author Jeremy Harris <jgh146exb@wizmail.org> 2017-11-07 19:01:42 +0000
committer Jeremy Harris <jgh146exb@wizmail.org> 2017-11-07 19:01:42 +0000
commit a79d883474c84fa2a286b7797a7664b599912fcd
tree dba2c8be5c8c9f90504ad157c2e2623f142de1a4 /doc
parent ba86e143c7aeb0d70ea4c9d73a617a98f06f6baa
DKIM: Allow the DKIM ACL to override verification results. Bug 2186
This provides generic support, though it covers the need introduced by https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-usage/?include_text=1 (deprecating sha-1 and RSA keys shorter than 1024 bits).
Diffstat (limited to 'doc')
-rw-r--r-- doc/doc-docbook/spec.xfpt 17
-rw-r--r-- doc/doc-txt/NewStuff 1
2 files changed, 18 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 7a0841cb2..98986e032 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -38731,6 +38731,19 @@ available in &%$dkim_verify_reason%&.
&%pass%&: The signature passed verification. It is valid.
.endlist
+.new
+This variable can be overwritten using an ACL 'set' modifier.
+This might, for instance, be done to enforce a policy restriction on
+hash-method or key-size:
+.code
+ warn condition = ${if eq {$dkim_algo}{rsa-sha1}}
+ condition = ${if eq {$dkim_verify_status}{pass}}
+ logwrite = NOTE: forcing dkim verify fail (was pass)
+ set dkim_verify_status = fail
+ set dkim_verify_reason = hash too weak
+.endd
+.wen
+
.vitem &%$dkim_verify_reason%&
A string giving a little bit more detail when &%$dkim_verify_status%& is either
"fail" or "invalid". One of
@@ -38751,6 +38764,10 @@ re-written or otherwise changed in a way which is incompatible with
DKIM verification. It may of course also mean that the signature is forged.
.endlist
+.new
+This variable can be overwritten using an ACL 'set' modifier.
+.wen
+
.vitem &%$dkim_domain%&
The signing domain. IMPORTANT: This variable is only populated if there is
an actual signature in the message for the current domain or identity (as
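Review bot: The sentence added under $dkim_verify_reason does not say whether the overriding value has to be one of the reasons this item lists; the example added under $dkim_verify_status sets it to "hash too weak", which reads as free text. Say explicitly what values are accepted, and write "the DKIM ACL" rather than "an ACL" so the wording matches the commit subject and the NewStuff entry.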
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 7e6971dde..aa2117e7e 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -55,6 +55,7 @@ Version 4.90
DKIM support for multiple hashes, and for alternate-identity tags.
Builtin macro with default list of signed headers.
Better syntax for specifying oversigning.
+ The DKIM ACL can override verification results.
14. Exipick understands -C|--config for an alternative Exim
configuration file.
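Review bot: The NewStuff line does not say what can be overridden or how. Naming the two variables, $dkim_verify_status and $dkim_verify_reason, and the 'set' modifier would let a reader go from this entry to the matching text in spec.xfpt.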