helo:
## Don't worry if this is local submission. MUAs won't necessarily
## have a clear idea of their hostnames. (For some reason.)
- accept condition = ${if !eq{$acl_c_mode}{submission}}
+ accept condition = ${if eq{$acl_c_mode}{submission}}
## Check that the caller's claimed identity is actually plausible.
## This seems like it's a fairly effective filter on spamminess, but
{!def:h_DKIM-Signature:} \
{!def:h_List-ID:} \
{or {{def:authenticated_id} \
- {def:authenticated_sender}}}}:>)
+ {def:authenticated_sender}}} \
+ {bool {DKIM_KEYS_INSTANCE(<:{true}:>, <:{false}:>)}}}:>)
m4_define(<:DKIM_KEYS_INSTANCE:>,
<:${lookup {${domain:$h_From:}} partial0-lsearch \
${if DKIM_SIGN_P \
{DKIM_KEYS_INSTANCE({${domain:$h_From:}})}}
dkim_selector = DKIM_KEYS_INFO(<:{KV(k)}:>)
+ ##dkim_timestamps = m4_eval(<:7*24*60*60:>)
dkim_private_key = \
DKIM_KEYS_INSTANCE(<:m4_dnl
{CONF_dkim_keys_dir/$value/active/$dkim_selector.priv}:>)
dkim_canon = relaxed
dkim_strict = true
- dkim_sign_headers = CONF_dkim_headers : \
- X-CONF_header_token-DKIM-Key-Publication
+ ## The following ridiculous stunt does two important jobs. Firstly,
+ ## and more obviously, it arranges to include one more copy of each
+ ## header name than the message actually contains, thereby causing
+ ## the signature to fail if another header with the same name is
+ ## added. And secondly, and far more subtly, it also trims the
+ ## spaces from the header names so that they're in the format that
+ ## the signing machinery secretly wants.
+ dkim_sign_headers = \
+ ${sg {${map {CONF_dkim_headers : \
+ X-CONF_header_token-DKIM-Key-Publication} \
+ {$item${sg {${expand:\$h_$item:}\n} \
+ {((?:[^\n]+|\n\\s+)*)\n} \
+ {:$item}}}}} \
+ {::}{:}}
headers_add = \
${if DKIM_SIGN_P \
{DKIM_KEYS_INFO(<:m4_dnl
{X-CONF_header_token-DKIM-Key-Publication: \
- DKIM signature not suitable for \
- as evidence after delivery; \
+ DKIM signature not suitable \
+ as evidence after delivery;\n\t\
DKIM private key KV(k) will be \
- published at KV(u) on or before \
- KV(tpub)}:>)}}:>)
+ published\n\t\
+ at KV(u)\n\t\
+ on or before KV(tpub)}:>)}}:>)
+
m4_define(<:SMTP_DELIVERY:>,
<:## Prevent sending messages with overly long lines. The use of
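Review bot: `dkim_timestamps` stays commented out at the `##dkim_timestamps = m4_eval(<:7*24*60*60:>)` line, so the signatures the new `dkim_sign_headers` oversigning protects still carry no expiry (`x=`) tag and remain verifiable indefinitely; oversigning stops a replayer from adding headers, but not the replay itself. If the Exim in use accepts `dkim_timestamps`, enabling it with the one-week value already written there bounds that window; if it does not, a comment naming the version that is needed would tell the next reader why it is disabled. On the oversigning expansion, recent Exim releases as far as I recall accept a `+` prefix on a name in `dkim_sign_headers` to request oversigning natively, which would replace the nested `${sg}`/`${map}` expression with a plain list; if the deployed version predates that, the header comment could say so, since the regex form is hard to review. The transport that owns these options starts before the hunk and the hunk appears to continue past the visible lines.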