On Oct 7, 2009, at 6:00 AM, Ian Eiloart wrote:
As far as I recall, Mailman removes DKIM signatures, and re-signs messages.
Close, but the spirit is right. Mailman does remove DKIM headers, if configured to do so via a site-wide option. The option is turned off by default. This comment in the configuration file is useful:
# Some list posts and mail to the -owner address may contain DomainKey or
# DomainKeys Identified Mail (DKIM) signature headers <http://www.dkim.org/>.
# Various list transformations to the message such as adding a list header or
# footer or scrubbing attachments or even reply-to munging can break these
# signatures. It is generally felt that these signatures have value, even if
# broken and even if the outgoing message is resigned. However, some sites
# may wish to remove these headers by setting this to Yes.

My own personal feeling is that Mailman should not be adding any DKIM headers, as this is the job of the outgoing MTA. Nor frankly should it be verifying DKIM headers, as that's the job of the incoming MTA. The optional removal of any existing DKIM headers is a nod to practicality; without that cleansing step, ironically the mailing list appears more broken to people than with it.
You're saying that with ADSP, that's not adequate unless Mailman first rewrites the "From:" address. Some lists are configured to do this already, the question is what to do about those that don't.
Ian and Stephen have eloquently stated opinions that I agree with. /Requiring/ munging of the From or Reply-to headers is not acceptable because you are trampling on long established valid use cases (not to mention violating standards in some cases). I don't like Reply-to munging, but Mailman does not prohibit it and it's a use-case that must be preserved. Similarly, anonymizing the From header is a necessary use case for other reasons, but it cannot be required.
ISTM that Stephen has the most sensible solution when he proposes to sign the RFC 2369 headers. I still think that's something that would happen in the outgoing MTA instead of list manager. List-ID is the core identifying header for the list manager and a site administrator should be making assertions about it if they want to.
-Barry
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
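Added example, not part of the message above and not Mailman code: a Python sketch of why the list transformations named in the configuration comment (here, an appended footer) break a DKIM signature, by recomputing the RFC 6376 body hash (bh=) before and after. The sample post, footer, domain and selector are constructed; the sketch assumes a SHA-256 signature, ignores the l= tag and does not verify the header signature (b=).

```python
import base64
import hashlib
import re


def canon_body(body: bytes, relaxed: bool) -> bytes:
    """RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    lines = body.split(b"\r\n")
    if relaxed:
        # Collapse runs of whitespace and drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are ignored in both modes
    if not lines:
        return b"" if relaxed else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, relaxed: bool = False) -> str:
    digest = hashlib.sha256(canon_body(body, relaxed)).digest()
    return base64.b64encode(digest).decode("ascii")


def bh_still_valid(sig_header: str, body: bytes) -> bool:
    """Compare the bh= tag of a DKIM-Signature value with the body as received."""
    pairs = (t.split("=", 1) for t in sig_header.split(";") if "=" in t)
    tags = {k.strip(): v.strip() for k, v in pairs}
    # c= is "header/body"; a missing body part means simple.
    relaxed = tags.get("c", "simple/simple").partition("/")[2] == "relaxed"
    return tags["bh"].replace(" ", "") == body_hash(body, relaxed)


def demo():
    # Constructed post as the author's MTA signed it.
    original = b"Hello list,\r\n\r\nDoes anyone sign List-ID?\r\n"
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel; "
           "h=from:subject; bh=%s; b=PLACEHOLDER" % body_hash(original, True))
    # Constructed list footer, as a list manager would append it.
    footered = original + b"_____\r\nexample-list mailing list\r\n"
    return (bh_still_valid(sig, original),               # untouched body
            bh_still_valid(sig, footered),               # footer added
            bh_still_valid(sig, original + b"\r\n\r\n"))  # only blank lines added


if __name__ == "__main__":
    print(demo())
```

Only the footered copy fails the comparison, and that failed check on a header still present in the message is the "more broken" appearance the message above describes.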