[exim-dev] [Bug 2706] DKIM and Received headers

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2706] DKIM and Received headers
https://bugs.exim.org/show_bug.cgi?id=2706

--- Comment #5 from Eugene Berdnikov <bd4@???> ---
(In reply to Simon Arlott from comment #2)
> I've just tested Exim 4.90 with "+Received", "=Received" and "Received" and
> it behaves as expected when checking with Mail::DKIM::Verifier (and amending
> headers to fit the signature).

Simon, thank you for the reference to Mail::DKIM::Verifier, it saves time.

> Exim does DKIM validation at SMTP time while reading the incoming message so
> it doesn't have an additional Received: header yet. With "+Received",
> SpamAssassin will fail validation because this happens after another
> Received: header is added.

Yes, this is a point I did not understand until I reread RFC6378 carefully.

> The first two are over-signing the Received: header so it is inevitable that
> the signature will fail to validate after another one is added.

Not two. Only the "+Received" form does oversigning.
The "=Received" form instructs Exim to sign all existing headers and nothing more.
The "Received" form instructs it to sign a single (lowermost) header.

However, I really do not like how it is documented (in Ch.58 par.2:
"A name can be prefixed with either an “=” or a “+” character.
If an “=” prefix is used, all headers that are present with this name
will be signed. If a “+” prefix is used, all headers that are present
with this name will be signed, and one signature added for a missing
header with the name will be appended.")

I propose this variant:

A name can be prefixed with either an “=” or a “+” character, instructing
Exim how many instances of the named header should be included in the signature.
If the name is not prefixed, only a single (lowermost) header field is signed.
If the name is prefixed by "=", all existing headers are signed, from bottom
to top, and each occurrence is referenced in the "h=" tag of DKIM-Signature
(see RFC6376 sect 5.4 for details). If the name is prefixed by "+", all
existing headers are signed as with the "=" prefix, plus an additional null
header instance is included in the signature (and listed in the "h=" tag),
preventing additional headers with this name from being added to the message.

--
You are receiving this mail because:
You are on the CC list for the bug.
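The following is an added illustration, not code from Exim or from this bug report: it expands the three forms discussed above (no prefix, "=", "+") into an "h=" list and then applies the RFC 6376 section 5.4.2 bottom-up header selection a verifier performs, to show why only "+Received" stops validating once a downstream MTA prepends another Received: header. The colon-separated list format, the sample headers and the assumption that an absent unprefixed name is skipped are mine.

```python
from typing import List, Optional, Tuple

Header = Tuple[str, Optional[str]]  # (name, value); value None = null instance

# Constructed sample message, top to bottom as it sits on the wire.
MSG: List[Header] = [
    ("Received", "from mx1.example.test (constructed)"),
    ("Received", "from client.example.test (constructed)"),
    ("From", "alice@example.test"),
    ("Subject", "test"),
]
# Header a later hop (e.g. the box running SpamAssassin) prepends. Constructed.
NEW_RECEIVED: Header = ("Received", "from relay.example.test (added later)")


def h_tag(spec: str, headers: List[Header]) -> List[str]:
    """Expand a colon-separated list such as "from:=received:+received" into
    the names written to h=: no prefix -> the one lowermost instance,
    "=" -> every existing instance, "+" -> every existing instance plus one
    null instance. Assumption: an absent unprefixed name is skipped."""
    names = []
    for item in spec.split(":"):
        prefix, name = (item[0], item[1:]) if item[:1] in ("=", "+") else ("", item)
        name = name.lower()
        present = sum(1 for n, _ in headers if n.lower() == name)
        count = {"": min(1, present), "=": present, "+": present + 1}[prefix]
        names.extend([name] * count)
    return names


def select_signed(h: List[str], headers: List[Header]) -> List[Header]:
    """RFC 6376 5.4.2: for each name in h= the verifier takes the next unused
    instance counting from the bottom; when none remain it hashes a null one."""
    used, chosen = set(), []
    for name in h:
        idx = next((i for i in range(len(headers) - 1, -1, -1)
                    if headers[i][0].lower() == name and i not in used), None)
        if idx is None:
            chosen.append((name, None))  # null instance, part of the hash
        else:
            used.add(idx)
            chosen.append((headers[idx][0].lower(), headers[idx][1]))
    return chosen


def survives_new_received(spec: str, original: List[Header], added: Header) -> bool:
    """True if the header set the verifier hashes is unchanged after one more
    Received: header is prepended downstream (compares selection, no crypto)."""
    h = h_tag(spec, original)
    return select_signed(h, original) == select_signed(h, [added] + original)
```

With the sample message, "received" and "=received" survive the extra hop because the verifier still picks the same lowermost instances, while "+received" pulls the new header into the null slot and the hash no longer matches.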