[openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

mancha mancha1 at zoho.com
Wed Aug 5 16:54:57 UTC 2015


On Wed, Aug 05, 2015 at 04:54:25PM +0200, Kurt Roeckx wrote:
> On Wed, Aug 05, 2015 at 06:54:33AM -0700, Quanah Gibson-Mount wrote:
> > Yesterday, I was alerted by a member of the list that my emails to
> > openssl-dev are ending up in their SPAM folder.  After examining my
> > emails as sent out by OpenSSL's mailman, I saw that it is mucking
> > with the headers, causing DKIM failures.  This could be because of
> > one of two reasons:
> 
> You seem to be running with "p=reject".  In my opinion p=reject is
> only useful for domains that don't have any users.

Yahoo adopted a reject DMARC policy back in 2014 and that caused all
kinds of mailing list havoc.

> > a) The version of mailman used by the OpenSSL project (2.1.18) has a
> > known bug around DKIM that was fixed in 2.1.19
> 
> That seems to be about wrapped messages in case of moderation?

Possibly referencing that 2.1.9 fixed an issue with not honoring
REMOVE_DKIM_HEADERS=2.

> > b) The mailman configuration is incorrect.
> 
> You mean things like:
> - We change the subject to include the list name?

I interpret the comment to mean that, because OpenSSL lists modify
messages (see below), they should strip DKIM headers (see above) before
distribution to prevent false negatives in recipient implementations.

zimbra.com includes the subject header when computing its header digest
so yes, adding "[list-name]" invalidates its DKIM signature.

> - We add a footer about the list?

That also invalidates zimbra.com's DKIM sig because they don't use body
hash length limits.

> - We don't rewrite the From address?

> > Error is: Authentication-Results: edge01.zimbra.com (amavisd-new);
> > dkim=fail (1024-bit key) reason="fail (message has been altered)"
> > header.d=zimbra.com
> 
> You really should consider moving to at least a 2048 bit key.

Good suggestion though orthogonal to the issue.

--mancha (https://twitter.com/mancha140)
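The two failure modes discussed above (a tagged Subject breaking the header hash, a list footer breaking the body hash unless the signer used a body length limit) can be modelled with the RFC 6376 canonicalization rules alone. The following is an added illustration, not code from the thread or from Mailman; the sample headers, body and footer are constructed, and only the hash inputs are computed, not the RSA signature itself.

```python
import base64
import hashlib

def simple_body_canon(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: normalise line endings to
    CRLF and reduce any run of trailing empty lines to a single CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes, length=None) -> str:
    """bh= value: base64(SHA-256) of the canonical body, truncated to the
    l= byte count when the signer set one (RFC 6376 section 3.7)."""
    canon = simple_body_canon(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def relaxed_header_input(headers: dict, signed: list) -> bytes:
    """Bytes fed to the signature hash for the h= header list under
    'relaxed' header canonicalization: lower-cased field name, folded
    whitespace collapsed to a single space, CRLF-terminated."""
    out = []
    for name in signed:
        value = " ".join(headers[name].split())
        out.append(f"{name.lower()}:{value}\r\n")
    return "".join(out).encode()

# Constructed sample message (not a real post from the list).
HEADERS = {"From": "sender@example.com", "Subject": "DKIM and mailman",
           "Date": "Wed, 5 Aug 2015 06:54:33 -0700"}
SIGNED = ["From", "Subject", "Date"]          # the signer's h= list
BODY = b"Patch attached.\r\n"
FOOTER = b"_______________________________________________\r\nopenssl-dev mailing list\r\n"

def footer_breaks_unlimited_bh() -> bool:
    """No l= tag: the appended footer changes bh=, so a verifier reports
    'message has been altered'."""
    return body_hash(BODY) != body_hash(BODY + FOOTER)

def footer_survives_with_l() -> bool:
    """l= covering only the original body: the footer lies outside the
    hashed range and bh= still matches after the list appends it."""
    l = len(simple_body_canon(BODY))
    return body_hash(BODY, l) == body_hash(BODY + FOOTER, l)

def subject_tag_changes_signed_input() -> bool:
    """Subject is in h=, so prefixing '[list-name]' changes the signed
    bytes and the signature can no longer verify."""
    tagged = dict(HEADERS, Subject="[openssl-dev] " + HEADERS["Subject"])
    return relaxed_header_input(HEADERS, SIGNED) != relaxed_header_input(tagged, SIGNED)
```

Note that l= only preserves the signature because everything after the covered bytes is unsigned, which is why RFC 6376 warns against relying on it; stripping or re-signing at the list (as the REMOVE_DKIM_HEADERS discussion above suggests) is the more common remedy.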
