Re: [exim] DKIM signing options - specially list of headers

Top Page
Delete this message
Reply to this message
Author: Richard James Salts
Date:  
To: exim-users
Subject: Re: [exim] DKIM signing options - specially list of headers
On Tuesday, 31 July 2018 9:26:15 PM AEST Jeremy Harris via Exim-users wrote:
> On 07/31/2018 12:08 PM, Graeme Fowler via Exim-users wrote:
> > X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;
> >
> > c=relaxed/relaxed;
> > d=open-t.co.uk; s=20170820; h=Content-Transfer-Encoding:Content-Type:...
> >
> > The second one has included headers which I would not expect to be present
> > on a message from a client to a mailing list. It also includes them in
> > the DKIM sig - yet they don't exist, or shouldn't, at the submission
> > stage.
> Oversigning. It gives an assertion that the header is not present.
> Exim can do it; it's not default - see the last para. in the description
> of dkim_sign_headers.

Yeah, oversigning indeed. I think the recommendation from the DKIM RFC is about signing
and not oversigning. I've changed the preferences for DKIM into:

dkim_sign_headers = +From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:
+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:+Content-
Description:+Content-Disposition:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-
To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:+References:=List-Id:=List-Help:=List-
Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive


This choice is based on https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html