> I think the PostgreSQL recommendation seems reasonable, but the doc leaves
> me with some questions/ambiguities.
>
> Mainly, that I'm having trouble parsing the documentation's explanation of
> dkim_sign_headers entries [0]. I can see 4 cases:
>
> * no prefix: sign the first instance of the named header or absence of it?
>
> * = prefix: sign all instances of the named header, only if present?
>
> * + prefix: sign all instances of the name header or the absence of it?
>
> * repeated header name: sign up to n instances or the absence of it?
>
> Therefore, if following the RFC (which suggests headers "should" be signed
> "if they are present" [1]) there should be a lot more use of '=' in the
> default? Especially "Resent-*" fields which the default effectively kills
> the use of.
My understanding of DKIM signatures is that if you sign an instance of a
header and it's not present, you are effectively signing the fact that
the header is absent (this is called 'oversigning' in some
documentation). In theory there can be multiple instances of a header
and in the DKIM-Signature header each mention covers only one instance.
So if you list a header more than once, you're signing multiple
instances of it (in a defined order); if there's only one instance of a
header in the message you're signing but an extra one in DKIM-Signature,
you're 'oversigning' the header so that no new instances of it can be
added.
(In practice it's very rare and generally alarming to see multiple
instances of most headers.)
In Exim, the no-prefix case signs the header whether or not it's
present, so for present headers you're signing the first instance and
the absent headers you're signing the absence. An '=' prefix merely
signs an existing header without oversigning an absent one to block its
addition, and a + signs existing headers *plus* one additional instance
(and absent headers are signed once), meaning that no further instances
of the header can be added.
As you note, a sensible Exim default might be to use = a lot more than
the current settings. The current Exim default appears to break the DKIM
signature if your message goes through a mailing list or a re-sending
that's polite enough to add explicit headers, but leaves it unbroken if
the mailing list or resender is silent about it, which doesn't really
seem ideal.
> The modification to List-Id also leaves me wondering about "Sender". I was
> previously under the impression mailing lists used/modified this, but
> apparently not.
My impression is that Sender is relatively obscure now. It was
originally mostly used to identify a human who had sent the message 'on
behalf of' the From: address. In practice various mail clients and MTAs
would add a Sender: if they could identify that the submitter of the
message wasn't the From:. Most mailing lists didn't set a Sender:
because they weren't acting this way (or didn't consider themselves to
be).
These days I believe most MTA setups either block unauthorized From:
alterations entirely or don't really care about it, so don't force the
addition of Sender:. A typical IMAP client will let you set your From:
to whatever you want and then generally doesn't add any sort of Sender:,
because that's not what people want. (You can probably set your IMAP
client to add one by hand if you want to.)
> Finally (and more theoretical problem than practical...) I'm not clear
> of the value of the DKIM signature if it's the message itself that
> defines the extent of what is signed (not some DNS record for example)
The signing system decides what will be signed and what key to use, but
the key must be in the DNS, so in a way the extent of what to sign is
linked to the DNS. One of the things this does is preserve the freedom
of the signing system to sign different headers in different contexts,
without having receiving systems parse various things out of DNS.
- cks
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/