From owner-freebsd-questions@freebsd.org Tue Nov 27 16:03:32 2018
Date: Tue, 27 Nov 2018 23:03:30 +0700
From: Victor Sudakov
To: "John R. Levine"
Cc: freebsd-questions@freebsd.org
Subject: Re: Invalid DKIM signatures in this list
Message-ID: <20181127160330.GC78157@admin.sibptus.ru>
References: <20181126125259.GB86999@admin.sibptus.ru> <20181126172133.CDCDB2008E6098@ary.qy> <20181127015856.GA79319@admin.sibptus.ru>

John R. Levine wrote:
>On Tue, 27 Nov 2018, Victor Sudakov wrote:
>> The problem is in FreeBSD's mailing list manager which is broken IMHO.
>
>If you are saying that it's broken because it's not deleting old DKIM
>signatures, I'm sorry, but you're simply mistaken. I helped write the DKIM
>specs so I'm not guessing here.
>
>> See RFC 6377
>>
>> "The best general recommendation for dealing with MLMs is that the MLM
>> or an MTA in the MLM's domain apply its own DKIM signature to each
>> message it forwards and that assessors on the receiving end consider
>> the MLM's domain signature in making their assessments. (See
>> Section 5, especially Section 5.2.)"
>
>I helped write that RFC. It was and is just guessing. While it would
>be a good idea for the lists to add their own signature, they're not
>broken if they don't. And that says nothing about deleting old
>signatures.

With all due respect to you as the co-author of the RFC, it does say
something about deleting old signatures. I'm not quoting for you
(this would be odd) but for the general public here who are reading this thread.

In "5.7. Signature Removal Issues" the document says

"However, if the MLM is configured to make changes to the message prior
to reposting that would invalidate the original signature(s), further
action is RECOMMENDED to prevent invalidated signatures from arriving at
final recipients, possibly triggering unwarranted filter actions."

and it mentions

"5. Remove all previously evaluated DKIM signatures;"

as one of the possible solutions (among 5 other suggestions).

and then again:

"Removing the original signature(s) seems particularly appropriate when
the MLM knows it is likely to invalidate any or all of them due to the
nature of the reformatting it will do."

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
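
The situation discussed in the message above, an MLM that edits a message, breaks the author's DKIM body hash and may then remove the stale signature (the RFC 6377 section 5.7 option quoted), as an added example that is not part of the original message or of any list manager's code. The message, footer, `example.org` domain and all function names are constructed; only the body hash (`bh=`) is compared, the `b=` value is a placeholder, and the `l=` tag is ignored.

```python
import base64, hashlib, re
from email.message import Message

def relaxed_body_hash(body: str) -> str:
    """bh= value: SHA-256 of the 'relaxed' canonical body (RFC 6376, 3.4.4)."""
    lines = body.replace("\r\n", "\n").split("\n")
    # Collapse whitespace runs to one space and drop whitespace at line ends.
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":      # empty lines at the end are ignored
        lines.pop()
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def bh_tag(signature: str) -> str:
    """Return the bh= tag of a DKIM-Signature header value ('' if absent)."""
    m = re.search(r"(?:^|;)\s*bh=([^;]+)", signature)
    return re.sub(r"\s+", "", m.group(1)) if m else ""

# Constructed sample input (not taken from the thread).
BODY = "Hello list,\r\nplease see RFC 6377.\r\n"
FOOTER = "_______________\r\nlist footer (constructed)\r\n"

def sample_message() -> Message:
    """Author's message as it reaches the list, carrying the author's signature."""
    msg = Message()
    msg["DKIM-Signature"] = (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel; "
        f"h=From:Subject; bh={relaxed_body_hash(BODY)}; b=PLACEHOLDER")
    msg["From"] = "author@example.org"
    msg["Subject"] = "test"
    msg.set_payload(BODY)
    return msg

def mlm_repost(msg: Message, footer: str) -> int:
    """Hypothetical MLM step: append the footer, then drop every signature
    whose bh= no longer matches the body. Returns how many were removed."""
    msg.set_payload(msg.get_payload() + footer)
    new_bh = relaxed_body_hash(msg.get_payload())
    sigs = msg.get_all("DKIM-Signature", [])
    # A matching bh= is necessary, not sufficient: header edits break b= too.
    kept = [s for s in sigs if bh_tag(s) == new_bh]
    del msg["DKIM-Signature"]
    for s in kept:
        msg["DKIM-Signature"] = s
    return len(sigs) - len(kept)

if __name__ == "__main__":
    m = sample_message()
    print("removed:", mlm_repost(m, FOOTER), "remaining:", m.get_all("DKIM-Signature"))
```
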