base.m4: Nearly set DKIM expiry time.

[exim-config] / base.m4

diff --git a/base.m4 b/base.m4
index 7c9cdb7..d64b88b 100644 (file)
--- a/base.m4
+++ b/base.m4
@@ -128,7 +128,7 @@ SECTION(acl, misc)m4_dnl
 helo:
        ## Don't worry if this is local submission.  MUAs won't necessarily
        ## have a clear idea of their hostnames.  (For some reason.)
-       accept   condition = ${if !eq{$acl_c_mode}{submission}}
+       accept   condition = ${if eq{$acl_c_mode}{submission}}
 
        ## Check that the caller's claimed identity is actually plausible.
        ## This seems like it's a fairly effective filter on spamminess, but
@@ -424,7 +424,8 @@ m4_define(<:DKIM_SIGN_P:>,
               {!def:h_DKIM-Signature:} \
               {!def:h_List-ID:} \
               {or {{def:authenticated_id} \
-                   {def:authenticated_sender}}}}:>)
+                   {def:authenticated_sender}}} \
+              {bool {DKIM_KEYS_INSTANCE(<:{true}:>, <:{false}:>)}}}:>)
 
 m4_define(<:DKIM_KEYS_INSTANCE:>,
        <:${lookup {${domain:$h_From:}} partial0-lsearch \
@@ -446,22 +447,37 @@ m4_define(<:DKIM_SIGN:>,
                ${if DKIM_SIGN_P \
                        {DKIM_KEYS_INSTANCE({${domain:$h_From:}})}}
        dkim_selector = DKIM_KEYS_INFO(<:{KV(k)}:>)
+       ##dkim_timestamps = m4_eval(<:7*24*60*60:>)
        dkim_private_key = \
                DKIM_KEYS_INSTANCE(<:m4_dnl
                        {CONF_dkim_keys_dir/$value/active/$dkim_selector.priv}:>)
        dkim_canon = relaxed
        dkim_strict = true
-       dkim_sign_headers = CONF_dkim_headers : \
-               X-CONF_header_token-DKIM-Key-Publication
+       ## The following ridiculous stunt does two important jobs.  Firstly,
+       ## and more obviously, it arranges to include one more copy of each
+       ## header name than the message actually contains, thereby causing
+       ## the signature to fail if another header with the same name is
+       ## added.  And secondly, and far more subtly, it also trims the
+       ## spaces from the header names so that they're in the format that
+       ## the signing machinery secretly wants.
+       dkim_sign_headers = \
+               ${sg {${map {CONF_dkim_headers : \
+                            X-CONF_header_token-DKIM-Key-Publication} \
+                           {$item${sg {${expand:\$h_$item:}\n} \
+                                      {((?:[^\n]+|\n\\s+)*)\n} \
+                                      {:$item}}}}} \
+                    {::}{:}}
        headers_add = \
                ${if DKIM_SIGN_P \
                        {DKIM_KEYS_INFO(<:m4_dnl
                                {X-CONF_header_token-DKIM-Key-Publication: \
-                                       DKIM signature not suitable for \
-                                       as evidence after delivery; \
+                                       DKIM signature not suitable \
+                                       as evidence after delivery;\n\t\
                                        DKIM private key KV(k) will be \
-                                       published at KV(u) on or before \
-                                       KV(tpub)}:>)}}:>)
+                                       published\n\t\
+                                       at KV(u)\n\t\
+                                       on or before KV(tpub)}:>)}}:>)
+
 
 m4_define(<:SMTP_DELIVERY:>,
        <:## Prevent sending messages with overly long lines.  The use of