https://bugs.exim.org/show_bug.cgi?id=2706

--- Comment #5 from Eugene Berdnikov <[email protected]> ---
(In reply to Simon Arlott from comment #2)
> I've just tested Exim 4.90 with "+Received", "=Received" and "Received" and
> it behaves as expected when checking with Mail::DKIM::Verifier (and amending
> headers to fit the signature).

 Simon, thank you for the reference to Mail::DKIM::Verifier, it saves time.

> Exim does DKIM validation at SMTP time while reading the incoming message so
> it doesn't have an additional Received: header yet. With "+Received",
> SpamAssassin will fail validation because this happens after another
> Received: header is added.

 Yes, this is a point I did not understand until I reread RFC6378 carefully.

> The first two are over-signing the Received: header so it is inevitable that
> the signature will fail to validate after another one is added.

 Not two. Only the "+Received" form does oversigning.
 The "=Received" instructs to sign all existing headers and nothing more.
 The "Received" instructs to sign a single (lowermost) header.

 However, I really do not like how it is documented (in Ch.58 par.2:
 "A name can be prefixed with either an “=” or a “+” character.
 If an “=” prefix is used, all headers that are present with this name
 will be signed. If a “+” prefix if used, all headers that are present
 with this name will be signed, and one signature added for a missing
 header with the name will be appended.")

 I propose this variant:

 A name can be prefixed with either an “=” or a “+” character, instructing
 Exim how many instances of the named header should be included in the signature.
 If the name is not prefixed, only a single (lowermost) header field is signed.
 If the name is prefixed by "=", all existing headers are signed, from bottom
 to top, and each occurrence is referenced in the "h=" tag of the DKIM-Signature
 (see RFC6376 sect 5.4 for details). If the name is prefixed by "+", all
 existing headers are signed as with the "=" prefix, plus an additional null
 header instance is included in the signature (and displayed in the "h=" tag),
 preventing additional headers with this name from being joined to the message.
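
Added example, not part of the original comment and not Exim's code: a model of the header selection rule in RFC 6376 section 5.4.2, showing which of the three forms discussed above still covers the same header instances after a later hop prepends its own Received: header. The sample headers and all function names are constructed for illustration, and the handling of an unprefixed name whose header is absent is an assumption of this sketch.

```python
# Models only WHICH header instances a DKIM signature covers; it does no
# canonicalization or hashing. Headers are (name, value) pairs, top to bottom.

def build_h_tag(spec, headers):
    """Names placed in h= for one spec: 'Name', '=Name' or '+Name'."""
    prefix = spec[0] if spec[0] in "=+" else ""
    name = spec[len(prefix):].lower()
    present = sum(1 for n, _ in headers if n.lower() == name)
    if prefix == "":
        count = 1 if present else 0   # assumption: absent header is not listed
    elif prefix == "=":
        count = present               # every existing instance
    else:
        count = present + 1           # every instance plus one null (oversign)
    return [name] * count

def select_instances(h_tag, headers):
    """RFC 6376 5.4.2: each name in h= takes the lowest unused instance;
    a name with no instance left selects the null string (None here)."""
    remaining = list(headers)
    selected = []
    for name in h_tag:
        for i in range(len(remaining) - 1, -1, -1):   # scan bottom to top
            if remaining[i][0].lower() == name:
                selected.append(remaining.pop(i))
                break
        else:
            selected.append(None)
    return selected

def survives_new_header(spec, headers, added):
    """True if signer and verifier select identical instances after a relay
    prepends `added` at the top of the header block."""
    h_tag = build_h_tag(spec, headers)
    return select_instances(h_tag, headers) == \
        select_instances(h_tag, [added] + headers)

# Constructed sample: the message as signed, and the header the next hop adds.
AT_SIGNING = [("Received", "from a.example by b.example"),
              ("Received", "from client by a.example"),
              ("From", "user@a.example")]
NEXT_HOP = ("Received", "from b.example by c.example")

if __name__ == "__main__":
    for spec in ("Received", "=Received", "+Received"):
        print(spec, "h=" + ":".join(build_h_tag(spec, AT_SIGNING)),
              "verifies after next hop:",
              survives_new_header(spec, AT_SIGNING, NEXT_HOP))
```

Only the "+Received" row reports a mismatch: the null instance the signer covered is filled by the next hop's header when the verifier runs later in the path.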
