[exim] Re: List headers [Was: DKIM does not work]

Author: Mark Hills
Date:  
To: exim-users
CC: improve.ripeness774
Subject: [exim] Re: List headers [Was: DKIM does not work]
On Sun, 22 Oct 2023, Ian Z via Exim-users wrote:

> On Sun, Oct 22, 2023 at 07:03:19PM +0200, brunoc68 via Exim-users wrote:
>
> > h=Content-Type:Message-ID:Subject:Date:MIME-Version:To:From:Sender:\
> > Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:\
> > Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:\
> > Resent-Message-ID:In-Reply-To:References:\
>
> vvv
> > List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:\
> > List-Archive
> ^^^
>
> I have just been alerted by a fellow subscriber to the
> postgresql-general mailing list that dkim-signing with the full set of
> headers as per the exim default set above is broken: the list server
> appends the list related headers which were absent in my original
> messages, thus making my signature invalid.


I've arrived at this thread also because of posting to the PostgreSQL
mailing list. Here's the actual recommendation I was given:

> This email has a DKIM signature on the List- headers of the email,
> indicating that it is not allowed to pass this email on through a
> mailinglist.
>
> Please ensure that emails you send to the list, and others hosted on the
> same server, allow re-sending on a mailinglist.


So I'm taking a little time to understand DKIM.

To date I have been using the exim default, _DKIM_SIGN_HEADERS [0], which
on my system is:

From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:\
Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:\
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:\
Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:\
List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive

I see it matches the RFC but is a lot more extensive than I can see in the
"wild" from other mail providers' signatures, which seem quite
conservative.

I think the PostgreSQL recommendation seems reasonable, but the doc leaves
me with some questions/ambiguities.

Mainly, that I'm having trouble parsing the documentation's explanation of
dkim_sign_headers entries [0]. I can see 4 cases:

* no prefix: sign the first instance of the named header or absence of it?

* = prefix: sign all instances of the named header, only if present?

* + prefix: sign all instances of the named header or the absence of it?

* repeated header name: sign up to n instances or the absence of it?

Therefore, if following the RFC (which suggests headers "should" be signed
"if they are present" [1]) there should be a lot more use of '=' in the
default? Especially "Resent-*" fields which the default effectively kills
the use of.

The modification to List-Id also leaves me wondering about "Sender". I was
previously under the impression mailing lists used/modified this, but
apparently not.

So I'm experimenting with:

  dkim_sign_headers = From:\
     =Sender:\
     To:\
     Cc:\
     Reply-To:\
     Subject:\
     Date:\
     Message-ID:\
     In-Reply-To:\
     References:\
     MIME-Version:\
     Content-Type:\
     Content-Transfer-Encoding:\
     Content-ID:\
     Content-Description:\
     =Resent-Date:\
     =Resent-From:\
     =Resent-To:\
     =Resent-Cc:\
     =Resent-Message-ID:\
     =List-Id:\
     =List-Help:\
     =List-Unsubscribe:\
     =List-Subscribe:\
     =List-Post:\
     =List-Owner:\
     =List-Archive


Finally (and a more theoretical problem than practical...) I'm not clear on
the value of the DKIM signature if it's the message itself that defines
the extent of what is signed (not some DNS record, for example).

Thanks

[0] https://www.exim.org/exim-html-current/doc/html/spec_html/ch-dkim_spf_srs_and_dmarc.html
[1] https://www.rfc-editor.org/rfc/rfc4871

--
Mark
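
The following is an added illustration, not part of the original message and not Exim's own code. It models why a name listed in h= for a header that is absent at signing time breaks verification once a list server adds that header. The prefix handling in `expand_sign_headers` is an assumption based on a reading of the Exim documentation [0]; the digest is a simplified stand-in for the real DKIM header hash, and all addresses and function names are constructed.

```python
import hashlib

def expand_sign_headers(spec, headers):
    """Expand an Exim-style dkim_sign_headers list into the h= names.
    Assumed semantics (reading of the Exim spec, not confirmed by this page):
    bare name -> one h= entry even if the header is absent;
    '=name'   -> one entry per instance present (none if absent);
    '+name'   -> one entry per instance present, plus one extra."""
    present = [name.lower() for name, _ in headers]
    h = []
    for item in spec.split(":"):
        item = item.strip()
        if not item:
            continue
        name = item.lstrip("=+").lower()
        count = present.count(name)
        if item.startswith("="):
            h += [name] * count
        elif item.startswith("+"):
            h += [name] * (count + 1)
        else:
            h.append(name)
    return h

def signed_header_digest(h, headers):
    """RFC 6376 section 5.4.2 selection: each h= name consumes the last
    not-yet-used instance of that header; a name with no instance left
    contributes nothing. Canonicalization here is deliberately simplified."""
    remaining = list(headers)
    digest = hashlib.sha256()
    for name in h:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                field, value = remaining.pop(i)
                digest.update(f"{field.lower()}:{value.strip()}\r\n".encode())
                break
    return digest.hexdigest()

def survives_list(spec, original, added):
    """True if the header hash is unchanged after the list adds headers."""
    h = expand_sign_headers(spec, original)  # h= is fixed when signing
    relayed = original + added
    return signed_header_digest(h, original) == signed_header_digest(h, relayed)

# Constructed sample message and the header a list server would add.
ORIGINAL = [("From", "a@example.org"), ("To", "list@example.org"), ("Subject", "hi")]
LIST_ADDED = [("List-Id", "<list.example.org>")]
```

With these samples, `survives_list("From:To:Subject:List-Id", ORIGINAL, LIST_ADDED)` is false while the `=List-Id` variant is true; the same mechanism is what lets a repeated `From:From` entry detect a second From header added in transit.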
