PGRpdiBkaXI9J2F1dG8nPjxkaXYgZGlyPSJhdXRvIj48YnI+PC9kaXY+T25lIHRoaW5nIHR oYXQg ZG9lcyBvY2N1ciB0byBtZSBpcyB0aGF0IG15IGV4aW0gaGVhZGVyIGZ1ZGdlIHdpbGwgcHJ vYmFi bHkgY2F1c2UgdGhlIE1lc3NhZ2UtSUQgaGVhZGVyIHRvIG1vdmUgYXJvdW5kIGZyb20gaXR zIG9y aWdpbmFsIHBvc2l0aW9uLCBhbmQgaWYgc29tZW9uZSBpcyBkb2luZyBoYXNoaW5nIG9yIGF jdHVh bGx5IHZhbGlkYXRpbmcgKGdwZyBzaWduaW5nPykgdGhlIGhlYWRlcnMgaGF2ZW4ndCBiZWV uIHRh bXBlcmVkIHdpdGgsIHRoZW4gaXQgbWlnaHQgY29tcGxhaW4sIHNpbmNlIGFsdGhvdWdoIHR oZSBt ZXNzYWdlLWlkIGhhc24ndCBjaGFuZ2VkLCBpdCBtaWdodCBiZSBpbiBhIGRpZmZlcmVudCB wbGFj ZSBpbiB0aGUgaGVhZGVycy48ZGl2IGRpcj0iYXV0byI+PGJyPjwvZGl2PjxkaXYgZGlyPSJ hdXRv Ij5UaGVuIGFnYWluLCBtYWlsbWFuIGNhbiBtYWtlIHBsZW50eSBvZiBvdGhlciBtb2RpZml jYXRp b25zIGFuZCBhZGRpdGlvbnMgdG8gdGhlIGhlYWRlcnMgYW55d2F5LCBzbyBJJ20gbm90IHN 1cmUg aXQgbWF0dGVycy4mbmJzcDs8L2Rpdj48ZGl2IGRpcj0iYXV0byI+PGJyPjwvZGl2PjxkaXY gZGly PSJhdXRvIj5Qcm9iYWJseSB0aGUgbW9yZSBjb3JyZWN0IHdheSB0byBkbyBpdCBpcyBvbmx 5IGFk ZCBhIG5ldyBoZWFkZXIgaWYgaXQncyBtaXNzaW5nLCBhbmQgaWYgaXQncyB0aGVyZSwgbGV hdmUg aXQgYWxvbmUuPC9kaXY+PGRpdiBkaXI9ImF1dG8iPjxicj48L2Rpdj48ZGl2IGRpcj0iYXV 0byI+ VGhpcyBpcyBwcm9iYWJseSBwb3NzaWJsZSBpbiBleGltIHdpdGggc29tZSBtb3JlIHZhcml hYmxl cyBhbmQgYSBsb3Qgb2YgbmVzdGVkIGN1cmx5IGJyYWNlcy4uLiZuYnNwOzwvZGl2PjxkaXY gZGly PSJhdXRvIj48YnI+PC9kaXY+PGRpdiBkaXI9ImF1dG8iPlJvYiZuYnNwOzwvZGl2PjwvZGl 2Pjxk aXYgY2xhc3M9ImdtYWlsX2V4dHJhIj48YnI+PGRpdiBjbGFzcz0iZ21haWxfcXVvdGUiPk9 uIDI2 IEp1bCAyMDE5IDIwOjAzLCBNYXJrIFNhcGlybyAmbHQ7bWFya0Btc2FwaXJvLm5ldCZndDs gd3Jv dGU6PGJyIHR5cGU9ImF0dHJpYnV0aW9uIiAvPjxibG9ja3F1b3RlIGNsYXNzPSJxdW90ZSI gc3R5 bGU9Im1hcmdpbjowIDAgMCAuOGV4O2JvcmRlci1sZWZ0OjFweCAjY2NjIHNvbGlkO3BhZGR pbmct bGVmdDoxZXgiPjxwIGRpcj0ibHRyIj5PbiA3LzI2LzE5IDExOjA1IEFNLCBTdGVwaGVuIEo uIFR1 cm5idWxsIHdyb3RlOiYjMTM7PGJyPgomIzEzOzxicj4KJmd0OyBUaGUgcHJvYmxlbSBpcyB 0aGF0 IE1haWxtYW4ncyBMTVRQIHNlcnZlciByZWplY3RzIG1hbGZvcm1lZCBtYWlsLiZuYnNwOyB JJiMx Mzs8YnI+CiZndDsgc2VlbSB0byByZWNhbGwgdGhhdCBpbiBNYWlsbWFuIDIsIE1haWxtYW4 gaXRz ZWxmIHdvdWxkIGFkZCBhJiMxMzs8YnI+CiZndDsgTWVzc2FnZS1JRCBmaWVsZCBpZiBvbmU gd2Fz IG5vdCBwcmVzZW50LiZuYnNwOyBJIGRvbid0IGtub3cgaG93IGVhc3kgaXQmIzEzOzxicj4 KJmd0 OyB3b3VsZCBiZSB0byBwcm92aWRlIHRoaXMgZmVhdHVyZSwgc2luY2Ugd2Ugd291bGQgaGF 2ZSB0 byBwYXRjaCB0aGUmIzEzOzxicj4KJmd0OyBMTVRQIHNlcnZlciBjb2RlIHNvIHRoZSBtZXN zYWdl IGNvdWxkIG1ha2UgaXQgdG8gTWFpbG1hbiBwcm9wZXImIzEzOzxicj4KJmd0OyAoTWFpbG1 hbiAz IGltcG9ydHMgdGhlIExNVFAgc2VydmVyIGZyb20gdGhlIHN0ZGxpYikuJiMxMzs8YnI+CiY jMTM7 PGJyPgomIzEzOzxicj4KSXQncyBhIHNpbXBsZSBwYXRjaCB0byB0aGUgbG10cCBydW5uZXI gKE1h aWxtYW4ncyBMTVRQIHNlcnZlcikuIFRoZXJlJ3MmIzEzOzxicj4KYSBjbG9zZWQgaXNzdWU