On 2015-07-29 13:08, Ben Scott wrote:
>
>   I believe mailing lists break DKIM, if they don't take special
> actions for it.  (Since mail originating from one domain, and
> cryptographically authenticated to that domain, is now originating
> from a completely different mail exchanger.)

Mailing lists sometimes break DKIM, depending on how the originating
_sender_ has it configured, but that's not how/why it breaks--
because DKIM is content-based, not origin-based.

The DKIM breakage Greg was indicating was because the googlemail sender
indicated that it wanted the message _body_ verified against the
signature, and gnhlug-discuss added a footer to the body.

When I've set up DKIM, IIRC I just told it to sign/verify
only the subset of headers that mailing-lists almost never munge
("To", "From", probably "Date", maybe a couple others; not the
 "Subject" header and definitely not the body).

On the up side, it looks like Google's DKIM settings request
that failures be _ignored_, so it shouldn't actually matter
that they're signing overzealously....

You can think of DKIM as being somewhat like PGP-signed e-mail;
they have similar (though somewhat different) failure-scenarios....
In this case, an inline ASCII PGP signature wouldn't have broken
because the mailing-list footer would have been added *after*
the PGP "END" line; DKIM has a similar `END' provision, but
Google has apparently opted not to use it, so their message-bodies
have no predetermined END.

>   Might be we should setup DKIM on the GNHLUG server.  Anyone know how
> to do that, and have the time?  CentOS 5.x, Sendmail, and GNU Mailman.

I could, but I don't think it's actually meaningful to "set up DKIM"
for a mailing-list: the domain in the "From:" header in the message
is the one that requests (or doesn't request) DKIM verification
and specific failure-handling via either ADSP (old) or DMARC (newer);
the subscribers' original sending servers have already inserted
their own DKIM signatures for the ultimate receiving servers to check.
The only reason for the list server to check the signatures itself
would be for it to throw mail away instead of relaying it;
and there's probably not much point in the list adding its own
signatures.

Unless you want to emulate what the yahoos at Yahoo! did
and make the mailing list actually pretend that it's
actually the original author of all of the mail that passes through it....

The (non-yahoo) way you'd make the list comply with senders' overzealous signing
is to just restrict the parts of the message the list munges--
e.g.: don't modify the "Subject:" header with the list-name
(and we're already not doing that), and don't add the helpful
footer to the end of the message-body (but continuing to add
the helpful "List-*:" headers should be fine).


-- 
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
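The body-hash behaviour discussed in the reply above, as an added illustration that is not part of the thread: DKIM's bh= value is computed over the canonicalized body, so a footer appended by the list changes it unless the signer set the RFC 6376 l= (body length) tag, which is the "END" provision mentioned. The message body and list footer are constructed sample data, and the canonicalization is a minimal "simple" canonicalization rather than a full DKIM implementation.

```python
import base64
import hashlib
from typing import Optional

# Constructed sample body and footer (CRLF line endings, as on the wire).
ORIGINAL_BODY = b"Hi list,\r\n\r\nDKIM signs content, not origin.\r\n"
LIST_FOOTER = b"_______________________________________________\r\n" \
              b"gnhlug-discuss mailing list\r\n"


def simple_canon(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: normalize line endings to CRLF
    and collapse any trailing empty lines to a single CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """Return the base64 bh= value: SHA-256 over the canonicalized body,
    truncated to `length` octets when the signature carries an l= tag."""
    canon = simple_canon(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def signer_view(body: bytes, use_length_tag: bool) -> dict:
    """What the signer records in DKIM-Signature: bh= and, optionally, l=."""
    length = len(simple_canon(body)) if use_length_tag else None
    return {"bh": body_hash(body, length), "l": length}


def verifier_matches(sig: dict, delivered_body: bytes) -> bool:
    """Recompute bh= over the body as delivered, honouring l= if present."""
    return body_hash(delivered_body, sig["l"]) == sig["bh"]


def footer_breaks_signature(use_length_tag: bool) -> bool:
    """True if appending the list footer invalidates the body hash."""
    sig = signer_view(ORIGINAL_BODY, use_length_tag)
    return not verifier_matches(sig, ORIGINAL_BODY + LIST_FOOTER)


if __name__ == "__main__":
    print("without l=, footer breaks bh:", footer_breaks_signature(False))
    print("with l=, footer breaks bh:   ", footer_breaks_signature(True))
```

RFC 6376 itself cautions that l= leaves anything appended after the signed length unverified, which is the trade-off a signer accepts when using it.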
