base.m4, config.m4: Add DKIM signing machinery.
diff --git a/base.m4 b/base.m4
index 21f774b..8bcf0a4 100644 (file)
--- a/base.m4
+++ b/base.m4
@@ -419,6 +419,50 @@ m4_define(<:APPLY_HEADER_CHANGES:>,
                <:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
                $2:>):>)
 
+m4_define(<:DKIM_SIGN_P:>,
+       <:and {{exists{CONF_sysconf_dir/dkim-sign.conf}} \
+              {!def:h_DKIM-Signature:} \
+              {!def:h_List-ID:} \
+              {or {{def:authenticated_id} \
+                   {def:authenticated_sender}}}}:>)
+
+m4_define(<:DKIM_KEYS_INSTANCE:>,
+       <:${lookup {${domain:$h_From:}} partial0-lsearch \
+                       {CONF_sysconf_dir/dkim-sign.conf} \
+               _LOOKUP_ARGS(<:$1:>, <:$2:>)}:>)
+m4_define(<:DKIM_KEYS_STATE:>, <:${lookup {$1} lsearch \
+               {DKIM_KEYS_INSTANCE(<:{CONF_dkim_keys_dir/$value/active/dkim-keys.state}:>)} \
+       _LOOKUP_ARGS(<:$2:>, <:$3:>, <:fail:>)}:>)
+m4_define(<:DKIM_KEYS_INFO:>, <:DKIM_KEYS_STATE(<:params:>,
+       <:{${if and {{>={$tod_epoch}{KV(t0)}} \
+                   {<{$tod_epoch}{${eval:KV(t0) + KV(n)*KV(step)}}}} \
+               {DKIM_KEYS_STATE(<:info.${eval:($tod_epoch - KV(t0))/KV(step)}:>,
+                       <:$1:>, <:$2:>)} \
+               m4_ifelse(<:$2:>, <::>, <:fail:>, <:$2:>)}}:>,
+       m4_ifelse(<:$2:>, <::>, <:fail:>, <:$2:>)):>)
+
+m4_define(<:DKIM_SIGN:>,
+       <:dkim_domain = \
+               ${if DKIM_SIGN_P \
+                       {DKIM_KEYS_INSTANCE({${domain:$h_From:}})}}
+       dkim_selector = DKIM_KEYS_INFO(<:{KV(k)}:>)
+       dkim_private_key = \
+               DKIM_KEYS_INSTANCE(<:m4_dnl
+                       CONF_dkim_keys_dir/$value/active/$dkim_selector.priv:>)
+       dkim_canon = relaxed
+       dkim_strict = true
+       dkim_sign_headers = CONF_dkim_headers : \
+               X-CONF_header_token-DKIM-Key-Publication
+       headers_add = \
+               ${if DKIM_SIGN_P \
+                       {DKIM_KEYS_INFO(<:m4_dnl
+                               {X-CONF_header_token-DKIM-Key-Publication: \
+                                       DKIM signature not suitable for \
+                                       as evidence after delivery; \
+                                       DKIM private key KV(k) will be \
+                                       published at KV(u) on or before \
+                                       KV(tpub)}:>)}}:>)
+
 m4_define(<:SMTP_DELIVERY:>,
        <:## Prevent sending messages with overly long lines.  The use of
        ## `message_size_limit' here is somewhat misleading.
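Review bot: `partial0-lsearch` in DKIM_KEYS_INSTANCE lets a parent-domain or, as I read partial0, a bare `*` line in dkim-sign.conf match, while the success value of `dkim_domain` in DKIM_SIGN is always the literal `${domain:$h_From:}`, so an authenticated sender with `From: user@sub.example.org` gets `d=sub.example.org` signed with the key instance of whichever wider entry matched. Signing does not consult DNS and `dkim_strict = true` only defers when signing itself fails, so the selector record has to be published under every From domain the file can match, and a bare `*` entry would sign with whatever domain the sender chose; explicit domains or `*.` entries limited to DNS the operator controls seem safer. A `##` comment on DKIM_SIGN (the local style, see SMTP_DELIVERY below) describing the dkim-keys.state layout the expansions assume — a `params` line supplying `t0`, `n` and `step`, and `info.N` lines (N in 0..n-1 by `($tod_epoch - t0)/step`) supplying `k`, `u` and `tpub` — would spare the next maintainer reverse-engineering DKIM_KEYS_INFO. If APPLY_HEADER_CHANGES, invoked immediately before DKIM_SIGN in both transport hunks (`smtp` and SMTP_TRANS_DHBITS), already emits a `headers_add` line (its body starts above this hunk), the `headers_add` here would set that option a second time in the same driver — worth confirming. The advertised header text `DKIM signature not suitable for as evidence after delivery; \` presumably means `DKIM signature not suitable for use as evidence after delivery; \`.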
@@ -435,6 +479,7 @@ smtp:
        driver = smtp
        SMTP_DELIVERY
        APPLY_HEADER_CHANGES
+       DKIM_SIGN
        tls_require_ciphers = CONF_acceptable_ciphers
        tls_dh_min_bits = 508
        tls_tempfail_tryclear = true
@@ -443,6 +488,7 @@ m4_define(<:SMTP_TRANS_DHBITS:>,
        <:driver = smtp
        SMTP_DELIVERY
        APPLY_HEADER_CHANGES
+       DKIM_SIGN
        hosts_try_auth = *
        hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
        hosts_require_auth = \