DKIM signing options - specially list of headers
I post messages from time to time to Spamassassin mailing list, and
several members have been complaining about my DKIM setup - they say
they can't receive my emails because of it. Specifically, the complaint
is that my Exim signs the List-* headers. Now I can't really figure this
one out. There don't seem to be any fine-grained DKIM signing options in
Exim. My messages to the list arrive looking like this:


DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=open-t.co.uk; s=20170820; h=Content-Transfer-Encoding:Content-Type:
MIME-Version:Date:Message-ID:Subject:From:To:Sender:Reply-To:Cc:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=d0g337Alhc+FWBBtMm7w/Hn67G4jbr0RsFSBcWDK2fc=;
b=Nhn9sI6K1G8+vOfCsguSXGA8+6
0Aap3I3NcIZ3F21rrGivbp2eS+Gz42GAn/NvYrrz9RkYL5/PIqr5a6v8QhEio6KGSO1d/RIZVQMaf
V7qqFyvU8GB3MAYavZa+MsLAOmVgxSk3rSAbE+Bk2RER08QGjwLKxEOotKSy6vXzF25s=;


(sorry for the odd line breaks - it looks ok in the actual header of the
email)

My question is, the list of headers -
"h=Content-Transfer-Encoding:Content-Type:MIME-Version ...." - where
does that get generated? Is it on my Exim box - or further down the
line? Also, why is that preventing users of the mailing list from
receiving my messages?

My setup is fairly simple - Thunderbird -> Exim -> and then direct
sending to the recipient server.

Any hints or pointers to reading material would be much appreciated

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: DKIM signing options - specially list of headers
Hi, Sebastian -

You didn't tell us the version of Exim you're running so I can't give you
the exact chapter/section names, but if you look in the *Specification* for
the chapter on DKIM, in the section called something like *Signing outgoing
messages* you'll find the description of dkim_sign_headers.

However I'd have thought that the default set of headers should be OK as
the *Specification* does explain:

When unspecified, the header names listed in RFC4871 will be used, whether
or not each header is present in the message. The default list is available
for the expansion in the macro "_DKIM_SIGN_HEADERS".


In particular that RFC's *Recommended Signature Content
<https://tools.ietf.org/html/rfc4871#section-5.5>* explicitly recommends
DKIM-signing various List-* headers. I'd be tempted to point this out to
the people complaining and suggest they look elsewhere for the cause of
their problems.

Cheers,
Mike B-)

On Tue, 31 Jul 2018 at 09:51, Sebastian Arcus via Exim-users <
exim-users@exim.org> wrote:

> I post messages from time to time to Spamassassin mailing list, and
> several members have been complaining about my DKIM setup - they say
> they can't receive my emails because of it. Specifically, the complaint
> is that my Exim signs the List-* headers. Now I can't really figure this
> one out. There don't seem to be any fine-grained DKIM signing options in
> Exim. My messages to the list arrive looking like this:
>
>
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=open-t.co.uk; s=20170820;
> h=Content-Transfer-Encoding:Content-Type:
>
> MIME-Version:Date:Message-ID:Subject:From:To:Sender:Reply-To:Cc:Content-ID:
>
> Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
>
> :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
> List-Subscribe:List-Post:List-Owner:List-Archive;
> bh=d0g337Alhc+FWBBtMm7w/Hn67G4jbr0RsFSBcWDK2fc=;
> b=Nhn9sI6K1G8+vOfCsguSXGA8+6
>
> 0Aap3I3NcIZ3F21rrGivbp2eS+Gz42GAn/NvYrrz9RkYL5/PIqr5a6v8QhEio6KGSO1d/RIZVQMaf
>
> V7qqFyvU8GB3MAYavZa+MsLAOmVgxSk3rSAbE+Bk2RER08QGjwLKxEOotKSy6vXzF25s=;
>
>
> (sorry for the odd line breaks - it looks ok in the actual header of the
> email)
>
> My question is, the list of headers -
> "h=Content-Transfer-Encoding:Content-Type:MIME-Version ...." - where
> does that get generated? Is it on my Exim box - or further down the
> line? Also, why is that preventing users of the mailing list from
> receiving my messages?
>
> My setup is fairly simple - Thunderbird -> Exim -> and then direct
> sending to the recipient server.
>
> Any hints or pointers to reading material would be much appreciated
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>


--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
Re: DKIM signing options - specially list of headers
On 07/31/2018 10:18 AM, Mike Brudenell via Exim-users wrote:
> In particular that RFC's *Recommended Signature Content
> <https://tools.ietf.org/html/rfc4871#section-5.5>* explicitly recommends
> DKIM-signing various List-* headers. I'd be tempted to point this out to
> the people complaining and suggest they look elsewhere for the cause of
> their problems.

Starting with "DKIM breaks mailing-lists".

--
Cheers,
Jeremy

Re: DKIM signing options - specially list of headers
On 31 Jul 2018, at 11:51, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
> Starting with "DKIM breaks mailing-lists".

Indeed.

However, I'm puzzled: a post to a mailing list shouldn't have the List-*: headers until it's traversed the MLM server, as they're added by the MLM.

At that point it's the MLM's job (or its MTA) to sign the message, which should then be removing/replacing all other DKIM sigs and sending the message on with a new one - exactly as the exim.org MLM, mailman, does.

In the original message in this thread, there's:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=exim.org;
s=d201804; h=Sender:Content-Type:Content-Transfer-Encoding:..

X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;
c=relaxed/relaxed;
d=open-t.co.uk; s=20170820; h=Content-Transfer-Encoding:Content-Type:...

The second one has included headers which I would not expect to be present on a message from a client to a mailing list. It also includes them in the DKIM sig - yet they don't exist, or shouldn't, at the submission stage.

To answer Sebastian's question - something in your outbound mail flow is doing that, as the headers were present on the inbound message to the exim.org listserver. Whether you've got some Thunderbird plugin or something else in your exim config doing it, only you can tell!

Graeme
Re: DKIM signing options - specially list of headers
On 07/31/2018 12:08 PM, Graeme Fowler via Exim-users wrote:
> X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;
> c=relaxed/relaxed;
> d=open-t.co.uk; s=20170820; h=Content-Transfer-Encoding:Content-Type:...
>
> The second one has included headers which I would not expect to be present on a message from a client to a mailing list. It also includes them in the DKIM sig - yet they don't exist, or shouldn't, at the submission stage.

Oversigning. It gives an assertion that the header is not present.
Exim can do it; it's not default - see the last para. in the description
of dkim_sign_headers.
--
Cheers,
Jeremy
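
The oversigning effect described above, as an added example that is not part of the original thread: it applies the RFC 6376 header-selection rule (names in h= are matched bottom-up, a name with no instance left is signed as absent) and compares the header hash input before and after a list server adds List-Id. The sample headers, addresses and the function names are constructed for illustration; the DKIM-Signature field itself and the RSA step are left out, and the list is assumed to change nothing else.

```python
import hashlib
import re

def relaxed(name, value):
    """RFC 6376 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse runs of whitespace
    return f"{name.lower()}:{value}\r\n"

def select_signed(headers, h_tag):
    """Select header instances for the names in h=, bottom-up. A name with no
    instance left adds nothing to the hash input: it is signed as absent."""
    remaining = {}
    for name, value in headers:                    # headers are in top-to-bottom order
        remaining.setdefault(name.lower(), []).append(value)
    picked, absent = [], []
    for name in (n.strip() for n in h_tag.split(":")):
        stack = remaining.get(name.lower(), [])
        if stack:
            picked.append(relaxed(name, stack.pop()))  # last instance first
        else:
            absent.append(name)
    return picked, absent

def header_digest(headers, h_tag):
    """SHA-256 over the canonicalized headers that h= selects."""
    picked, _ = select_signed(headers, h_tag)
    return hashlib.sha256("".join(picked).encode()).hexdigest()

# Constructed sample message as submitted by the author's MTA.
SUBMITTED = [
    ("From", "Alice <alice@sender.example>"),
    ("To", "users@list.example"),
    ("Subject", "DKIM question"),
    ("Date", "Tue, 31 Jul 2018 09:47:00 +0100"),
]
# The same message after a list server added its own header (constructed).
AFTER_LIST = [("List-Id", "<users.list.example>")] + SUBMITTED
H_PLAIN = "From:To:Subject:Date"
H_OVERSIGNED = "From:To:Subject:Date:List-Id"      # List-Id signed while absent

def survives_list(h_tag):
    """True if the signed header input is unchanged by the list's additions."""
    return header_digest(SUBMITTED, h_tag) == header_digest(AFTER_LIST, h_tag)
```

With `H_OVERSIGNED` the original signature can no longer verify once List-Id exists, while with `H_PLAIN` the added header is simply ignored by the verifier.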


Re: DKIM signing options - specially list of headers
On Tuesday, 31 July 2018 9:26:15 PM AEST Jeremy Harris via Exim-users wrote:
> On 07/31/2018 12:08 PM, Graeme Fowler via Exim-users wrote:
> > X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;
> >
> > c=relaxed/relaxed;
> > d=open-t.co.uk; s=20170820; h=Content-Transfer-Encoding:Content-Type:...
> >
> > The second one has included headers which I would not expect to be present
> > on a message from a client to a mailing list. It also includes them in
> > the DKIM sig - yet they don't exist, or shouldn't, at the submission
> > stage.
> Oversigning. It gives an assertion that the header is not present.
> Exim can do it; it's not default - see the last para. in the description
> of dkim_sign_headers.
Yeah, oversigning indeed. I think the recommendation from the DKIM RFC is about signing
and not oversigning. I've changed the preferences for DKIM into:

dkim_sign_headers = +From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:\
  +MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:\
  +Content-Description:+Content-Disposition:=Resent-Date:=Resent-From:\
  =Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:\
  +References:=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:\
  =List-Post:=List-Owner:=List-Archive


This choice is based on https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html


Re: DKIM signing options - specially list of headers
On 31/07/18 10:18, Mike Brudenell via Exim-users wrote:
> Hi, Sebastian -
>
> You didn't tell us the version of Exim you're running so I can't give you
> the exact chapter/section names, but if you look in the *Specification* for
> the chapter on DKIM, in the section called something like *Signing outgoing
> messages* you'll find the description of dkim_sign_headers.
>
> However I'd have thought that the default set of headers should be OK as
> the *Specification* does explain:
>
> When unspecified, the header names listed in RFC4871 will be used, whether
> or not each header is present in the message. The default list is available
> for the expansion in the macro "_DKIM_SIGN_HEADERS".

Thank you to everybody who answered so far. My Exim version is 4.90 and
I only use the following settings for DKIM in exim.conf:

dkim_domain = open-t.co.uk
dkim_selector = 20170820
dkim_private_key = /etc/exim/open-t.co.uk-private.pem
dkim_strict = true


I don't have any other Thunderbird plugin or anything else interfering
with DKIM settings anywhere - as far as I know. So I'm a bit puzzled by
the comments about over-signing. Is it possible that Exim does that by
default?

Re: DKIM signing options - specially list of headers
On 31/07/18 14:02, Richard James Salts via Exim-users wrote:
> On Tuesday, 31 July 2018 9:26:15 PM AEST Jeremy Harris via Exim-users wrote:
>> On 07/31/2018 12:08 PM, Graeme Fowler via Exim-users wrote:
>>> X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;
>>>
>>> c=relaxed/relaxed;
>>> d=open-t.co.uk; s=20170820; h=Content-Transfer-Encoding:Content-Type:...
>>>
>>> The second one has included headers which I would not expect to be present
>>> on a message from a client to a mailing list. It also includes them in
>>> the DKIM sig - yet they don't exist, or shouldn't, at the submission
>>> stage.
>> Oversigning. It gives an assertion that the header is not present.
>> Exim can do it; it's not default - see the last para. in the description
>> of dkim_sign_headers.
> Yeah, oversigning indeed. I think the recommendation from the DKIM RFC is about signing
> and not oversigning. I've changed the preferences for DKIM into:
>
> dkim_sign_headers = +From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:\
>   +MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:\
>   +Content-Description:+Content-Disposition:=Resent-Date:=Resent-From:\
>   =Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:\
>   +References:=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:\
>   =List-Post:=List-Owner:=List-Archive
>
>
> This choice is based on https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html

Thank you for that link. I had no idea DKIM and mailing lists are such a
nightmare - or that there are so many potential holes in DKIM itself.
I'll be trying to get my head around which way is best to configure it.

Re: DKIM signing options - specially list of headers
On 2018-07-31 09:47, Sebastian Arcus wrote:

> I post messages from time to time to Spamassassin mailing list, and
> several members have been complaining about my DKIM setup - they say
> they can't receive my emails because of it. Specifically, the
> complaint is that my Exim signs the List-* headers.

FWIW, I avoid DKIM completely for mailing list posts (such as this one).

--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
