Bug#500966: lists.debian.org: should sign outbound mail with DKIM
tag 500966 wontfix
thanks

Hi Russell,

Russell Coker wrote:
> To prevent forgeries of mail from the lists.debian.org server I believe that
> we should have DKIM installed to sign all outbound mail. It really is not
> difficult to do in Lenny, and it shouldn't be difficult to back-port the
> relevant packages to Etch if necessary.

I don't think it's appropriate to sign relayed mails unless we have verified some previous signature and even then it's questionable.

Kind regards

T.
--
Thomas Viehmann, http://thomas.viehmann.net/

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#500966: lists.debian.org: should sign outbound mail with DKIM
On Friday 03 October 2008 18:32, Thomas Viehmann [EMAIL PROTECTED] wrote:
> > To prevent forgeries of mail from the lists.debian.org server I believe
> > that we should have DKIM installed to sign all outbound mail. It really
> > is not difficult to do in Lenny, and it shouldn't be difficult to
> > back-port the relevant packages to Etch if necessary.
>
> I don't think it's appropriate to sign relayed mails unless we have
> verified some previous signature and even then it's questionable.

The signature is not making any statement about the content of the message, merely about where it came from. If a message is signed as coming from a Debian list server then I can know whether it was corrupted between the Debian server and my mail server. Then if there is some issue as to the content I can contact the Debian list administrators if there is a need to track it back further.

The Gmail servers sign all mail. Some of that mail is spam, and a lot of the non-spam mail is of low quality. This does not reduce the value of having a signature. Knowing that a message came from a Gmail server without corruption is useful, I can then assign a value on the message based on the reported sender.

Ideally the Debian list servers would sign outgoing mail and also sign an extra header which indicates the signing status of the message when it arrived at the Debian server. The DKIM spec supports signing arbitrary headers - including X- headers.
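The arrangement proposed in the last paragraph of the message above, as an added example that is not part of the thread or of any Debian list server configuration: it computes the bytes a relaying server's DKIM key would sign (RFC 6376 relaxed canonicalization) when a header recording the inbound verification result is listed in h=. The header name X-Inbound-DKIM, the selector, the List-Id and the sample message are constructed assumptions.

```python
import base64, hashlib, re

def relaxed_header(name, value):
    # RFC 6376 relaxed header canonicalization: lowercase the name, unfold,
    # collapse runs of whitespace, trim whitespace around the value.
    value = re.sub(r"\r\n(?=[ \t])", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.lower().strip()}:{value}\r\n"

def relaxed_body_hash(body):
    # Relaxed body canonicalization: trim line ends, collapse whitespace,
    # drop trailing empty lines, then SHA-256 and base64 (the bh= tag).
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" ") for l in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    canon = "".join(l + "\r\n" for l in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def signing_input(headers, body, signed, domain, selector):
    # Bytes the list server's private key would sign: every header named in
    # h=, then the DKIM-Signature header itself with an empty b= tag.
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
           f"h={':'.join(signed)}; bh={relaxed_body_hash(body)}; b=")
    data = ""
    for name in signed:
        value = next(v for n, v in reversed(headers) if n.lower() == name.lower())
        data += relaxed_header(name, value)
    return (data + relaxed_header("DKIM-Signature", sig)[:-2]).encode()

# Constructed sample message as it arrived at the list server.
INBOUND = [("From", "Alice Example <alice@example.org>"),
           ("Subject", "  test   post"),
           ("List-Id", "<debian-example.lists.debian.org>")]
BODY = "Hello list.  \r\n\r\n"
SIGNED = ["From", "Subject", "List-Id", "X-Inbound-DKIM"]

def relay(inbound_result):
    # Record the inbound verification result, then cover it with h=.
    headers = INBOUND + [("X-Inbound-DKIM", inbound_result)]  # hypothetical header
    return signing_input(headers, BODY, SIGNED, "lists.debian.org", "sel1")

if __name__ == "__main__":
    print(relay("pass d=example.org").decode())
```

Because the status header is named in h=, changing its value after signing changes the signed bytes, so a verifier would reject the altered message.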
Bug#500966: lists.debian.org: should sign outbound mail with DKIM
Russell Coker wrote:
> On Friday 03 October 2008 18:32, Thomas Viehmann [EMAIL PROTECTED] wrote:
> > > To prevent forgeries of mail from the lists.debian.org server I
> > > believe that we should have DKIM installed to sign all outbound mail.
> > > It really is not difficult to do in Lenny, and it shouldn't be
> > > difficult to back-port the relevant packages to Etch if necessary.
> >
> > I don't think it's appropriate to sign relayed mails unless we have
> > verified some previous signature and even then it's questionable.
>
> The signature is not making any statement about the content of the
> message, merely about where it came from.

Yeah, and the messages don't originate at lists.debian.org, they are merely forwarded. The little I read (in the discussion of the l= length field) seems to indicate that the designers of DKIM agree that forwarders should not sign messages. IMO signing arbitrary messages on forward would defeat the purpose of DKIM.

For gmail, mail actually originates with them. That's a fundamental difference to lists.d.o.

Kind regards

T.
--
Thomas Viehmann, http://thomas.viehmann.net/
Bug#500966: lists.debian.org: should sign outbound mail with DKIM
On Friday 03 October 2008 22:06, Thomas Viehmann [EMAIL PROTECTED] wrote:
> Yeah, and the messages don't originate at lists.debian.org, they are
> merely forwarded. The little I read (in the discussion of the l= length
> field) seems to indicate that the designers of DKIM agree that forwarders
> should not sign messages. IMO signing arbitrary messages on forward would
> defeat the purpose of DKIM.
>
> For gmail, mail actually originates with them. That's a fundamental
> difference to lists.d.o.

If you consider that there are only two levels of mail, signed and unsigned, then signing mailing list mail would be the wrong thing to do. If you consider DKIM as a way of authenticating the origin of mail independently of its value then signing all mail is the right thing to do.
Bug#500966: lists.debian.org: should sign outbound mail with DKIM
Package: lists.debian.org
Severity: normal

To prevent forgeries of mail from the lists.debian.org server I believe that we should have DKIM installed to sign all outbound mail. It really is not difficult to do in Lenny, and it shouldn't be difficult to back-port the relevant packages to Etch if necessary.