helo:
## Don't worry if this is local submission. MUAs won't necessarily
## have a clear idea of their hostnames. (For some reason.)
- accept condition = ${if !eq{$acl_c_mode}{submission}}
+ accept condition = ${if eq{$acl_c_mode}{submission}}
## Check that the caller's claimed identity is actually plausible.
## This seems like it's a fairly effective filter on spamminess, but
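Review bot: The comment above the corrected `accept` says "local submission", but the condition tests only that `$acl_c_mode` equals `submission`, and nothing has authenticated yet when the HELO ACL runs. If that variable is set from the listening port (its assignment is not visible in this hunk), every client connecting to the submission service skips the plausibility checks that follow, so the later ACLs have to be the ones that insist on authentication. I would make the comment say so, for example `## Submission-mode clients skip the HELO checks. This is decided before AUTH, so the MAIL/RCPT ACLs must still require it.` The rest of the `helo` ACL lies outside the hunk.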
{CONF_dkim_keys_dir/$value/active/$dkim_selector.priv}:>)
dkim_canon = relaxed
dkim_strict = true
- dkim_sign_headers = CONF_dkim_headers:\
- X-CONF_header_token-DKIM-Key-Publication
+ ## The following ridiculous stunt does two important jobs. Firstly,
+ ## and more obviously, it arranges to include one more copy of each
+ ## header name than the message actually contains, thereby causing
+ ## the signature to fail if another header with the same name is
+ ## added. And secondly, and far more subtly, it also trims the
+ ## spaces from the header names so that they're in the format that
+ ## the signing machinery secretly wants.
+ dkim_sign_headers = \
+ ${sg {${map {CONF_dkim_headers : \
+ X-CONF_header_token-DKIM-Key-Publication} \
+ {$item${sg {${expand:\$h_$item:}\n} \
+ {((?:[^\n]+|\n\\s+)*)\n} \
+ {:$item}}}}} \
+ {::}{:}}
headers_add = \
${if DKIM_SIGN_P \
{DKIM_KEYS_INFO(<:m4_dnl
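Review bot: In the new `dkim_sign_headers` expansion the continuation-line alternative `\n\\s+` can also swallow a blank line, because `\s` matches a newline. As far as I can tell, a header instance with an empty body then gets folded into the preceding instance, so the list comes out one name short. In that case the header is no longer oversigned and another copy could be added without breaking the signature. Restricting the continuation to horizontal whitespace avoids this: `{((?:[^\n]+|\n[ \t]+)*)\n} \`. The enclosing transport definition starts and ends outside the hunk, so I could not check how `CONF_dkim_headers` is defined.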