From: Jeremy Harris Date: Sun, 5 Jan 2014 21:22:06 +0000 (+0000) Subject: Document (and enforce) that DKIM-signing is not supported in combination with cutthrou... X-Git-Tag: exim-4_83_RC1~87 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/6e62c454 Document (and enforce) that DKIM-signing is not supported in combination with cutthrough routing --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 88308ba23..1ba0a10dd 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -27295,6 +27295,9 @@ after the ACL completes. Note that routers are used in verify mode. Note also that headers cannot be modified by any of the post-data ACLs (DATA, MIME and DKIM). +Cutthrough delivery is not supported via transport-filters or when DKIM signing +of outgoing messages is done, because it sends data to the ultimate destination +before the entire message has been received from the source. Should the ultimate destination system positively accept or reject the mail, a corresponding indication is given to the source system and nothing is queued. @@ -27305,7 +27308,6 @@ line. Delivery in this mode avoids the generation of a bounce mail to a (possibly faked) sender when the destination system is doing content-scan based rejection. -Cutthrough delivery is not supported via transport-filters. .vitem &*control&~=&~debug/*&<&'options'&> @@ -36347,7 +36349,9 @@ disabled by setting DISABLE_DKIM=yes in Local/Makefile. Exim's DKIM implementation allows to .olist Sign outgoing messages: This function is implemented in the SMTP transport. -It can co-exist with all other Exim features, including transport filters. +It can co-exist with all other Exim features +(including transport filters) +except cutthrough delivery. .next Verify signatures in incoming messages: This is implemented by an additional ACL (acl_smtp_dkim), which can be called several times per message, with 
@@ -36438,6 +36442,10 @@ used. Verification of DKIM signatures in incoming email is implemented via the &%acl_smtp_dkim%& ACL. By default, this ACL is called once for each syntactically(!) correct signature in the incoming message. +A missing ACL definition defaults to accept. +If any ACL call does not acccept, the message is not accepted. +If a cutthrough delivery was in progress for the message it is +summarily dropped (having wasted the transmission effort). To evaluate the signature in the ACL a large number of expansion variables containing the signature status and its details are set up during the diff --git a/src/src/verify.c b/src/src/verify.c index 911d67227..c103f592f 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -698,10 +698,18 @@ else /* For now, transport_filter by cutthrough-delivery is not supported */ /* Need proper integration with the proper transport mechanism. */ - if (cutthrough_delivery && addr->transport->filter_command) + if (cutthrough_delivery) { - cutthrough_delivery= FALSE; - HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n"); + if (addr->transport->filter_command) + { + cutthrough_delivery= FALSE; + HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n"); + } + if (ob->dkim_domain) + { + cutthrough_delivery= FALSE; + HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n"); + } } SEND_FAILED:
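Review bot: In the first spec.xfpt hunk (@@ -27295), the added sentence says cutthrough delivery is "not supported" with transport filters or DKIM signing but does not say what happens when an administrator configures both. The verify.c change in this patch clears cutthrough_delivery and emits only a debug line, so the text should state that cutthrough is cancelled for that message rather than leaving the reader to guess whether it is an error. The sentence is also inserted between the note about headers and "Should the ultimate destination system positively accept or reject the mail", which interrupts that explanation; the position of the sentence removed in the following hunk, after the content-scan paragraph, reads better.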
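Review bot: In the acl_smtp_dkim hunk (@@ -36438), the added line "If any ACL call does not acccept, the message is not accepted." misspells "accept". In the next added sentence, "it is summarily dropped" leaves the referent unclear (the cutthrough delivery, not the incoming message); suggest naming it, for example "that cutthrough delivery is summarily dropped". Since the hunk now states that a missing ACL definition defaults to accept, it would also help to say in the same place which outcomes count as "does not accept", so the rejection rule can be read without consulting the ACL chapter.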
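Review bot: In the src/src/verify.c hunk (@@ -698), the new test "if (ob->dkim_domain)" reads a DKIM option unconditionally, while the spec context earlier in this patch notes that DKIM can be compiled out with DISABLE_DKIM=yes in Local/Makefile; if dkim_domain exists only in DKIM-enabled builds, this block needs an #ifndef DISABLE_DKIM guard or the disabled build breaks. The comment kept above the block still reads "For now, transport_filter by cutthrough-delivery is not supported" and should be extended to cover DKIM signing. The test checks only that the option is set on the transport, so cutthrough is cancelled whenever a signing domain is configured at all; if that is the intended conservative behaviour, say so in the comment. Minor: when both conditions hold, both "Cutthrough cancelled" debug lines are printed, and an "else if" would keep the log to one reason.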