Hi! On Mon, 23 Oct 2023, Ian Z via Exim-users wrote:
On Mon, Oct 23, 2023 at 11:51:21AM +0200, Andreas Metzler via Exim-users wrote:
Kind of. The RFC has big fat disclaimer that it only provides very rough guidance ("The choice of which header fields to sign is non-obvious.") and is very very thin on details, afaict it does not say a thing about oversigning.Right, in the sub-section cites it says (lightly paraphrased): The following headers SHOULD be signed *if they are present* in the message. Emph mine. So, like Andreas writes, if they are *not* present, this is vacuous.
When you check out the h tag of the DKIM signature header of the large email services you'll see that they usually have only a few signed headers (less processing load) and some oversign specific headers. E.g. gmail seems to oversign from:to:cc:subject:date:message-id:reply-to, and Yahoo From:Subject:Reply-To. Based on the DKIM RFCs and the current reality I'd say that exim's default for dkim_sign_headers is simply overkill and we should add a bunch of '=' prefixes, maybe a few '+' for essential headers.
ciao Markus -- / Markus Reschke \ \ [email protected] / -- ## subscription configuration (requires account): ## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/ ## unsubscribe (doesn't require an account): ## [email protected] ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
