On 2021-08-14 05:50, raf wrote:
> On Sat, Aug 14, 2021 at 01:22:43AM +0200, Benny Pedersen <m...@junc.eu> wrote:
> > On 2021-08-14 01:10, raf wrote:
> > > > h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;
> > note 2 instances of From

i bet both are not dkim signed, or both From are not seen by the received
dkim validator

> It's normal for From to appear twice

maybe for milters only ?

i use fuglu that does not have that double signed header

> in the list of headers to include in the signature. It doesn't mean
> that there are two From: headers in the message.

if there exists a From pseudo header in the milter it could be a problem
for opendkim to know which one is the real one, even if it does not sign
both it makes trouble for verifying it later

> It means that the From: header is included twice in the
> data being signed. But it's odd. The extra inclusion is
> as an empty From: header.

i will say this is a clear bug to have resolved

> So it's not a mistake. It's default behaviour in
> OpenDKIM.

i lost interest in staying with milters, unrelated or not i don't know

> Here's an extract from /etc/opendkim.conf that tries to
> explain why:
>
> # Always oversign From (sign using actual From and a null From to prevent
> # malicious signatures header fields (From and/or others) between the signer
> # and the verifier. From is oversigned by default in the Debian package
> # because it is often the identity key used by reputation systems and thus
> # somewhat security sensitive.
> OversignHeaders From
>
> "Oversigning" the From: header prevents an additional
> From: header being added without invalidating the
> signature. This is desirable because it might be that
> the real From: header satisfies DKIM, but the second
> malicious From: is shown to the user perhaps (or vice
> versa).

this is when signing on forwarders imho, not when signing originated
mails, dkim signing on forwarding mta should imho stop being done, and
only do openARC sealing on forwarding mta hosts

> Documentation for rspamd says "Oversigned headers
> cannot be appended to a message". But the above makes
> me think that the intent of oversigning is to say that
> if an extra From: header was added, it would get
> noticed, but I don't understand why you couldn't just
> have 3+ From: headers, the normal signed one, then one
> or more empty oversigned ones, and then a final
> malicious one that doesn't affect DKIM because only the
> first two were included in the signed data?

good question i don't know the answer for

> Hopefully, that's not the case. I'll have to read the RFC one of
> these days to understand it properly.

i only dkim sign in fuglu, wish i knew how to make dkim verify with
fuglu as well, it's just low priority for me to do so as long as spamassassin
does it

fuglu uses dkimpy, and i have created an ebuild for fuglu on gentoo, it's
pretty stable for what i have done without knowledge :=)