README.md

@@ -80,11 +80,6 @@ Authentication-Results: trusted.dkim.validating.relay;
 [...]
 ```
 
-## More authentic with DKIM alignment and message forwarding
-From the point of view of a postmaster, message forwarding is a kind of nightmare. If DKIM alignment is enabled the DKIM SDID (Signers Domain ID = `header.d` field of *Authentication-Results* header) must be equivalent to the RFC5322.from_domain. In this mode the **EXOTA-Milter** operates in the most secure way, but with limitations in terms of usability. With DKIM alignment enabled [traditional email forwarding](https://docs.microsoft.com/de-de/microsoft-365/admin/email/configure-email-forwarding?view=o365-worldwide) cannot be guaranteed. In this case the exchange online system preserves the original RFC5322.from header and signs the forwarded email with the main tenants SDID, e.g. *tenantdomain.onmicrosoft.com*. An email that was forwarded in that way cannot pass the DKIM alignment, because the RFC5322.from_domain will never match the DKIM SDID. Further there is no policy for the RFC5322.from_domain!
-
-Nevertheless, don´t put your head in the sand, there is a way out of this dilemma! Just use outlook rules to forward messages, which is described [here](https://support.microsoft.com/en-us/office/use-rules-to-automatically-forward-messages-45aa9664-4911-4f96-9663-ece42816d746). In this case the original content gets forwarded within a new message, that carries the correct RFC5322.from as well as the correct DKIM SDID! Messages forwarded in such way will always pass DKIM alignment -> mission accomplished! Don´t forget to tell your end users ;)
-
 ## X-MS-Exchange-CrossTenant-Id header (policy binding)
 Further each Microsoft Exchange-Online tenant has a unique tenant-ID in form of a UUID ([RFC 4122](https://tools.ietf.org/html/rfc4122)). **ExOTA-Milter** extracts the tenant-ID from the *X-MS-Exchange-CrossTenant-Id* email header and uses it as a *mandatory* authentication factor.
 ```

activity_policy.puml

@@ -33,19 +33,6 @@ if (Policy found?) then (yes)
         :REJECT;
         stop
       endif
-      if (Milter: DKIM alignment checking enabled?) then (yes)
-        if (Policy has DKIM-alignment enabled?) then (yes)
-          :Checking if DKIM-signature is aligned;
-          note left: DKIM SDID must equal to RFC5322.from_domain!
-          if (Is DKIM aligned?) then (yes)
-          else (no)
-            :REJECT;
-            stop
-          endif
-        else (no)
-        endif
-      else (no)
-      endif
     else (no)
     endif
   else (no)

app/exota-milter.py

@@ -353,17 +353,10 @@ class ExOTAMilter(Milter.Base):
             "/EOM: No aligned DKIM signatures found!"
           )
           if g_milter_dkim_alignment_required:
-            if policy.is_dkim_alignment_required() == False:
+            return self.smfir_reject(
-              logging.info(self.mconn_id + "/" + str(self.getsymval('i')) +
+              queue_id = self.getsymval('i'),
-                "/EOM: Policy overrides DKIM alignment requirement to '{0}'!".format(
+              reason = 'DKIM alignment required!'
-                  policy.is_dkim_alignment_required()
+            )
-                )
-              )
-            else:
-              return self.smfir_reject(
-                queue_id = self.getsymval('i'),
-                reason = 'DKIM alignment required!'
-              )
       else:
         logging.info(self.mconn_id + "/" + str(self.getsymval('i')) +
           "/EOM: No valid DKIM authentication result found"

app/policy.py

@@ -16,15 +16,7 @@ class ExOTAPolicyInvalidException(ExOTAPolicyException):
 class ExOTAPolicy():
   def __init__(self, policy_dict):
     self.tenant_id = policy_dict['tenant_id']
-    if 'dkim_enabled' in policy_dict:
+    self.dkim_enabled = policy_dict['dkim_enabled']
-      self.dkim_enabled = policy_dict['dkim_enabled']
-    else:
-      self.dkim_enabled = True
-    if 'dkim_alignment_required' in policy_dict:
-      self.dkim_alignment_required = policy_dict['dkim_alignment_required']
-    else:
-      # DKIM alignment per policy enabled by default
-      self.dkim_alignment_required = True
 
   def get_tenant_id(self):
     return self.tenant_id
@@ -32,42 +24,31 @@ class ExOTAPolicy():
   def is_dkim_enabled(self):
     return self.dkim_enabled
 
