A reader on the Mailop list pointed out that the Debian Linux wiki has a page for OpenDKIM and that this page can be interpreted as offering a suggestion to implement the "l=" option when signing messages with DKIM.
I also think there's a typo in one bit (in the Important DKIM Options section) that perhaps means to say that "Unless you are running a list server (which should not be sending to other list servers) or other automated system you generally DON'T want l= on all mail." (I added the "DON'T" here.)
My recommendation is to comment out BodyLengthDB in your opendkim.conf configuration file. You don't need it and you don't want it. (And this applies to anywhere you run OpenDKIM, not just on Debian.)
Point being, I've blogged about the L= tag before and how it's bad news. Do not use it. There's no upside: there's no real legitimate reason to use it nowadays. Nobody uses the "add a footer" idea, and it's not necessarily easily done anyway, depending on how messages are formatted. Bad guys can exploit it to shovel bad content to unsuspecting inboxes using somebody else's domain if it's implemented badly. And some inbox providers are promising to treat messages as unsigned if the DKIM signature contains the L= tag in its options.
Here's where to go to find my latest thoughts and updates on that whole DKIM L= tag thing.
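To check whether your own setup still emits the tag, here is an added example (not from the Debian wiki or the OpenDKIM project) that flags an active BodyLengthDB line in opendkim.conf text and lists any DKIM-Signature headers in a message that carry l=. The function names, the sample message, and the sample config path are constructed for illustration.

```python
import email
from email import policy

# Constructed sample message: two signatures, only the first carries l=.
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
    "\tc=relaxed/relaxed; l=120; h=from:to:subject:list-id;\n"
    "\tbh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel2;\n"
    "\th=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "From: sender@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body text\n"
)

# Constructed opendkim.conf excerpt: one commented and one active entry.
SAMPLE_CONF = (
    "# BodyLengthDB /etc/opendkim/bodylength.example\n"
    "BodyLengthDB /etc/opendkim/bodylength.example\n"
    "Canonicalization relaxed/simple\n"
)

def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # first "=" only; b= may end in "="
        if sep:
            # Header folding leaves whitespace in values; drop it.
            tags[name.strip()] = "".join(val.split())
    return tags

def signatures_with_length_tag(raw_message):
    """Return (d= domain, l= value) for every signature that uses l=."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    hits = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(str(value))
        if "l" in tags:  # tag name only, so "list-id" inside h= does not match
            length = int(tags["l"]) if tags["l"].isdigit() else None
            hits.append((tags.get("d"), length))
    return hits

def active_bodylengthdb(conf_text):
    """Return BodyLengthDB lines that are not commented out."""
    return [ln.strip() for ln in conf_text.splitlines()
            if ln.strip().lower().startswith("bodylengthdb")]
```

Run `signatures_with_length_tag` over a message you sent to yourself after changing the config; an empty list means no signature on it carries l=.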