[Linux-aus] LA list errors
Russell Coker
russell at coker.com.au
Tue Apr 18 16:56:02 AEST 2017
I've attached an error from an attempted Linux Australia list delivery; it's
one of many.

Gmail doesn't use the l= flag when DKIM signing messages, so the hash of the
body is computed over the entire body including the list footer. This doesn't
match and the DKIM check fails. Any recipient who does DKIM checks will
reject such mail: if the checks are strict it will be rejected outright, and if
they are added to a SA score then it will be rejected sometimes.

Even when l= is used or you turn off the list footer and Subject munging, there
is no guarantee that Mailman will refrain from munging the messages.
Sometimes it changes ASCII messages to MIME encoded, and it also never
preserves headers; it parses them and regenerates new headers based on the
parsing.

With the version of Mailman used for that list you can edit
"/etc/mailman/mm_cfg.py" to have the directive "REMOVE_DKIM_HEADERS = Yes";
that will remove all headers and solve the problems for senders that don't use
DMARC or ADSP.

In the web-based configuration for Mailman there is a "dmarc_moderation_action"
setting that can munge the From field on messages with a DMARC policy. But
that doesn't solve things for ADSP messages or messages that don't use DMARC
or ADSP.

If you use the "from_is_list" setting in the web-based configuration for the
list then all mail will have a From field as done on the Tresys list, which
shows who the message is from as well as the fact that it came from a list
server. This combined with REMOVE_DKIM_HEADERS will allow DKIM signed mail
sent to the list to go through correctly.

https://wiki.debian.org/OpenDKIM

Here is the Debian Wiki page about installing OpenDKIM. It needs additions
for MTAs other than Postfix and list servers other than Mailman.

https://wiki.list.org/DEV/DMARC
https://wiki.list.org/DEV/DKIM

Here are the Mailman wiki entries about DMARC and DKIM.

PS If you reply to this message and you use Gmail, Yahoo, Hotmail, or any of
the other providers that use DKIM then make sure you CC me. The list will
munge your message, the DKIM signature will be broken, and my MTA will reject
the copy of your message that came through the list.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
-------------- next part --------------
Apr 18 12:46:51 smtp postfix/smtpd[12111]: 63ABFECF5: client=mailhost.linux.org.au[192.55.98.181]
Apr 18 12:46:51 smtp postfix/cleanup[12694]: 63ABFECF5: message-id=<CAAOvAEXwg8RqXidn7zTOVKVHf3DqxK8wAZZ9CCOC+FXmxqGfjg at mail.gmail.com>
Apr 18 12:46:51 smtp opendkim[10146]: 63ABFECF5: s=20161025 d=gmail.com SSL error:04091068:rsa routines:int_rsa_verify:bad signature
Apr 18 12:46:51 smtp opendkim[10146]: 63ABFECF5: bad signature data
Apr 18 12:46:51 smtp postfix/cleanup[12694]: 63ABFECF5: milter-reject: END-OF-MESSAGE from mailhost.linux.org.au[192.55.98.181]: 5.7.0 bad DKIM signature data; from=<linux-aus-bounces at lists.linux.org.au> to=<abc at coker.com.au> proto=ESMTP helo=<mailhost.linux.org.au>
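
Added example (not part of the original post, and not Mailman or OpenDKIM code): a sketch of the RFC 6376 body-hash (bh=) step, showing why an appended list footer breaks a signature made without l=, why l= tolerates the footer, and why re-encoding the body breaks it even with l=. The message text, footer and function names are constructed for illustration, and only the body hash is modelled, not the header signature.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    # RFC 6376 "simple": ignore empty lines at the end, finish with one CRLF.
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    # RFC 6376 "relaxed": collapse runs of space/tab, strip line-end
    # whitespace, ignore empty lines at the end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon=canon_simple, length=None) -> str:
    # Value of the bh= tag: SHA-256 over the canonical body, truncated to
    # the first `length` bytes when the signer used l=.
    data = canon(body)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def verifies(received: bytes, bh: str, canon=canon_simple, length=None) -> bool:
    return body_hash(received, canon, length) == bh

# Constructed sample data (not taken from the attached log).
ORIGINAL = b"Hi all,\r\n\r\nIs anyone else seeing these bounces?\r\n"
FOOTER = b"_______________\r\nlinux-aus mailing list (constructed footer)\r\n"
WITH_FOOTER = ORIGINAL + FOOTER
# Same text re-encoded as base64 by the list server, then the footer.
REENCODED = base64.encodebytes(ORIGINAL).replace(b"\n", b"\r\n") + FOOTER

BH_FULL = body_hash(ORIGINAL)                 # signer without l=
L = len(canon_simple(ORIGINAL))               # signer with l=<body length>
BH_L = body_hash(ORIGINAL, length=L)

if __name__ == "__main__":
    print("untouched body:         ", verifies(ORIGINAL, BH_FULL))
    print("footer added, no l=:    ", verifies(WITH_FOOTER, BH_FULL))
    print("footer added, with l=:  ", verifies(WITH_FOOTER, BH_L, length=L))
    print("re-encoded, with l=:    ", verifies(REENCODED, BH_L, length=L))
```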