Re: DKIM, multiple domains, same server -- want to always sign, not just for remote delivery

[Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

On 24/8/19 7:24 pm, Reco wrote:
> On Sat, Aug 24, 2019 at 03:27:09PM +1000, Andrew McGlashan wrote:
>> Okay, I've changed the the DKIM_SIGN_HEADERS ... let's see if
>> this is good, thanks
> 
> This e-mail passed DKIM check for me, previous one failed it.

Yes, I checked my copy from the list already; thank you.

The default, I believe, is to sign all headers, I didn't have data set
for DKIM_SIGN_HEADERS before, but obviously I do now and hence why the
list mail is now good.  Similarly for gpg signed emails, I
deliberately do inline signing for mailing lists because it validates
cleanly.

>>> Also, "Autocrypt: prefer-encrypt=mutual" for a list mail?
>> Yes, that is an Enigmail thing....
> 
> Let's hope that two users of Enigmail won't meet here, as the
> result would be encrypted e-mails sent to the list.

Yes.  I do have "automatically encrypt" set to never at least.  I also
have TB present confirmation of GPG status *before* sending so I can
be sure which emails are signed and/or encrypted before I let them go.

>> Yes, not sure yet, but I think if the email is being "sent" by
>> any mail server and even if it is being locally delivered, then
>> at the "send" point, DKIM signing should take place.
> 
> Nope. I repeat, see the macros. Exim should take a decision to
> invoke a SMTP session for DKIM to trigger.

I get it, but I still don't like it.  For those that fully understand
what they are doing with GPG signed and/or encrypted email, they can
mitigate against authenticity issues due to tampering, but most
already email users won't have a clue.

>> One of the reasons for signing is to keep the emails fully
>> authentic and to (perhaps) remove the possibility of anyone
>> tampering with an email source and saying "you sent this...."
>> when they doctored it.  This might be very important at the
>> /same/ mail server level, especially within a single
>> organization.
> 
> That's true, but I see no reason why one cannot implement this
> useful policy on a transit MTA.

Yeah, not so sure about that, but I'm not going to worry about it too
much right now.

>> Yes, I think it might be a kludge that isn't worth doing; perhaps
>> an adjustment to how Exim itself handles this situation would
>> help.
> 
> All I can say that I wish you luck in implementing it.

I don't expect to do any kludges for this, and I still think that if
an email is "submitted" for delivery, once it is accepted it should b
signed immediately, then delivery can happen any which way.  That is,
early sign if that is possible, then it won't matter if it is locally
delivered or delivered via remote SMTP.

Kind Regards
AndrewM

-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXWEIoQAKCRCoFmvLt+/i
+482AP4g0cBTrgum3PWxxhBmtX04t2WiEKt5RLECszu4GKRRZwD9HcX6gl82irdL
MRiXed/+AI2IfjeYAhILpSWNs0XJouo=
=cwPD
-----END PGP SIGNATURE-----