Split DKIM checks into separate rules

Errors now distinguish between a missing DKIM signature,
a missing DNS entry and an invalid DKIM signature.
link2xt 2024-01-15 02:36:10 +00:00
parent d575d62b18
commit 700256c273


@ -1,19 +1,32 @@
rules { rules {
# Reject on missing or invalid DKIM signature. ## Reject on missing or invalid DKIM signatures.
# ##
# We require DKIM signature on incoming mails regardless of DMARC policy. ## We require DKIM signature on incoming mails regardless of DMARC policy.
#
# - R_DKIM_REJECT: DKIM reject inserted by `dkim` module. # R_DKIM_REJECT: DKIM reject inserted by `dkim` module.
# - R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found. REJECT_INVALID_DKIM {
# - No DKIM signing (R_DKIM_NA symbol inserted by `dkim` module)
REJECT_DKIM {
action = "reject"; action = "reject";
expression = "R_DKIM_REJECT | R_DKIM_PERMFAIL | R_DKIM_NA"; expression = "R_DKIM_REJECT";
message = "Rejected due to missing or invalid DKIM signature"; message = "Rejected due to invalid DKIM signature";
} }
# Reject on SPF failure. # R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
# REJECT_PERMFAIL_DKIM {
action = "reject";
expression = "R_DKIM_PERMFAIL";
message = "Rejected due to missing DKIM DNS entry";
}
# No DKIM signature (R_DKIM_NA symbol inserted by `dkim` module).
REJECT_MISSING_DKIM {
action = "reject";
expression = "R_DKIM_NA";
message = "Rejected due to missing DKIM signature";
}
## Reject on SPF failure.
# - SPF failure (R_SPF_FAIL) # - SPF failure (R_SPF_FAIL)
# - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL) # - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
REJECT_SPF { REJECT_SPF {
@ -29,6 +42,7 @@ rules {
message = "Rejected due to DMARC policy"; message = "Rejected due to DMARC policy";
} }
# Do not reject if: # Do not reject if:
# - R_DKIM_TEMPFAIL, it is a DNS resolution failure # - R_DKIM_TEMPFAIL, it is a DNS resolution failure
# and we do not want to lose messages because of faulty network. # and we do not want to lose messages because of faulty network.
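Review bot: In the new REJECT_PERMFAIL_DKIM rule the reject message is narrower than the condition it reports. The comment above the rule describes R_DKIM_PERMFAIL as a permanent failure and gives a missing DNS record only as an example ("e.g."), yet every such rejection is reported as "Rejected due to missing DKIM DNS entry". A sender whose DKIM record exists but fails permanently for another reason would be pointed at the wrong fix. Consider `message = "Rejected due to permanent DKIM failure, e.g. missing DKIM DNS entry";`. The `## Reject on missing or invalid DKIM signatures.` header could also name the three rules, so an operator can map a bounce text back to the rule that produced it.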