On Jan 25, 2022, at 8:50 AM, Benny Pedersen <m...@junc.eu> wrote:
Authentication-Results: lists.isc.org;
        dkim=fail reason="signature verification failed" (1024-bit key; unprotected)
        header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
        dkim=fail reason="signature verification failed" (1024-bit key; unprotected)
        header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z

On 25.01.22 12:25, Dan Mahoney wrote:
The headers you cite are lying to you.  :) The message passed DKIM on the
way IN to lists.isc.org (the dedicated vm that runs our lists), but then,
when the message got to the mailman python scripts and then shot back out
via the MTA, they had an altered body and no longer passed, and the header
was rewritten to say "fail".  (This is visible from the logging on the
servers, but nowhere else).

there were multiple headers when that mail came here:

Authentication-Results: fantomas.fantomas.sk;
       dkim=fail reason="signature verification failed" (1024-bit key; secure)
       header.d=isc.org header.i=@isc.org header.b="q/vOEba5";
       dkim=fail reason="signature verification failed" (1024-bit key; secure)
       header.d=isc.org header.i=@isc.org header.b="ozeUkO/Z";
       dkim-atps=neutral
Authentication-Results: lists.isc.org;
       dkim=fail reason="signature verification failed" (1024-bit key; unprotected)
       header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
       dkim=fail reason="signature verification failed" (1024-bit key; unprotected)
       header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z

obviously when the mail came to list, DKIM was fine, not so after it left
(thanks to list signature)

will my dkim fail as well?

it did...

Altering the body or headers at all (which lists do) will often break the
hashing.  For this reason, most recent versions of mailman have an option
to rewrite your mail from:

[...]

...but only in the event you have a restrictive DMARC policy.

this explains why both your and Benny's mail did fail here, while Eduard's
did not - that one was signed by mailman because of his domains' restrictive
policy.

I missed this part before.

I've argued that it should be possible to do so for *any* dmarc policy,
even p=none, but that option is not present in mailman 3, at least.

I agree.
spam filter is something that can use dkim fail and should not be ignored.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
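
Added example, not part of the original thread and not mailman or ISC code: a minimal Python sketch of the DKIM body hash (the `bh=` value, RFC 6376 sections 3.4.3 and 3.4.4) showing why an appended list footer invalidates a signature under both canonicalizations, while a whitespace-only change survives `relaxed`. The message body is constructed sample data, the footer text is modeled on the list footer visible on this page, and all function names are hypothetical.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: ignore empty lines at the end, keep exactly one CRLF."""
    while body.endswith(CRLF):
        body = body[:-2]
    return body + CRLF

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs, strip line-end WSP and trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + CRLF for ln in lines)

def body_hash(body: bytes, canon=canon_relaxed) -> str:
    """SHA-256 body hash, base64 encoded, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def bh_survives(signed: bytes, delivered: bytes, canon) -> bool:
    """True if the body a verifier receives still hashes to the signer's bh=."""
    return body_hash(signed, canon) == body_hash(delivered, canon)

# Constructed sample data (not taken from a real message).
SIGNED = b"will my dkim fail as well?" + CRLF
FOOTER = (b"_______________________________________________" + CRLF +
          b"Please visit https://lists.isc.org/mailman/listinfo/bind-users"
          b" to unsubscribe" + CRLF)
WITH_FOOTER = SIGNED + FOOTER                              # what the list sends out
REFLOWED = b"will my  dkim fail as well? " + CRLF + CRLF   # whitespace-only change

if __name__ == "__main__":
    cases = (("list footer appended", WITH_FOOTER), ("whitespace only", REFLOWED))
    for name, delivered in cases:
        for canon in (canon_simple, canon_relaxed):
            ok = bh_survives(SIGNED, delivered, canon)
            print(f"{name:22} {canon.__name__:14} bh matches: {ok}")
```
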

