Re: [exim] DKIM signing options - specially list of headers

Author: Sebastian Arcus
Date:  
To: exim-users
Subject: Re: [exim] DKIM signing options - specially list of headers

On 31/07/18 14:02, Richard James Salts via Exim-users wrote:
> On Tuesday, 31 July 2018 9:26:15 PM AEST Jeremy Harris via Exim-users wrote:
>> On 07/31/2018 12:08 PM, Graeme Fowler via Exim-users wrote:
>>> X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;
>>>
>>> c=relaxed/relaxed;
>>> d=open-t.co.uk; s=20170820; h=Content-Transfer-Encoding:Content-Type:...
>>>
>>> The second one has included headers which I would not expect to be present
>>> on a message from a client to a mailing list. It also includes them in
>>> the DKIM sig - yet they don't exist, or shouldn't, at the submission
>>> stage.
>> Oversigning. It gives an assertion that the header is not present.
>> Exim can do it; it's not default - see the last para. in the description
>> of dkim_sign_headers.
> Yeah, oversigning indeed. I think the recommendation from the DKIM RFC is about signing
> and not oversigning. I've changed the preferences for DKIM into:
>
> dkim_sign_headers = +From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:+Content-Description:+Content-Disposition:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:+References:=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive
>
>
> This choice is based on https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html


Thank you for that link. I had no idea DKIM and mailing lists are such a
nightmare - or that there are so many potential holes in DKIM itself.
I'll be trying to get my head around which way is best to configure it.
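As an added illustration (not part of the original thread, and not Exim's code), this sketch shows why an extra `h=` entry for a header "gives an assertion that the header is not present": it selects header instances the way RFC 6376 section 5.4.2 describes and compares digests before and after a header is added in transit. The sample message, the function names and the simplified canonicalization are assumptions made for the example.

```python
import hashlib

def select_signed_headers(h_tag, headers):
    """Map each name in a DKIM h= list to a header instance (RFC 6376, 5.4.2).

    headers is a list of (name, value) pairs in message order, top first.
    Every occurrence of a name in h= consumes the next instance counting
    from the bottom of the header block. When no instance is left, the
    entry selects nothing (None): the signer asserted the header's absence.
    """
    remaining = {}
    for name, value in headers:
        remaining.setdefault(name.lower(), []).append(value)
    selected = []
    for name in (n.strip().lower() for n in h_tag.split(":")):
        instances = remaining.get(name, [])
        selected.append((name, instances.pop() if instances else None))
    return selected

def header_digest(h_tag, headers):
    """SHA-256 over the selected headers, simplified relaxed form.

    Simplification for the example: the real header hash also covers the
    DKIM-Signature field itself and is then signed with the private key.
    """
    digest = hashlib.sha256()
    for name, value in select_signed_headers(h_tag, headers):
        if value is not None:  # an absent header contributes the null string
            digest.update(f"{name}:{' '.join(value.split())}\r\n".encode())
    return digest.hexdigest()

# Constructed sample message, and the same message with a header added on top.
ORIGINAL = [
    ("From", "alice@example.org"),
    ("To", "list@example.net"),
    ("Subject", "Quarterly report"),
]
MODIFIED = [("Subject", "Changed in transit")] + ORIGINAL

def signature_survives(h_tag):
    """True if the digest computed at signing time still matches afterwards."""
    return header_digest(h_tag, ORIGINAL) == header_digest(h_tag, MODIFIED)

if __name__ == "__main__":
    print("signed once:", signature_survives("from:to:subject"))
    print("oversigned: ", signature_survives("from:to:subject:subject"))
```

With `subject` listed once the added header goes unnoticed by the verifier; listed twice, the second entry picks up the added header and the digest no longer matches.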