X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/22a15d24a7239e23c59fff9467eb3bb98755460a..a6127611de9e7d36fecc4a59a0d1aad651e8092a:/base.m4?ds=sidebyside

diff --git a/base.m4 b/base.m4
index 7c9cdb7..4f16e20 100644
--- a/base.m4
+++ b/base.m4
@@ -128,7 +128,7 @@ SECTION(acl, misc)m4_dnl
 helo:
 	## Don't worry if this is local submission.  MUAs won't necessarily
 	## have a clear idea of their hostnames.  (For some reason.)
-	accept	 condition = ${if !eq{$acl_c_mode}{submission}}
+	accept	 condition = ${if eq{$acl_c_mode}{submission}}
 
 	## Check that the caller's claimed identity is actually plausible.
 	## This seems like it's a fairly effective filter on spamminess, but
@@ -424,7 +424,8 @@ m4_define(<:DKIM_SIGN_P:>,
 	       {!def:h_DKIM-Signature:} \
 	       {!def:h_List-ID:} \
 	       {or {{def:authenticated_id} \
-		    {def:authenticated_sender}}}}:>)
+		    {def:authenticated_sender}}} \
+	       {bool {DKIM_KEYS_INSTANCE(<:{true}:>, <:{false}:>)}}}:>)
 
 m4_define(<:DKIM_KEYS_INSTANCE:>,
 	<:${lookup {${domain:$h_From:}} partial0-lsearch \
@@ -451,17 +452,31 @@ m4_define(<:DKIM_SIGN:>,
 			{CONF_dkim_keys_dir/$value/active/$dkim_selector.priv}:>)
 	dkim_canon = relaxed
 	dkim_strict = true
-	dkim_sign_headers = CONF_dkim_headers : \
-		X-CONF_header_token-DKIM-Key-Publication
+	## The following ridiculous stunt does two important jobs.  Firstly,
+	## and more obviously, it arranges to include one more copy of each
+	## header name than the message actually contains, thereby causing
+	## the signature to fail if another header with the same name is
+	## added.  And secondly, and far more subtly, it also trims the
+	## spaces from the header names so that they're in the format that
+	## the signing machinery secretly wants.
+	dkim_sign_headers = \
+		${sg {${map {CONF_dkim_headers : \
+			     X-CONF_header_token-DKIM-Key-Publication} \
+			    {$item${sg {${expand:\$h_$item:}\n} \
+				       {((?:[^\n]+|\n\\s+)*)\n} \
+				       {:$item}}}}} \
+		     {::}{:}}
 	headers_add = \
 		${if DKIM_SIGN_P \
 			{DKIM_KEYS_INFO(<:m4_dnl
 				{X-CONF_header_token-DKIM-Key-Publication: \
-					DKIM signature not suitable for \
-					as evidence after delivery; \
+					DKIM signature not suitable \
+					as evidence after delivery;\n\t\
 					DKIM private key KV(k) will be \
-					published at KV(u) on or before \
-					KV(tpub)}:>)}}:>)
+					published\n\t\
+					at KV(u)\n\t\
+					on or before KV(tpub)}:>)}}:>)
+
 
 m4_define(<:SMTP_DELIVERY:>,
 	<:## Prevent sending messages with overly long lines.  The use of