Matus UHLAR - fantomas via Postfix-users wrote in
 <zqc5rnftyi7cw...@fantomas.sk>:
 |>* Bill Cole via Postfix-users:
 |>> Some systems are configured to "oversign" headers, essentially signing
 |>> the non-existence.
 |
 |On 24.07.24 02:11, Ralph Seichter via Postfix-users wrote:
 |>Shhh! We don't want to advertise that in this scenario, do we? ;-)
 |>Still, you are correct to point out that the DKIM spec allows for these
 |>kinds of shenanigans.
 |
 |In Debian/opendkim, only From: is oversigned, which is to prevent adding a
 |fake From: header which could confuse the recipient and/or its MUA.
 |
 |
 |>> Any addition of headers that are oversigned will break a DKIM
 |>> signature. Some ill-advised systems oversign List-* headers on every
 |>> message.
 |>
 |>Ill-advised is putting it mildly. If one is messing with the headers
 |>which make mailing lists work, but allows their users to subscribe to
 |>mailing lists, one is more than a little cuckoo.
 |
 |Looking at RFC 6376 section 5.4.1, it recommends signing these headers.
 |
 |However, together with the comment above, it should be safe if you don't
 |oversign them - I don't expect List-* headers to appear in any mail sent to
 |the list, and their appearance can indicate an error.
"Oversigning maximum" seems a built-in (possibly off-by-default) default, I
think. (Also remembering a saying of Scott Kitterman on some IETF list not
too long ago, this year.)

In the last version of my s-dkim-sign 0.6.2 (May 30th) I added even more
(also mostly useless combinations like content-id: that normally do not
happen in the main header). It is just that normal user email should not
seal headers that are necessarily placed by mailing-lists. I.e. my own
software has (thus) several built-in sets to choose from, with the special
"+" variant to be used by mailing-lists only:

  #?0|kent:src$ /usr/lib/s-dkim-sign --header-seal-show
  @: author from subject date to cc resent-author resent-date resent-from
     resent-sender resent-to resent-cc resent-reply-to resent-message-id
     in-reply-to references
  *: author from subject date to cc resent-author resent-date resent-from
     resent-sender resent-to resent-cc resent-reply-to resent-message-id
     in-reply-to references mime-version content-type
     content-transfer-encoding content-disposition content-id
     content-description message-id mail-followup-to openpgp
  +: author from subject date to cc resent-author resent-date resent-from
     resent-sender resent-to resent-cc resent-reply-to resent-message-id
     in-reply-to references mime-version content-type
     content-transfer-encoding content-disposition content-id
     content-description message-id mail-followup-to openpgp reply-to
     list-id list-help list-subscribe list-unsubscribe list-post list-owner
     list-archive

  #?0|kent:src$ /usr/lib/s-dkim-sign --header-sign-show
  @: reply-to author from subject date to cc resent-author resent-date
     resent-from resent-sender resent-to resent-cc resent-reply-to
     resent-message-id in-reply-to references list-id list-help
     list-subscribe list-unsubscribe list-post list-owner list-archive
  *: reply-to author from subject date to cc resent-author resent-date
     resent-from resent-sender resent-to resent-cc resent-reply-to
     resent-message-id in-reply-to references list-id list-help
     list-subscribe list-unsubscribe list-post list-owner list-archive
     mime-version content-type content-transfer-encoding
     content-disposition content-id content-description message-id
     mail-followup-to openpgp

I.e. I personally use

  header-sign *
  header-seal *

but for the mailing-lists I have a dedicated postfix master entry which
uses "+":

  dkim-sign unix - n n - - spawn
    user=smtpd argv=/usr/libexec/s-dkim-sign -R /etc/postfix/dkim.rc
  dkim-sign-list unix - n n - - spawn
    user=smtpd argv=/usr/libexec/s-dkim-sign -R /etc/postfix/dkim.rc --header-seal=+

(i.e. via

  localhost:421 inet n - n - - smtpd
    -o syslog_name=lhlist
    -o smtpd_milters=unix:private/dkim-sign-list

and mailman's

  DELIVERY_MODULE = 'SMTPDirect'
  SMTPHOST = 'localhost' # timbuktu
  SMTPPORT = 421
)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
| Only during dog days:
| On the 81st anniversary of the Goebbels' Sportpalast speech
| von der Leyen gave an overlong hypocritical inauguration one.
| The brew's essence of our civilizing advancement seems to be:
| Total war - shortest war -> Permanent war - everlasting war
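The h= selection rule of RFC 6376 section 5.4.2 that the whole thread turns on, as an added Python example that is not part of this post or of s-dkim-sign or opendkim. It models "sign" as listing a header name once per instance that actually exists and "seal" as listing it one extra time (oversigning); that sign/seal split is an assumption drawn from the sets shown above, and the message headers are constructed.

```python
from collections import Counter, defaultdict
from hashlib import sha256

# Constructed sample message headers (name, value), top to bottom.
MSG = [("From", "sender@example.invalid"), ("To", "list@example.invalid"),
       ("Subject", "DKIM and mailing lists"), ("Date", "Wed, 24 Jul 2024 10:00:00 +0000")]

def build_h_tag(headers, sign, seal):
    """Build the DKIM h= list. Names in 'sign' are listed once per instance that
    exists (absent header -> not listed); names in 'seal' are listed one extra
    time, which RFC 6376 5.4.2 allows so that a later-added copy breaks the
    signature.  (sign/seal semantics assumed, see lead-in.)"""
    present = Counter(n.lower() for n, _ in headers)
    listed = {n: present[n] for n in sign}
    for n in seal:
        listed[n] = present[n] + 1
    return [n for n, k in listed.items() for _ in range(k)]

def select_headers(headers, h):
    """RFC 6376 5.4.2 selection: each name in h= consumes the next unused
    instance counting from the BOTTOM of the header block; an exhausted name
    hashes as empty, so an instance added afterwards changes the hash."""
    pools = defaultdict(list)
    for name, value in headers:                 # crude 'relaxed' canonicalisation
        pools[name.lower()].append(f"{name.lower()}:{value.strip()}")
    return [pools[n].pop() if pools[n] else "" for n in h]

def header_hash(headers, h):
    return sha256("\r\n".join(select_headers(headers, h)).encode()).hexdigest()

def survives(original, modified, sign, seal):
    """True if a signature over 'original' still verifies against 'modified'."""
    h = build_h_tag(original, sign, seal)
    return header_hash(original, h) == header_hash(modified, h)

# A list adds List-Id: harmless when list-id is only 'signed' (absent, so not
# in h=), fatal when it is 'sealed' (listed once although absent), as with "+".
LIST_ADDED = MSG + [("List-Id", "<list.example.invalid>")]
# A second From: prepended above the real one: plain signing still selects the
# bottom (original) From and verifies, sealing From catches it (the opendkim case).
FROM_ADDED = [("From", "forged@example.invalid")] + MSG

if __name__ == "__main__":
    print(survives(MSG, LIST_ADDED, ["from", "subject", "list-id"], ["from"]))  # True
    print(survives(MSG, LIST_ADDED, ["from", "subject"], ["from", "list-id"]))  # False
    print(survives(MSG, FROM_ADDED, ["from", "subject"], []))                   # True
    print(survives(MSG, FROM_ADDED, ["from", "subject"], ["from"]))             # False
```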