Re: DKIM, multiple domains, same server -- want to always sign, not just for remote delivery

2019-08-24 Thread Andrew McGlashan



On 24/8/19 7:51 pm, Andrew McGlashan wrote:
> but most already email users won't have a clue.

... but most *ordinary* email users ...

And an Enigmail setting gives me the confirmation before sending (not
TB itself).

A.





Re: DKIM, multiple domains, same server -- want to always sign, not just for remote delivery

2019-08-24 Thread Andrew McGlashan

Hi,

On 24/8/19 7:24 pm, Reco wrote:
> On Sat, Aug 24, 2019 at 03:27:09PM +1000, Andrew McGlashan wrote:
>> Okay, I've changed the DKIM_SIGN_HEADERS ... let's see if
>> this is good, thanks
> 
> This e-mail passed DKIM check for me, previous one failed it.

Yes, I checked my copy from the list already; thank you.

The default, I believe, is to sign all headers, I didn't have data set
for DKIM_SIGN_HEADERS before, but obviously I do now and hence why the
list mail is now good.  Similarly for gpg signed emails, I
deliberately do inline signing for mailing lists because it validates
cleanly.

>>> Also, "Autocrypt: prefer-encrypt=mutual" for a list mail?
>> Yes, that is an Enigmail thing
> 
> Let's hope that two users of Enigmail won't meet here, as the
> result would be encrypted e-mails sent to the list.

Yes.  I do have "automatically encrypt" set to never at least.  I also
have TB present confirmation of GPG status *before* sending so I can
be sure which emails are signed and/or encrypted before I let them go.

>> Yes, not sure yet, but I think if the email is being "sent" by
>> any mail server and even if it is being locally delivered, then
>> at the "send" point, DKIM signing should take place.
> 
> Nope. I repeat, see the macros. Exim should take a decision to
> invoke a SMTP session for DKIM to trigger.

I get it, but I still don't like it.  For those that fully understand
what they are doing with GPG signed and/or encrypted email, they can
mitigate against authenticity issues due to tampering, but most
already email users won't have a clue.

>> One of the reasons for signing is to keep the emails fully
>> authentic and to (perhaps) remove the possibility of anyone
>> tampering with an email source and saying "you sent this"
>> when they doctored it.  This might be very important at the
>> /same/ mail server level, especially within a single
>> organization.
> 
> That's true, but I see no reason why one cannot implement this
> useful policy on a transit MTA.

Yeah, not so sure about that, but I'm not going to worry about it too
much right now.

>> Yes, I think it might be a kludge that isn't worth doing; perhaps
>> an adjustment to how Exim itself handles this situation would
>> help.
> 
> All I can say is that I wish you luck in implementing it.

I don't expect to do any kludges for this, and I still think that if
an email is "submitted" for delivery, once it is accepted it should be
signed immediately, then delivery can happen any which way.  That is,
early sign if that is possible, then it won't matter if it is locally
delivered or delivered via remote SMTP.

Kind Regards
AndrewM




Re: DKIM, multiple domains, same server -- want to always sign, not just for remote delivery

2019-08-24 Thread Reco
Hi.

On Sat, Aug 24, 2019 at 03:27:09PM +1000, Andrew McGlashan wrote:
> Okay, I've changed the DKIM_SIGN_HEADERS ... let's see if this is
> good, thanks

This e-mail passed DKIM check for me, previous one failed it.


> > Also, "Autocrypt: prefer-encrypt=mutual" for a list mail?
> Yes, that is an Enigmail thing

Let's hope that two users of Enigmail won't meet here, as the result
would be encrypted e-mails sent to the list.


> Yes, not sure yet, but I think if the email is being "sent" by any mail
> server and even if it is being locally delivered, then at the "send"
> point, DKIM signing should take place.

Nope. I repeat, see the macros. Exim should take a decision to invoke a
SMTP session for DKIM to trigger.


> One of the reasons for signing is to keep the emails fully authentic and
> to (perhaps) remove the possibility of anyone tampering with an email
> source and saying "you sent this" when they doctored it.  This might
> be very important at the /same/ mail server level, especially within a
> single organization.

That's true, but I see no reason why one cannot implement this useful
policy on a transit MTA.


> Yes, I think it might be a kludge that isn't worth doing; perhaps an
> adjustment to how Exim itself handles this situation would help.

All I can say is that I wish you luck in implementing it.

Reco



Re: DKIM, multiple domains, same server -- want to always sign, not just for remote delivery

2019-08-23 Thread Andrew McGlashan


Hi,

On 22/8/19 7:52 pm, Reco wrote:
> On Thu, Aug 22, 2019 at 07:27:23PM +1000, Andrew McGlashan wrote:
>> I have DKIM setup, however, it only signs messages that are being
>> delivered via SMTP to another server.
>
> Your DKIM policy is somewhat unusual. You sign transport headers
> (Resent-From et al), headers inserted by list MTA (List-Subscribe,
> List-Archive). Modification of these is something that's expected if
> using any maillist, so DKIM checks are bound to fail.
>
> For the comparison, I use this set of headers for DKIM signing:
>
> DKIM_SIGN_HEADERS=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date:Sender:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:User-Agent

Okay, I've changed the DKIM_SIGN_HEADERS ... let's see if this is
good, thanks

> Also, "Autocrypt: prefer-encrypt=mutual" for a list mail?

Yes, that is an Enigmail thing

>> Why is it not valid to sign to the same domain name and/or other
>> domain names served by the same mail server and NOT having to make
>> an SMTP outgoing connection?
>
> Because stock exim4 macros are supposed to do so for remote MTAs only,
> see /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp*.

Yes, not sure yet, but I think if the email is being "sent" by any mail
server and even if it is being locally delivered, then at the "send"
point, DKIM signing should take place.

One of the reasons for signing is to keep the emails fully authentic and
to (perhaps) remove the possibility of anyone tampering with an email
source and saying "you sent this" when they doctored it.  This might
be very important at the /same/ mail server level, especially within a
single organization.

>> How can I adjust exim4 so that it will sign ALL outgoing emails, even
>> if "outgoing" is only to the same server to another within the same
>> and/or different domain name(s) ... ?
>
> No easy way of doing this. "Outgoing to the same server" equals "local
> delivery", and local delivery is run for any inbound mail too.
> You could write some kludge that calls DKIM signing by analyzing
> Received header, but that's fragile at best.

Yes, I think it might be a kludge that isn't worth doing; perhaps an
adjustment to how Exim itself handles this situation would help.

> Reco

- --
Kind Regards
AndrewM



Re: DKIM, multiple domains, same server -- want to always sign, not just for remote delivery

2019-08-22 Thread Reco
Hi.

On Thu, Aug 22, 2019 at 07:27:23PM +1000, Andrew McGlashan wrote:
> I have DKIM setup, however, it only signs messages that are being
> delivered via SMTP to another server.

Your DKIM policy is somewhat unusual. You sign transport headers
(Resent-From et al), headers inserted by list MTA (List-Subscribe,
List-Archive). Modification of these is something that's expected if
using any maillist, so DKIM checks are bound to fail.

For the comparison, I use this set of headers for DKIM signing:

DKIM_SIGN_HEADERS=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date:Sender:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:User-Agent


Also, "Autocrypt: prefer-encrypt=mutual" for a list mail?

> Why is it not valid to sign to the same domain name and/or other
> domain names served by the same mail server and NOT having to make an
> SMTP outgoing connection?

Because stock exim4 macros are supposed to do so for remote MTAs only,
see /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp*.


> How can I adjust exim4 so that it will sign ALL outgoing emails, even
> if "outgoing" is only to the same server to another within the same
> and/or different domain name(s) ... ?

No easy way of doing this. "Outgoing to the same server" equals "local
delivery", and local delivery is run for any inbound mail too.
You could write some kludge that calls DKIM signing by analyzing
Received header, but that's fragile at best.

Reco
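
Added example, not part of the original thread: a Python sketch of the header-selection step from RFC 6376 (relaxed canonicalization, section 5.4.2 ordering), showing why a signature covering Resent-From or List-* headers stops verifying once a list adds them, while the header list quoted above is unaffected. It hashes only the selected headers; the body hash, the DKIM-Signature field itself and the RSA step are left out. LIST_FRAGILE, the sample headers and all function names are constructed for illustration.

```python
import hashlib

# Header list quoted in the message above.
LIST_SAFE = ("In-Reply-To:Content-Type:MIME-Version:References:Message-ID:"
             "Subject:To:From:Date:Sender:Cc:Content-Transfer-Encoding:"
             "Content-ID:Content-Description:User-Agent").split(":")
# Constructed for contrast: same list plus the headers the message names
# as rewritten or inserted in transit.
LIST_FRAGILE = LIST_SAFE + ["Resent-From", "List-Subscribe", "List-Archive"]

# Constructed sample headers (top to bottom): as submitted, then as relayed.
SENT = [("From", "sender@example.org"),
        ("To", "list@lists.example.net"),
        ("Subject", "DKIM test"),
        ("Date", "Sat, 24 Aug 2019 15:27:09 +1000"),
        ("Message-ID", "<constructed-1@example.org>")]
RELAYED = [("Resent-From", "list@lists.example.net"),
           ("List-Subscribe", "<mailto:list-request@lists.example.net>"),
           ("List-Archive", "<https://lists.example.net/archive/>")] + SENT


def relaxed(name, value):
    """Relaxed header canonicalization, RFC 6376 section 3.4.2."""
    return f"{name.strip().lower()}:{' '.join(value.split())}\r\n"


def signed_header_digest(headers, h_names):
    """SHA-256 over the header fields selected by an h= list.

    A name in h= with no remaining instance contributes nothing, so a
    header added later under that name changes the digest.
    """
    remaining = list(headers)
    data = []
    for wanted in h_names:
        # Repeated names are consumed from the bottom of the block upward.
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                data.append(relaxed(*remaining.pop(i)))
                break
    return hashlib.sha256("".join(data).encode()).hexdigest()


def survives_list(h_names):
    """True if the digest is the same before and after list relay."""
    return (signed_header_digest(SENT, h_names)
            == signed_header_digest(RELAYED, h_names))
```
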



Re: DKIM, multiple domains, same server -- want to always sign, not just for remote delivery

2019-08-22 Thread basti
> Hi,
> 
> I have DKIM setup, however, it only signs messages that are being
> delivered via SMTP to another server.
> 
> Why is it not valid to sign to the same domain name and/or other
> domain names served by the same mail server and NOT having to make an
> SMTP outgoing connection?
> 
> How can I adjust exim4 so that it will sign ALL outgoing emails, even
> if "outgoing" is only to the same server to another within the same
> and/or different domain name(s) ... ?
> 
> As this email is going external, it will be signed, but a local bcc
> copy to myself will not be signed.
> 
> btw all external tests for the signature work fine, but the list
> interferes with the email headers in such a way that checking the DKIM
> signature fails... (as evidenced from an older incoming email sent by
> myself to the list and coming in via the list).
> 
> Thanks and Kind Regards
> AndrewM
> 
Hello, I think the exim mailing list is a better place to answer this
question. I also prefer a "simple" exim4.conf without all the Debian stuff.

/usr/share/doc/exim4-base/spec.txt.gz is a very good manual page.

In my opinion it is enough to sign mails sent via SMTP.

Best Regards



DKIM, multiple domains, same server -- want to always sign, not just for remote delivery

2019-08-22 Thread Andrew McGlashan

Hi,

I have DKIM setup, however, it only signs messages that are being
delivered via SMTP to another server.

Why is it not valid to sign to the same domain name and/or other
domain names served by the same mail server and NOT having to make an
SMTP outgoing connection?

How can I adjust exim4 so that it will sign ALL outgoing emails, even
if "outgoing" is only to the same server to another within the same
and/or different domain name(s) ... ?

As this email is going external, it will be signed, but a local bcc
copy to myself will not be signed.

btw all external tests for the signature work fine, but the list
interferes with the email headers in such a way that checking the DKIM
signature fails... (as evidenced from an older incoming email sent by
myself to the list and coming in via the list).

Thanks and Kind Regards
AndrewM