FreeBSD lists and DKIM
Matthew Seaman
m.seaman at infracaninophile.co.uk
Sun Aug 3 08:11:37 UTC 2014
On 02/08/2014 21:32, Dennis Glatting wrote:
> Mail coming through the FreeBSD lists often breaks messages signed
> through DKIM. What is the policy to resolve this issue?
>
> Turning off DKIM isn't an option. If there is a signature, such as
> someone in the chain coming through gmail, it must validate or the
> message is rejected. I understand this is a common problem for email
> lists and there are patches available to reformat messages.
>
> http://tools.ietf.org/html/rfc6377
>
> The best general recommendation for dealing with MLMs is that the MLM
> or an MTA in the MLM's domain apply its own DKIM signature to each
> message it forwards and that assessors on the receiving end consider
> the MLM's domain signature in making their assessments. (See
> Section 5, especially Section 5.2.)

If you're in charge of the systems *sending* the DKIM signed messages,
then choose the set of mail headers the signature is based on carefully:
avoid any headers that would tend to be re-written during processing by
the mailing list software.

On the receiving side: allow for mailing lists to add trailers to
messages that pass. Don't base your accept/reject decisions entirely on
whether the message passes or fails DKIM or other tests. The way
SpamAssassin handles such things is the way to go: DKIM, SPF, automatic
white-listing all make a weighted contribution to calculating the score.

The advice for the MLM to apply its own signature to a message is
problematic in that it magnifies the CPU load required to process
messages quite a lot. At least with DKIM it is possible to do that:
compare to what would be needed with SPF, where the MLM would be forced
to resend the message as *originating* from the mailing list itself.

Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew at infracaninophile.co.uk
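
Added example, not part of the message above or of any mailing list software: a Python sketch of why a list trailer invalidates the DKIM body hash (RFC 6376 "relaxed" body canonicalization, sha256) and of a receiver that weighs the result instead of rejecting on it. The weights, threshold, sample body and trailer are constructed for illustration.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of whitespace, then drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The value a signer puts in the bh= tag when a=rsa-sha256."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()

def dkim_body_result(bh_tag: str, received_body: bytes) -> str:
    """Compare the signed bh= value with the body as it arrived."""
    return "pass" if bh_tag == body_hash(received_body) else "fail"

# Constructed weights and threshold, for illustration only; these are not
# SpamAssassin's real rule scores.
WEIGHTS = {("dkim", "pass"): -1.0, ("dkim", "fail"): 1.5,
           ("spf", "pass"): -0.5, ("spf", "fail"): 2.0,
           ("whitelist", "hit"): -3.0}
REJECT_AT = 5.0

def verdict(auth_results: dict, content_score: float) -> str:
    """Each check shifts the score; no single failure decides the outcome."""
    total = content_score + sum(WEIGHTS.get(item, 0.0)
                                for item in auth_results.items())
    return "reject" if total >= REJECT_AT else "accept"

# Constructed sample message body and list trailer.
ORIGINAL = b"What is the policy to resolve this issue?\r\n"
TRAILER = (b"_______________________________________________\r\n"
           b"example-list@lists.example.org mailing list\r\n")
SIGNED_BH = body_hash(ORIGINAL)   # computed by the author's domain at send time

if __name__ == "__main__":
    dkim = dkim_body_result(SIGNED_BH, ORIGINAL + TRAILER)
    print("DKIM body hash after list trailer:", dkim)
    print("weighted verdict:", verdict({"dkim": dkim, "spf": "pass"}, 0.5))
```

Relaxed canonicalization absorbs whitespace changes but not appended lines, so the trailer fails the body hash while the weighted receiver still accepts an otherwise clean message.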