From owner-freebsd-questions@freebsd.org Tue Sep 4 22:17:11 2018
From: William Dudley
Date: Tue, 4 Sep 2018 18:17:09 -0400
Subject: Re: DKIM is driving me nuts
To: Jim Ohlstein
Cc: freebsd-questions
In-Reply-To: <1f9110ef-7cc6-a359-58a6-290a3d16ff47@mailman-hosting.com>

I was hoping that having my server "do" DKIM would improve my "reputation" with other mail servers. This was prompted by bounce messages from some clown with a "us.army.mil" address, whose server bounces *everything* without a valid 1024 bit DKIM signature.

I'm just running a hobby mail server, but I provide about a dozen mailing lists to small organizations.

The problems with DKIM for me are:

1. It's "impossible" (read: "I'm not spending any more time on this") to get DKIM working with different MUAs. I can get it to work when I send email using Thunderbird, but not when I send email from the command line (mailx). "Works" means that the inserted DKIM headers pass the checks at the other end.

2. My server sends automated reminder emails to the mailing lists, and any emails sent by my system through Mailman fail DKIM checks (even though my system is inserting DKIM stuff in the headers).

In both cases, apparently there's some magic involved with hostnames in the mail headers and the matching DNS records, and I have given up because hours and hours of experimenting have gotten me exactly bupkus.

I read a bit on the intersection of Mailman and DKIM, and it isn't pretty. It's not even clear *what* Mailman should DO with DKIM signed emails from people submitting emails to their list. I was only worrying about signing my OWN emails (machine generated) using DKIM, and hadn't even considered what would happen to *other's* DKIM signatures.

If I wasn't running Mailman, I might be interested in figuring out the magic, but since the Mailman/DKIM thing is so borked, it's time to declare victory and move on. Perhaps one day, my children will be able to get DKIM working with Mailman, but it's clearly science fiction right now.

AOL and Yahoo can't go out of business fast enough. Yahoo broke all mailing lists with their stupid policy of "email that has From: domain different from sending domain is spam" and that's enough damage that it should result in the corporate death penalty.

When the majority of the emails from my own server are bouncing from lack of DKIM, I'll shut off my mail server. That's why I have a gmail account, as a secondary channel.

Thanks,
Bill Dudley

This email is free of malware because I run Linux.

On Tue, Sep 4, 2018 at 5:41 PM, Jim Ohlstein wrote:
> Hello,
>
> On 09/04/2018 11:48 AM, William Dudley wrote:
> > I have decided to abandon this quest.
> >
> > The intersection of DKIM and Mailman is a huge cluster f--k, and will not be sorted out any time soon, if ever.
> >
> > Since I value the mailing lists I host, and am unwilling to stop those services, it makes sense to give up on DKIM.
>
> Before you give up on DKIM, it sounds as though this is a Mailman problem. There are "fixes" for some issues in Mailman (both 2.1 and 3.1) that can be easily applied.
>
> In short, DKIM is a digital signature using a private key. The signature can be verified with the public key. If anything in the message is changed (as Mailman and other list software is apt to do by changing headers or adding a footer), DKIM will fail. Also, some large freemail providers (Yahoo and AOL) have published DMARC policies to reject any emails from them that fail DKIM. Many smaller servers do the same.
>
> Here are the DKIM results from your last email via Gmail:
>
> Authentication-Results: maurice.jlkmail.com (amavisd-new);
>     dkim=fail (2048-bit key) reason="fail (body has been altered)"
>     header.d=gmail.com
>
> More and more large servers are requiring not only DKIM, but DMARC policies as well. Running a small mail server is only going to get more cumbersome. Taking down a working system may not be the best choice.
>
> What are the specific problems that this one user is having? Is it that his emails to the list are being rejected? Or is his mail server at "us.army.mil" rejecting emails from the list? Can you post the relevant entries from your mail log (usually /var/log/maillog on FreeBSD)?
>
> > DKIM doesn't solve any problems (except for one poor schmuck who has a ".us.army.mil" email address, that rejects all email without DKIM); I don't find DKIM valuable enough to fight with it any more.
> >
> > Thanks to all for their suggestions. I have learned some things, which was the point, after all.
> >
> > Bill Dudley
>
> --
> Jim Ohlstein
> Professional Mailman Hosting
> https://mailman-hosting.com
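Jim's explanation of why a list footer makes DKIM fail, and the `reason="fail (body has been altered)"` result he quotes, can be reproduced with the body-hash half of the check. The following is an added example, not code from the thread or from Mailman: it implements RFC 6376 "relaxed" body canonicalization and the `bh=` body hash a verifier recomputes, using a constructed message body and a constructed Mailman-style footer, and shows that the footer breaks the hash while a whitespace-only change does not.

```python
import base64
import hashlib
import re

# Added example (not from the mailing-list thread): RFC 6376 section 3.4.4
# "relaxed" body canonicalization plus the bh= body hash. A verifier recomputes
# bh= over the body it received; any change to the canonical bytes (such as a
# footer appended by list software) produces "body has been altered".

def relaxed_body(body: str) -> bytes:
    """Canonicalize a message body per RFC 6376 relaxed rules."""
    out = []
    for line in body.replace("\r\n", "\n").split("\n"):
        # Collapse runs of SP/TAB to one SP, then drop trailing whitespace.
        out.append(re.sub(r"[ \t]+", " ", line).rstrip(" \t"))
    # Ignore all empty lines at the end of the body.
    while out and out[-1] == "":
        out.pop()
    if not out:
        return b""  # relaxed: an empty body hashes as the empty string
    return ("\r\n".join(out) + "\r\n").encode("utf-8")

def body_hash(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_body(signed_bh: str, body: str) -> str:
    """Mimic the verifier's body-hash comparison as a DKIM-style result."""
    if body_hash(body) == signed_bh:
        return "pass"
    return "fail (body has been altered)"

# Constructed sample body and a constructed Mailman-style list footer.
ORIGINAL_BODY = "I was hoping that DKIM would improve my reputation.\n\nBill\n"
LIST_FOOTER = ("\n_______________________________________________\n"
               "example-list mailing list (constructed footer)\n")

if __name__ == "__main__":
    bh = body_hash(ORIGINAL_BODY)
    print("bh= as signed:", bh)
    # Trailing whitespace and extra blank lines are absorbed by relaxed canon.
    padded = ORIGINAL_BODY.replace("\n\n", "  \n\n") + "\n\n"
    print("whitespace-only change:", verify_body(bh, padded))
    # A footer appended by the list changes the hashed bytes.
    print("list footer appended:", verify_body(bh, ORIGINAL_BODY + LIST_FOOTER))
```

Header rewrites by the list (the From: munging Bill complains about, or added List-* headers that happen to be signed) break the signature through the signed-header hash instead, which this block does not model.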