On Tuesday, 31 July 2018 9:26:15 PM AEST Jeremy Harris via Exim-users wrote:
> On 07/31/2018 12:08 PM, Graeme Fowler via Exim-users wrote:
> > X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;
> >
> > c=relaxed/relaxed;
> > d=open-t.co.uk; s=20170820; h=Content-Transfer-Encoding:Content-Type:...
> >
> > The second one has included headers which I would not expect to be present
> > on a message from a client to a mailing list. It also includes them in
> > the DKIM sig - yet they don't exist, or shouldn't, at the submission
> > stage.
> Oversigning. It gives an assertion that the header is not present.
> Exim can do it; it's not default - see the last para. in the description
> of dkim_sign_headers.
Yeah, oversigning indeed. I think the recommendation from the DKIM RFC is about signing
and not oversigning. I've changed the preferences for DKIM into:
dkim_sign_headers = +From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:
+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:+Content-
Description:+Content-Disposition:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-
To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:+References:=List-Id:=List-Help:=List-
Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive
This choice is based on
https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html