
Re: [Xen-devel] lists.xen.org Mailman configuration and DKIM



On Fri, Aug 03, 2012 at 07:44:30AM -0700, Ian Jackson wrote:
> Matt Wilson writes ("[Xen-devel] lists.xen.org Mailman configuration and DKIM"):
> > Several folks have let me know that my messages sent via lists.xen.org
> > are marked as spam / spoofed, especially when using Gmail to receive
> > Xen mail. I believe this is because outbound Amazon email contains a
> > DKIM signature. When Mailman modifies my message and re-sends it, the
> > DKIM signature is invalidated [1].
> > 
> > To work around this, Mailman 2.1.10 and later contain a configuration
> > variable called "REMOVE_DKIM_HEADERS" [2]. Perhaps if this were turned
> > on we'd work around the problem.
> ...
> > [1] http://wiki.list.org/display/DEV/DKIM
> > [2] https://bugs.launchpad.net/mailman/+bug/557493
> 
> Having checked RFC4871 I think it is clear that according to the
> standards
>   - Mailman SHOULD NOT [1] strip DKIM-Signature
>   - No-one should treat a message with an invalid DKIM signature
>     differently from a message with no DKIM signature at all [2]
> 
> [1] 4871 says in s3.5 that DKIM-Signature SHOULD be treated the same
> way as a trace header (ie a Received), so removing it would be a
> violation of that SHOULD not necessarily a violation of the MUST NOT
> mess with Received headers.
> 
> [2] RFC4871 6.1:
>    A verifier SHOULD NOT treat a message that has one or more bad
>    signatures and no good signatures differently from a message with
>    no signature at all; such treatment is a matter of local policy and
>    is beyond the scope of this document.

> I think it would be better if you would do one of:
>   (a)  Get Gmail fixed to comply with RFC4871 6.1;

I agree that the Gmail implementation is inconvenient, but I do not
think that they are not compliant with RFC 4871 6.1 given the RFC 2119
definition of "SHOULD NOT". I should also mention that I'm not
confident that stripping DKIM headers will resolve the problem. In
fact, Gmail marks messages sent from ebay.com and paypal.com that do
not pass DKIM validation as phishing [1][2][3]. I do not know if
messages from amazon.com are handled similarly.

>   (b)  Get your correspondents to use a non-broken email host;

Lars, George - is that an option?

>   (c)  Get the DKIM spec changed or clarified;

I think that RFC 4871 is pretty clear in the intent, but leaves room
for interpretation via SHOULD / SHOULD NOT.

>   (d)  Stop putting these abused things in your email headers.

Obviously this isn't going to happen. The amazon.com domain is a
popular target for spammers and phishers, and providing DKIM headers
may help prevent phishing attacks.

> That would be better than asking lists.xen.org to start violating the
> specified protocol.  Now of course a SHOULD is not an absolute
> requirement.  Perhaps mailing lists are a special case somehow; but if
> so I would expect this to be addressed in the relevant standards
> documents.  I don't see any particular reason to think that
> lists.xen.org is somehow unusual.

Ultimately I think that Mailman should verify DKIM signatures, provide
a new signature for the modified message (or have the outbound MTA do
the signing), and retain the original DKIM signature as a trace. I
believe that this is in line with the recommendations for intermediary
email handlers like Mailman in RFC 5863 [4]. Of course, I don't know
if Gmail will rework their implementation to ignore the invalid
signature. At least one Mailman user reported success simply adding a
new signature and not stripping any header [5].

If a test of removing DKIM headers to see if it helps with delivery to
Gmail is off the table, then perhaps configuring Mailman in a way that
doesn't break DKIM signatures would be an option? Amazon's signed
headers include date, from, to, cc, subject, message-id and
mime-version. If the subject manipulation of adding [Xen-devel] was
removed, the signature would likely still be valid.

Personally, I think that stripping DKIM headers as a short term
workaround is less objectionable.

Matt

[1] http://gmailblog.blogspot.com/2008/07/fighting-phishing-with-ebay-and-paypal.html
[2] https://support.google.com/mail/bin/answer.py?hl=en&answer=105760
[3] https://support.google.com/mail/bin/answer.py?hl=en&answer=175365
[4] http://tools.ietf.org/html/rfc5863#page-25
[5] http://mail.python.org/pipermail/mailman-users/2011-October/072304.html

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
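
An added example, not part of the original message or of Mailman's code: it recomputes what a DKIM verifier hashes for the sender's copy and the list's copy, using the signed header list given in the message, and reports which list edits change it. It assumes relaxed/relaxed canonicalization and SHA-256, which the message does not state; `relay`, the sample message and its addresses are constructed for illustration.

```python
import base64, hashlib, re
from email import message_from_string

# Header fields the message says Amazon's signature covers (the h= list).
SIGNED = ["date", "from", "to", "cc", "subject", "message-id", "mime-version"]

def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 4871 s3.4.2)."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"

def relaxed_body(body):
    """Relaxed body canonicalization (RFC 4871 s3.4.4)."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":                   # trailing empty lines are ignored
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body):
    """Value a verifier recomputes and compares with the bh= tag (sha256 assumed)."""
    digest = hashlib.sha256(relaxed_body(body).encode()).digest()
    return base64.b64encode(digest).decode()

def broken_by(original, relayed, signed=SIGNED):
    """List the signed parts that differ between the sender's copy and the list's copy."""
    a, b = message_from_string(original), message_from_string(relayed)
    changed = [h for h in signed
               if relaxed_header(h, a.get(h, "")) != relaxed_header(h, b.get(h, ""))]
    if body_hash(a.get_payload()) != body_hash(b.get_payload()):
        changed.append("body")
    return changed

def relay(raw, prefix="", footer=""):
    """Hypothetical stand-in for a list's edits: Subject prefix and appended footer."""
    m = message_from_string(raw)
    m.replace_header("Subject", prefix + m["Subject"])
    m.set_payload(m.get_payload() + footer)
    m["X-BeenThere"] = "list@example.org"              # unsigned header, not covered by h=
    return m.as_string()

# Constructed sample message, not taken from the thread.
ORIGINAL = ("Date: Fri, 03 Aug 2012 10:00:00 -0700\nFrom: sender@example.com\n"
            "To: list@example.org\nSubject: Mailman configuration and DKIM\n"
            "Message-ID: <constructed-1@example.com>\nMIME-Version: 1.0\n\n"
            "Hello list.\n")

if __name__ == "__main__":
    for kwargs in ({}, {"footer": "\n\n"}, {"prefix": "[Xen-devel] "},
                   {"footer": "_____\nXen-devel mailing list\n"}):
        print(kwargs, "->", broken_by(ORIGINAL, relay(ORIGINAL, **kwargs)))
```

Adding an unsigned header or trailing blank lines leaves the hashed data unchanged, while a Subject prefix or an appended footer each changes it.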


 

