[Linux-aus] LA list errors

Russell Coker russell at coker.com.au
Tue Apr 18 16:56:02 AEST 2017


I've attached an error from an attempted Linux Australia list delivery; it's 
one of many.

Gmail doesn't use the l= flag when DKIM signing messages, so the hash of the 
body is computed over the entire body including the list footer.  This doesn't 
match and the DKIM check fails.  Any recipient who does DKIM checks will 
reject such mail: if the checks are strict it will be rejected outright; if 
they are added to a SA score then they will be rejected sometimes.

Even when l= is used or you turn off the list footer and Subject munging there 
is no guarantee that Mailman will refrain from munging the messages.  
Sometimes it changes ASCII messages to MIME encoded and it also never 
preserves headers; it parses them and regenerates new headers based on the 
parsing.

With the version of Mailman used for that list you can edit 
"/etc/mailman/mm_cfg.py" to have the directive "REMOVE_DKIM_HEADERS = Yes"; 
that will remove all headers and solve the problems for senders that don't use 
DMARC or ADSP.

In the web based configuration for Mailman there is a "dmarc_moderation_action" 
setting that can munge the From field on messages with a DMARC policy.  But 
that doesn't solve things for ADSP messages or messages that don't use DMARC 
or ADSP.

If you use the "from_is_list" setting in the web based configuration for the 
list then all mail will have a From field as done on the Tresys list which 
shows who the message is from as well as the fact that it came From a list 
server.  This combined with REMOVE_DKIM_HEADERS will allow DKIM signed mail 
sent to the list to go through correctly.

https://wiki.debian.org/OpenDKIM

Here is the Debian Wiki page about installing OpenDKIM.  It needs additions 
for MTAs other than Postfix and list servers other than Mailman.

https://wiki.list.org/DEV/DMARC
https://wiki.list.org/DEV/DKIM

Here are the Mailman wiki entries about DMARC and DKIM.


PS  If you reply to this message and you use GMAIL, Yahoo, Hotmail, or any of 
the other providers that use DKIM then make sure you CC me.  The list will 
munge your message, the DKIM signature will be broken, and my MTA will reject 
the copy of your message that came through the list.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
-------------- next part --------------
Apr 18 12:46:51 smtp postfix/smtpd[12111]: 63ABFECF5: client=mailhost.linux.org.au[192.55.98.181]
Apr 18 12:46:51 smtp postfix/cleanup[12694]: 63ABFECF5: message-id=<CAAOvAEXwg8RqXidn7zTOVKVHf3DqxK8wAZZ9CCOC+FXmxqGfjg at mail.gmail.com>
Apr 18 12:46:51 smtp opendkim[10146]: 63ABFECF5: s=20161025 d=gmail.com SSL error:04091068:rsa routines:int_rsa_verify:bad signature
Apr 18 12:46:51 smtp opendkim[10146]: 63ABFECF5: bad signature data
Apr 18 12:46:51 smtp postfix/cleanup[12694]: 63ABFECF5: milter-reject: END-OF-MESSAGE from mailhost.linux.org.au[192.55.98.181]: 5.7.0 bad DKIM signature data; from=<linux-aus-bounces at lists.linux.org.au> to=<abc at coker.com.au> proto=ESMTP helo=<mailhost.linux.org.au>
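
Added example, not part of the original message and not code from Mailman or OpenDKIM: a Python sketch of the DKIM body hash (the bh= tag, RFC 6376 "relaxed" body canonicalization with SHA-256), showing why a footer appended by a list server breaks verification when the signer did not use l=, as described in the message above. The message body and footer are constructed samples, and the function names are hypothetical.

```python
import base64
import hashlib
import re

def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse whitespace runs to one space, then drop trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, length=None) -> str:
    """Value of the bh= tag; 'length' is the signer's optional l= tag."""
    data = canon_body_relaxed(body)
    if length is not None:
        data = data[:length]  # only the first l= octets are hashed
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def verify_body(received: bytes, signed_bh: str, length=None) -> bool:
    """Body half of DKIM verification only; the header signature is a
    separate check and breaks if a signed header (e.g. Subject) is munged."""
    return body_hash(received, length) == signed_bh

# Constructed sample: the body as the sender signed it, and the same body
# after a list server appended its footer.
ORIGINAL = b"Hi all,\r\n\r\nSee you at the meeting.\r\n"
FOOTER = (b"_______________________________________________\r\n"
          b"example-list mailing list\r\n")
AFTER_LIST = ORIGINAL + FOOTER

def demo() -> dict:
    signed_len = len(canon_body_relaxed(ORIGINAL))  # what l= would carry
    bh = body_hash(ORIGINAL)
    return {
        "direct, no l=": verify_body(ORIGINAL, bh),
        "via list, no l=": verify_body(AFTER_LIST, bh),
        # RFC 6376 section 8.2 notes that l= leaves appended content unsigned.
        "via list, with l=": verify_body(AFTER_LIST, bh, signed_len),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: body hash {'matches' if ok else 'MISMATCH'}")
```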