gb24g dGhpcyBhdCYjMTM7PGJyPgombHQ7aHR0cHM6Ly9naXRsYWIuY29tL21haWxtYW4vbWFpbG1 hbi9p c3N1ZXMvNDkwJmd0OyAtIGNsb3NlZCBiZWNhdXNlIEkmIzEzOzxicj4KY29udmluY2VkIHR oZSBz dWJtaXR0ZXIgaXQgd2Fzbid0IHRoZSByaWdodCB0aGluZyB0byBkby4mIzEzOzxicj4KJiM xMzs8 YnI+CiYjMTM7PGJyPgomZ3Q7Jm5ic3A7ICZndDsgTXkgc29sdXRpb24gZm9yIG5vdyAoYXB hcnQg ZnJvbSB0ZWxsaW5nIHBlb3BsZSBub3QgdG8gdXNlIG9sZCYjMTM7PGJyPgomZ3Q7Jm5ic3A 7ICZn dDsgYnJva2VuIE91dGxvb2shKSBpcyB0byBtb2RpZnkgdGhlIGV4aW0gbWFpbG1hbjNfdHJ hbnNw b3J0IHNvIHRoYXQmIzEzOzxicj4KJmd0OyZuYnNwOyAmZ3Q7IGFueSBtZXNzYWdlIHdpdGg gYSBt aXNzaW5nIE1lc3NhZ2UtSUQ6IHdpbGwgaGF2ZSBvbmUgZ2VuZXJhdGVkIGJ5JiMxMzs8YnI +CiZn dDsmbmJzcDsgJmd0OyBleGltIGJlZm9yZSBpdCdzIHBhc3NlZCB0byBMTVRQLiBUaGlzIHJ lcHJv ZHVjZXMgdGhlIHNhbWUgYmVoYXZpb3VyJiMxMzs8YnI+CiZndDsmbmJzcDsgJmd0OyBleGl tIHVz ZXMgZm9yIGxvY2FsbHkgc3VibWl0dGVkIG1lc3NhZ2VzLiYjMTM7PGJyPgomZ3Q7ICYjMTM 7PGJy PgomZ3Q7IEknbSBub3Qgc3VyZSBpdCdzIGEgZ29vZCBpZGVhIHRvIGRvIHRoaXMgKGFuZCB jZXJ0 YWlubHkgbm90IGJ5JiMxMzs8YnI+CiZndDsgZGVmYXVsdCkuJm5ic3A7IFRoZSBvbmx5IHR pbWVz IEkndmUgc2VlbiBtZXNzYWdlcyB3aXRob3V0IGEgTWVzc2FnZS1JRCBhcmUmIzEzOzxicj4 KJmd0 OyBzcGFtIG1lc3NhZ2VzLiZuYnNwOyBJIHN1cHBvc2Ugd2UgY2FuIGFkZCB0aGlzIHRvIHR oZSBk b2N1bWVudGF0aW9uLiYjMTM7PGJyPgomIzEzOzxicj4KJiMxMzs8YnI+CkkgYWRkZWQgUm9 iZXJ0 J3Mgc29sdXRpb24gYXQmIzEzOzxicj4KJmx0O2h0dHBzOi8vbWFpbG1hbi5yZWFkdGhlZG9 jcy5p by9lbi9sYXRlc3Qvc3JjL21haWxtYW4vZG9jcy9tdGEuaHRtbCN0cm91Ymxlc2hvb3Rpbmc mZ3Q7 JiMxMzs8YnI+CiYjMTM7PGJyPgpUaGUgcmVxdWlyZW1lbnQgZm9yIGEgTWVzc2FnZS1JRDo gaXMg ZG9jdW1lbnRlZCwgYWxiZWl0IG5vdCB2ZXJ5JiMxMzs8YnI+CnByb21pbmVudGx5LCBhdCY jMTM7 PGJyPgombHQ7aHR0cHM6Ly9tYWlsbWFuLnJlYWR0aGVkb2NzLmlvL2VuL2xhdGVzdC9idWl sZC9s aWIvbWFpbG1hbi9ydW5uZXJzL2RvY3MvbG10cC5odG1sP2hpZ2hsaWdodD1tZXNzYWdlLWl kI2xt dHAtc2VydmVyJmd0Oy4mIzEzOzxicj4KJiMxMzs8YnI+Ci0tICYjMTM7PGJyPgpNYXJrIFN hcGly byAmbHQ7bWFya0Btc2FwaXJvLm5ldCZndDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJ zcDsm bmJzcDsmbmJzcDsgVGhlIGhpZ2h3YXkgaXMgZm9yIGdhbWJsZXJzLCYjMTM7PGJyPgpTYW4 gRnJh bmNpc2NvIEJheSBBcmVhLCBDYWxpZm9ybmlhJm5ic3A7Jm5ic3A7Jm5ic3A7IGJldHRlciB 1c2Ug eW91ciBzZW5zZSAtIEIuIER5bGFuJiMxMzs8YnI+Cl9fX19fX19fX19fX19fX19fX19fX19 fX19f X19fX19fX19fX19fX19fX19fX19fJiMxMzs8YnI+Ck1haWxtYW4tdXNlcnMgbWFpbGluZyB saXN0 IC0tIG1haWxtYW4tdXNlcnNAbWFpbG1hbjMub3JnJiMxMzs8YnI+ClRvIHVuc3Vic2NyaWJ lIHNl bmQgYW4gZW1haWwgdG8gbWFpbG1hbi11c2Vycy1sZWF2ZUBtYWlsbWFuMy5vcmcmIzEzOzx icj4K aHR0cHM6Ly9saXN0cy5tYWlsbWFuMy5vcmcvbWFpbG1hbjMvbGlzdHMvbWFpbG1hbi11c2V ycy5t YWlsbWFuMy5vcmcvJiMxMzs8YnI+CjwvcD4KPC9ibG9ja3F1b3RlPjwvZGl2Pjxicj48L2R pdj4=

