
Re: DKIM, multiple domains, same server -- want to always sign, not just for remote delivery




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

On 22/8/19 7:52 pm, Reco wrote:
> On Thu, Aug 22, 2019 at 07:27:23PM +1000, Andrew McGlashan wrote:
>> I have DKIM setup, however, it only signs messages that are being
>> delivered via SMTP to another server.
>
> Your DKIM policy is somewhat unusual. You sign transport headers
> (Resent-From et al), headers inserted by list MTA (List-Subscribe,
> List-Archive). Modification of these is something that's expected if
> using any maillist, so DKIM checks are bound to fail.
>
> For the comparison, I use this set of headers for DKIM signing:
>
> DKIM_SIGN_HEADERS=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date:Sender:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:User-Agent

Okay, I've changed the DKIM_SIGN_HEADERS ... let's see if this is good, thanks.
> Also, "Autocrypt: prefer-encrypt=mutual" for a list mail?
Yes, that is an Enigmail thing....

>> Why is it not valid to sign to the same domain name and/or other
>> domain names served by the same mail server and NOT having to make an
>> SMTP outgoing connection?
>
> Because stock exim4 macros are supposed to do so for remote MTAs only,
> see /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp*.
Yes, not sure yet, but I think if the email is being "sent" by any mail server and even if it is being locally delivered, then at the "send" point, DKIM signing should take place.

One of the reasons for signing is to keep the emails fully authentic and to (perhaps) remove the possibility of anyone tampering with an email source and saying "you sent this...." when they doctored it.  This might be very important at the /same/ mail server level, especially within a single organization.

>> How can I adjust exim4 so that it will sign ALL outgoing emails, even
>> if "outgoing" is only to the same server to another within the same
>> and/or different domain name(s) ... ?
>
> No easy way of doing this. "Outgoing to the same server" equals "local
> delivery", and local delivery is run for any inbound mail too.
> You could write some kludge that calls DKIM signing by analyzing
> Received header, but that's fragile at best.

Yes, I think it might be a kludge that isn't worth doing; perhaps an adjustment to how Exim itself handles this situation would help.
> Reco

- --
Kind Regards
AndrewM
-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXWDKpQAKCRCoFmvLt+/i
+/PpAQC38A3AwPpAfBLTJNW+uKlRslKFo8dyg47juVbWRraUWAEAkOluh3wnekCA
9dT3VK04GLi31k5pP0dRZoQ7CMuAT0k=
=mwwi
-----END PGP SIGNATURE-----
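Editor's added example (not configuration posted by either participant): the Debian split-config fragments that put the header set quoted above into practice and that route locally delivered mail for your own domains through a signing SMTP transport, which is the "kludge" the thread says Exim offers no clean alternative to. It assumes a Debian exim4 split config (`dc_use_split_config='true'`), one private key per signing domain at `/etc/exim4/dkim/<domain>.key` readable by the Debian-exim user, a selector named `s1` published in DNS, and a free loopback port 10025; all of those names are assumptions. Leaving `List-*` and `Resent-*` out of `dkim_sign_headers` means a list MTA can add or rewrite them without breaking the signature, which is the trade-off Reco describes; RFC 6376 section 5.4.1 recommends signing them precisely so such additions are detectable, so pick the set that matches how your users' mail travels.

```exim
# /etc/exim4/conf.d/main/000_localmacros
# Macros consumed by Debian's stock remote_smtp transport
# (/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp) and by the
# loopback transport below.  Paths, selector and port are assumptions.
DKIM_CANON = relaxed
DKIM_SELECTOR = s1
# Sign as the domain of the From: header, lower-cased.
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
# A domain with no key file expands to "0", which tells Exim to send the
# message unsigned instead of failing the delivery.
DKIM_PRIVATE_KEY = ${if exists{/etc/exim4/dkim/${dkim_domain}.key}{/etc/exim4/dkim/${dkim_domain}.key}{0}}
# Defer rather than silently deliver unsigned when signing a known domain fails
# (unreadable key, bad key format).
DKIM_STRICT = true
# Sign only end-to-end headers; List-*, Resent-* and Received are expected to
# be added or rewritten by list MTAs and would invalidate the signature.
DKIM_SIGN_HEADERS = In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date:Sender:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:User-Agent

# Second listener used only to re-inject signed mail for our own domains.
# Debian binds to 127.0.0.1 and ::1 by default; if you listen on public
# addresses, restrict this port to loopback via local_interfaces instead.
daemon_smtp_ports = 25 : 10025

# /etc/exim4/conf.d/router/150_exim4-config_dkim_loopback
# Sorted before the local routers (400_*, 600_*, 900_*), so mail for our own
# domains reaches the signing transport before any local delivery happens.
dkim_loopback:
  debug_print = "R: dkim_loopback for $local_part@$domain"
  driver = manualroute
  domains = +local_domains
  # Only mail from our own users: locally submitted (authenticated_id is the
  # calling login) or SMTP-authenticated.  Inbound mail for the same domains
  # is also "local delivery" and must never be signed with our key.  The
  # port test keeps the re-injected copy from being routed here again.
  condition = ${if and {{def:authenticated_id}{!eq{$received_port}{10025}}}}
  route_list = * 127.0.0.1
  # The target is ourselves; "send" tells the router that is intended.
  self = send
  transport = dkim_loopback_smtp

# /etc/exim4/conf.d/transport/30_exim4-config_dkim_loopback_smtp
dkim_loopback_smtp:
  debug_print = "T: dkim_loopback_smtp for $local_part@$domain"
  driver = smtp
  port = 10025
  # Required together with "self = send" on the router.
  allow_localhost = true
  dkim_domain = DKIM_DOMAIN
  dkim_selector = DKIM_SELECTOR
  dkim_private_key = DKIM_PRIVATE_KEY
  dkim_canon = DKIM_CANON
  dkim_strict = DKIM_STRICT
  dkim_sign_headers = DKIM_SIGN_HEADERS
```

After `update-exim4.conf`, check the routing decision before trusting it: `exim4 -bt -f user@yourdomain.example other@yourdomain.example` run as a local user should name `dkim_loopback_smtp`, while the same test for an address at a domain you do not serve should still show `remote_smtp`. Because the re-injected copy arrives over SMTP on 10025 without authentication, it fails the router's `condition` and falls through to the ordinary local routers, carrying the DKIM-Signature header with it; the Received line that re-entry adds is not in the signed header set, so it does no harm.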

