Skip to content

Commit

Permalink
DKIM signing must be done before ARC sealing (sympa-community#1851)
Browse files Browse the repository at this point in the history
  • Loading branch information
@ikedas
ikedas committed Jun 16, 2024
1 parent 4f62c3a commit 3402626
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 10 deletions.
10 changes: 8 additions & 2 deletions src/lib/Sympa/Message.pm
View file
Original file line number Diff line number Diff line change
Expand Up @@ -535,8 +535,14 @@ sub arc_seal {
$log->syslog('err', 'Can\'t create Mail::DKIM::ARC::Signer');
return undef;
}
# For One-Click Unsubscribe.
$arc->extended_headers({'List-Unsubscribe-Post' => '*'});
$arc->extended_headers(
{
# For any DKIM signature(s). See RFC 8617, 4.1.2.
'DKIM-Signature' => '*',
# For One-Click Unsubscribe.
'List-Unsubscribe-Post' => '*',
}
);

# $new_body will store the body as fed to Mail::DKIM to reuse it
# when returning the message as string. Line terminators must be
Expand Down
13 changes: 5 additions & 8 deletions src/lib/Sympa/Spindle/ProcessOutgoing.pm
View file
Original file line number Diff line number Diff line change
Expand Up @@ -351,16 +351,15 @@ sub _twist {
$new_message->remove_invalid_dkim_signature
if $arc_enabled or $dkim_enabled;

my $arc_sealed = $new_message->arc_seal(%arc) if %arc;

if ($new_message->{shelved}{dkim_sign} or $arc_sealed) {
if ($new_message->{shelved}{dkim_sign} or %arc) {
# apply DKIM signature AFTER any other message
# transformation.
# Note that when ARC seal was added, DKIM signature is forced.
$new_message->dkim_sign(%dkim) if %dkim;

delete $new_message->{shelved}{dkim_sign};
}
# DKIM signing must be done before ARC sealing. See RFC 8617, 5.1.
$new_message->arc_seal(%arc) if %arc;

# trace_smime($new_message, 'dkim');

Expand Down Expand Up @@ -405,14 +404,12 @@ sub _twist {
$new_message->remove_invalid_dkim_signature
if $arc_enabled or $dkim_enabled;

my $arc_sealed = $new_message->arc_seal(%arc) if %arc;

# Initial message
if ($new_message->{shelved}{dkim_sign} or $arc_sealed) {
if ($new_message->{shelved}{dkim_sign} or %arc) {
$new_message->dkim_sign(%dkim) if %dkim;

delete $new_message->{shelved}{dkim_sign};
}
$new_message->arc_seal(%arc) if %arc;

# trace_smime($new_message,'dkim 2');

Expand Down

0 comments on commit 3402626

Please sign in to comment.