-  def is_dkim_alignment_required(self):
-    return self.dkim_alignment_required
-
   @staticmethod
   def check_policy(policy_dict):
     if 'tenant_id' not in policy_dict:
       raise ExOTAPolicyInvalidException(
-        "Policy must have a 'tenant_id' key!"
+        "Policy must have a 'tenant_id' attribute!"
       )
-    for policy_key in policy_dict:
+    else:
-      if policy_key == 'tenant_id':
+      try:
-        try:
+        UUID(policy_dict['tenant_id'])
-          UUID(policy_dict[policy_key])
+      except ValueError as e:
-        except ValueError as e:
-          raise ExOTAPolicyInvalidException(
-            "Invalid 'tenant_id': {0}".format(str(e))
-          ) from e
-        except Exception as e:
-          raise ExOTAPolicyInvalidException(
-            "Invalid 'tenant_id': {0}".format(traceback.format_exc())
-          ) from e
-      elif policy_key == 'dkim_enabled':
-        if not isinstance(policy_dict[policy_key], bool):
-          raise ExOTAPolicyInvalidException(
-            "'dkim_enabled'({0}) must be boolean!".format(policy_dict['dkim_enabled'])
-          )
-      elif policy_key == 'dkim_alignment_required':
-        if not isinstance(policy_dict[policy_key], bool):
-          raise ExOTAPolicyInvalidException(
-            "'dkim_alignment_required'({0}) must be boolean!".format(
-              policy_dict[policy_key]
-            )
-          )
-      else:
         raise ExOTAPolicyInvalidException(
-          "Invalid policy_key '{0}'!".format(policy_key)
+          "Invalid 'tenant_id': {0}".format(str(e))
+        ) from e
+      except Exception as e:
+        raise ExOTAPolicyInvalidException(
+          "Invalid 'tenant_id': {0}".format(traceback.format_exc())
+        ) from e
+    if 'dkim_enabled' not in policy_dict:
+      raise ExOTAPolicyInvalidException(
+        "Policy must have a 'dkim_enabled' attribute!"
+      )
+    else:
+      if not isinstance(policy_dict['dkim_enabled'], bool):
+        raise ExOTAPolicyInvalidException(
+          "'dkim_enabled'({0}) must be boolean!".format(policy_dict['dkim_enabled'])
         )
 
 class ExOTAPolicyBackend():

tests/miltertest.lua

@@ -30,7 +30,7 @@ if mt.getreply(conn) ~= SMFIR_CONTINUE then
 end
 
 -- HEADER
-if mt.header(conn, "fRoM", '"Blah Blubb" <O365ConnectorValidation@yad.onmicrosoft.com>') ~= nil then
+if mt.header(conn, "fRoM", '"Blah Blubb" <O365ConnectorValidation@yad.onmicrosoft.comx>') ~= nil then
   error "mt.header(From) failed"  
 end
 if mt.header(conn, "resent-fRoM", '"Blah Blubb" <blah@yad.onmicrosoft.COM>') ~= nil then
@@ -51,7 +51,7 @@ end
 if mt.header(conn, "Authentication-Results", "my-auth-serv-id;\n  exota=pass") ~= nil then
   error "mt.header(Subject) failed"  
 end
-if mt.header(conn, "Authentication-RESULTS", "my-auth-serv-id;\n  dkim=pass header.d=yad.onmicrosoft.comx header.s=selector1-yad-onmicrosoft-com header.b=mmmjFpv8") ~= nil then
+if mt.header(conn, "Authentication-RESULTS", "my-auth-serv-id;\n  dkim=pass header.d=yad.onmicrosoft.com-blubb header.s=selector1-yad-onmicrosoft-com header.b=mmmjFpv8") ~= nil then
   error "mt.header(Subject) failed"  
 end
 if mt.header(conn, "Authentication-Results", "my-auth-serv-id;\n  dkim=fail header.d=yad.onmicrosoft.com header.s=selector2-asdf header.b=mmmjFpv8") ~= nil then

tests/policy.json

@@ -1,8 +1,7 @@
 {
   "yad.onmicrosoft.com": {
     "tenant_id": "1234abcd-18c5-45e8-88de-123456789abc",
-    "dkim_enabled": true,
+    "dkim_enabled": true
-    "dkim_alignment_required": true
   },
   "example.com": {
     "tenant_id": "abcd1234-18c5-45e8-88de-987654321cba",