On Sat, Aug 14, 2021 at 01:22:43AM +0200, Benny Pedersen <m...@junc.eu> wrote:
> On 2021-08-14 01:10, raf wrote:
>
> > h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;
>
> note 2 instances of From
>
> i bet both is not dkim signed, or both From is not in the received dkim
> validator seen

It's normal for From to appear twice in the list of headers to include in
the signature. It doesn't mean that there are two From: headers in the
message. It means that the From: header is included twice in the data being
signed. But it's odd. The extra inclusion is as an empty From: header. So
it's not a mistake. It's default behaviour in OpenDKIM. Here's an extract
from /etc/opendkim.conf that tries to explain why:

  # Always oversign From (sign using actual From and a null From to prevent
  # malicious signatures header fields (From and/or others) between the signer
  # and the verifier. From is oversigned by default in the Debian package
  # because it is often the identity key used by reputation systems and thus
  # somewhat security sensitive.
  OversignHeaders From

"Oversigning" the From: header prevents an additional From: header being
added without invalidating the signature. This is desirable because it might
be that the real From: header satisfies DKIM, but the second malicious From:
is shown to the user perhaps (or vice versa).

Documentation for rspamd says "Oversigned headers cannot be appended to a
message". But the above makes me think that the intent of oversigning is to
say that if an extra From: header was added, it would get noticed, but I
don't understand why you couldn't just have 3+ From: headers, the normal
signed one, then one or more empty oversigned ones, and then a final
malicious one that doesn't affect DKIM because only the first two were
included in the signed data? Hopefully, that's not the case. I'll have to
read the RFC one of these days to understand it properly.

cheers,
raf
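The header-selection rule from RFC 6376 section 5.4.2 that oversigning relies on, as an added illustration (Python) that is not part of the original thread: each name in h= consumes the next unused instance of that header counting from the bottom of the header block, so every From: instance beyond the number of slots the signer listed lands in a signed slot, however many are added. The header blocks are constructed, and a SHA-256 over the selected canonicalized headers stands in for the data a real DKIM signature covers.

```python
import hashlib
import re

# Constructed header blocks as (name, value) in message order, top to bottom.
ORIGINAL = [("From", "alice@example.com"), ("To", "bob@example.com"), ("Subject", "hello")]
# The same message with one extra From: inserted above the signed one after signing.
ONE_EXTRA_FROM = [("From", "mallory@example.net")] + ORIGINAL
# ... and with two extra From: headers inserted above the signed one.
TWO_EXTRA_FROM = [("From", "mallory@example.net"), ("From", "eve@example.net")] + ORIGINAL


def relaxed_header(name, value):
    """Simplified 'relaxed' header canonicalization (RFC 6376 section 3.4.2)."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse runs of whitespace
    return f"{name.lower()}:{value}\r\n"


def select_signed_headers(headers, h_tag):
    """RFC 6376 section 5.4.2: each name in h= takes the next unused instance of
    that header counting from the bottom of the block.  A name listed more
    times than it occurs contributes nothing (the 'null From' of oversigning)."""
    remaining = list(headers)
    selected = []
    for wanted in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                selected.append(remaining.pop(i))
                break
    return selected


def header_hash(headers, h_tag):
    """Hash of the selected, canonicalized headers.  Stands in for the signed
    data (a real verifier also covers the DKIM-Signature header with b= emptied)."""
    data = "".join(relaxed_header(n, v) for n, v in select_signed_headers(headers, h_tag))
    return hashlib.sha256(data.encode()).hexdigest()


def signature_survives(h_tag, tampered):
    """True if the tampering leaves the signed data unchanged, i.e. a verifier
    would still accept a signature that was computed over ORIGINAL."""
    return header_hash(ORIGINAL, h_tag) == header_hash(tampered, h_tag)


if __name__ == "__main__":
    for h_tag in ("From:To:Subject", "From:To:Subject:From"):
        for label, msg in (("one extra From", ONE_EXTRA_FROM), ("two extra From", TWO_EXTRA_FROM)):
            print(f"h={h_tag:21} {label}: signature survives = {signature_survives(h_tag, msg)}")
```

Without the second From in h=, the verifier only ever looks at the bottom-most From: and the added header goes unnoticed; with it, the added header fills the second slot and the signature fails, and a third or fourth From: changes nothing because the slots are always filled from the bottom.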