Sorry for the delay in replying. In light of yesterday's CVE announcement I thought it might not be a good idea to advertise I'm running exim until I patched it.

On Thu, Feb 20, 2025 at 06:06:59PM +0100, Matthias Apitz wrote:
> > > This email has a DKIM signature on the List- headers of the email,
> > > indicating that it is not allowed to pass this email on through a
> > > mailinglist.
> > The DKIM signature header you quote shows that you're signing over the
> > List-* headers. You -- or your SMTP server -- should not do that.
> > If you can't change that, you could try a public remailer of some sort.
> > Btw, I had exactly this problem with the postgresql-general mailing
> > list too. But I run my own mail server, so the fix was easy.
> Thanks very much for that explanation. I've access to the DNS
> configuration of my zone unixarea.de, where as I read such configurations
> must be done, but I don't know how. Please share how you have fixed
> this.

DNS stores the key, but if signing is done at all and which headers are
covered is a config item for the MTA -- in my case, exim. When I wrote my
reply to you I thought that back then I'd tweaked the list of signed
headers, but as it turns out I'd rather disabled signing completely for
messages going to lists:

    remote_smtp:
      driver = smtp
      interface = <; MX6 ; MX4
      max_rcpt = 1
      return_path = ${acl{acl_sub_retpath}}
      dkim_domain = $qualify_domain
      # don't sign messages sent as aliases, those go mostly to lists
      dkim_selector = ${if def:acl_m_sender_alias {} {rsa}}
      dkim_private_key = SITECONFDIR/dkim-private/$dkim_selector
      dkim_sign_headers = DKIM_NONLIST_HEADERS
      hosts_avoid_pipelining = *
      # this prepends X-Forwarded-For header if necessary
      transport_filter = /usr/bin/env EXIM_LOCAL_RCPT=$acl_m_local_rcpt \
                         SITECONFDIR/smtp-transport-filter

-- 
Ian
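
An added example, not part of the original message: a Python check that reads a message's DKIM-Signature headers and reports any List-* names covered by the h= tag, the condition described in the quoted reply above. The sample message, its domain and its signature values are constructed.

```python
import email
import re
from email import policy


def signed_list_headers(raw_message: bytes) -> list:
    """Return (d=, s=, [List-* names in h=]) for each offending DKIM-Signature."""
    # compat32 keeps header values as raw strings, including folded lines.
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    findings = []
    for value in msg.get_all("DKIM-Signature", []):
        # Tag values may be folded across lines, so drop all whitespace
        # before splitting the tag list on ';' and each tag on the first '='.
        flat = re.sub(r"\s+", "", str(value))
        tags = dict(t.split("=", 1) for t in flat.split(";") if "=" in t)
        # h= is a colon-separated list of signed header names (case-insensitive).
        names = {h.lower() for h in tags.get("h", "").split(":") if h}
        listed = sorted(h for h in names if h.startswith("list-"))
        if listed:
            findings.append((tags.get("d", "?"), tags.get("s", "?"), listed))
    return findings


# Constructed sample: a sender-side signature whose h= tag names List-* headers
# that the message does not carry yet. A list that adds them later changes
# what the verifier hashes for those names.
SAMPLE_BAD = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
    b"\ts=rsa; h=From:To:Subject:Date:Message-ID:List-Id:List-Unsubscribe:\r\n"
    b"\tList-Post; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=\r\n"
    b"From: user@example.org\r\n"
    b"To: list@example.net\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"body\r\n"
)

# Same constructed message with the List-* names removed from h=.
SAMPLE_OK = SAMPLE_BAD.replace(b":List-Id:List-Unsubscribe:\r\n\tList-Post", b"")

if __name__ == "__main__":
    for label, raw in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(label, signed_list_headers(raw))
```

Run it against a copy of a message as it left the MTA, before any list has handled it, to see which List-* names the signer covered.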