Patches item #1287546, was opened at 2005-09-11 01:08
Message generated for change (Comment added) made by skyrush
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=1287546&group_id=103

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: mail delivery
Group: Mailman 2.1
Status: Closed
Resolution: Accepted
Priority: 5
Submitted By: Joe Peterson (skyrush)
Assigned to: Nobody/Anonymous (nobody)
Summary: Remove DomainKeys (and similar) header lines

Initial Comment:
This simple patch removes the header lines containing keys used in DomainKeys (Yahoo) and DKIM. The keys, if left in the header, will make the email seem forged or altered to the recipient, since Mailman alters header/body info. If the keys are removed, the MTA will generate new keys (if this is installed on the host).

-Joe

----------------------------------------------------------------------

>Comment By: Joe Peterson (skyrush)
Date: 2005-12-16 10:01

Message:
Logged In: YES
user_id=738814

Markonen, I agree that the whole DKIM/DomainKeys issue is a bit of a mess. It makes me wonder about the future of such email verification schemes. It seems that any mail list mechanism has the potential for breaking them.

As to your concern, I believe we are OK in that #2 already happens. Mailman adds a "Sender:" header line, and DKIM/DomainKeys will use this as the source domain to determine if signing is expected, etc. So if the sender host re-signs the email, things should be OK. The problem here, of course, is that the receiver will only know that the email came from the mail list host - not that the original email came from the original author - less than ideal. I was enthusiastic about DKIM, but I am a little less so now due to these shortcomings.

Your #1 is probably not possible, since I doubt we could expect Mailman to never modify body/headers... right?

-Joe

----------------------------------------------------------------------

Comment By: Marko Karppinen (markonen)
Date: 2005-12-16 08:16

Message:
Logged In: YES
user_id=1406492

I think this is problematic.

For intra-organizational lists, removing the DomainKeys header works as advertised. However, if a person from a DomainKeys-enabled domain posts onto an external list, there is a potential for error. If the sender's domain's DomainKeys settings specify that the domain does not send unsigned mail, external MTAs can and will drop an email from that domain if the DomainKeys headers are removed.

To make DomainKeys work with mailman as expected, admins have two possibilities:

1) Deliver the message as-is, without modifying the Subject header or message body (or any header indicated to be signed). The original DomainKeys signature will then work.

2) If modifying the message is necessary, the mailing list will have to rewrite the From: header in order not to claim that the message originated in the DomainKeys-protected sender domain.

Removing the DomainKeys header will only be relevant in the case 2) above. For 1) -- the preferred solution for many lists -- it is actively harmful. Therefore, automatically removing the DomainKeys header is NOT the way to go.

----------------------------------------------------------------------

Comment By: Barry A. Warsaw (bwarsaw)
Date: 2005-09-12 15:59

Message:
Logged In: YES
user_id=12800

Applied to both Mailman 2.1 branch and trunk (2.2)

----------------------------------------------------------------------

Comment By: Joe Peterson (skyrush)
Date: 2005-09-11 01:09

Message:
Logged In: YES
user_id=738814

Attached is the patch.

----------------------------------------------------------------------
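
The two cases argued in the thread (message passed through untouched versus message altered by the list), as an added example that is not part of the tracker thread and is not Mailman's code or the attached patch. The `list_process` function, its parameters and the sample message are hypothetical; the header names come from the DomainKeys and DKIM specifications, and the hash shown is DKIM's "simple" body canonicalization.

```python
import base64
import hashlib
from email import message_from_string

# Header names defined by the DomainKeys and DKIM specifications.
SIGNATURE_HEADERS = ("DomainKey-Signature", "DKIM-Signature")

SAMPLE = (  # constructed message; signature values are placeholders
    "From: alice@example.org\n"
    "Subject: hello\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DomainKey-Signature: a=rsa-sha1; d=example.org; b=PLACEHOLDER\n"
    "\n"
    "Hi list.\n"
)


def body_hash(body: str) -> str:
    """DKIM 'simple' body canonicalization followed by SHA-256, base64-encoded."""
    data = body.replace("\r\n", "\n").replace("\n", "\r\n").encode("utf-8")
    # Trailing empty lines are ignored; the body always ends with one CRLF.
    data = data.rstrip(b"\r\n") + b"\r\n"
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def list_process(raw: str, footer: str = "", subject_prefix: str = ""):
    """Hypothetical list pipeline: apply list edits, then drop signature
    headers only if the edits touched content a signature would cover."""
    msg = message_from_string(raw)
    before = body_hash(msg.get_payload())
    if subject_prefix:
        subject = msg["Subject"]
        del msg["Subject"]
        msg["Subject"] = f"{subject_prefix} {subject}"
    if footer:
        msg.set_payload(msg.get_payload() + footer)
    modified = bool(subject_prefix) or body_hash(msg.get_payload()) != before
    if modified:
        for name in SIGNATURE_HEADERS:
            del msg[name]  # removes every occurrence; no error if absent
    return msg, modified


if __name__ == "__main__":
    for kwargs in ({}, {"footer": "-- \nlist footer\n"}, {"subject_prefix": "[list]"}):
        msg, modified = list_process(SAMPLE, **kwargs)
        kept = [h for h in SIGNATURE_HEADERS if msg[h] is not None]
        print(kwargs, "modified:", modified, "signature headers kept:", kept)
```
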
