Hi!
On Mon, 23 Oct 2023, Ian Z via Exim-users wrote:
> On Mon, Oct 23, 2023 at 11:51:21AM +0200, Andreas Metzler via Exim-users wrote:
>> Kind of. The RFC has big fat disclaimer that it only provides very
>> rough guidance ("The choice of which header fields to sign is
>> non-obvious.") and is very very thin on details, afaict it does not
>> say a thing about oversigning.
>
> Right, in the sub-section cites it says (lightly paraphrased):
>
> The following headers SHOULD be signed *if they are present* in the
> message.
>
> Emph mine. So, like Andreas writes, if they are *not* present, this is
> vacuous.
When you check out the h tag of the DKIM signature header of the large
email services you'll see that they usually have only a few signed headers
(less processing load) and some oversign specific headers. E.g. gmail
seems to oversign from:to:cc:subject:date:message-id:reply-to, and Yahoo
From:Subject:Reply-To. Based on the DKIM RFCs and the current reality I'd
say that exim's default for dkim_sign_headers is simply overkill and we
should add a bunch of '=' prefixes, maybe a few '+' for essential headers.
ciao
Markus
--
/ Markus Reschke \
\ madires@??? /
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/