EximWiki: BATV signed address

Guide to implementing Bounce Address Tag Validation.

1) Define a BATV key:
BATVKEY=s3cr3ts3cr1t

2) Define a list of domains to use BATV for:

domainlist use_batv_domains = foo.com : bar.com

3) Define ACLs to check/reject bounces for these domains:

• deny
  

  • domains = +use_batv_domains
    message = invalid or expired BATV signature
    senders = :
    control = caseful_local_part
    condition = ${prvscheck{$local_part@$domain}{BATVKEY}{1}}
    !condition = $prvscheck_result
    

  deny
  

  • domains = +use_batv_domains
    message = bounce messages must be returned to a BATV signed address
    senders = :
    !condition = ${prvscheck {$local_part@$domain}{BATVKEY}{true}}
    #Hosts that should be exempt from the requirement
    #hosts = ! 192.168.1.20
    

4) Define a router for outgoing mail sent from these domains:

relay_batv:

• driver = dnslookup
  transport = remote_smtp_batv
  condition = ${if match_domain{$sender_address_domain}{+use_batv_domains}{yes}{no}}
  
  

5) And a transport to match:

remote_smtp_batv:

• driver = smtp
  return_path = ${if match_address{$return_path}{*@*} {${prvs {$return_path} {BATVKEY}}} fail }
  
  

6) Define a router for incoming mail to undo the PRVS-encoding ahead of any local delivery:
batv_redirect:

• driver = redirect
  data = ${prvscheck{$local_part@$domain}{BATVKEY}{$value}}
  allow_fail
  domains = +use_batv_domains