Re: DKIM fail messages

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

On 31.10.2022 15.11, Geert Hendrickx wrote:

In the chain sender => list.archlinux.org => list members, I suspect it's
Mailman (on the Arch list server) that does not support 8BITMIME; since
OpenDKIM on that server succesfully verified the DKIM signature, the mail
arrived there as 8bit, but is being distributed to list members as 7-bit.

Could the Arch listserver set "disable_mime_output_conversion=yes" in its
master.cf at the point it is handing over mail to Mailman? (not globally!)
As suggested in https://www.postfix.org/MILTER_README.html#workarounds

This way, 8-bit messages will not be converted to 7-bit QP or base64 when
going through Mailman, and arrive intact at 8BITMIME capable recipients.

(After Mailman, Postfix' smtp client will still convert messages to 7-bit
when delivering to non-8BITMIME capable recipients, which will still break
DKIM validation for them, but non-8BITMIME capable DKIM-validators will
have issues with a *lot* of mail anyway, forwarded or not.)


	Geert



On Mon, Oct 31, 2022 at 00:04:29 +0100, Jaron Kent-Dobias wrote:

On Sunday, 30 October 2022 at 23:57 (+0100), Jaron Kent-Dobias wrote:

Confirmation: when Arch Linux forwards a base8 encoded email to the
list, it mangles the DKIM. It does appear to be an Arch problem!

One last email: what the lists are specifically doing is rewriting 8bit
encoded emails in a base64 encoding.

 From the email in my sent folder:

Content-Transfer-Encoding: 8bit

 From the email I received from the list:

Content-Transfer-Encoding: base64

Rewriting the body in a new encoding breaks DKIM.

Jaron



Hi,

Thanks for investigating and reporting the issue!
Me and foutrelis[1]has been doing some debugging and after upgrading mailman3 from 3.3.5-6 -> 3.3.7-1, we are unable to reproduce the issue.
Looking at the changelog[2] for mailman3 3.3.7, we suspect the issue was fixed as part of [3] and [4].
We are aware of one open issue[5] which can break the DKIM signature and with some luck it will be fixed in the future. 

[1] https://archlinux.org/people/developers/#foutrelis
[2] https://gitlab.com/mailman/mailman/-/blob/master/src/mailman/docs/NEWS.rst 
[3] https://gitlab.com/mailman/mailman/-/issues/965
[4] https://gitlab.com/mailman/mailman/-/issues/967
[5] https://gitlab.com/mailman/mailman/-/issues/636

P.S. Adding a emoji 😎 to verify that this is indeed fixed at your end.

Cheers,
Kristian Klausen
Arch Linux DevOps

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux