X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/a698003807a8bbaed1ae1065d0a6bb2593b4400a..30fee27e8cc8a15689f5f673d217f256c3a030c9:/base.m4

diff --git a/base.m4 b/base.m4
index 21f774b..8bcf0a4 100644
--- a/base.m4
+++ b/base.m4
@@ -419,6 +419,50 @@ m4_define(<:APPLY_HEADER_CHANGES:>,
 		<:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
 		$2:>):>)
 
+m4_define(<:DKIM_SIGN_P:>,
+	<:and {{exists{CONF_sysconf_dir/dkim-sign.conf}} \
+	       {!def:h_DKIM-Signature:} \
+	       {!def:h_List-ID:} \
+	       {or {{def:authenticated_id} \
+		    {def:authenticated_sender}}}}:>)
+
+m4_define(<:DKIM_KEYS_INSTANCE:>,
+	<:${lookup {${domain:$h_From:}} partial0-lsearch \
+			{CONF_sysconf_dir/dkim-sign.conf} \
+		_LOOKUP_ARGS(<:$1:>, <:$2:>)}:>)
+m4_define(<:DKIM_KEYS_STATE:>, <:${lookup {$1} lsearch \
+		{DKIM_KEYS_INSTANCE(<:{CONF_dkim_keys_dir/$value/active/dkim-keys.state}:>)} \
+	_LOOKUP_ARGS(<:$2:>, <:$3:>, <:fail:>)}:>)
+m4_define(<:DKIM_KEYS_INFO:>, <:DKIM_KEYS_STATE(<:params:>,
+	<:{${if and {{>={$tod_epoch}{KV(t0)}} \
+		    {<{$tod_epoch}{${eval:KV(t0) + KV(n)*KV(step)}}}} \
+		{DKIM_KEYS_STATE(<:info.${eval:($tod_epoch - KV(t0))/KV(step)}:>,
+			<:$1:>, <:$2:>)} \
+		m4_ifelse(<:$2:>, <::>, <:fail:>, <:$2:>)}}:>,
+	m4_ifelse(<:$2:>, <::>, <:fail:>, <:$2:>)):>)
+
+m4_define(<:DKIM_SIGN:>,
+	<:dkim_domain = \
+		${if DKIM_SIGN_P \
+			{DKIM_KEYS_INSTANCE({${domain:$h_From:}})}}
+	dkim_selector = DKIM_KEYS_INFO(<:{KV(k)}:>)
+	dkim_private_key = \
+		DKIM_KEYS_INSTANCE(<:m4_dnl
+			CONF_dkim_keys_dir/$value/active/$dkim_selector.priv:>)
+	dkim_canon = relaxed
+	dkim_strict = true
+	dkim_sign_headers = CONF_dkim_headers : \
+		X-CONF_header_token-DKIM-Key-Publication
+	headers_add = \
+		${if DKIM_SIGN_P \
+			{DKIM_KEYS_INFO(<:m4_dnl
+				{X-CONF_header_token-DKIM-Key-Publication: \
+					DKIM signature not suitable for \
+					as evidence after delivery; \
+					DKIM private key KV(k) will be \
+					published at KV(u) on or before \
+					KV(tpub)}:>)}}:>)
+
 m4_define(<:SMTP_DELIVERY:>,
 	<:## Prevent sending messages with overly long lines.  The use of
 	## `message_size_limit' here is somewhat misleading.
@@ -435,6 +479,7 @@ smtp:
 	driver = smtp
 	SMTP_DELIVERY
 	APPLY_HEADER_CHANGES
+	DKIM_SIGN
 	tls_require_ciphers = CONF_acceptable_ciphers
 	tls_dh_min_bits = 508
 	tls_tempfail_tryclear = true
@@ -443,6 +488,7 @@ m4_define(<:SMTP_TRANS_DHBITS:>,
 	<:driver = smtp
 	SMTP_DELIVERY
 	APPLY_HEADER_CHANGES
+	DKIM_SIGN
 	hosts_try_auth = *
 	hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
 	hosts_require_auth = \