Re: smtpd with dkim & mailing lists
Heho,

The important part is not 'not adding an additional signature' but 'not breaking the previous signature'. As long as you do not fiddle with anything in there, things will be fine. But as you most likely do (think: adding a prefix to the subject like [LISTNAME]), DKIM will be an issue (mostly if there is DMARC in play as well).

What the IETF lists are doing is something along the lines of 'domain rewrite SRS' (oh, btw, SRS is also a good idea re: SPF). Seemingly, everyone who writes to a list from a DMARC-enabled domain gets their From: (and envelope-from) rewritten to be localpart=40dom...@dmarc.ietf.org, so stuff can be signed and originates correctly. Reply-To: should of course remain untouched/changed to list settings; also, an X-Original-From: is added. I am not overly sure how returns/bounces are handled by them, though, as that is one of the issues around SRS (and why a key is needed for SRS).

With best regards,
Tobias

P.S.: There is a reason this comes from tob...@reads-this-mailinglist.com

-----Original Message-----
From: owner-m...@openbsd.org On Behalf Of Martijn van Duren
Sent: Tuesday, 30 August 2022 19:26
To: Alexandre Ratchov; misc@openbsd.org
Subject: Re: smtpd with dkim & mailing lists

> On Tue, 2022-08-30 at 17:13 +0200, Alexandre Ratchov wrote:
> > Hi,
> >
> > For my $DAYJOB I had to please big mail corporations and configured
> > smtpd(8) to send DKIM-signed emails (also added SPF and DMARC
> > records). This was easy using the instructions in the
> > opensmtpd-filter-dkimsign port and works fine to send messages to
> > bigmailcorp accounts.
> >
> > The mail server is used to manage a few mailing lists using mlmmj. At
> > first glance, things appear to work:
> >
> > - The envelope address (aka smtp "mail from:" address or return-path)
> > matches the mailing list server domain (not sender address domain),
> > which has the proper SPF record.
>
> This should be fine, although for DMARC to be correct the "MAIL FROM:" and From-header should be in line, or else DMARC fails. So mailing lists will fail, unless you rewrite the from-header as well.
>
> > - The list server (mlmmj port) resends the without modifying the
> > DKIM-signed headers and the DKIM-Signature header. So the signature
> > remains valid. In other words the receiver can verify that the mail
> > originated from the sender domain servers even if it's received from
> > the list server.
> >
> > - The list server adds its own signature which is also valid. But
> > AFAIU, it's irrelevant as the signing key is not the sender domain
> > key.
>
> That's fully dependent on what the receiver does with it. For DMARC it only looks at signatures that are domain aligned, all the others are informational. However, one advantage is that by default filter-dkimsign adds a signature to a lot of the different list-* headers. This means that people know if someone messed with these headers since mlmmj added them.
>
> > With all this, mails between gmail and microsoft seem to fly through the
> > lists server.
> >
> > If the sender domain adds a DKIM signature, I guess the mail will be
> > possibly tagged as spam by bigmailcorps.
>
> Who knows what $BIGMAILCORP does. However, I can't think of a reason why a valid signature (aligned or not) would cause a mail to be treated as spam.
>
> > But it would also be tagged
> > as spam if the sender did directly send to mailing list members. So,
> > garbage in, garbage out, no problem.
> >
> > Certain lists I'm subscribed to seem to use the same approach, others
> > seem to discard DKIM-Signature headers.
> >
> > - Is the reasoning correct? Am I missing something?
> >
> > - Is there a way to make smtpd(8) add the DKIM signature only if the
> > sender domain is the local domain? (this would avoid the extra
> > irrelevant DKIM signature).
>
> filter-dkimsign is complex enough as it is. I don't really want to add too much more complexity. But if you make a strong enough case I'll certainly consider it.
>
> > Thanks
>
> martijn@
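The 'not breaking the previous signature' point above, as an added example that is not part of the thread: it canonicalizes the headers listed in a DKIM h= tag the way RFC 6376 'relaxed' mode does and shows that a list adding List-* headers leaves the signed input unchanged, while prefixing the Subject changes it. HMAC-SHA256 with a constructed key stands in for the sender domain's RSA signature; the headers and the h= list are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample message as the list server receives it (name, value).
ORIGINAL_HEADERS = [
    ("From", "Alice <alice@example.org>"),
    ("To", "misc@lists.example.net"),
    ("Subject", "smtpd with dkim & mailing lists"),
    ("Date", "Tue, 30 Aug 2022 17:13:00 +0200"),
]
SIGNED_FIELDS = ["from", "to", "subject", "date"]  # the h= tag of the signature
SIGNING_KEY = b"constructed-demo-key"  # stands in for the sender domain's private key


def relaxed_canon(name, value):
    """RFC 6376 'relaxed' header canonicalization: lowercase the field name,
    unfold, collapse runs of whitespace, trim, and no whitespace around ':'."""
    value = " ".join(value.replace("\r\n", " ").split())
    return f"{name.lower()}:{value}\r\n"


def signed_header_block(headers, fields):
    """Concatenate the h= listed headers in h= order. For each field name the
    bottom-most instance is used, as a verifier does; absent fields are skipped."""
    out = ""
    for field in fields:
        matches = [(n, v) for n, v in headers if n.lower() == field]
        if matches:
            out += relaxed_canon(*matches[-1])
    return out


def sign(headers, fields, key=SIGNING_KEY):
    """HMAC over the canonicalized h= headers; the canonicalized input is the point."""
    data = signed_header_block(headers, fields).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(headers, fields, signature, key=SIGNING_KEY):
    return hmac.compare_digest(sign(headers, fields, key), signature)


def list_adds_headers(headers):
    """mlmmj-style relay: List-* headers appended, signed headers untouched."""
    return headers + [("List-Id", "<misc.lists.example.net>"),
                      ("List-Post", "<mailto:misc@lists.example.net>")]


def list_prefixes_subject(headers, tag="[misc]"):
    """The variant that breaks the author's signature: Subject is under h= and is rewritten."""
    return [(n, f"{tag} {v}" if n.lower() == "subject" else v) for n, v in headers]
```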
Re: smtpd with dkim & mailing lists
On Tue, 2022-08-30 at 17:13 +0200, Alexandre Ratchov wrote:
> Hi,
>
> For my $DAYJOB I had to please big mail corporations and configured
> smtpd(8) to send DKIM-signed emails (also added SPF and DMARC
> records). This was easy using the instructions in the
> opensmtpd-filter-dkimsign port and works fine to send messages to
> bigmailcorp accounts.
>
> The mail server is used to manage a few mailing lists using mlmmj. At
> first glance, things appear to work:
>
> - The envelope address (aka smtp "mail from:" address or return-path)
> matches the mailing list server domain (not sender address domain),
> which has the proper SPF record.

This should be fine, although for DMARC to be correct the "MAIL FROM:" and From-header should be in line, or else DMARC fails. So mailing lists will fail, unless you rewrite the from-header as well.

> - The list server (mlmmj port) resends the without modifying the
> DKIM-signed headers and the DKIM-Signature header. So the signature
> remains valid. In other words the receiver can verify that the mail
> originated from the sender domain servers even if it's received from
> the list server.
>
> - The list server adds its own signature which is also valid. But
> AFAIU, it's irrelevant as the signing key is not the sender domain
> key.

That's fully dependent on what the receiver does with it. For DMARC it only looks at signatures that are domain aligned, all the others are informational. However, one advantage is that by default filter-dkimsign adds a signature to a lot of the different list-* headers. This means that people know if someone messed with these headers since mlmmj added them.

> With all this, mails between gmail and microsoft seem to fly through the
> lists server.
>
> If the sender domain adds a DKIM signature, I guess the mail will be
> possibly tagged as spam by bigmailcorps.

Who knows what $BIGMAILCORP does. However, I can't think of a reason why a valid signature (aligned or not) would cause a mail to be treated as spam.

> But it would also be tagged
> as spam if the sender did directly send to mailing list members. So,
> garbage in, garbage out, no problem.
>
> Certain lists I'm subscribed to seem to use the same approach, others
> seem to discard DKIM-Signature headers.
>
> - Is the reasoning correct? Am I missing something?
>
> - Is there a way to make smtpd(8) add the DKIM signature only if the
> sender domain is the local domain? (this would avoid the extra
> irrelevant DKIM signature).

filter-dkimsign is complex enough as it is. I don't really want to add too much more complexity. But if you make a strong enough case I'll certainly consider it.

> Thanks

martijn@
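The DMARC alignment rule Martijn states (only a domain-aligned SPF or DKIM result counts; the list's own signature is informational) and the From: rewriting Tobias describes, worked through as an added example that is not part of the thread. Domains are constructed; the organizational domain is approximated as the last two labels, where a real evaluator would use the Public Suffix List.

```python
# Added example: DMARC identifier alignment (RFC 7489) for a mailing-list relay.
# All domains are constructed sample values.

def org_domain(domain):
    """Organizational domain, approximated here as the last two labels
    (a real implementation consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """'s' (strict) requires an exact match with the RFC5322.From domain;
    'r' (relaxed) requires the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_header_domain, mail_from_domain, spf_pass,
                 dkim_pass_domains, adkim="r", aspf="r"):
    """'pass' if SPF passed for an aligned MAIL FROM domain, or at least one
    verified DKIM signature has an aligned d= domain; otherwise 'fail'.
    Unaligned signatures (e.g. the list's own) carry no weight here."""
    spf_ok = spf_pass and aligned(from_header_domain, mail_from_domain, aspf)
    dkim_ok = any(aligned(from_header_domain, d, adkim) for d in dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def mailing_list_scenarios():
    """A post by alice@example.org relayed via misc@lists.example.net, whose
    MAIL FROM is the list domain and whose SPF therefore passes for the list."""
    # 1. List leaves signed headers alone: the author's d=example.org signature still verifies.
    untouched = dmarc_result("example.org", "lists.example.net", True,
                             ["example.org", "lists.example.net"])
    # 2. List prefixed the Subject: only the list's own (unaligned) signature verifies.
    subject_rewritten = dmarc_result("example.org", "lists.example.net", True,
                                     ["lists.example.net"])
    # 3. List rewrote From: to its own domain (the IETF-style approach): list SPF and DKIM align.
    from_rewritten = dmarc_result("lists.example.net", "lists.example.net", True,
                                  ["lists.example.net"])
    return {"untouched": untouched, "subject_rewritten": subject_rewritten,
            "from_rewritten": from_rewritten}
```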
smtp relay host with two mx entries
Hi misc,

I am trying to create a simple smtp client configuration, where the client should only send local mails to a relay host. The key point is that the relay host hides behind a redundant MX record with different priorities in the DNS. A DNS A record (or quad A) on the other hand does not exist. As I understand it, this is not possible with a relay statement, because no MX lookup is done. What must a corresponding configuration look like to be able to use an MX lookup?

This is my (still broken) configuration:

table aliases file:/etc/mail/aliases

listen on socket
listen on lo0

action "local_mail" mbox alias <aliases>
action "outbound" relay smtp+tls://

match from local for local action "local_mail"
match from local for any action "outbound"

Many thanks!
smtpd with dkim & mailing lists
Hi,

For my $DAYJOB I had to please big mail corporations and configured smtpd(8) to send DKIM-signed emails (also added SPF and DMARC records). This was easy using the instructions in the opensmtpd-filter-dkimsign port and works fine to send messages to bigmailcorp accounts.

The mail server is used to manage a few mailing lists using mlmmj. At first glance, things appear to work:

- The envelope address (aka smtp "mail from:" address or return-path) matches the mailing list server domain (not sender address domain), which has the proper SPF record.

- The list server (mlmmj port) resends the without modifying the DKIM-signed headers and the DKIM-Signature header. So the signature remains valid. In other words the receiver can verify that the mail originated from the sender domain servers even if it's received from the list server.

- The list server adds its own signature which is also valid. But AFAIU, it's irrelevant as the signing key is not the sender domain key.

With all this, mails between gmail and microsoft seem to fly through the lists server.

If the sender domain adds a DKIM signature, I guess the mail will be possibly tagged as spam by bigmailcorps. But it would also be tagged as spam if the sender did directly send to mailing list members. So, garbage in, garbage out, no problem.

Certain lists I'm subscribed to seem to use the same approach, others seem to discard DKIM-Signature headers.

- Is the reasoning correct? Am I missing something?

- Is there a way to make smtpd(8) add the DKIM signature only if the sender domain is the local domain? (this would avoid the extra irrelevant DKIM signature).

Thanks