X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/30fee27e8cc8a15689f5f673d217f256c3a030c9..d4f4bfc3ea47f8ba89db46a8b48ded19add391e1:/base.m4

diff --git a/base.m4 b/base.m4
index 8bcf0a4..1b671ef 100644
--- a/base.m4
+++ b/base.m4
@@ -128,7 +128,7 @@ SECTION(acl, misc)m4_dnl
 helo:
 	## Don't worry if this is local submission.  MUAs won't necessarily
 	## have a clear idea of their hostnames.  (For some reason.)
-	accept	 condition = ${if !eq{$acl_c_mode}{submission}}
+	accept	 condition = ${if eq{$acl_c_mode}{submission}}
 
 	## Check that the caller's claimed identity is actually plausible.
 	## This seems like it's a fairly effective filter on spamminess, but
@@ -448,11 +448,23 @@ m4_define(<:DKIM_SIGN:>,
 	dkim_selector = DKIM_KEYS_INFO(<:{KV(k)}:>)
 	dkim_private_key = \
 		DKIM_KEYS_INSTANCE(<:m4_dnl
-			CONF_dkim_keys_dir/$value/active/$dkim_selector.priv:>)
+			{CONF_dkim_keys_dir/$value/active/$dkim_selector.priv}:>)
 	dkim_canon = relaxed
 	dkim_strict = true
-	dkim_sign_headers = CONF_dkim_headers : \
-		X-CONF_header_token-DKIM-Key-Publication
+	## The following ridiculous stunt does two important jobs.  Firstly,
+	## and more obviously, it arranges to include one more copy of each
+	## header name than the message actually contains, thereby causing
+	## the signature to fail if another header with the same name is
+	## added.  And secondly, and far more subtly, it also trims the
+	## spaces from the header names so that they're in the format that
+	## the signing machinery secretly wants.
+	dkim_sign_headers = \
+		${sg {${map {CONF_dkim_headers : \
+			     X-CONF_header_token-DKIM-Key-Publication} \
+			    {$item${sg {${expand:\$h_$item:}\n} \
+				       {((?:[^\n]+|\n\\s+)*)\n} \
+				       {:$item}}}}} \
+		     {::}{:}}
 	headers_add = \
 		${if DKIM_SIGN_P \
 			{DKIM_KEYS_INFO(<:m4_dnl