Re: [exim] Exim Snapshot - DomainKeys support - Testers want…

Pàgina inicial
Delete this message
Reply to this message
Autor: Tom Kistner
Data:  
A: David Woodhouse
CC: exim-users, exiscanusers
Assumpte: Re: [exim] Exim Snapshot - DomainKeys support - Testers wanted
David Woodhouse wrote:

> Hmmm. What about the Resent-From: address? That could well be newer.


[..]

> That's why I'm asking. DK should be usable with lists if done sensibly.


[..]

> Obviosuly I'd have to be insane to reject your mail because the
> 'd=duncanthrax.net' signature is bad after it came through the mailing
> list. But the list adds its own Sender: header -- hence my question
> about what precisely is meant by the 'sending email address'. What
> happens when we see a message with two DomainKey-Signature: headers?


In principle, you are right. The draft says:

A signer MUST NOT sign an email that already contains a
"DomainKey-Signature:" header unless a "Sender:" header has been added
that was not included in the original signature. The most obvious case
where this occurs is with mailing lists.

And:

A signer SHOULD NOT remove an existing "DomainKey-Signature:" header.

So if you get two or more DomainKey-Signature: headers, the algorithm
must use the outermost one (or the one relating to the outermost
"Sender:" header).

What I meant was that the majority of deployed mailing list systems will
be slow in either being DK-aware (add headers on top, no body mangling)
or deploying DK themselves. When list systems re-sign mail, they should
obviously only do so if the original message had a good DK signature (so
they "forward" the good result).

/tom