On Sun, Oct 28, 2018 at 5:30 PM Steffen Vogel <p...@steffenvogel.de> wrote:
>
> For those who are interested. Rspamd, by default, includes the sender
> address into the list of signed headers:

Ugh. That's just broken.

> There is RFC6377 which discusses this problem. One possible solution is
> a mailing list service which understands DKIM and can check/sign the
> messages.

I think that is almost purely historical.

People figured it out. The actual solution was that mailing lists just
don't rewrite headers or bodies, but they do set that "sender" line
(and add various new ones, like "List-ID" etc unsubscribe
information).

And that was exactly so that dkim would just work, without the list
having to then add its own signing that just causes even more
problems.

[ And no, lkml isn't actually great at this - it will mess up
whitespace on headers, so it only works with a relaxed/relaxed dkim
signature.

  But honestly, if you use strict/strict, you're doing something
wrong. It's a bad idea. Smtp was never whitespace-strict ]

> This is actually according to RFC. Listing signed header-fields
> multiple times prohibits them from being modified and re-signed by other
> MTAs.

Again, that is mostly historical baggage. I don't think anybody
actually does that.

So yes, you'll find a lot of "what ifs" from ten years ago when people
weren't actually using dkim and mailing lists didn't try to work with
it. Mostly theoretical "this is how it could work".

I've seen some truly horrendous suggestions for mailing lists, like
always rewriting "From" headers etc exactly so that you can then make
a new dkim signature. That would make for a really bad mailing list.

.. and yes, I'm sure such bad mailing lists exist.

                Linus
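
Added example (not part of the original message, and not code from Rspamd or any list software): a sketch of why a list that only re-spaces or refolds headers keeps a relaxed DKIM header hash intact, while a "simple" one (RFC 6376's name for what the message calls strict) or a rewritten From breaks it. The addresses, the h= list and the sample headers are constructed, and only the header hash input is modelled, not the signature itself.

```python
import hashlib
import re

def canon_simple(raw: str) -> str:
    # RFC 6376 section 3.4.1: the header field is hashed exactly as received.
    return raw

def canon_relaxed(raw: str) -> str:
    # RFC 6376 section 3.4.2: lowercase the name, unfold, collapse whitespace.
    name, _, value = raw.partition(":")
    value = re.sub(r"\r\n(?=[ \t])", "", value).rstrip("\r\n")  # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" ")            # squeeze WSP
    return f"{name.strip().lower()}:{value}\r\n"

def header_digest(headers, signed, canon) -> str:
    # Hash one header per name listed in h=, in h= order.
    # Simplifications: each name occurs once here, and a real verifier
    # also hashes the DKIM-Signature field itself.
    digest = hashlib.sha256()
    for wanted in signed:
        for raw in headers:
            if raw.partition(":")[0].strip().lower() == wanted:
                digest.update(canon(raw).encode("ascii"))
                break
    return digest.hexdigest()

def survives(original, relayed, signed, canon) -> bool:
    # True when the list copy still produces the header hash the signer saw.
    return header_digest(original, signed, canon) == header_digest(relayed, signed, canon)

SIGNED = ["from", "to", "subject"]  # constructed h= list
ORIGINAL = [  # constructed message as the author's MTA signed it
    "From: Alice Example <alice@example.org>\r\n",
    "To: list@lists.example.net\r\n",
    "Subject: [PATCH]  fix   header parsing\r\n",
]
RELAYED = [  # constructed list copy: new unsigned headers, whitespace changed
    "Sender: list-owner@lists.example.net\r\n",
    "List-ID: <list.lists.example.net>\r\n",
    "From: Alice Example <alice@example.org>\r\n",
    "To:   list@lists.example.net\r\n",
    "Subject: [PATCH] fix\r\n\theader parsing\r\n",
]
# Constructed list copy that rewrites From instead of leaving it alone.
REWRITTEN = RELAYED[:2] + ["From: Alice via list <list@lists.example.net>\r\n"] + RELAYED[3:]

if __name__ == "__main__":
    for label, copy in (("whitespace only", RELAYED), ("From rewritten", REWRITTEN)):
        for canon in (canon_simple, canon_relaxed):
            print(f"{label:16} {canon.__name__:14} survives={survives(ORIGINAL, copy, SIGNED, canon)}")
```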
