On 24/02/2024 15:02, Laura Williamson via Exim-users wrote:
> Config question
>
> I want to enable DKIM check for some local users/domains but not all, not really sure how to do this
If you can identify the messages in ACL *before* the data time
- eg. in RCPT ACL - then the mast simple way is an ACL control "disable_dkim_verify".
>
> acl_smtp_dkim:
> #does not work
>
> #domains = /etc/mail/mylocaldomainswiththisenabled
>
> deny dkim_status = fail
> message = DKIM validation failed: $dkim_verify_status
> log_message = DKIM validation failed: $dkim_verify_status \
> (address=$sender_address, domain=$dkim_cur_signer), \
> signature is bad
> defer dkim_status = invalid
> message = DKIM signature invalid: $dkim_verify_status
> log_message = DKIM signature invalid: $dkim_verify_status \
> (address=$sender_address, domain=$dkim_cur_signer), \
> invalid signature
> accept
> # Add an X-DKIM header to the message
> add_header = :at_start: X-DKIM: DKIM validation passed: \
> (address=$sender_address domain=$dkim_cur_signer), \
> signature is good
> logwrite = DKIM validation passed
>
> Also another config question. This will not work if a user sends an email, with gmail.com as sender but via another smtp (and therefore the DKIM is not in the header). How can I enable so all gmail.com senders are validated and if no DKIM, rejected?
The DKIM ACL, if any, is run once for each signature in the message.
Then the *set of results* is left in the $dkim_verify_status variable
(a colon-sep list, if there was >1 signature).
You can check that variable in your DATA ACL, dependent on any other
condition you like.
--
Cheers,
Jeremy
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
> Config question
>
> I want to enable DKIM check for some local users/domains but not all, not really sure how to do this
If you can identify the messages in ACL *before* the data time
- eg. in RCPT ACL - then the mast simple way is an ACL control "disable_dkim_verify".
>
> acl_smtp_dkim:
> #does not work
>
> #domains = /etc/mail/mylocaldomainswiththisenabled
>
> deny dkim_status = fail
> message = DKIM validation failed: $dkim_verify_status
> log_message = DKIM validation failed: $dkim_verify_status \
> (address=$sender_address, domain=$dkim_cur_signer), \
> signature is bad
> defer dkim_status = invalid
> message = DKIM signature invalid: $dkim_verify_status
> log_message = DKIM signature invalid: $dkim_verify_status \
> (address=$sender_address, domain=$dkim_cur_signer), \
> invalid signature
> accept
> # Add an X-DKIM header to the message
> add_header = :at_start: X-DKIM: DKIM validation passed: \
> (address=$sender_address domain=$dkim_cur_signer), \
> signature is good
> logwrite = DKIM validation passed
>
> Also another config question. This will not work if a user sends an email, with gmail.com as sender but via another smtp (and therefore the DKIM is not in the header). How can I enable so all gmail.com senders are validated and if no DKIM, rejected?
The DKIM ACL, if any, is run once for each signature in the message.
Then the *set of results* is left in the $dkim_verify_status variable
(a colon-sep list, if there was >1 signature).
You can check that variable in your DATA ACL, dependent on any other
condition you like.
--
Cheers,
Jeremy
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/