Re: [exim] Strange problem with domainkeys

Top Pagina
Delete this message
Reply to this message
Auteur: Graeme Fowler
Datum:  
Aan: exim-users
Onderwerp: Re: [exim] Strange problem with domainkeys
On Mon, 2007-12-10 at 11:42 +0100, Luca Bertoncello wrote:
> Sure, but it signs always the "Received", too... And this IS altered, of
> course, by every MTA...


So that's a daft header to use for signing, then!

> Has someone a solution for this problem? Otherwise it has the same problem of
> SPF, but without a solutions... :(


Don't use "Received:" headers for the signing process, perhaps?
Otherwise, the signature could be invalidated by any number of
completely non-interactive (ie. not involving a human, like forwarding
which has to be chosen) means, like (for example) traversing a backup
MX. Or a transparent SMTP proxy, which some ISPs still use for outbound
mail. Or... or... well, any number of things.

Interestingly, the DKIM specification RFC4871 states:

The following header fields SHOULD NOT be included in the signature:

o Return-Path

o Received

o Comments, Keywords

OK, I know that DKIM isn't DomainKeys, but it does obsolete it (4871
obsoletes 4870) but that statement alone is worth many thousands of
other words.

Graeme