Re: [Mailman-Users] DKIM Failures cause posts from gmail users to not be relayed to the list

2015-08-12 Thread Mark Sapiro
On 08/12/2015 06:21 AM, Peter Bossley wrote:

> The MTA was configured to reject DKIM failures.

This is wrong and is the cause of your issue. See RFC 6376
http://www.rfc-editor.org/rfc/rfc6376.txt sec 4.4, sec 6.1 and sec 6.3.

The issue is your mail list transformations break gmail's DKIM signature
and you are rejecting the outgoing mail because of the invalid
signature, in spite of the fact that it may also contain a valid
signature. Even if it doesn't also contain a valid signature, mail
should not be rejected just because of an invalid DKIM signature. In
most cases an invalid DKIM signature should be treated the same as no
signature.


> The domain was configured to sign outgoing messages with DKIM.


OK.


> So, next, thinking that the DMARC issues that have been plaguing the internet
> lately were to blame, I tried changing the DMARC_Moderation setting to munge.
> This failed to change the situation as well.


This is not a DMARC issue per se as gmail's DMARC policy is p=none.


> I then attempted to set this setting to wrap message, which again did not fix
> the issue.


Because gmail's DMARC policy is p=none, dmarc_moderation_action won't
apply to this mail.


> At this point, I moved on to the from as list global setting, and tried munge
> here as well. This didn't work.
> Last, I tried wrap message, which did seem to work.


Because the outer wrapper message only contains your DKIM signature.
Gmail's is in the wrapped message which is part of the message body and
not checked by your MTA.


> Given the functionality issues this created, however, I decided to keep
> investigating.
> It was at this point that I decided to turn off DKIM failure rejection. I
> initially dismissed this course of action because I felt that changing the
> from as list setting to munge should have prevented this from becoming an
> issue.


No. Turning off DKIM failure rejection or at least changing it to ignore
a failure if there is also a valid DKIM sig present was the correct
solution.


> Since the initial posts were making it to the web-based archives I figured
> the gmail signature was fine.


The sig was fine in the incoming mail, but transformations like subject
prefixing and the addition of a message header or footer break the sig
in the outgoing mail.


> I'm at a loss of where to go from here. I would like to still reject DKIM
> failures, but my mailing lists need to work properly as well. Does anyone
> have any suggestions or ideas on why the Munge setting didn't seem to have an
> impact?


All Munging the From: does is create one more failure in gmail's DKIM
sig. This is not a DMARC issue. Do not reject messages just because they
happen to contain one invalid DKIM sig. This is wrong. Read the RFC
sections I refer to above.

-- 
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
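
Added example (not part of the original thread, and not Mailman or MTA code): RFC 6376 relaxed canonicalization applied to a constructed post before and after list processing, showing that whitespace changes keep the signed input intact while a footer or subject prefix does not, followed by the three MTA policies discussed above. It assumes the sender signed with relaxed/relaxed canonicalization and covered Subject; the sample message, the policy names and lists.example.org are hypothetical.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 sec 3.4.4 'relaxed' body canonicalization."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":        # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonical body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 sec 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)          # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()
    return name.lower() + ":" + value + "\r\n"

# Constructed sample: a post as the sender signed it, then as the list relays it.
ORIG_SUBJECT, ORIG_BODY = "Meeting notes", b"See you at 10.\r\n"
LIST_SUBJECT = "[Example-List] " + ORIG_SUBJECT                    # subject prefix
LIST_BODY = ORIG_BODY + b"--\r\nExample-List mailing list\r\n"     # list footer

def signature_survives() -> dict:
    """True where the signed input is unchanged, so the signature still verifies."""
    return {
        "whitespace_only": body_hash(ORIG_BODY) == body_hash(b"See  you at 10. \r\n\r\n"),
        "footer": body_hash(ORIG_BODY) == body_hash(LIST_BODY),
        "subject_prefix": relaxed_header("Subject", ORIG_SUBJECT)
                          == relaxed_header("Subject", LIST_SUBJECT),
    }

def decide(results, policy):
    """results: [(d= domain, 'pass' or 'fail')], one per DKIM-Signature header."""
    passed = [d for d, r in results if r == "pass"]
    failed = [d for d, r in results if r == "fail"]
    if policy == "reject-any-fail":            # the setting that blocked the list
        return "reject" if failed else "accept"
    if policy == "ignore-fail-if-valid":       # the "at least" option in the reply
        return "reject" if failed and not passed else "accept"
    return "accept"                            # "fail-as-unsigned": failed == no signature

OUTGOING = [("gmail.com", "fail"), ("lists.example.org", "pass")]  # constructed results

if __name__ == "__main__":
    print(signature_survives())
    for policy in ("reject-any-fail", "ignore-fail-if-valid", "fail-as-unsigned"):
        print(policy, "->", decide(OUTGOING, policy))
```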


Re: [Mailman-Users] DKIM Failures cause posts from gmail users to not be relayed to the list

2015-08-12 Thread Brad Rogers
On Wed, 12 Aug 2015 10:04:14 -0400
Barry Warsaw ba...@list.org wrote:

Hello Barry,

> FWIW, lists.debian.org does not run Mailman.

Fair enough.  Seems to me to be less likely that Peter's problem is the
same, as other list owners of mailman run lists would probably be
reporting similar errors.

-- 
 Regards  _
         / )        The blindingly obvious is
        / _)rad     never immediately apparent
Sign away your life
Tin Soldiers - Stiff Little Fingers



Re: [Mailman-Users] DKIM Failures cause posts from gmail users to not be relayed to the list

2015-08-12 Thread Mark Sapiro
On 08/12/2015 06:44 AM, Brad Rogers wrote:
 
> *All* lists run from list.debian.org are to have their footers turned off
> because of valid DKIM signature breakage.


In order to avoid DKIM signature breakage, you also have to turn off
subject prefixing, content filtering, reply-to header munging and
message headers.

See item 2) at http://wiki.list.org/x/17891458 although the OP's issue
is not with DMARC; it is with his own outgoing MTA being too fussy about
a broken sig.

-- 
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan




Re: [Mailman-Users] DKIM Failures cause posts from gmail users to not be relayed to the list

2015-08-12 Thread Brad Rogers
On Wed, 12 Aug 2015 13:21:58 +
Peter Bossley p...@bossley.me wrote:

Hello Peter,

> mailing lists need to work properly as well. Does anyone have any
> suggestions or ideas on why the Munge setting didn't seem to have an
> impact?

I'm far from being an expert regarding DKIM, DKMS and mailman, but what
I can say is this;

*All* lists run from list.debian.org are to have their footers turned off
because of valid DKIM signature breakage.

Maybe this is an option you could also explore.

See
https://lists.debian.org/debian-devel-announce/2015/08/msg3.html
for the announcement.  Sadly, very little in the way of details, but the
poster of the message may be able to help you.

-- 
 Regards  _
         / )        The blindingly obvious is
        / _)rad     never immediately apparent
Drums quite good, bass is too loud, and I can't hear the words
Sound Of The Suburbs - Members