Mark Sapiro writes:

Rob's reply in this thread was garbled due to https://gitlab.com/mailman/mailman/issues/616. The text of the reply is quoted below.

On 7/27/19 12:54 AM, Rob Lister wrote:

...

One thing that does occur to me is that my exim header fudge will probably cause the Message-ID header to move around from its original position, and if someone is doing hashing or actually validating (gpg signing?) the headers haven't been tampered with, then it might complain, since although the message-id hasn't changed, it might be in a different place in the headers.

I don't think this is a problem. GPG or S/MIME signing with any software I know of only signs the message body (or a MIME part). DKIM message signing isn't going to care about the order of fields because DKIM canonicalizes the order (at least for the unique fields) according to the specification in the signature field, and that will be verified on the way in. Of course adding a Message-ID will likely break DKIM for the outgoing post, but Mailman as normally used breaks DKIM anyway. This can be partly mitigated by using ARC (authenticated received chain), which is supported by Google already, and possibly some of the other usual DMARC suspects (Yahoo!, AOL).

...

Probably the more correct way to do it is only add a new header if it's missing, and if it's there, leave it alone.

True, and I think this does it:

headers_add = ${if def:h_message-id:{fail}{Message-ID: ... id generator code ...}}

If you like that and test it, I would really appreciate feedback so we can update the documentation.

One thing *I* would like to add to this recipe is logging. I'd be curious to see how frequently it happens outside of spam and junior high school hackers using netcat as their MUA. I don't see how to do this in Exim, though.

Another is using a prefix other than "E" to indicate this isn't standard Exim behavior.

Steve