DKIM signature rejected

googly.negotiator862 at aceecat.org
Fri Feb 21 21:21:02 UTC 2025


Sorry for the delay in replying. In light of yesterday's CVE
announcement I thought it might not be a good idea to advertise I'm
running exim until I patched it.

On Thu, Feb 20, 2025 at 06:06:59PM +0100, Matthias Apitz wrote:

> > > This email has a DKIM signature on the List- headers of the email,
> > > indicating that it is not allowed to pass this email on through a
> > > mailing list.

> > The DKIM signature header you quote shows that you're signing over the
> > List-* headers. You -- or your SMTP server -- should not do that.

> > If you can't change that, you could try a public remailer of some sort.

> > Btw, I had exactly this problem with the postgresql-general mailing
> > list too. But I run my own mail server, so the fix was easy.

> Thanks very much for that explanation. I've access to the DNS
> configuration of my zone unixarea.de, where, as I read, such configurations
> must be done, but I don't know how. Please share how you have fixed
> this.

DNS stores the key, but whether signing is done at all and which headers
are covered is a config item for the MTA -- in my case, exim. When I wrote
my reply to you I thought that back then I'd tweaked the list of signed
headers, but as it turns out I'd instead disabled signing completely for
messages going to lists:

remote_smtp:
  driver = smtp
  interface = <; MX6 ; MX4
  max_rcpt = 1
  return_path = ${acl{acl_sub_retpath}}
  dkim_domain = $qualify_domain
  # don't sign messages sent as aliases, those go mostly to lists
  dkim_selector = ${if def:acl_m_sender_alias {} {rsa}}
  dkim_private_key = SITECONFDIR/dkim-private/$dkim_selector
  dkim_sign_headers = DKIM_NONLIST_HEADERS
  hosts_avoid_pipelining = *
  # this prepends X-Forwarded-For header if necessary
  transport_filter = /usr/bin/env EXIM_LOCAL_RCPT=$acl_m_local_rcpt \
    SITECONFDIR/smtp-transport-filter

-- 
Ian
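
Added example, not part of the original message: a way to check whether an outgoing message's DKIM signature covers List-* headers, which is the condition the thread says breaks delivery through a mailing list. The sample message, the example.org domain and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: a message as it leaves the sender's MTA, before any list handles it.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=rsa;
\th=From:To:Subject:Date:Message-ID:List-Id:List-Unsubscribe:List-Post;
\tbh=PLACEHOLDER; b=PLACEHOLDER
From: alice@example.org
To: some-list@lists.example.net
Subject: test
Date: Fri, 21 Feb 2025 21:21:02 +0000
Message-ID: <constructed-1@example.org>

body
"""

def signed_headers(dkim_value):
    """Return the lower-cased header names from the h= tag of a DKIM-Signature value."""
    # Folding whitespace is allowed around tag values and header names, so drop it all.
    unfolded = re.sub(r"\s+", "", dkim_value)
    tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
    return [name.lower() for name in tags.get("h", "").split(":") if name]

def list_header_risks(raw_message):
    """Map each signed List-* header name to its state at signing time.

    'absent'  : the signature asserts the header does not exist, so a list
                that adds it invalidates the signature.
    'present' : the header's value is signed, so a list that replaces it
                invalidates the signature.
    """
    msg = message_from_string(raw_message)
    risks = {}
    for sig in msg.get_all("DKIM-Signature", []):
        for name in signed_headers(sig):
            if name.startswith("list-"):
                risks[name] = "present" if msg.get_all(name) else "absent"
    return risks

if __name__ == "__main__":
    for name, state in list_header_risks(SAMPLE).items():
        print(f"{name}: signed while {state}")
```

An empty result means the signature does not cover any List-* header.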

