On Thu, 31 Jul 2025, Mark Hills via Exim-users wrote:
On Wed, 23 Jul 2025, Slavko via Exim-users wrote:
Hi,
On 23 Jul 2025 09:57:00 +0200 John Levine via Exim-users
<[email protected]> wrote:
I was tracing down a strange bug in which mail sent to a role account
in an IETF working group was forwarded to the recipient's Gmail
account and appeared with a big ugly security warning saying invalid
DKIM signature. I found that the sender's mail system adds a DKIM
signature that oversigns the Resent-xxx headers (i.e., it asserts
that they don't exist.) When the IETF forwards the mail, it
correctly adds Resent-xxx headers, which breaks the signature and
causes the warning.
...
Does Exim do that by default? If so, please don't.
AFAIK yes ;-) While I do not meet problems with Resent-* headers, the
same situation exists with List-* headers, which I have already met (not
caused by my server, but noticed in my ML experiments).
[...]
I agree that Exim's default is actively harmful;
That does need fixing.
users should not be expected to change this.
RFC 6376 section 5.4 suggests that there are several strategies for
choosing which headers to sign.
I think it should not be for the exim developers to do more than
pick a default which is safe and useful to a reasonable class of users.
Users with different needs, and distributions that write their own
configs that better suit their users, *should* think about which headers
to sign and over-sign.
There is a previous thread, and it shows the headers I have been using
with much greater success:
https://lists.exim.org/lurker/message/20231103.101601.7232f2f9.en.html
Jeremy appears to have little enthusiasm for choosing DKIM headers;
if this list could agree a set of defaults which is at least safe,
I imagine that would be very helpful.
Also, on a related note, RFC 8058 makes it mandatory to sign the
List-Unsubscribe-Post header, which is in none of these. We had to change
that on a mailing list host.
I have created
https://bugs.exim.org/show_bug.cgi?id=3153
--
Andrew C. Aitchison Kendal, UK
[email protected]
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
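To make concrete what the RFC 6376 section 5.4 oversigning discussed in this thread does, and why it breaks on forwarding, here is an added Python example. It is not Exim's code and not from any poster in the thread. It implements the h= header-selection rule of RFC 6376 section 5.4.2 and the relaxed header canonicalisation of section 3.4.2, hashes the selected headers, and compares the digest before and after (a) a forwarder adds Resent-* headers and (b) an attacker prepends a second From: field. The sample message, the h= lists and the Resent-* values are constructed for the example; the actual signing step (appending the DKIM-Signature field with an empty b= and signing the digest) is left out because it is identical in every case and does not change the comparison.

```python
"""
DKIM header oversigning demo (added example; not Exim's code).

RFC 6376 section 5.4.2: each name in the h= tag selects the last
not-yet-used instance of that header, counting from the bottom of the
header block. A name listed more often than the header occurs selects
nothing, which commits the signature to the absence of further
instances ("oversigning"). If a downstream hop later adds such a
header (Resent-*, List-*), the verifier finds an instance the signer
did not hash and the signature fails.
"""
import hashlib
import re


def relaxed_header(name, value):
    """Relaxed header canonicalisation (RFC 6376 section 3.4.2)."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse runs of WSP
    return name.lower() + ":" + value + "\r\n"


def select_signed_headers(headers, h_tag):
    """
    Header selection per RFC 6376 section 5.4.2. `headers` is a list of
    (name, value) pairs in message order; `h_tag` is the h= list. Walk
    h= left to right and, for each name, take the bottom-most instance
    not already used. A name with no instance left selects nothing.
    """
    unused = list(headers)
    chosen = []
    for name in h_tag:
        for i in range(len(unused) - 1, -1, -1):
            if unused[i][0].lower() == name.lower():
                chosen.append(unused.pop(i))
                break
    return chosen


def header_hash(headers, h_tag):
    """SHA-256 over the canonicalised selected headers. A real signer
    also appends the DKIM-Signature field (b= emptied) before signing;
    that part is the same for every case here, so it is omitted."""
    data = "".join(relaxed_header(n, v)
                   for n, v in select_signed_headers(headers, h_tag))
    return hashlib.sha256(data.encode("ascii")).hexdigest()


# Constructed sample message (not taken from the thread).
ORIGINAL = [
    ("From", "Alice <alice@example.org>"),
    ("To", "wg-chairs@ietf.example"),
    ("Subject", "Re: draft-example-00 review"),
    ("Date", "Wed, 23 Jul 2025 09:57:00 +0200"),
    ("Message-ID", "<20250723075700.1@example.org>"),
]


def forward_with_resent(headers):
    """What a forwarder or role-account expander does: it prepends
    Resent-* fields (RFC 5322 section 3.6.6). Values are constructed."""
    return [("Resent-From", "wg-chairs@ietf.example"),
            ("Resent-To", "chair@example.com"),
            ("Resent-Date", "Thu, 24 Jul 2025 10:00:00 +0000")] + headers


def prepend_spoofed_from(headers):
    """An attacker replays the signed message with an extra From: on top,
    the attack that oversigning From: is meant to defeat."""
    return [("From", "ceo@example.org")] + headers


def signature_survives(h_tag, transform):
    """True if a signature made with h= `h_tag` over ORIGINAL still
    matches after `transform` has altered the header block."""
    return header_hash(ORIGINAL, h_tag) == header_hash(transform(ORIGINAL), h_tag)


# Assumed h= lists for the comparison; none of these is Exim's default.
H_BASIC = ["From", "To", "Subject", "Date", "Message-ID"]
H_OVERSIGN_FROM = H_BASIC + ["From"]            # asserts: no second From:
H_OVERSIGN_RESENT = H_BASIC + ["Resent-From",   # asserts: no Resent-* at all
                               "Resent-To", "Resent-Date"]

if __name__ == "__main__":
    for label, h in [("basic", H_BASIC),
                     ("oversign From", H_OVERSIGN_FROM),
                     ("oversign Resent-*", H_OVERSIGN_RESENT)]:
        print(f"{label:18} survives forwarding: "
              f"{signature_survives(h, forward_with_resent)!s:5}  "
              f"survives spoofed From: "
              f"{signature_survives(h, prepend_spoofed_from)}")
```

Running it prints three rows that show the trade-off the thread is about: the basic h= survives forwarding but also verifies after a second From: is prepended (the verifier picks the bottom-most From:, the one that was signed, while the recipient's client shows the top one); oversigning From: catches that spoof and costs nothing on forwarding; oversigning Resent-* breaks every legitimate forward, which is the warning John Levine saw at Gmail. The same selection logic applies to List-* headers added by a mailing list.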