Re: [openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-18 Thread Kurt Roeckx
On Mon, Aug 17, 2015 at 10:55:53AM -0700, Quanah Gibson-Mount wrote:
> However, there are two solutions that allow adding a footer when list
> subscribers may have DKIM signed email:
>
> a) As noted in the OpenDKIM README, in the Mailing Lists section, if the
> list traffic itself has DKIM signing in place, it will override the DKIM
> signing done by the sender.  This allows the footer modification to the
> message to no longer be an issue.

This fixed the DKIM problem, not the DMARC issue.  For DMARC the
signature should come from the same as the From address.  Since
SPF is going to fail with your From, the receiver will need to see
DKIM that matches the From.  For DMARC either SPF or DKIM should
be valid and match the From field, while for SPF and DKIM itself
the From doesn't matter.

So really the only options for DMARC are:
- Do not touch either the signed headers or body at all, leave From
  intact, keep the DKIM signatures.  But even then it might break.
- Change the From.  You can leave the DKIM signature intact or
  remove it, it doesn't change anything.
- Do not allow people with a p=reject DMARC policy on the list

> b) Mailman can be configured to strip DKIM headers entirely from incoming
> email.  This is generally considered bad practice, but it does allow the
> emails to get delivered to all list members w/o issue.

No it doesn't, see above.  The DMARC test should always fail if you
do that.


Kurt

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
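Kurt's rule above (SPF or DKIM must pass *and* its domain must align with the From header) as a small model, walking through each of the list-handling options discussed in the thread. This is an added example, not code from the thread, from Mailman or from OpenDKIM; the list domain openssl.org, the zimbra.com author, and the "last two labels" shortcut for the organizational domain are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResult:
    """What a receiving MTA knows after running SPF and DKIM on one message."""
    from_domain: str    # domain in the RFC 5322 From: header
    spf_result: str     # "pass", "fail" or "none"
    spf_domain: str     # envelope MAIL FROM domain that SPF was checked for
    dkim_result: str    # "pass", "fail" or "none"
    dkim_domain: str    # d= tag of the DKIM-Signature that verified, "" if none


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); real DMARC uses the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment: relaxed compares organizational domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_pass(r: AuthResult) -> bool:
    """DMARC passes if SPF *or* DKIM passes AND that identifier aligns with From."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain)
    return spf_ok or dkim_ok


# Constructed scenarios (assumed domains): a zimbra.com author posts through a
# list at openssl.org.  Mailman re-sends with its own bounce address, so SPF is
# evaluated for openssl.org: it passes, but never aligns with a zimbra.com From.
LIST = "openssl.org"
AUTHOR = "zimbra.com"


def list_scenarios() -> dict:
    cases = {
        "untouched, author DKIM intact": AuthResult(AUTHOR, "pass", LIST, "pass", AUTHOR),
        "footer added, author DKIM broken": AuthResult(AUTHOR, "pass", LIST, "fail", AUTHOR),
        "footer added, list re-signs d=openssl.org": AuthResult(AUTHOR, "pass", LIST, "pass", LIST),
        "author DKIM stripped, not re-signed": AuthResult(AUTHOR, "pass", LIST, "none", ""),
        "From rewritten to list domain, list signs": AuthResult(LIST, "pass", LIST, "pass", LIST),
    }
    return {name: dmarc_pass(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, ok in list_scenarios().items():
        print(f"DMARC {'pass' if ok else 'FAIL'}: {name}")
```

Only the first and last scenarios pass: re-signing with the list's own key fixes DKIM but not alignment, and stripping the author's signature leaves nothing aligned at all.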


Re: [openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-18 Thread Quanah Gibson-Mount
--On Tuesday, August 18, 2015 11:30 AM +0200 Kurt Roeckx k...@roeckx.be
wrote:

> On Mon, Aug 17, 2015 at 10:55:53AM -0700, Quanah Gibson-Mount wrote:
>
>> However, there are two solutions that allow adding a footer when list
>> subscribers may have DKIM signed email:
>>
>> a) As noted in the OpenDKIM README, in the Mailing Lists section, if
>> the list traffic itself has DKIM signing in place, it will override
>> the DKIM signing done by the sender.  This allows the footer
>> modification to the message to no longer be an issue.
>
> This fixed the DKIM problem, not the DMARC issue.  For DMARC the
> signature should come from the same as the From address.  Since
> SPF is going to fail with your From, the receiver will need to see
> DKIM that matches the From.  For DMARC either SPF or DKIM should
> be valid and match the From field, while for SPF and DKIM itself
> the From doesn't matter.
>
> So really the only options for DMARC are:
> - Do not touch either the signed headers or body at all, leave From
>   intact, keep the DKIM signatures.  But even then it might break.
> - Change the From.  You can leave the DKIM signature intact or
>   remove it, it doesn't change anything.

I think option #3 here:
https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F

would be the solution?

--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: [openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-17 Thread Quanah Gibson-Mount
--On Wednesday, August 05, 2015 5:54 PM +0200 Kurt Roeckx k...@roeckx.be
wrote:

> On Wed, Aug 05, 2015 at 06:54:33AM -0700, Quanah Gibson-Mount wrote:
>
>> Yesterday, I was alerted by a member of the list that my emails to
>> openssl-dev are ending up in their SPAM folder.  After examining my
>> emails as sent out by OpenSSL's mailman, I saw that it is mucking with
>> the headers, causing DKIM failures.  This could be because of one of two
>> reasons:
>> a) The version of mailman used by the OpenSSL project (2.1.18) has a
>> known bug around DKIM that was fixed in 2.1.19
>
> That seems to be about wrapped messages in case of moderation?

Ok, good to know, not applicable here then. ;)

>> b) The mailman configuration is incorrect.
>
> You mean things like:
> - We change the subject to include the list name?

I've fixed our config to no longer sign the subject header.

> - We add a footer about the list?

Yes, this is definitely a problem, since it screws with the body.
Personally, I don't see the point of the openssl-dev footer.  If someone's
on the list, I would hope they're smart enough to figure out how to
unsubscribe (although sadly, I see time and again on other lists where
people aren't...).

However, there are two solutions that allow adding a footer when list
subscribers may have DKIM signed email:

a) As noted in the OpenDKIM README, in the Mailing Lists section, if the
list traffic itself has DKIM signing in place, it will override the DKIM
signing done by the sender.  This allows the footer modification to the
message to no longer be an issue.

b) Mailman can be configured to strip DKIM headers entirely from incoming
email.  This is generally considered bad practice, but it does allow the
emails to get delivered to all list members w/o issue.


--Quanah



[openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-05 Thread Quanah Gibson-Mount
Yesterday, I was alerted by a member of the list that my emails to 
openssl-dev are ending up in their SPAM folder.  After examining my emails 
as sent out by OpenSSL's mailman, I saw that it is mucking with the 
headers, causing DKIM failures.  This could be because of one of two 
reasons:


a) The version of mailman used by the OpenSSL project (2.1.18) has a known 
bug around DKIM that was fixed in 2.1.19


b) The mailman configuration is incorrect.

I attempted to file an RT to alert the OpenSSL project of this significant 
issue.  Unfortunately, I received the following grossly uneducated 
response.  Can someone who actually understands email, and why it is 
critical that DKIM signed messages sent from list members *NOT* be broken 
by OpenSSL's mailman instance please educate whomever the moderator is on 
this?  Personally I'd nominate Viktor for that activity.


And then, can someone please fix this issue? :)

Error is: Authentication-Results: edge01.zimbra.com (amavisd-new);
dkim=fail (1024-bit key) reason=fail (message has been altered)
header.d=zimbra.com


Thanks!

--Quanah

 Forwarded Message 
Date: Wednesday, August 05, 2015 2:19 AM +
From: openssl-bugs-mod-ow...@openssl.org
To: qua...@zimbra.com
Subject: Request to mailing list openssl-bugs-mod rejected

Your request to the openssl-bugs-mod mailing list

   Posting of your message titled mailman version and/or
configuration for the openssl-dev list breaks DKIM

has been rejected by the list moderator.  The moderator gave the
following reason for rejecting your request:

This is not a bug.

We're not really interested in DKIM FWIW. 

Any questions or comments should be directed to the list administrator
at:

   openssl-bugs-mod-ow...@openssl.org

-- End Forwarded Message --





Re: [openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-05 Thread Kurt Roeckx
On Wed, Aug 05, 2015 at 06:54:33AM -0700, Quanah Gibson-Mount wrote:
> Yesterday, I was alerted by a member of the list that my emails to
> openssl-dev are ending up in their SPAM folder.  After examining my emails
> as sent out by OpenSSL's mailman, I saw that it is mucking with the headers,
> causing DKIM failures.  This could be because of one of two reasons:

You seem to be running with p=reject.  In my opinion p=reject
is only useful for domains that don't have any users.

> a) The version of mailman used by the OpenSSL project (2.1.18) has a known
> bug around DKIM that was fixed in 2.1.19

That seems to be about wrapped messages in case of moderation?

> b) The mailman configuration is incorrect.

You mean things like:
- We change the subject to include the list name?
- We add a footer about the list?
- We don't rewrite the From address?

> Error is: Authentication-Results: edge01.zimbra.com (amavisd-new);
>   dkim=fail (1024-bit key) reason=fail (message has been altered)
>   header.d=zimbra.com

You really should consider moving to at least a 2048 bit key.


Kurt



Re: [openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-05 Thread mancha
On Wed, Aug 05, 2015 at 04:54:25PM +0200, Kurt Roeckx wrote:
> On Wed, Aug 05, 2015 at 06:54:33AM -0700, Quanah Gibson-Mount wrote:
>> Yesterday, I was alerted by a member of the list that my emails to
>> openssl-dev are ending up in their SPAM folder.  After examining my
>> emails as sent out by OpenSSL's mailman, I saw that it is mucking
>> with the headers, causing DKIM failures.  This could be because of
>> one of two reasons:
>
> You seem to be running with p=reject.  In my opinion p=reject is
> only useful for domains that don't have any users.

Yahoo adopted a reject DMARC policy back in 2014 and that caused all
kinds of mailing list havoc.

>> a) The version of mailman used by the OpenSSL project (2.1.18) has a
>> known bug around DKIM that was fixed in 2.1.19
>
> That seems to be about wrapped messages in case of moderation?

Possibly referencing that 2.1.9 fixed an issue with not honoring
REMOVE_DKIM_HEADERS=2.

>> b) The mailman configuration is incorrect.
>
> You mean things like: - We change the subject to include the list
> name?

I interpret the comment to mean that, because OpenSSL lists modify
messages (see below), they should strip DKIM headers (see above) before
distribution to prevent false negatives in recipient implementations.

zimbra.com includes the subject header when computing its header digest
so yes, adding [list-name] invalidates its DKIM signature.

> - We add a footer about the list?

That also invalidates zimbra.com's DKIM sig because they don't use body
hash length limits.

> - We don't rewrite the From address?

>> Error is: Authentication-Results: edge01.zimbra.com (amavisd-new);
>> dkim=fail (1024-bit key) reason=fail (message has been altered)
>> header.d=zimbra.com
>
> You really should consider moving to at least a 2048 bit key.

Good suggestion though orthogonal to the issue.

--mancha (https://twitter.com/mancha140)


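mancha's point about body hash length limits, shown concretely: the bh= value a verifier recomputes after a list appends a footer only matches the signed bh= when the signature carried an l= tag covering just the original body. This is an added example, not code from the thread, Zimbra or OpenDKIM; it implements only RFC 6376 "simple" body canonicalization with SHA-256 (no header hashing or key handling), and the sample body and footer are constructed.

```python
import base64
import hashlib
from typing import Optional


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: normalise line ends to CRLF,
    drop trailing empty lines, end with exactly one CRLF (empty body -> CRLF)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, length_limit: Optional[int] = None) -> str:
    """bh= value: base64(SHA-256) of the canonical body, or of its first
    length_limit bytes when the DKIM-Signature carries an l= tag."""
    canon = canon_body_simple(body)
    if length_limit is not None:
        canon = canon[:length_limit]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


# Constructed sample: the author's body, and the footer a list appends on relay.
ORIGINAL = b"Patch attached, please review.\n"
FOOTER = b"_______________________________________________\nopenssl-dev mailing list\n"


def footer_survives(original: bytes, footer: bytes) -> dict:
    """Compare the bh= a verifier recomputes on the relayed message with the
    bh= the author signed, once without and once with l= set to the length
    of the original canonical body."""
    signed_len = len(canon_body_simple(original))
    return {
        "signed_length": signed_len,
        "full_hash_matches": body_hash(original) == body_hash(original + footer),
        "limited_hash_matches": body_hash(original, signed_len)
        == body_hash(original + footer, signed_len),
    }


if __name__ == "__main__":
    r = footer_survives(ORIGINAL, FOOTER)
    print(f"no l= tag : bh matches after footer? {r['full_hash_matches']}")
    print(f"l={r['signed_length']}      : bh matches after footer? {r['limited_hash_matches']}")
    # With l= the appended bytes are simply unsigned (RFC 6376 section 8.2 warns
    # about this); re-signing by the list keeps the whole delivered body covered.
```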


Re: [openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-05 Thread Kurt Roeckx
On Wed, Aug 05, 2015 at 04:54:57PM +, mancha wrote:
>
> I interpret the comment to mean that, because OpenSSL lists modify
> messages (see below), they should strip DKIM headers (see above) before
> distribution to prevent false negatives in recipient implementations.

Won't that always give DKIM failures instead, without also
rewriting the From?


Kurt



Re: [openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-05 Thread mancha
On Wed, Aug 05, 2015 at 09:33:02PM +0200, Kurt Roeckx wrote:
> On Wed, Aug 05, 2015 at 04:54:57PM +, mancha wrote:
>>
>> I interpret the comment to mean that, because OpenSSL lists modify
>> messages (see below), they should strip DKIM headers (see above)
>> before distribution to prevent false negatives in recipient
>> implementations.
>
> Won't that always give DKIM failures instead, without also rewriting
> the From?

I'm no expert on this but I believe the answer is not always. I think it
depends on if a) the domain has an ADSP and, if it does, b) what its
signing-practice is. I just did a quick check and it seems zimbra.com
doesn't have an ADSP. Yahoo.com has an ADSP but doesn't specify all
messages will be signed (has an unknown tag value).

OpenSSL is certainly not alone in its practice of mangling headers and
adding body footers so I'd be curious to hear how other lists handle
domains such as yahoo.com.

--mancha (https://twitter.com/mancha140)




Re: [openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-05 Thread Jonas Maebe
On 05/08/15 23:00, mancha wrote:
> OpenSSL is certainly not alone in its practice of mangling headers
> and adding body footers so I'd be curious to hear how other lists
> handle domains such as yahoo.com.

We warn people that DKIM-using domains may experience bounces, and
that they should subscribe using a different email address to our
lists. Yahoo/AOL switching it on before the probably most used mailing
list manager could handle it certainly did not help in creating
goodwill. Even now the mailman version included in our distribution
still can't handle it, and manually installing and maintaining a
different one is not something we care to do.


Jonas


Re: [openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-05 Thread Daniel Kahn Gillmor
On Wed 2015-08-05 17:04:30 -0400, Jonas Maebe wrote:
> On 05/08/15 23:00, mancha wrote:
>> OpenSSL is certainly not alone in its practice of mangling headers
>> and adding body footers so I'd be curious to hear how other lists
>> handle domains such as yahoo.com.
>
> We warn people that DKIM-using domains may experience bounces, and
> that they should subscribe using a different email address to our
> lists. Yahoo/AOL switching it on before the probably most used mailing
> list manager could handle it certainly did not help in creating
> goodwill. Even now the mailman version included in our distribution
> still can't handle it, and manually installing and maintaining a
> different one is not something we care to do.

fwiw, the intersection between dkim/dmarc and mailman policy affects
even people who don't have dkim/dmarc enabled for their domains.

mailman effectively puts subscribers on hold if some threshold number of
mails sent to them bounce.

if a subscriber's mail exchanger respects dkim/dmarc reject policy, even
if they do not set it for their own domain, then all messages sent
through mailman from a dmarc reject domain will bounce for that
subscriber.

So if Alice from yahoo.com (which has dmarc reject) sends mail through
mailman, which sends it to Bob from example.com (which doesn't have
dmarc reject set, but respects it from other domains), Bob's mail
exchanger will bounce the message.  If Alice sends enough mail through
mailman, mailman will rack up one bounce from Bob per message, and
mailman will eventually unsubscribe Bob as a result.

afaict, mailman 2.1.9 or rejecting all mail from domains with dmarc
reject are the only sane paths through this thicket.

bleah.

--dkg