Re: [exim] Strange problem with domainkeys

Author: Graeme Fowler
Date:  
To: exim-users
Subject: Re: [exim] Strange problem with domainkeys
On Mon, 2007-12-10 at 11:42 +0100, Luca Bertoncello wrote:
> Sure, but it always signs the "Received", too... And this IS altered, of
> course, by every MTA...


So that's a daft header to use for signing, then!

> Does someone have a solution for this problem? Otherwise it has the same problem as
> SPF, but without a solution... :(


Don't use "Received:" headers for the signing process, perhaps?
Otherwise, the signature could be invalidated by any number of
completely non-interactive (i.e. not involving a human, like forwarding
which has to be chosen) means, like (for example) traversing a backup
MX. Or a transparent SMTP proxy, which some ISPs still use for outbound
mail. Or... or... well, any number of things.

Interestingly, the DKIM specification RFC 4871 states:

The following header fields SHOULD NOT be included in the signature:

o Return-Path

o Received

o Comments, Keywords

OK, I know that DKIM isn't DomainKeys, but it does obsolete it (4871
obsoletes 4870) but that statement alone is worth many thousands of
other words.

Graeme
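
Added example, not part of the original message: a check that parses a DKIM-Signature header value and reports any header names in its h= tag that appear on the RFC 4871 "SHOULD NOT be included" list quoted above. The sample signature values, the domain example.org, the selector sel1 and the function names are constructed for illustration.

```python
import re

# Header fields RFC 4871 says SHOULD NOT be included in the signature
# (the list quoted in the message above).
DISCOURAGED = {"return-path", "received", "comments", "keywords"}

def parse_tag_list(value):
    """Parse a DKIM tag-list ("v=1; a=rsa-sha256; ...") into a dict."""
    # Unfold first: header folding leaves CRLF + whitespace inside the value.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for part in unfolded.split(";"):
        if not part.strip():
            continue  # a trailing ";" is allowed
        name, sep, val = part.partition("=")  # base64 values may contain "="
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip()] = val.strip()
    return tags

def discouraged_signed_headers(sig_value):
    """Return discouraged header names found in h=, in order of appearance."""
    tags = parse_tag_list(sig_value)
    if "h" not in tags:
        raise ValueError("DKIM-Signature has no h= tag")
    found = []
    # h= is colon-separated; names are case-insensitive and may be
    # surrounded by folding whitespace.
    for name in tags["h"].split(":"):
        name = name.strip().lower()
        if name in DISCOURAGED and name not in found:
            found.append(name)
    return found

# Constructed samples; bh= and b= are placeholders, not real signature data.
BAD_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel1;\r\n"
           "\th=Received : From : To :\r\n"
           "\t Subject : Return-Path; bh=PLACEHOLDER=; b=PLACEHOLDER")
GOOD_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel1;\r\n"
            "\th=From:To:Subject:Date:Message-ID; bh=PLACEHOLDER=; b=PLACEHOLDER;")

if __name__ == "__main__":
    for label, sig in (("bad", BAD_SIG), ("good", GOOD_SIG)):
        print(label, discouraged_signed_headers(sig))
```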