On Wed, Aug 05, 2015 at 04:54:25PM +0200, Kurt Roeckx wrote:
> On Wed, Aug 05, 2015 at 06:54:33AM -0700, Quanah Gibson-Mount wrote:
> > Yesterday, I was alerted by a member of the list that my emails to
> > openssl-dev are ending up in their SPAM folder. After examining my
> > emails as sent out by OpenSSL's mailman, I saw that it is mucking
> > with the headers, causing DKIM failures. This could be because of
> > one of two reasons:
>
> You seem to be running with "p=reject". In my opinion p=reject is
> only useful for domains that don't have any users.

Yahoo adopted a reject DMARC policy back in 2014 and that caused all kinds of mailing list havoc.

> > a) The version of mailman used by the OpenSSL project (2.1.18) has a
> > known bug around DKIM that was fixed in 2.1.19
>
> That seems to be about wrapped messages in case of moderation?

Possibly referencing that 2.1.9 fixed an issue with not honoring REMOVE_DKIM_HEADERS=2.

> > b) The mailman configuration is incorrect.
>
> You mean things like:
> - We change the subject to include the list
>   name?

I interpret the comment to mean that, because OpenSSL lists modify messages (see below), they should strip DKIM headers (see above) before distribution to prevent false negatives in recipient implementations. zimbra.com includes the subject header when computing its header digest so yes, adding "[list-name]" invalidates its DKIM signature.

> - We add a footer about the list?

That also invalidates zimbra.com's DKIM sig because they don't use body hash length limits.

> - We don't rewrite the From address?
>
> > Error is: Authentication-Results: edge01.zimbra.com (amavisd-new);
> > dkim=fail (1024-bit key) reason="fail (message has been altered)"
> > header.d=zimbra.com
>
> You really should consider moving to at least a 2048 bit key.

Good suggestion though orthogonal to the issue.

--mancha (https://twitter.com/mancha140)
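The two failure modes discussed in the message above (a subject tag changing a signed header, and a list footer changing the body hash when no length limit is used), as an added example that is not part of the original thread and is not Mailman or OpenSSL code. It assumes "simple" canonicalization; the sample message, the `example.org` domain and the signature strings (with `bh=` and `b=` left out) are constructed for illustration.

```python
import base64
import hashlib

def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: collapse trailing empty lines to one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes, length=None) -> str:
    """Value a verifier computes for bh=; `length` models the optional l= tag."""
    data = canon_body_simple(body)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_tags(sig: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def reasons_for_failure(sig: str, before: tuple, after: tuple) -> list:
    """before/after are (subject, body) as signed and as redistributed by the list."""
    tags = parse_tags(sig)
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    length = int(tags["l"]) if "l" in tags else None
    reasons = []
    if "subject" in signed and before[0] != after[0]:
        reasons.append("signed Subject header changed")
    if body_hash(before[1], length) != body_hash(after[1], length):
        reasons.append("body hash (bh=) mismatch")
    return reasons

# Constructed sample message and list modifications (not taken from the thread).
BODY = b"Hello list,\r\nthis is the original body.\r\n"
FOOTER = b"_____\r\nexample-list mailing list\r\n"
BEFORE = ("DKIM question", BODY)
AFTER = ("[example-list] DKIM question", BODY + FOOTER)
SIG_FULL = "v=1; a=rsa-sha256; c=simple/simple; d=example.org; s=sel; h=from:to:subject:date"
SIG_LIMITED = f"v=1; a=rsa-sha256; c=simple/simple; d=example.org; s=sel; h=from:to:date; l={len(BODY)}"

if __name__ == "__main__":
    print(reasons_for_failure(SIG_FULL, BEFORE, AFTER))
    print(reasons_for_failure(SIG_LIMITED, BEFORE, AFTER))
```

A signature with `l=` survives the footer only because everything past the limit is left unsigned, so a verifier cannot distinguish a list footer from any other appended content.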
