On Wed, 23 Jul 2025, Slavko via Exim-users wrote: > Ahoj, > > Dňa 23 Jul 2025 09:57:00 +0200 John Levine via Exim-users > <[email protected]> napísal: > > > I was tracing down a strange bug in which mail sent to a role account > > in an IETF working group was forwarded to the recipient's Gmail > > account and appeared with a big ugly security warning saying invalid > > DKIM signature. I found that the sender's mail system adds a DKIM > > signature that oversigns the Resent-xxx headers (i.e., it asserts > > that they don't exist.) When the IETF forwards the mail, it > > correctly adds Resent-xxx headers, which breaks the signature and > > causes the warning. > > > ... > > > Does Exim do that by default? If so, please don't. > > AFAIK yes ;-) While i do not meet problems with Resent-* headers, the > same situation is with List-* headers, which i meet already (not caused > by my server, but noticed in my ML experiments). [...]
I agree that Exim's default is actively harmful; users should not bebe expected to change this. There is a previous thread, and it shows the headers I have been using with much greater success: https://lists.exim.org/lurker/message/20231103.101601.7232f2f9.en.html Also, on a related note, RFC 8058 makes it mandatory to sign the List-Unsubscribe-Post header, which is in none of these. We had to change that on a mailing list host. -- Mark -- ## subscription configuration (requires account): ## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/ ## unsubscribe (doesn't require an account): ## [email protected] ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
