https://bugs.exim.org/show_bug.cgi?id=2394
--- Comment #5 from Andreas Metzler <eximus...@bebt.de> ---

Hello,

I have started looking at DKIM recently and stumbled over this report. The current default value seems to be less than optimal: dkim_sign_headers defaults to _DKIM_SIGN_HEADERS, i.e. it reads

From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive

Notably, exim is not using either the = or the + modifier but signs the headers no matter whether they are present or not; therefore it is oversigning the headers that are not present and /signing/ without oversigning the headers that are present. So this offers protection

* against modification of present headers,
* against addition of the headers if they were not present,
* but does not protect against adding e.g. another From: or Subject: header.

I think this choice does not make a lot of sense. For any given header I would want to choose one of these alternatives:

a) do not sign
b) if present, sign (with oversign to prevent addition of a duplicate with different content); allow addition otherwise.
c) always sign no matter whether present or not (with oversign to prevent addition of the header or addition of a duplicate of the present header).

E.g. I would put From: in the (b)-basket and List-Subscribe into (c).

Sadly RFC 6376 does not offer a lot of hard guidance there; it essentially says "think about it carefully, and always sign From:." However, I am convinced that most people currently need to override exim's preset for dkim_sign_headers and would like to improve it.

Please tell me if I am completely off, or if there is some hidden, commonly accepted DKIM best-practice document I have missed.

cu Andreas
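The following is an added model of the signer and verifier behaviour the comment describes; it is not part of the bug report or of Exim's code. It expands a dkim_sign_headers spec into the h= list using the semantics stated above (no modifier: listed once whether present or not; "+": if present, listed count+1 times; "=": always listed count+1 times), then applies the RFC 6376 rule that the verifier consumes header instances bottom-up and treats missing ones as empty. The spec strings and messages are constructed; only coverage is modelled, not canonicalisation or hashing.

```python
from collections import Counter

# Constructed: a prefix of Exim's default list, and a hypothetical variant using the
# '+' (sign if present, oversign) and '=' (always sign, oversign) modifiers.
DEFAULT_SPEC = "From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc"
HARDENED_SPEC = "+From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:=List-Subscribe"

# Constructed messages: header lines, top of message first. FORGED is MSG with an
# extra From: prepended, which is exactly the case the comment says is not covered.
MSG = ["From: alice@example.org", "Subject: hi", "To: bob@example.net"]
FORGED = ["From: ceo@example.org"] + MSG

def _name(line):
    return line.split(":", 1)[0].strip().lower()  # DKIM compares names case-insensitively

def h_tag(spec, headers):
    """Expand a dkim_sign_headers spec into the sequence of names a signer puts in h=."""
    present = Counter(_name(l) for l in headers)
    out = []
    for item in spec.split(":"):
        mod = item[0] if item[:1] in "+=" else ""
        name = item.lstrip("+=").lower()
        n = present.get(name, 0)
        if mod == "":                      # signed once, present or not
            out.append(name)
        elif mod == "+" and n:             # only if present, plus one empty slot
            out.extend([name] * (n + 1))
        elif mod == "=":                   # always, plus one empty slot
            out.extend([name] * (n + 1))
    return out

def covered(h, headers):
    """Header instances a verifier binds for this h=: for each listed name take the
    next unused instance from the bottom of the message, or '' once exhausted."""
    by_name = {}
    for line in reversed(headers):
        by_name.setdefault(_name(line), []).append(line)
    used, out = Counter(), []
    for name in h:
        inst = by_name.get(name, [])
        out.append(inst[used[name]] if used[name] < len(inst) else "")
        used[name] += 1
    return tuple(out)

def still_verifies(spec, signed, received):
    """True if the verifier would bind the same bytes the signer did (signature holds)."""
    h = h_tag(spec, signed)
    return covered(h, signed) == covered(h, received)
```

With DEFAULT_SPEC the prepended From: is never reached by the verifier, so the signature still holds; with HARDENED_SPEC the extra slot signed as empty now maps to the new header and verification fails.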