Bug#939808: exim4: Very problematic default DKIM_SIGN_HEADERS

Guillem Jover guillem at debian.org
Mon Sep 9 03:10:33 BST 2019


Source: exim4
Source-Version: 4.92.2-2
Severity: important
Tags: patch

Hi!

The default DKIM_SIGN_HEADERS macro contains many headers that make
sending mails to mailing lists or (re)sending mails on someone's
behalf pretty much infeasible. This has big impact on systems with
strict DKIM and DMARC policies.

There are several of the listed fields that are intended to be set by the
system resending a mail, be that a mailing list or a third-party. If these
fields are listed in the default set it means any mail going through those
systems will contain a signature for an empty header, which will then be
filled and fail signature validation. Moreover, RFC4871 and RFC6376
in their §5.4 section mention that signing missing fields should be done
carefully.

Mark Sender and all Resent-* and List-* fields to only be signed if
present.

Add also duplicate entries for the From and Subject fields, to reject
appended fields.

There's a related write up at
<https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html>.

I'm attaching a patch that should fix this.

Thanks,
Guillem
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Fix-default-dkim-sign-headers.patch
Type: text/x-diff
Size: 2060 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-exim4-maintainers/attachments/20190909/42ee2443/attachment.patch>
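The two failure modes the report describes (a signature covering an absent Sender/List-* header that a mailing list later adds, and a single From entry that leaves room for a prepended From) can be reproduced with the header-selection rule of RFC 6376 section 5.4.2 alone. The script below is an added example, not code from the bug report, from Exim or from Debian's configuration. It reimplements relaxed header canonicalization and the h= selection rule, and models the signing spec using the `=` (sign only if present) and `+` (oversign: one extra entry so no instance can be appended) prefixes that the Exim manual documents for `dkim_sign_headers`; the parsing of that spec is my own, and the message headers are constructed. Two simplifications are assumed: the DKIM-Signature header itself is left out of the hash input, and the "signature" is the bare SHA-256 of the canonicalized headers instead of an RSA/Ed25519 signature over it. Neither changes which messages verify, because signer and verifier compute the same bytes either way.

```python
import hashlib
import re


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed header canonicalization."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse WSP, strip ends
    return f"{name.lower()}:{value}\r\n"


def select_headers(headers, h_tags):
    """RFC 6376 section 5.4.2: walk h= in order; for each name take the last
    not-yet-used instance in the header block (bottom-up). A name with no
    remaining instance selects nothing but is still covered: a header added
    later under that name changes the hash and breaks the signature."""
    used = [False] * len(headers)
    selected = []
    for name in h_tags:
        for i in range(len(headers) - 1, -1, -1):
            if not used[i] and headers[i][0].lower() == name.lower():
                used[i] = True
                selected.append(headers[i])
                break
    return selected


def header_hash(headers, h_tags):
    # Stand-in for the signed hash (assumption: no DKIM-Signature header, no RSA).
    data = b"".join(relaxed_header(n, v).encode()
                    for n, v in select_headers(headers, h_tags))
    return hashlib.sha256(data).hexdigest()


def expand_sign_spec(headers, spec):
    """Turn a colon-separated signing spec into the h= list the signer emits.
    Prefix semantics follow the Exim manual for dkim_sign_headers (this is my
    reimplementation, not Exim's code):
      name   -> listed once, present or not (absent header is signed as empty)
      =name  -> listed only if the header is present
      +name  -> listed once per instance plus one extra, so none can be appended
    """
    present = {}
    for n, _ in headers:
        present[n.lower()] = present.get(n.lower(), 0) + 1
    h_tags = []
    for item in spec.split(":"):
        item = item.strip()
        if not item:
            continue
        if item.startswith("="):
            name = item[1:].lower()
            if present.get(name, 0):
                h_tags.append(name)
        elif item.startswith("+"):
            name = item[1:].lower()
            h_tags.extend([name] * (present.get(name, 0) + 1))
        else:
            h_tags.append(item.lower())
    return h_tags


def sign(headers, spec):
    h_tags = expand_sign_spec(headers, spec)
    return h_tags, header_hash(headers, h_tags)


def verify(headers, h_tags, sig):
    return header_hash(headers, h_tags) == sig


# Constructed sample message as submitted by the author (no Sender, no List-*).
ORIGINAL = [
    ("From", "Alice <alice@example.org>"),
    ("To", "discuss@lists.example.net"),
    ("Subject", "DKIM and mailing lists"),
    ("Date", "Mon, 9 Sep 2019 03:10:33 +0100"),
]


def list_adds_sender(headers):
    """What a mailing-list expander does: add Sender and List-* on resend."""
    return headers + [("Sender", "discuss-bounces@lists.example.net"),
                      ("List-Id", "<discuss.lists.example.net>")]


def prepend_from(headers):
    """What an attacker does: prepend a second From, the one most MUAs display."""
    return [("From", "CEO <ceo@example.org>")] + headers


def survives_list(spec):
    """True if a message signed with `spec` still verifies after the list resends it."""
    h, sig = sign(ORIGINAL, spec)
    return verify(list_adds_sender(ORIGINAL), h, sig)


def blocks_prepended_from(spec):
    """True if a prepended From header invalidates a signature made with `spec`."""
    h, sig = sign(ORIGINAL, spec)
    return not verify(prepend_from(ORIGINAL), h, sig)


if __name__ == "__main__":
    print("sender:list-id always signed, survives list:",
          survives_list("from:to:subject:date:sender:list-id"))        # False
    print("=sender:=list-id, survives list:",
          survives_list("from:to:subject:date:=sender:=list-id"))      # True
    print("from once, blocks prepended From:",
          blocks_prepended_from("from:to:subject:date"))               # False
    print("from:from, blocks prepended From:",
          blocks_prepended_from("from:from:to:subject:date"))          # True
    print("+from, blocks prepended From:",
          blocks_prepended_from("+from:to:subject:date"))              # True
```

The first pair shows the mailing-list breakage: an absent Sender that is nonetheless listed in h= is hashed as nothing at signing time, and the list's Sender then changes the hash, while `=sender` simply leaves it out of h= when absent. The second pair shows why the duplicate From/Subject entries matter: with From listed once, bottom-up selection keeps covering the original From and a prepended one is never hashed, whereas From:From (or `+from`) consumes the extra instance and the signature fails.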

