- dkim_collect_input = FALSE;
-
- /* Finish DKIM operation and fetch link to signatures chain */
- if (pdkim_feed_finish(dkim_verify_ctx,&dkim_signatures) != PDKIM_OK) return;
-
- sig = dkim_signatures;
- while (sig != NULL) {
- int size = 0;
- int ptr = 0;
- /* Log a line for each signature */
- uschar *logmsg = string_append(NULL, &size, &ptr, 5,
-
- string_sprintf( "DKIM: d=%s s=%s c=%s/%s a=%s ",
- sig->domain,
- sig->selector,
- (sig->canon_headers == PDKIM_CANON_SIMPLE)?"simple":"relaxed",
- (sig->canon_body == PDKIM_CANON_SIMPLE)?"simple":"relaxed",
- (sig->algo == PDKIM_ALGO_RSA_SHA256)?"rsa-sha256":"rsa-sha1"
- ),
- ((sig->identity != NULL)?
- string_sprintf("i=%s ", sig->identity)
- :
- US""
- ),
- ((sig->created > 0)?
- string_sprintf("t=%lu ", sig->created)
- :
- US""
- ),
- ((sig->expires > 0)?
- string_sprintf("x=%lu ", sig->expires)
- :
- US""
- ),
- ((sig->bodylength > -1)?
- string_sprintf("l=%lu ", sig->bodylength)
- :
- US""
- )
- );
-
- switch(sig->verify_status) {
- case PDKIM_VERIFY_NONE:
- logmsg = string_append(logmsg, &size, &ptr, 1, "[not verified]");
+store_pool = dkim_verify_oldpool;
+}
+
+
+/* Log the result for the given signature */
+static void
+dkim_exim_verify_log_sig(pdkim_signature * sig)
+{
+gstring * logmsg;
+uschar * s;
+
+if (!sig) return;
+
+/* Remember the domain for the first pass result */
+
+if ( !dkim_verify_overall
+ && dkim_verify_status
+ ? Ustrcmp(dkim_verify_status, US"pass") == 0
+ : sig->verify_status == PDKIM_VERIFY_PASS
+ )
+ dkim_verify_overall = string_copy(sig->domain);
+
+/* Rewrite the sig result if the ACL overrode it. This is only
+needed because the DMARC code (sigh) peeks at the dkim sigs.
+Mark the sig for this having been done. */
+
+if ( dkim_verify_status
+ && ( dkim_verify_status != dkim_exim_expand_query(DKIM_VERIFY_STATUS)
+ || dkim_verify_reason != dkim_exim_expand_query(DKIM_VERIFY_REASON)
+ ) )
+ { /* overridden by ACL */
+ sig->verify_ext_status = -1;
+ if (Ustrcmp(dkim_verify_status, US"fail") == 0)
+ sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_FAIL;
+ else if (Ustrcmp(dkim_verify_status, US"invalid") == 0)
+ sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_INVALID;
+ else if (Ustrcmp(dkim_verify_status, US"none") == 0)
+ sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_NONE;
+ else if (Ustrcmp(dkim_verify_status, US"pass") == 0)
+ sig->verify_status = PDKIM_VERIFY_POLICY | PDKIM_VERIFY_PASS;
+ else
+ sig->verify_status = -1;
+ }
+
+if (!LOGGING(dkim_verbose)) return;
+
+
+logmsg = string_catn(NULL, US"DKIM: ", 6);
+if (!(s = sig->domain)) s = US"<UNSET>";
+logmsg = string_append(logmsg, 2, "d=", s);
+if (!(s = sig->selector)) s = US"<UNSET>";
+logmsg = string_append(logmsg, 2, " s=", s);
+logmsg = string_fmt_append(logmsg, " c=%s/%s a=%s b=" SIZE_T_FMT,
+ sig->canon_headers == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+ sig->canon_body == PDKIM_CANON_SIMPLE ? "simple" : "relaxed",
+ dkim_sig_to_a_tag(sig),
+ (int)sig->sighash.len > -1 ? sig->sighash.len * 8 : (size_t)0);
+if ((s= sig->identity)) logmsg = string_append(logmsg, 2, " i=", s);
+if (sig->created > 0) logmsg = string_fmt_append(logmsg, " t=%lu",
+ sig->created);
+if (sig->expires > 0) logmsg = string_fmt_append(logmsg, " x=%lu",
+ sig->expires);
+if (sig->bodylength > -1) logmsg = string_fmt_append(logmsg, " l=%lu",
+ sig->bodylength);
+
+if (sig->verify_status & PDKIM_VERIFY_POLICY)
+ logmsg = string_append(logmsg, 5,
+ US" [", dkim_verify_status, US" - ", dkim_verify_reason, US"]");
+else
+ switch (sig->verify_status)
+ {
+ case PDKIM_VERIFY_NONE:
+ logmsg = string_cat(logmsg, US" [not verified]");