[Rspamd-Users] DKIM oversign headers duplicated?

Jesse Norell jesse at kci.net
Thu Jun 10 16:21:56 UTC 2021


On Fri, 2021-06-04 at 12:01 -0700, Tom via Users wrote:
> I am using the rspamd DKIM signing module. With it, I am signing with
> two keys, an RSA and an Ed25519 key. The DKIM headers rspamd is
> attaching to emails appear to duplicate the elements in the h= tag as
> follows:
> 
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nuegia.net;
> 	s=mail2; t=1622831171;
> 	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
> 	 to:to:cc:mime-version:mime-version:content-type:content-type:
> 	 content-transfer-encoding:content-transfer-encoding;
> 	bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
> 	b=bUjVCA0KwQOvC5uxgclGIHVSXkAxd1V6vQjmT9fLQRVgLs/Kry3Xn1/+5HS+9imik+jfu6
> 	3MlLJnhy3Nc25b8ekW7GC8/29ecDSiF8pIHv0xYZfzdQeXkSIaiZQTy8d2SP5OKwxg+saE
> 	+D7sE/mAiDffwpAS8V+eu3yYwS8mxOc=
> DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=nuegia.net;
> 	s=mail2-edward; t=1622831171;
> 	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
> 	 to:to:cc:mime-version:mime-version:content-type:content-type:
> 	 content-transfer-encoding:content-transfer-encoding;
> 	bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
> 	b=pGo7uzFm902KdUkKOjlqPMwhvChJbFr/swVKg4qO9UNS9FafyO1k0g6je5WxV51vTpdYst
> 	t7vhA1YU/iiajmCQ==
> 
> and in this email. There are two 'to' headers, subject, date,
> message-id, mime-version, content-type, and content-transfer-encoding
> oversigns specified.
> 
> Is this normal or is this a bug in rspamd? Could this have an effect
> on email deliverability?


It is normal.  From RFC 6376:

      INFORMATIVE NOTE: A header field name need only be listed once
      more than the actual number of that header field in a message at
      the time of signing in order to prevent any further additions.
      For example, if there is a single Comments header field at the
      time of signing, listing Comments twice in the "h=" tag is
      sufficient to prevent any number of Comments header fields from
      being appended; it is not necessary (but is legal) to list
      Comments three or more times in the "h=" tag.

So seeing to:to means the actual To: header is signed, as is the
non-existence of a second To: header; if someone adds another To: header
later it will break the signature.


-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107  -  www.kci.net
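
The counting rule from the RFC note quoted above, as an added example (not part of the original thread and not rspamd code): for each DKIM-Signature it compares how often a name appears in h= with how often that header is present, and marks the header locked when h= lists it more often. Only the h= list is taken from the thread; the message, domain, selectors and bh=/b= values are constructed placeholders.

```python
from collections import Counter
from email import message_from_string

# Constructed sample: the h= list is the one quoted in the thread; the
# domain, selectors, bh= and b= values are placeholders, not real signatures.
H = ("from:from:reply-to:subject:subject:date:date:message-id:message-id:\r\n"
     "\t to:to:cc:mime-version:mime-version:content-type:content-type:\r\n"
     "\t content-transfer-encoding:content-transfer-encoding")
SAMPLE = (
    f"DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=rsa-sel;\r\n\th={H};\r\n\tbh=AAAA; b=BBBB\r\n"
    f"DKIM-Signature: v=1; a=ed25519-sha256; d=example.org; s=ed-sel;\r\n\th={H};\r\n\tbh=AAAA; b=CCCC\r\n"
    "From: a@example.org\r\nTo: b@example.net\r\nSubject: test\r\n"
    "Date: Fri, 04 Jun 2021 12:01:00 -0700\r\nMessage-ID: <1@example.org>\r\n"
    "MIME-Version: 1.0\r\nContent-Type: text/plain\r\n"
    "Content-Transfer-Encoding: 7bit\r\n\r\nbody\r\n"
)

def parse_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        name, sep, value = part.partition("=")  # b=/bh= values may contain '='
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def oversign_report(raw):
    """Per selector: header -> (times in h=, times in message, locked?)."""
    msg = message_from_string(raw)
    report = {}
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        listed = Counter(n.lower() for n in tags["h"].split(":") if n)
        report[tags["s"]] = {
            name: (count, len(msg.get_all(name, [])),
                   count > len(msg.get_all(name, [])))  # RFC 6376: one more than present
            for name, count in listed.items()
        }
    return report

if __name__ == "__main__":
    for selector, headers in oversign_report(SAMPLE).items():
        for name, (listed, present, locked) in headers.items():
            print(f"{selector:8} {name:26} h={listed} msg={present} "
                  f"{'locked' if locked else 'OPEN'}")
```

Reply-To and Cc appear only once in h= but are absent from the sample message, so they count as locked by the same rule as to:to.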