Gerard Seibert via Postfix-users wrote in
<CAEX3GthUm5jBtqJbzf_uMQ5o1e1=bhoicje9qvik4xkbxyf...@mail.gmail.com>:
i cannot answer your question (happy with LMDB but for simple
purposes only), but i want to state, and in public,
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seibercom.net;
s=google; t=1759588917; x=1760193717; darn=postfix.org;
h=to:subject:message-id:date:from:mime-version:
from:to:cc:subject:date:message-id:reply-to;
that you *too* (it is a trend that fosters happiness on the
arrival of a future DKIM healing bearer, for the wrong reasons)
only sign MIME-Version, but not Content-Type:, which is, well,
pretty useless, aka insecure (searching "noxxi dkim attack" should
give results).
reply-to was either not sealed ("oversigned") or unprotected,
should it have been part of the original email, too.
Mailing-Lists must mitigate if they break signatures, therefore
the only premise can be -- not only to me -- to sign as much as
goes. Note some broken mailing-lists (the one of the IETF, for
example) do not care if the original signature arrives in a broken
state downstream, so an explicit DMARC DNS record may be
beneficial to you.
Here are the default sets of protection for the dkim-sign-only
thing i had written, which is (the sets are) pretty much state of
the art:
$ /usr/lib/s-dkim-sign --header-sign-show
@: reply-to author from subject date to cc resent-author resent-date
resent-from resent-sender resent-to resent-cc resent-reply-to resent-message-id
in-reply-to references list-id list-help list-subscribe list-unsubscribe
list-post list-owner list-archive
*: reply-to author from subject date to cc resent-author resent-date
resent-from resent-sender resent-to resent-cc resent-reply-to resent-message-id
in-reply-to references list-id list-help list-subscribe list-unsubscribe
list-post list-owner list-archive mime-version content-type
content-transfer-encoding content-disposition content-id content-description
message-id mail-followup-to openpgp
^ These are signed if present.
$ /usr/lib/s-dkim-sign --header-seal-show
@: author from subject date to cc resent-author resent-date resent-from
resent-sender resent-to resent-cc resent-reply-to resent-message-id in-reply-to
references
*: author from subject date to cc resent-author resent-date resent-from
resent-sender resent-to resent-cc resent-reply-to resent-message-id in-reply-to
references mime-version content-type content-transfer-encoding
content-disposition content-id content-description message-id mail-followup-to
openpgp
+: author from subject date to cc resent-author resent-date resent-from
resent-sender resent-to resent-cc resent-reply-to resent-message-id in-reply-to
references mime-version content-type content-transfer-encoding
content-disposition content-id content-description message-id mail-followup-to
openpgp reply-to list-id list-help list-subscribe list-unsubscribe list-post
list-owner list-archive
^ These are sealed ("oversigned") regardless of presence.
Note the last here ("+") is a dedicated mailing-list default set,
my own config is
header-sign *, BlahBlahBlah
header-seal *, BlahBlahBlah
One could add more as necessary, like Disposition-Notification-To,
for example.
Ciao!
P.S.: unfortunately i was stupid and have not implemented
a "family trigger" thing, i.e., "mail uses MIME" -> sign and seal
the MIME family, "mail has List- headers", ".. has resent-" ..
you get the idea.
What i hate about DKIM v1, by the way, is the lengthy headers; all
the well known ones could very well have been abbreviated. Sigh.
P.P.S.: since i do not have these families, i need a dedicated
postfix listener for the mailing-lists, which thankfully is super
easy and pretty cheap:
localhost:421 inet n - n - - smtpd
  -o syslog_name=lhlist
  -o smtpd_milters=unix:private/dkim-sign-list
dkim-sign-list unix - n n - - spawn
  user=smtpd argv=/usr/libexec/s-dkim-sign -R /etc/postfix/dkim.rc
  --header-seal=+
For completeness' sake.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
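As an added illustration of the sign/seal distinction discussed in the post (example code written for this edit, not part of s-dkim-sign, Postfix or the original mail): the script parses the h= tag of a constructed message modelled on the quoted header, reports which names are merely signed, which are sealed (listed more often than they occur), and whether MIME-Version is signed while Content-Type is not; build_h_tag then produces an h= list from a "sign" set and a "seal" set with the semantics the post describes. The domain, selector, addresses and bh=/b= values in the sample are constructed placeholders.

```python
# Audit / build a DKIM h= tag with the post's sign (if present) and seal (always) semantics.
import re
from collections import Counter
from email import message_from_string

# Constructed sample modelled on the quoted header: MIME-Version is signed
# but Content-Type is not, and Cc/Reply-To are listed once without being present.
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net;
 s=sel; t=1759588917; bh=CONSTRUCTED=; b=CONSTRUCTED=;
 h=to:subject:message-id:date:from:mime-version:
  from:to:cc:subject:date:message-id:reply-to;
From: sender@example.net
To: list@example.org
Subject: constructed sample
Date: Sat, 04 Oct 2025 17:21:57 +0200
Message-ID: <constructed@example.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

body
"""

def parse_h_tag(dkim_header):
    """Lower-cased header names from the h= tag, folding whitespace removed."""
    tags = {}
    for part in dkim_header.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = re.sub(r"\s+", "", v)
    return [h.lower() for h in tags.get("h", "").split(":") if h]

def audit(raw_message):
    """Signed, sealed and unprotected header names, plus the MIME gap flag."""
    msg = message_from_string(raw_message)
    listed = Counter(parse_h_tag(msg["DKIM-Signature"]))
    occurs = Counter(k.lower() for k in msg.keys())
    # A verifier hashes a listed name with no remaining header as empty, so a
    # name listed more often than it occurs is sealed against later additions.
    sealed = sorted(h for h, n in listed.items() if n > occurs[h])
    unprotected = sorted(h for h in occurs if h not in listed and h != "dkim-signature")
    mime_gap = "mime-version" in listed and "content-type" not in listed
    return {"signed": sorted(listed), "sealed": sealed,
            "unprotected": unprotected, "mime_gap": mime_gap}

def build_h_tag(raw_message, sign, seal):
    """h= value in the post's style: sign-if-present, then seal every name."""
    occurs = Counter(k.lower() for k in message_from_string(raw_message).keys())
    names = [h for h in sign for _ in range(occurs[h])] + list(seal)
    return ":".join(names)
```

Running audit(RAW) flags Content-Type as unprotected and MIME-Version as signed but not sealed, which is exactly the gap the post criticises.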