Autor: exim-users Data: A: exim-users Assumpte: Re: [exim] Signed header list in DKIM headers
Hi Jeremy,
thanks for the quick reply.
On 26.01.20 14:06, Jeremy Harris via Exim-users wrote: > On 26/01/2020 12:16, exim-users--- via Exim-users wrote:
>> however in case of mailing list posts, I get DKIM errors as the Exim-generated DKIM signature contains headers, which are not in my original
>> mail (those get inserted by mailing list software afterwards). > Yes. DKIM breaks mailing lists. The proponents of DKIM do
> not care about this.
I am aware of that, however I thought impact may be limited...
> This Exim behavior is fully compliant with the relevant RFCs but somewhat
>> annoying. Is there any chance to tell Exim only to list existing headers in DKIM signature (would be a feature request) instead of limiting
>> the headers which are DKIM signed in general (I could do this on a rule basis, however that config will be incomplete and would need constant
>> adaption). > I'm not clear on exactly which headers you want to sign the existence
> and content of, what headers you want to sign the non-existence of,
> and what headers you do not want to sign. Can you clarify?
The DKIM signature of my example denotes the following headers as part of the signature:
Content-Transfer-Encoding, Content-Type, In-Reply-To, MIME-Version, Date, Message-ID, From, References, To, Subject, Sender, Reply-To,
Cc, Content-ID, Content-Description, Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Message-ID, List-Id, List-Help,
List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive
The original message did only contain:
Subject, To, References, From, Message-ID, Date, MIME-Version, In-Reply-To, Content-Type, Content-Transfer-Encoding
Those headers where not altered, however List-XXX-Headers where added and thus broke the initial signature (as these headers where included as). I did
assume that listing only existing headers in the signature would have been sufficient to keep the initial DKIM signature correct. But this is not guaranteed
to help, as many lists add tags to the subject (my example was a list reply, which already had this).
By checking more examples, I do not think that there is an generic approach to do this. I'll stick with a very limited lists of potential safe headers to sign
(from, date, message-id, references) whenever a mail is sent to a mailing list address.