From: Mark Wooding
Date: Tue, 7 May 2024 12:06:26 +0000 (+0100)
Subject: base.m4 (dkim_sign_headers): Oversign the headers we're interested in.
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/exim-config/commitdiff_plain/d4f4bfc3ea47f8ba89db46a8b48ded19add391e1

base.m4 (dkim_sign_headers): Oversign the headers we're interested in.

Adds some stunt Exim expansion to count how many instances of each header there are in the message and add an extra entry for each one into the list plus an extra to catch any additional header added later. This also has the happy side-effect of trimming spaces from the incoming list items.

---
diff --git a/base.m4 b/base.m4 index 0620a9b..1b671ef 100644 --- a/base.m4 +++ b/base.m4 @@ -451,8 +451,20 @@ m4_define(<:DKIM_SIGN:>, {CONF_dkim_keys_dir/$value/active/$dkim_selector.priv}:>) dkim_canon = relaxed dkim_strict = true - dkim_sign_headers = CONF_dkim_headers:\ - X-CONF_header_token-DKIM-Key-Publication + ## The following ridiculous stunt does two important jobs. Firstly, + ## and more obviously, it arranges to include one more copy of each + ## header name than the message actually contains, thereby causing + ## the signature to fail if another header with the same name is + ## added. And secondly, and far more subtly, it also trims the + ## spaces from the header names so that they're in the format that + ## the signing machinery secretly wants. + dkim_sign_headers = \ + ${sg {${map {CONF_dkim_headers : \ + X-CONF_header_token-DKIM-Key-Publication} \ + {$item${sg {${expand:\$h_$item:}\n} \ + {((?:[^\n]+|\n\\s+)*)\n} \ + {:$item}}}}} \ + {::}{:}} headers_add = \ ${if DKIM_SIGN_P \ {DKIM_KEYS_INFO(<:m4_dnl
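Review bot: In the new dkim_sign_headers expansion, the comment's claim of "one more copy of each header name than the message actually contains" does not hold for a header that is absent. The inner sg runs over `${expand:\$h_$item:}\n`, and the pattern `((?:[^\n]+|\n\\s+)*)\n` accepts an empty group, so, assuming `$h_$item:` expands to the empty string when the header is missing, the appended `\n` still matches once and the name is listed twice, the same as for a header present exactly once. That errs on the safe side for oversigning, so the pattern is better left alone (tightening `*` would undercount a header that is present with an empty value), but the comment should say that absent headers get two entries. The comment also leaves the outer `{::}{:}` substitution unexplained; a line saying where the doubled colons come from would make the stunt easier to maintain.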