https://bugs.exim.org/show_bug.cgi?id=2394
--- Comment #5 from Andreas Metzler <eximusers@???> ---
Hello,
I have started looking at DKIM recently and stumbled over this report.
The current default value seems to be less than optimal, dkim_sign_headers
defaults to _DKIM_SIGN_HEADERS, i.e. it reads
From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive
Notably, Exim is not using either the = or the + modifier but signs the headers no
matter whether they are present or not; therefore it is oversigning the headers
not present and /signing/ without oversigning the headers that are present.
So this offers protection
* against modification of present headers
* addition of the headers if they were not present
* but does not protect against adding e.g. another From: or Subject: header.
I think this choice does not make a lot of sense; for any given header I would
want to choose either of these alternatives:
a) do not sign
b) if present, sign (with oversign to prevent addition of duplicate with
different content), allow addition otherwise.
c) always sign no matter whether present or not (with oversign to prevent
addition of header or addition of a duplicate of the present header).
E.g. I would put From: in the (b)-basket and List-Subscribe into (c).
Sadly, RFC 6376 does not offer a lot of hard guidance there; it essentially says
"think about it carefully, and always sign From:." However, I am convinced that
most people currently need to override Exim's preset for dkim_sign_headers and
would like to improve it. Please tell me if I am completely off, or if there is
some hidden, commonly accepted DKIM-best-practice document I have missed.
cu Andreas
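The header-selection rule behind the behaviour described in the comment above, as an added example that is not part of the original comment and is not Exim's code. It models RFC 6376 section 5.4.2 (each name in h= consumes one instance from the bottom of the header block, or nothing if none is left); a SHA-256 over the selected lines stands in for canonicalisation and the real signature, and the message, addresses and function names are constructed.

```python
import hashlib

def select_headers(headers, h_list):
    """For each name in h=, take the next unused instance counting from the
    bottom of the header block; if none is left, the entry selects nothing."""
    remaining = {}
    for name, value in headers:                      # headers are top to bottom
        remaining.setdefault(name.lower(), []).append(f"{name}:{value}")
    selected = []
    for name in h_list:
        stack = remaining.get(name.lower(), [])
        selected.append(stack.pop() if stack else "")
    return selected

def digest(headers, h_list):
    # Stand-in for the signed header hash (no canonicalisation, no RSA).
    data = "".join(line + "\r\n" for line in select_headers(headers, h_list) if line)
    return hashlib.sha256(data.encode()).hexdigest()

def survives(original, modified, h_list):
    """True if a signature made over `original` still verifies on `modified`."""
    return digest(original, h_list) == digest(modified, h_list)

# Constructed sample message: no List-Unsubscribe header present.
MSG = [("From", " alice@example.org"), ("To", " bob@example.net"),
       ("Subject", " Invoice")]
DUP_FROM = [("From", " someone-else@example.com")] + MSG   # second From: on top
ADDED_LIST = MSG + [("List-Unsubscribe", " <mailto:leave@example.org>")]

ONCE_EACH = ["From", "To", "Subject", "List-Unsubscribe"]   # every name listed once
OVERSIGN_FROM = ["From", "From", "To", "Subject", "List-Unsubscribe"]
NOT_LISTED = ["From", "From", "To", "Subject"]              # option (b), header absent

def report():
    return {
        "dup_from_vs_once_each": survives(MSG, DUP_FROM, ONCE_EACH),
        "dup_from_vs_oversign": survives(MSG, DUP_FROM, OVERSIGN_FROM),
        "added_absent_vs_once_each": survives(MSG, ADDED_LIST, ONCE_EACH),
        "added_absent_vs_not_listed": survives(MSG, ADDED_LIST, NOT_LISTED),
    }

if __name__ == "__main__":
    for case, still_valid in report().items():
        print(f"{case}: signature still verifies = {still_valid}")
```

A `True` for the duplicate From: under the once-each list is the gap the comment points out; listing From: one more time than it occurs closes it.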