Re: [AMaViS-user] DKIM: Headers signed twice?

Mark Martinec Thu, 22 Apr 2010 07:52:45 -0700

Stefan,

> On outgoing mails, I noticed that the DKIM headers inserted by
> amavisd-new look like that:
> 
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=incertum.net; h=
>         user-agent:in-reply-to:content-transfer-encoding
>         :content-disposition:content-type:content-type:mime-version
>         :references:message-id:subject:subject:from:from:date:date
>         :received:received:received; s=2007; t=1271446098; bh=DmklXs6cV2
>         9nE5nZkyU6E1NrclzUZQG5M3cYwm9c1rc=; b=jKiW55408hyTqQXHQiQz25VtM1
>         quWuFFyo1mrhiLKWkAjwfZkNr8ON0kNiT1ZVO/zWXoPR4DJHuKMBSTrU9cwBPFb+
>         KJednFiMuToYRmHhxaOZNh2nwHFYRI2tEgLnZoiZM4aG4pMXaw+xxVyA5qITRvjw
>         wxqjVqNQt96Zlqylg=
> 
> As you might notice, "subject", "from" and "date" appear twice. Is
> that normal? Something to worry about? My DKIM related settings are
> pretty basic: [...]
> This happens with amavisd-new 2.6.4 and Mail::DKIM 0.32.


Yes, it is normal, and it is intentional.


amavisd-new-2.6.4 release notes :

- support inclusion of null header field names in an 'h' tag of a DKIM
  signature generated by amavisd for specified header field names, thus
  preventing third parties from prepending additional occurrences of
  these header fields without breaking a signature; useful for example
  for protecting a recipient's mail reader or a filter from being tricked
  by supplying a duplicate From or Subject header fields; the protection is
  requested by specifying a value larger than 1 in %signed_header_fields,
  e.g.:
    $signed_header_fields{'from'} = 2;
    $signed_header_fields{'subject'} = 2;
    $signed_header_fields{'message-id'} = 2;
    $signed_header_fields{'content-type'} = 2;

  Please restrict values used in %signed_header_fields to 0, 1, or 2,
  consider other values reserved for future use.

  By default the following header fields are protected from duplicates by
  a DKIM signature generated by amavisd: From, Date, Subject, Content-Type.
  To revert to a classical behaviour, set their value in %signed_header_fields
  to 1, e.g.:
    $signed_header_fields{lc($_)} = 1 for qw(From Date Subject Content-Type);


See also RFC 4871 for explanation of the 'h' tag semantics.

  Mark


------------------------------------------------------------------------------
_______________________________________________
AMaViS-user mailing list
[email protected] 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/

Re: [AMaViS-user] DKIM: Headers signed twice?

Reply via email to