From 6ce1ece9cb2b13fdc4d235146fa98835811570bd Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 23 Oct 2019 13:27:06 +0100 Subject: DKIM: disallow default acceptance of sha1 for verify --- doc/doc-docbook/spec.xfpt | 13 +++++++++---- doc/doc-txt/ChangeLog | 4 ++++ 2 files changed, 13 insertions(+), 4 deletions(-) (limited to 'doc') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index bb19e3915..c8b999c9f 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -15113,15 +15113,20 @@ to handle IPv6 literal addresses. .new -.option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1" +.option dkim_verify_hashes main "string list" "sha256 : sha512" .cindex DKIM "selecting signature algorithms" This option gives a list of hash types which are acceptable in signatures, and an order of processing. Signatures with algorithms not in the list will be ignored. -Note that the presence of sha1 violates RFC 8301. -Signatures using the rsa-sha1 are however (as of writing) still common. -The default inclusion of sha1 may be dropped in a future release. +Acceptable values include: +.code +sha1 +sha256 +sha512 +.endd + +Note that the acceptance of sha1 violates RFC 8301. .option dkim_verify_keytypes main "string list" "ed25519 : rsa" This option gives a list of key types which are acceptable in signatures, diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 079b5a1ee..45d126ccd 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -14,6 +14,10 @@ JH/01 Avoid costly startup code when not strictly needed. This reduces time JH/02 Early-pipelining support code is now included unless disabled in Makefile. +JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to + RFC 8301. They can still be enabled, using the dkim_verify_hashes main + option. + Exim version 4.93 ----------------- -- cgit v1.2.3