Hi,
On 23 Jul 2025 09:57:00 +0200 John Levine via Exim-users
<[email protected]> wrote:
> I was tracing down a strange bug in which mail sent to a role account
> in an IETF working group was forwarded to the recipient's Gmail
> account and appeared with a big ugly security warning saying invalid
> DKIM signature. I found that the sender's mail system adds a DKIM
> signature that oversigns the Resent-xxx headers (i.e., it asserts
> that they don't exist.) When the IETF forwards the mail, it
> correctly adds Resent-xxx headers, which breaks the signature and
> causes the warning.
> ...
> Does Exim do that by default? If so, please don't.
AFAIK yes ;-) While I do not meet problems with Resent-* headers, the
same situation is with List-* headers, which I meet already (not caused
by my server, but noticed in my ML experiments).
The docs say that when dkim_sign_headers is not specified, **the
header names listed in RFC4871 will be used, whether or not each header
is present in the message**, which includes (from the RFC, I didn't check
the code):
+ From, Sender, Reply-To, Subject, Date, Message-ID, To, Cc,
MIME-Version
+ Content-Type, Content-Transfer-Encoding, Content-ID,
Content-Description
+ Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc,
Resent-Message-ID
+ In-Reply-To, References
+ List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
List-Owner, List-Archive
Besides the fact that RFC4871 is obsoleted by RFC6376 (which removed
that whole list), exim implements it wrongly, as RFC4871 says they
**SHOULD be included in the signature, if they are present in the
message** (only From is required to be signed always), but exim signs them
(by default) all, regardless of whether they are in the message or not.
exim has two macros for that. One is _DKIM_SIGN_HEADERS, which contains
that list from RFC4871 and signs all existing headers from it and
over-signs all missing headers from it (no prefix). The second macro is
_DKIM_OVERSIGN_HEADERS, which contains the same header list, but all
of them are unconditionally over-signed, regardless of whether they are
in the message or not (prefixed by +).
IMO, to be strictly RFC4871 compliant, the default header list has to
include the From header without prefix and all other headers with the = prefix
(wrapped):
_DKIM_RFC4871_HEADERS=
From:=Sender:=Reply-To:=Subject:=Date:=Message-ID:=To:=Cc:=MIME-Version:
=Content-Type:=Content-Transfer-Encoding:=Content-ID:=Content-Description:
=In-Reply-To:=References:
=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:
=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive
But that can be too little (nowadays) and I would use the = prefix only for
Resent-* and List-* headers in the default list, and with the same
logic for the second macro: over-sign all headers in the list, but leave = for
Resent-* and List-* headers. In other words, I would suggest (just in
case my English is too bad) changing these macros (and defaults)
to (wrapped):
_DKIM_SIGN_HEADERS=
From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:
Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:
In-Reply-To:References:
=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:
=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive
_DKIM_OVERSIGN_HEADERS=
+From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:+MIME-Version:
+Content-Type:+Content-Transfer-Encoding:+Content-ID:+Content-Description:
+In-Reply-To:+References:
=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:
=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive
Besides the list changes, I would suggest adding to the docs that
admins are encouraged to inspect and customize the list of signed headers
(or so).
regards
--
Slavko
https://www.slavino.sk
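Added example, not from this thread or from Exim's own code: a Python model of the three prefix forms of dkim_sign_headers described above, run over a constructed message that a forwarder later prepends Resent-* headers to. The prefix semantics are assumed from the Exim documentation the post cites, and the header hash is a simplified stand-in for DKIM's (no canonicalisation), enough to show why an oversigned absent Resent-* header breaks on forwarding while a `=`-prefixed one does not.

```python
import hashlib
from collections import defaultdict

def select_headers(spec, headers):
    """Build the DKIM h= list from an Exim-style dkim_sign_headers spec.
    Assumed semantics: no prefix -> one entry (present or oversign slot);
    '=' -> every present instance, nothing if absent;
    '+' -> every present instance plus one oversign slot."""
    counts = defaultdict(int)
    for name, _ in headers:
        counts[name.lower()] += 1
    h = []
    for item in filter(None, (s.strip() for s in spec.split(":"))):
        prefix, name = (item[0], item[1:]) if item[0] in "=+" else ("", item)
        present = counts[name.lower()]
        if prefix == "=":
            h += [name] * present
        elif prefix == "+":
            h += [name] * (present + 1)
        else:
            h.append(name)
    return h

def header_hash(h_list, headers):
    """Simplified DKIM header hash: each h= name consumes the lowest unused
    instance of that header; a name with none left contributes an empty
    string, which is what an oversign entry pins to 'absent'."""
    remaining, parts = list(headers), []
    for name in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                n, v = remaining.pop(i)
                parts.append(f"{n.lower()}:{v.strip()}")
                break
        else:
            parts.append("")
    return hashlib.sha256("\r\n".join(parts).encode()).hexdigest()

def survives_forwarding(spec, original, added_on_top):
    """True if the hash fixed at signing still matches after a forwarder
    prepends added_on_top (e.g. Resent-*) to the original headers."""
    h = select_headers(spec, original)
    return header_hash(h, original) == header_hash(h, added_on_top + original)

# Constructed sample message and the Resent-* headers a forwarder adds.
ORIGINAL = [("From", "alice@example.org"), ("To", "wg-role@example.net"),
            ("Subject", "draft review"), ("Date", "Wed, 23 Jul 2025 09:57:00 +0200"),
            ("Message-ID", "<1@example.org>")]
RESENT = [("Resent-From", "wg-role@example.net"), ("Resent-To", "chair@example.com"),
          ("Resent-Date", "Wed, 23 Jul 2025 10:00:00 +0200"), ("Resent-Message-ID", "<2@example.net>")]
COMMON = "From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:"
RESENT_NAMES = ["Resent-Date", "Resent-From", "Resent-Sender", "Resent-To", "Resent-Cc", "Resent-Message-ID"]
DEFAULT_SPEC = COMMON + ":".join(RESENT_NAMES)                     # oversigns absent Resent-*
PROPOSED_SPEC = COMMON + ":".join("=" + n for n in RESENT_NAMES)   # signs Resent-* only if present
```

`survives_forwarding(DEFAULT_SPEC, ORIGINAL, RESENT)` is False and the PROPOSED_SPEC variant is True, which is the whole difference the post is asking for.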