ACL won't even be called unless there is a DKIM signature in the email. This those two
accept dkim_status = none
sections are moot.