Re: DKIM, DMARC, Original-Authentication-Results

2014-04-11 Thread Alessandro Vesely
On Fri 11/Apr/2014 01:40:13 +0200 Scott Kitterman wrote:
 On April 10, 2014 7:24:54 PM EDT, LuKreme krem...@kreme.com wrote:
On 10 Apr 2014, at 17:01 , Viktor Dukhovni postfix-us...@dukhovni.org wrote:

 On Fri, Apr 11, 2014 at 12:57:54AM +0200, li...@rhsoft.net wrote:

 Which, IM(ns)HO is what every list should not do. I actually
 have procmail recipes to untag subject lines and remove
 footers on some lists.

For a realistic workaround,  see John Levine's post

   list mail with a From: address @yahoo.com is rewritten to
   @yahoo.com.INVALID.
  http://www.ietf.org/mail-archive/web/ietf/current/msg87176.html

 That said, I thought DKIM ignored everything after the signature
 delimiter, so if the lists attach the footer *properly* it shouldn't
 be an issue
 
 No, the DKIM spec makes no allowance for signature delimiters.  If
 the body is modified beyond adding or removing whitespace (with relaxed
 canonicalization) the DKIM check fails.

 That seems like a bug in the implementation of DKIM.

 It was a deliberate design choice. The signature wouldn't mean much
 if adding arbitrary text to the message didn't invalidate the
 signature. It would open the protocol up to replay attacks.
 
 There is a virtually unused L tag to embed the length of signed
 content into the signature, but its use is strongly
 disrecommended.

In fact, HTML allows appending changes that will show up at the
beginning of a message.

 the subject also doesn't matter in case of signed messages
 it is a HEADER and headers are added at every hop
 
 DKIM also signs message headers.

 Certain headers, not all of them.
 
 Yes, but subject is generally signed (I don't recall seeing a case
 where it wasn't).

Here is an example using both disrecommended options.  That way, my
DKIM signatures survive through most mailing lists.  I don't recommend
doing so;  it is safer if a mailing list invalidates DKIM signatures,
otherwise any recipient could replay those messages, as Scott pointed out.

However, the only malfunction I have experienced with my unusual setup is
that Netease discards my signatures, saying "DKIM-Signature could not
parse or has bad tags/values".  (The DKIM spec allows such verifier
policies.)

Ale


DKIM, DMARC, Original-Authentication-Results

2014-04-10 Thread Miles Fidelman

Hi Folks,

I'm sure at least some of you have been bitten by the debacle associated 
with Yahoo turning on strict DMARC enforcement (particularly any of you 
who, like me, manage a list server).


Which leads to a question: Any suggestions for how to validate a DKIM 
signature, and apply an Original-Authentication-Results header, at the 
MTA level (specifically Postfix)? (And/or, any operational experience 
that this is a viable way to address the problem.)


Thanks very much,

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is. - Yogi Berra



Re: DKIM, DMARC, Original-Authentication-Results

2014-04-10 Thread Robert Schetterer
On 10.04.2014 12:03, Miles Fidelman wrote:
 Hi Folks,
 
 I'm sure at least some of you have been bitten by the debacle associated
 with Yahoo turning on strict DMARC enforcement (particularly any of you
 who, like me, manage a list server).

Yes, with the list server Mailman; I had to upgrade to version 2.1.16 and change
configs.

perhaps see

https://sys4.de/de/blog/2013/08/11/dkim-konforme-mailinglisten/
https://sys4.de/de/blog/2013/08/11/mailman-dmarc-konform-betreiben/

Sorry, German (but the images are in English).

 
 Which leads to a question: Any suggestions for how to validate a DKIM
 signature, and apply an Original-Authentication-Results header, at the
 MTA level (specifically Postfix)? (And/or, any operational experience
 that this is a viable way to address the problem.)
 
 Thanks very much,
 
 Miles Fidelman
 

It's a general mail forwarding problem: SPF etc. breaks classical
forwarding, as does strict DMARC at servers which honor it. I don't
think you should/could fix this with plain Postfix only.

One option may be to send the original mail as an attachment...

Or use alternate-style forwarding via IMAP:

pop3toimap from

http://code.google.com/p/imaputils/downloads/list

does this.





Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board of directors: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: DKIM, DMARC, Original-Authentication-Results

2014-04-10 Thread Robert Schetterer
On 10.04.2014 12:47, Robert Schetterer wrote:
 On 10.04.2014 12:03, Miles Fidelman wrote:
 Hi Folks,

 I'm sure at least some of you have been bitten by the debacle associated
 with Yahoo turning on strict DMARC enforcement (particularly any of you
 who, like me, manage a list server).
 
 Yes, with the list server Mailman; I had to upgrade to version 2.1.16 and change
 configs.
 
 perhaps see
 
 https://sys4.de/de/blog/2013/08/11/dkim-konforme-mailinglisten/
 https://sys4.de/de/blog/2013/08/11/mailman-dmarc-konform-betreiben/
 
 Sorry, German (but the images are in English).
 

 Which leads to a question: Any suggestions for how to validate a DKIM
 signature, and apply an Original-Authentication-Results header, at the
 MTA level (specifically Postfix)? (And/or, any operational experience
 that this is a viable way to address the problem.)

 Thanks very much,

 Miles Fidelman

 
 It's a general mail forwarding problem: SPF etc. breaks classical
 forwarding, as does strict DMARC at servers which honor it. I don't
 think you should/could fix this with plain Postfix only.
 
 One option may be to send the original mail as an attachment...
 
 Or use alternate-style forwarding via IMAP:
 
 pop3toimap from
 
 http://code.google.com/p/imaputils/downloads/list
 
 does this.
 
 
 
 
 
 Best Regards
 Kind regards, Robert Schetterer
 

Forgot to add: some mail providers use a forwarding service to solve the
problem.

Then the sender is like forwar...@mailforward.com,
but there are problems with this too, like different antispam settings, so
I sometimes get bounces from the forwarder *g


Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board of directors: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: DKIM, DMARC, Original-Authentication-Results

2014-04-10 Thread Viktor Dukhovni
On Thu, Apr 10, 2014 at 06:03:51AM -0400, Miles Fidelman wrote:

 I'm sure at least some of you have been bitten by the debacle associated
 with Yahoo turning on strict DMARC enforcement (particularly any of you who,
 like me, manage a list server).

One option is to do what the Postfix-users list does:

* Does not attach any footers or otherwise modify the message body.

* Does not modify (tag) the message subject.

Rather, the Postfix list only:

* Sets a new envelope sender

* Adds a Sender: header

* Adds List-mumble: headers

None of these should break DKIM signatures, and so my guess is that
the Postfix-users list continues to work for yahoo.com posters.

Some people are fond of subject tags and footers, but we seem to
get along just fine without them.

-- 
Viktor.


Re: DKIM, DMARC, Original-Authentication-Results

2014-04-10 Thread LuKreme

On 10 Apr 2014, at 09:08 , Viktor Dukhovni postfix-us...@dukhovni.org wrote:

 On Thu, Apr 10, 2014 at 06:03:51AM -0400, Miles Fidelman wrote:
 
 I'm sure at least some of you have been bitten by the debacle associated
 with Yahoo turning on strict DMARC enforcement (particularly any of you who,
 like me, manage a list server).
 
 One option is to do what the Postfix-users list does:
 
* Does not attach any footers or otherwise modify the message body.
 
* Does not modify (tag) the message subject.

Which, IM(ns)HO is what every list should not do. I actually have procmail 
recipes to untag subject lines and remove footers on some lists.

That said, I thought DKIM ignored everything after the signature delimiter, so 
if the lists attach the footer *properly* it shouldn’t be an issue.

-- 
Today the road all runners come/Shoulder high we bring you home.  And
set you at your threshold down/Townsman of a stiller town.



Re: DKIM, DMARC, Original-Authentication-Results

2014-04-10 Thread li...@rhsoft.net


On 11.04.2014 00:53, LuKreme wrote:
 
 On 10 Apr 2014, at 09:08 , Viktor Dukhovni postfix-us...@dukhovni.org wrote:
 
 On Thu, Apr 10, 2014 at 06:03:51AM -0400, Miles Fidelman wrote:

 I'm sure at least some of you have been bitten by the debacle associated
 with Yahoo turning on strict DMARC enforcement (particularly any of you who,
 like me, manage a list server).

 One option is to do what the Postfix-users list does:

* Does not attach any footers or otherwise modify the message body.

* Does not modify (tag) the message subject.
 
 Which, IM(ns)HO is what every list should not do. I actually have procmail 
 recipes to untag subject lines and remove footers on some lists.
 
 That said, I thought DKIM ignored everything after the signature delimiter, 
 so if the lists attach the footer *properly* it shouldn’t be an issue

the subject also doesn't matter in case of signed messages;
it is a HEADER and headers are added at every hop

list footers seem to be worthless, otherwise you would
not get "unsubscribe me" mails every day on several lists


Re: DKIM, DMARC, Original-Authentication-Results

2014-04-10 Thread Viktor Dukhovni
On Fri, Apr 11, 2014 at 12:57:54AM +0200, li...@rhsoft.net wrote:

  That said, I thought DKIM ignored everything after the signature
  delimiter, so if the lists attach the footer *properly* it shouldn't
  be an issue

No, the DKIM spec makes no allowance for signature delimiters.  If
the body is modified beyond adding or removing whitespace (with relaxed
canonicalization) the DKIM check fails.

 the subject also doesn't matter in case of signed messages
 it is a HEADER and headers are added at every hop

DKIM also signs message headers.

-- 
Viktor.


Re: DKIM, DMARC, Original-Authentication-Results

2014-04-10 Thread LuKreme

On 10 Apr 2014, at 17:01 , Viktor Dukhovni postfix-us...@dukhovni.org wrote:

 On Fri, Apr 11, 2014 at 12:57:54AM +0200, li...@rhsoft.net wrote:
 
 That said, I thought DKIM ignored everything after the signature
 delimiter, so if the lists attach the footer *properly* it shouldn't
 be an issue
 
 No, the DKIM spec makes no allowance for signature delimiters.  If
 the body is modified beyond adding or removing whitespace (with relaxed
 canonicalization) the DKIM check fails.

That seems like a bug in the implementation of DKIM.

 the subject also doesn't matter in case of signed messages
 it is a HEADER and headers are added at every hop
 
 DKIM also signs message headers.

Certain headers, not all of them.

-- 
Last night - you were unhinged. You were like some desperate, howling
demon. You frightened me. - Do it again!



Re: DKIM, DMARC, Original-Authentication-Results

2014-04-10 Thread Scott Kitterman
On April 10, 2014 7:24:54 PM EDT, LuKreme krem...@kreme.com wrote:

On 10 Apr 2014, at 17:01 , Viktor Dukhovni postfix-us...@dukhovni.org
wrote:

 On Fri, Apr 11, 2014 at 12:57:54AM +0200, li...@rhsoft.net wrote:
 
 That said, I thought DKIM ignored everything after the signature
 delimiter, so if the lists attach the footer *properly* it shouldn't
 be an issue
 
 No, the DKIM spec makes no allowance for signature delimiters.  If
 the body is modified beyond adding or removing whitespace (with relaxed
 canonicalization) the DKIM check fails.

That seems like a bug in the implementation of DKIM.

It was a deliberate design choice. The signature wouldn't mean much if adding 
arbitrary text to the message didn't invalidate the signature. It would open 
the protocol up to replay attacks. 

There is a virtually unused L tag to embed the length of signed content into 
the signature, but its use is strongly disrecommended.

 the subject also doesn't matter in case of signed messages
 it is a HEADER and headers are added at every hop
 
 DKIM also signs message headers.

Certain headers, not all of them.

Yes, but subject is generally signed (I don't recall seeing a case where it 
wasn't).

Scott K
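The body-hash behaviour Viktor and Scott describe above (whitespace-only changes survive relaxed canonicalization, an appended list footer does not, and the l= tag makes a verifier ignore whatever is appended after the signed length), worked through in Python as an added example that is not from the original thread. The message body and the list footer are constructed samples; the canonicalization follows RFC 6376 section 3.4.4.

```python
import base64
import hashlib
import re
from typing import Optional

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    canon_lines = []
    for line in lines:
        line = re.sub(rb"[ \t]+", b" ", line)     # collapse runs of WSP to one SP
        canon_lines.append(line.rstrip(b" \t"))   # drop trailing WSP on each line
    canon = b"\r\n".join(canon_lines).rstrip(b"\r\n")  # drop empty lines at the end
    return canon + b"\r\n" if canon else b""      # empty body canonicalizes to ""

def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """The bh= value: SHA-256 over the canonical body, cut to l= bytes if given."""
    canon = relaxed_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")

# Constructed samples: the body as signed, the same body after a hop re-spaced
# it, and the kind of footer a list expander appends.
ORIGINAL = b"Hello list,\r\n\r\nPlease review the   patch.\r\n"
RESPACED = b"Hello list,\r\n\r\nPlease review the patch.  \r\n\r\n\r\n"
FOOTER = b"-- \r\nexample-users mailing list\r\nhttp://lists.example.invalid/listinfo\r\n"

def demo() -> dict:
    signed_bh = body_hash(ORIGINAL)            # what the signer put into bh=
    signed_len = len(relaxed_body(ORIGINAL))   # what an l= tag would carry
    return {
        # relaxed canonicalization absorbs whitespace-only edits
        "whitespace_only_survives": body_hash(RESPACED) == signed_bh,
        # any real body change, such as a footer, produces a different bh=
        "footer_breaks_signature": body_hash(ORIGINAL + FOOTER) != signed_bh,
        # with l= the verifier hashes only the first signed_len bytes, so the
        # footer (or anything else appended later) is simply not covered
        "l_tag_ignores_footer": body_hash(ORIGINAL + FOOTER, signed_len) == signed_bh,
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```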