On 2015-07-29 13:08, Ben Scott wrote:
>
> I believe mailing lists break DKIM, if they don't take special
> actions for it. (Since mail originating from one domain, and
> cryptographically authenticated to that domain, is now originating
> from a completely different mail exchanger.)

Mailing lists sometimes break DKIM, depending on how the originating _sender_ has it configured, but that's not how/why it breaks-- because DKIM is content-based, not origin-based.

The DKIM breakage Greg was indicating was because the googlemail sender indicated that it wanted the message _body_ verified against the signature, and gnhlug-discuss added a footer to the body.

When I've set up DKIM, IIRC I just told it to sign/verify only the subset of headers that mailing-lists almost never munged ("To", "From", probably "Date", maybe a couple others; not the "Subject" header and definitely not the body).

On the up side, it looks like Google's DKIM settings request that failures be _ignored_, so it shouldn't actually matter that they're signing overzealously....

You can think of DKIM as being somewhat like PGP-signed e-mail; they have similar (though somewhat different) failure-scenarios.... In this case, an inline ASCII PGP signature wouldn't have broken because the mailing-list footer would have been added *after* the PGP "END" line; DKIM has a similar "END" provision, but Google has apparently opted not to use it, so their message-bodies have no predetermined END.

> Might be we should setup DKIM on the GNHLUG server. Anyone know how
> to do that, and have the time? CentOS 5.x, Sendmail, and GNU Mailman.

I could, but I don't think it's actually meaningful to "set up DKIM" for a mailing-list: the domain in the "From:" header in the message is the one that requests (or doesn't request) DKIM verification and specific failure-handling via either ADSP (old) or DMARC (newer); the subscribers' original sending servers have already inserted their own DKIM signatures for the ultimate receiving servers to check.

The only reason for the list server to check the signatures itself would be for it to throw mail away instead of relaying it; and there's probably not much point in the list adding its own signatures. Unless you want to emulate what the yahoos at Yahoo! did and make the mailing list actually pretend that it's actually the original author of all of the mail that passes through it....

The (non-yahoo) way you'd make the list comply with senders' overzealous signing is to just restrict the parts of the message that the list munges-- e.g.: don't modify the "Subject:" header with the list-name (and we're already not-doing that), and don't add the helpful footer to the end of the message-body (but continuing to add the helpful "List-*:" headers should be fine).

--
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
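
The body-hash behaviour discussed in this message, as an added example that is not part of the original post: it computes the DKIM `bh=` value using the body canonicalization rules of RFC 6376 and checks whether it still matches after a list appends its footer, with and without the signer's `l=` (body length) tag, which is the RFC's name for the "END" provision mentioned above. The message body is a constructed sample, the footer is the one this list appends, and the function names are illustrative.

```python
import base64
import hashlib
import re


def canon_body(body, relaxed=True):
    """Canonicalize a CRLF-delimited body per RFC 6376 sec. 3.4.3 / 3.4.4."""
    lines = body.split(b"\r\n")
    if relaxed:
        # Collapse runs of WSP to one space and drop WSP at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":   # ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"" if relaxed else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, relaxed=True, length=None):
    """Return the base64 SHA-256 that a signer places in bh= and a verifier recomputes."""
    data = canon_body(body, relaxed)
    if length is not None:
        data = data[:length]            # l= counts canonicalized octets
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def survives_footer(original, footer, relaxed=True, use_l=False):
    """True if the sender's bh= still verifies after the list appends footer."""
    l_tag = len(canon_body(original, relaxed)) if use_l else None
    signed_bh = body_hash(original, relaxed, l_tag)
    return body_hash(original + footer, relaxed, l_tag) == signed_bh


# Constructed sample body; the footer is the one gnhlug-discuss appends.
ORIGINAL = b"Might be we should set up DKIM on the server.\r\n"
FOOTER = (b"_______________________________________________\r\n"
          b"gnhlug-discuss mailing list\r\n"
          b"gnhlug-discuss@mail.gnhlug.org\r\n"
          b"http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/\r\n")

if __name__ == "__main__":
    print("whole body signed:", survives_footer(ORIGINAL, FOOTER))
    print("l= set by signer: ", survives_footer(ORIGINAL, FOOTER, use_l=True))
    # Relaxed canonicalization absorbs whitespace changes, not new text.
    print(body_hash(b"a  b \r\n") == body_hash(b"a b\r\n"))
```

With `l=` set, everything after the signed octets is outside the signature, so a verifier authenticates only the first `l` octets of the body.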