On 31/07/18 14:02, Richard James Salts via Exim-users wrote:
On Tuesday, 31 July 2018 9:26:15 PM AEST Jeremy Harris via Exim-users wrote:
On 07/31/2018 12:08 PM, Graeme Fowler via Exim-users wrote:
X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;
c=relaxed/relaxed;
d=open-t.co.uk; s=20170820; h=Content-Transfer-Encoding:Content-Type:...
The second one has included headers which I would not expect to be present
on a message from a client to a mailing list. It also includes them in
the DKIM sig - yet they don't exist, or shouldn't, at the submission
stage.
Oversigning. It gives an assertion that the header is not present.
Exim can do it; it's not default - see the last para. in the description
of dkim_sign_headers.
Yeah, oversigning indeed. I think the recommendation from the DKIM RFC is about
signing and not oversigning. I've changed the preferences for DKIM into:
dkim_sign_headers = +From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:+Content-Description:+Content-Disposition:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:+References:=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive
This choice is based on
https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html
Thank you for that link. I had no idea DKIM and mailing lists are such a
nightmare - or that there are so many potential holes in DKIM itself.
I'll be trying to get my head around which way is best to configure it.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
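
The oversigning effect discussed in this thread, as an added example that is not part of any of the messages: it applies the RFC 6376 rule that each name in h= consumes the bottom-most unused instance of that header and that a name with no instance left contributes the null string. The addresses and header values are constructed, and the sketch covers only the header selection step (it omits the DKIM-Signature header's own contribution to the hash and the RSA operation).

```python
import hashlib

def relaxed(name, value):
    # RFC 6376 "relaxed" header canonicalization: lowercase the name,
    # collapse runs of whitespace in the value, strip the ends.
    return f"{name.lower().strip()}:{' '.join(value.split())}\r\n"

def signed_header_input(headers, h_tag):
    """headers: (name, value) pairs in message order, top to bottom.
    h_tag: the colon-separated value of the signature's h= tag."""
    remaining = {}
    for name, value in headers:
        remaining.setdefault(name.lower(), []).append(value)
    out = []
    for name in (n.strip().lower() for n in h_tag.split(":")):
        instances = remaining.get(name, [])
        if instances:
            # Take the bottom-most instance not yet consumed.
            out.append(relaxed(name, instances.pop()))
        # No instance left: the entry is hashed as the null string. This is
        # the oversigned slot that asserts "no (further) header of this name".
    return "".join(out)

def digest(headers, h_tag):
    return hashlib.sha256(signed_header_input(headers, h_tag).encode()).hexdigest()

# Constructed sample message as it leaves the signer.
ORIGINAL = [
    ("From", "alice@example.org"),
    ("To", "list@example.net"),
    ("Subject", "hello"),
]

def survives(h_tag, added_header):
    """True if the header hash is unchanged after added_header is
    prepended to the message downstream of the signer."""
    modified = [added_header] + ORIGINAL
    return digest(ORIGINAL, h_tag) == digest(modified, h_tag)

if __name__ == "__main__":
    extra_from = ("From", "someone-else@example.com")
    list_id = ("List-Id", "<users.example.net>")
    for h in ("from:to:subject", "from:from:to:subject",
              "from:from:to:subject:list-id"):
        print(f"{h:32} extra From ok={survives(h, extra_from)} "
              f"List-Id ok={survives(h, list_id)}")
```

The last h= value shows why a signature that oversigns an absent List-Id stops verifying once a mailing list adds that header, which is the situation the first reply describes.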