Evgeniy Berdnikov via Exim-users <[email protected]> writes:

>  The built-in value could be changed with dkim_sign_headers, but
>  this patch gives a much more reasonable default, IMHO.

I'm now running with this local config instead:

DKIM_SIGN_HEADERS = From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:=In-Reply-To:=References:=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive

Reviewing the modern Exim source makes me suggest the patch below.  This
makes the DKIM signature not cover any non-existing List-* headers in the
message to be signed, which seems reasonable to me, and consistent with
RFC 4871:

   The following header fields SHOULD be included in the signature, if
   they are present in the message being signed:
...
   o  List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
      List-Owner, List-Archive

RFC 6376 does not contain the same wording, so maybe this is a complex
area.  Perhaps a review of what other DKIM signing software is using
would be useful?  In case there is any established best practice out
there.

/Simon
From 203f6e74ef669080afbc9f1adc45f64269fba3a0 Mon Sep 17 00:00:00 2001
From: Simon Josefsson <[email protected]>
Date: Fri, 13 Aug 2021 17:38:47 +0200
Subject: [PATCH] DKIM: Make List-* headers optional in
 PDKIM_DEFAULT_SIGN_HEADERS.

---
 src/src/pdkim/pdkim.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/src/pdkim/pdkim.h b/src/src/pdkim/pdkim.h
index f6ff78251..4a6ff820a 100644
--- a/src/src/pdkim/pdkim.h
+++ b/src/src/pdkim/pdkim.h
@@ -32,8 +32,8 @@
                              "Content-Description:Resent-Date:Resent-From:"\
                              "Resent-Sender:Resent-To:Resent-Cc:"\
                              "Resent-Message-ID:In-Reply-To:References:"\
-                             "List-Id:List-Help:List-Unsubscribe:"\
-                             "List-Subscribe:List-Post:List-Owner:List-Archive"
+                             "=List-Id:=List-Help:=List-Unsubscribe:"\
+                             "=List-Subscribe:=List-Post:=List-Owner:=List-Archive"
 
 #define PDKIM_OVERSIGN_HEADERS "+From:+Sender:+Reply-To:+Subject:+Date:"\
                              "+Message-ID:+To:+Cc:+MIME-Version:+Content-Type:"\
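Review bot: The `=` prefix is added only to the seven List-* names on the two changed lines; the Resent-*, In-Reply-To and References entries on the context lines just above stay bare, so an absent Resent-* or References header is still listed in the signature. The local DKIM_SIGN_HEADERS setting earlier in this message prefixes those names with `=` as well, so either extend the change to them or say in the commit message, which has no body, why only List-* is relaxed. The commit message should also record the trade-off: after this change a List-* header added downstream no longer invalidates the signature. If the default is documented alongside dkim_sign_headers, that text needs the same update.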
-- 
2.30.2

Attachment: signature.asc
Description: PGP signature

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
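
The effect of the bare, `=` and `+` prefixes discussed in this message, as an added Python illustration that is not part of the original post or of Exim. It assumes the prefix meanings given in the Exim documentation for dkim_sign_headers, and the header lists and message are shortened, constructed samples.

```python
# Added illustration, not Exim code. Assumed prefix meanings (Exim docs):
#   name   -> listed once in h=, whether or not the header exists
#   =name  -> every existing instance is listed, nothing if absent
#   +name  -> every existing instance is listed, plus one absent instance

def resolve_h_tag(spec, present):
    """Return the header names that end up in h= for one message.

    spec    -- colon-separated list such as "From:=List-Id:+Subject"
    present -- header names in the message at signing time
    """
    have = [p.lower() for p in present]
    h = []
    for item in filter(None, (s.strip() for s in spec.split(":"))):
        prefix = item[0] if item[0] in "=+" else ""
        name = item[len(prefix):]
        count = have.count(name.lower())
        if prefix == "=":
            h += [name] * count
        elif prefix == "+":
            h += [name] * (count + 1)
        else:
            h.append(name)
    return h


def addition_detected(h, present, name):
    """True if prepending a new `name` header after signing breaks verification.

    RFC 6376 verifiers match h= entries to headers bottom-up and hash an empty
    string for entries with no matching header, so a prepended header is only
    noticed when h= lists the name more often than it existed at signing.
    """
    n = name.lower()
    return [x.lower() for x in h].count(n) > [p.lower() for p in present].count(n)


# Constructed sample: an ordinary message with no List-* headers.
MESSAGE = ["From", "To", "Subject", "Date", "Message-ID"]
OLD_DEFAULT = "From:Subject:List-Id:List-Post"    # shortened, bare names
PATCHED = "From:Subject:=List-Id:=List-Post"      # shortened, as in the patch
OVERSIGN = "+From:+Subject"                       # shortened oversign form

if __name__ == "__main__":
    for label, spec in (("old", OLD_DEFAULT), ("patched", PATCHED), ("oversign", OVERSIGN)):
        h = resolve_h_tag(spec, MESSAGE)
        print(label, "h=" + ":".join(h),
              "List-Id addition detected:", addition_detected(h, MESSAGE, "List-Id"),
              "From addition detected:", addition_detected(h, MESSAGE, "From"))
```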