https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34927
--- Comment #8 from Thomas Dukleth <[email protected]> ---

1. DKIM Not Working Properly for the Mailing List.

For DMARC, which is dependent upon SPF and DKIM, the DKIM signature should be re-signed using the mailing list sender, such as [email protected]. DKIM signatures from the message author should not validate because we change the From header, moving the original From header to Reply-To, adding "[koha-devel]" to the subject header, and adding a mailing list footer to the body.

I wrote about the issue on the koha-devel mailing list, "[Koha-devel] DMARC testing for koha-devel" - https://lists.koha-community.org/pipermail/koha-devel/2023-November/048405.html .

It is currently evident, as probably expected, that the DKIM signatures in the message headers are not being re-signed for lists.koha-community.org. Messages retain the DKIM signature of the original author and would not validate properly even without DMARC changes because every message is altered slightly for the mailing list. Such a DKIM signature problem may have been more of an issue in past years where popular mail systems had adopted excessive strictness in rejecting messages.

Mailman 3 has code which might address the issue better when setting remove_dkim_headers to yes but removing the header does not ensure that the SMTP server will supply an appropriate DKIM header for the mailing list. Re-signing the outgoing message can be fixed by forcing Mailman to send to a special port for which messages are designated as originating from the system and re-signed.

The mailing lists are also not DKIM signing the monthly mailing list membership messages despite a DKIM signature reported for lists.koha-community.org.

I have communicated with people at BibLibre in recent weeks about the configuration details for fixing DKIM signing and mailing list message re-signing.

The most important details of how to fix such a system as I sent it to people at BibLibre follow below but I have not had confirmation that Postfix as the Mailman default and most likely choice is what they are actually using. I had sent other details about fixing DKIM signing more generally for lists.koha-community.org which is broken. Priority had been low but I have discovered announcements from Google and Yahoo about changes coming in February 2024 which raise priority.

2. Settings for Mailing List DKIM Re-Signing.

Postfix can be forced to re-sign mailing list messages by having Mailman send them to an additional Postfix listening port listening only on localhost set in /etc/postfix/master.cf and /etc/mailman/mm_cfg.py. Using a special port for assuring that messages are originating from the system and marked as such for DKIM using "-o milter_macro_daemon_name=ORIGINATING".

Getting DKIM to work with Mailman and Postfix - https://groups.google.com/g/mailing.postfix.users/c/6xtGQNnfEWA .

2.1. Postfix master.cf Settings for Mailing List DKIM Re-Signing.

In /etc/postfix/master.cf

# Default smtp listening on port 25 unchanged.
smtp      inet  n       -       -       -       -       smtpd

# Additional smtp listening port for resubmitting from Mailman to allow DKIM
# re-signing.  Connection over localhost
127.0.0.1:26 inet n     -       -       -       -       smtpd
# Mailman 2.1.26 running for lists.koha-community.org may
# have sufficient authentication support that disabling Mailman authentication
# for Postfix port 26 on localhost is not necessary
# Use mailman authentication only if it is already being used.
# Mailman 3 has much better authentication support
# Uncomment if Mailman authentication fails.
#    -o smtpd_tls_security_level=none
# Uncomment if Mailman authentication fails.
#    -o smtpd_sasl_auth_enable=no
# Uncomment if Mailman authentication fails.
#    -o smtpd_client_restrictions=
# Uncomment if Mailman authentication fails.
#    -o smtpd_helo_restrictions=
# Uncomment if Mailman authentication fails.
#    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
# Uncomment if Mailman authentication fails.
#    -o smtpd_data_restrictions=
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix/p26

2.2. Mailman mm_cfg.py Settings for Mailing List DKIM Re-Signing.

In /etc/mailman/mm_cfg.py

HOST = 'localhost'
SMTPPORT = 26  # Changed to 26 for resubmitting to Postfix.
MTA = 'Postfix'  # Probably Postfix which may be the default if not set.
# Check the configuration for authentication options if any.

2.3. OpenDKIM opendkim.cfg Settings for Mailing List DKIM Re-Signing.

In /etc/opendkim.cfg

# Sets the expected designation from the MTA to force signing of messages.
MTA                     ORIGINATING
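
Added example (not part of the original comment and not Koha, Mailman or OpenDKIM code): a Python check of the two conditions described in section 1 of the comment, namely whether the body hash (bh=) of each DKIM-Signature still matches after the list appends its footer, and whether any signature carries the list's own domain in d=. The domains author.example and lists.example, the sample message and all function names are constructed for illustration; the check assumes sha256 signatures without an l= tag and does not verify the RSA signature in b=.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 section 3.4 body canonicalization, "simple" or "relaxed"."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of whitespace, drop it at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    """Value a sha256 signer puts in the bh= tag (assumes no l= length limit)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature tag list (k=v; k=v) and strip folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def audit(raw: bytes, list_domain: str) -> list:
    """Per DKIM-Signature: signing domain, body hash still valid, signed by list?"""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("ascii", "replace")
    report = []
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "dkim-signature":
            continue
        t = parse_tags(value)
        # c= is header/body; a missing body part means "simple"
        mode = t.get("c", "simple/simple").partition("/")[2] or "simple"
        report.append({"d": t.get("d"),
                       "body_ok": body_hash(body, mode) == t.get("bh"),
                       "list_signed": t.get("d", "").lower() == list_domain})
    return report

# Constructed sample: the author's body, and the footer a list appends to it.
ORIGINAL_BODY = b"Patch attached.\r\n"
FOOTER = b"_______________\r\nKoha-devel mailing list\r\n"

def sample(delivered_body: bytes) -> bytes:
    bh = body_hash(ORIGINAL_BODY, "relaxed").encode()  # as the author's signer computed it
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
            b"\td=author.example; s=sel; h=from:subject; bh=" + bh + b";\r\n"
            b"\tb=PLACEHOLDER\r\n"
            b"From: list@lists.example\r\nSubject: [koha-devel] test\r\n\r\n"
            + delivered_body)
```

Calling audit(sample(ORIGINAL_BODY + FOOTER), "lists.example") reports body_ok False and list_signed False for the single author.example signature, which is the state the comment describes: the only signature present is the author's, and it no longer matches the delivered body.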
