On October 25, 2018 10:56:53 PM UTC, Richard James Salts 
<post...@spectralmud.org> wrote:
>Hi all,
>
>This is off-topic in regards to postfix but I bring it up because of
>the last few emails I've sent to the postfix mailing list.
>
>I was originally signing all the headers mentioned in rfc6376 section
>5.4, whether they existed or not and mails to postfix mailing list
>failed because of the added List-* headers. I fixed that up so that it
>will only sign those headers when they exist. I now oversign only the
>From, Sender, Reply-to, Subject, Date, Message-id, To, CC,
>MIME-Version, Content-Type, Content-Transfer-Encoding, Content-ID,
>Content-Description, Content-Disposition, In-Reply-To and References.
>
>This is still leading to the postfix mailing list failing DKIM once
>it's added a Sender header for owner-postfix-us...@postfix.org. Should
>I stop oversigning the Sender header? rfc5322 says the Sender header is
>unique if it exists so if there was a sender header would the postfix
>mailing list strip it and add its own? Should majordomo at
>russian-caravan be adding a Resent-From or Resent-Sender instead of
>Sender in order to prevent breaking the DKIM signatures for final
>recipients of people who include a signed Sender header?
>
>Your thoughts and opinions on this would be welcomed.

I think you are making a poor assumption that the RFC 6376 should sign header 
fields are at all related to should over sign.

I've never before heard of anyone over signing anything except From.  I 
wouldn't over sign anything else.  Section 8.15 discusses this.  As you're 
discovering, over application of this mitigation brings its own pain.

Scott K
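
Added example (not part of the thread, and not code from Postfix or any DKIM signer): a simplified Python model of the RFC 6376 section 5.4.2 header selection, showing why an h= list that oversigns Sender stops verifying once a list adds a Sender header, while oversigning only From survives. The header hash is a stand-in (simplified relaxed canonicalization, plain SHA-256, no DKIM-Signature header or RSA step), and all addresses and header values are constructed.

```python
import hashlib

def select_headers(headers, h_list):
    """RFC 6376 5.4.2 selection: each name in h= consumes the bottom-most
    unused instance of that header; a name with no instance left
    contributes nothing. Listing a name once more than it occurs
    (oversigning) therefore pins "no further instance exists"."""
    remaining = {}
    for name, value in headers:                 # headers are top-to-bottom
        remaining.setdefault(name.lower(), []).append(value)
    picked = []
    for name in h_list:
        stack = remaining.get(name.lower(), [])
        if stack:
            picked.append((name.lower(), stack.pop()))   # bottom-most first
    return picked

def header_hash(headers, h_list):
    """Stand-in for the signed header hash (assumption: simplified
    relaxed canonicalization, no DKIM-Signature header, no RSA)."""
    data = "".join(f"{n}:{' '.join(v.split())}\r\n"
                   for n, v in select_headers(headers, h_list))
    return hashlib.sha256(data.encode()).hexdigest()

def survives(h_list, signed_msg, received_msg):
    """True if the verifier recomputes the hash the signer produced."""
    return header_hash(signed_msg, h_list) == header_hash(received_msg, h_list)

# Constructed sample message as the author's signer saw it.
ORIGINAL = [("From", "alice@example.org"),
            ("To", "list@example.net"),
            ("Subject", "oversigning test")]
# Constructed: the same message after a list manager prepends its headers.
AFTER_LIST = [("Sender", "owner-list@example.net"),
              ("List-Id", "<list.example.net>")] + ORIGINAL

SIGN_EXISTING = ["from", "to", "subject"]                     # no oversigning
OVERSIGN_FROM = ["from", "from", "to", "subject"]             # From only
OVERSIGN_SENDER = ["from", "from", "sender", "to", "subject"] # also Sender

if __name__ == "__main__":
    for label, h in [("sign existing", SIGN_EXISTING),
                     ("oversign From", OVERSIGN_FROM),
                     ("oversign Sender", OVERSIGN_SENDER)]:
        print(f"{label:16} survives list: {survives(h, ORIGINAL, AFTER_LIST)}")
```
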
