Re: [exim] How to include transport info

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Phil Pennock
Date:  
À: Todd Lyons
CC: exim-users
Sujet: Re: [exim] How to include transport info
On 2010-09-29 at 11:06 -0700, Todd Lyons wrote:
> Now this is a dkim question. My macro to set the signing domain uses
> $sender_address_domain, which is the domain portion of the _envelope_
> sender. A previous implementation that I had seen used the domain
> portion of the _header_ sender. Which is correct? Or is the answer
> "it depends" ?


AFAICT it's unspecified and up to you. The identity being asserted is
included in the DKIM signature header. It's worth noting though that
the From: header is *always* signed, and is the only header which must
be signed, so is protected, while the envelope is unsigned. Also,
MUAs tend to display the From: header but not the envelopes.

The only MUA I've dealt with that supports showing DKIM information is
Gmail [note that I'm not claiming it's the only MUA with this support,
only that it's the only one I've used]. In Gmail, the signature
information is shown as the "signed-by" pseudo-header under "more
details".

So, it makes most sense to me to match the signature to the From:
header. Against this, do remember that the From: header is allowed to
contain multiple email addresses, while the envelope contains only one,
so the envelope is easier to work with.

I haven't thought about this deeply, but: what are the circumstances
under which you'd want to sign an email where the envelope sender isn't
the same as one of the addresses in the From: header? For instance, is
it worth having the signing Router have a:

  condition = ${if eq{${lc:$sender_address}}\
               {${lc:${sg{${addresses:$h_from:}}{:.*}{}}}}\
           }


on it, so that cases where the envelope sender doesn't match the first
from address are not signed?

This appears to be an area which the RFC writers have punted upon.

-Phil