From owner-freebsd-questions@FreeBSD.ORG Sun Aug 3 18:27:09 2014
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 102BB470 for ; Sun, 3 Aug 2014 18:27:09 +0000 (UTC)
Received: from btw.pki2.com (btw.pki2.com [IPv6:2001:470:a:6fd::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B8BC42F15 for ; Sun, 3 Aug 2014 18:27:08 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by btw.pki2.com (8.14.9/8.14.9) with ESMTP id s73IQtwn010649; Sun, 3 Aug 2014 11:26:56 -0700 (PDT) (envelope-from dg@pki2.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=pki2.com; s=pki2; t=1407090416; bh=d1GMNgI2mTKFtMvIzZFn0RwPpkE41qWNAcckEB6w9as=; h=Subject:From:To:Cc:In-Reply-To:References:Date; b=eWeKHmMWwIeYV2RYvRr+6+68ZDunXrIfFgZmXhTU2klE3HcKEn2rT/ClXamltKAZdIxAycBosWjp6lqp9XZQYhdkrNC6gzPsRTb47Obr+slALfRkaK9qSNpqXIJ1E8e2d2qj8HCfLzbOW8JPCpRAvvyG7Yo6Uh1bVb995vx9JQkPlS1x8igqpr2DTWgINY5dvIWg9nv0sZ97oxtOuFADZMIjwucbJvxBojazRtn7DjIi4f/4odWLzhWxD+IilmUGG8nzqAVrv7OSsnZYx8/OGp1WTOYK3Qodo8y+RkVDI4azctQXU0hhQv08ORJ3YfviDmujkwK1hlrMu0sO1EV3PQ==
Subject: Re: FreeBSD lists and DKIM
From: Dennis Glatting
To: Matthew Seaman
In-Reply-To: <53DDEEA3.4060702@infracaninophile.co.uk>
References: <1407011530.3895.84.camel@btw.pki2.com> <53DDEEA3.4060702@infracaninophile.co.uk>
Content-Type: text/plain; charset="ISO-8859-1"
Date: Sun, 03 Aug 2014 11:26:55 -0700
Message-ID: <1407090415.3895.113.camel@btw.pki2.com>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.1 FreeBSD GNOME Team Port
Content-Transfer-Encoding: 7bit
X-SoftwareMunitions-MailScanner-Information: Dennis Glatting
X-SoftwareMunitions-MailScanner-ID: s73IQtwn010649
X-SoftwareMunitions-MailScanner: Found to be clean
X-MailScanner-From: dg@pki2.com
Cc: freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 03 Aug 2014 18:27:09 -0000

On Sun, 2014-08-03 at 09:11 +0100, Matthew Seaman wrote:
> On 02/08/2014 21:32, Dennis Glatting wrote:
> > Mail coming through the FreeBSD lists often breaks messages signed
> > through DKIM. What is the policy to resolve this issue?
> >
> > Turning off DKIM isn't an option. If there is a signature, such as
> > someone in the chain coming through gmail, it must validate or the
> > message is rejected. I understand this is a common problem for email
> > lists and there are patches available to reformat messages.
> >
> > http://tools.ietf.org/html/rfc6377
> >
> > The best general recommendation for dealing with MLMs is that the MLM
> > or an MTA in the MLM's domain apply its own DKIM signature to each
> > message it forwards and that assessors on the receiving end consider
> > the MLM's domain signature in making their assessments. (See
> > Section 5, especially Section 5.2.)
>
> If you're in charge of the systems *sending* the DKIM signed messages,
> then choose the set of mail headers the signature is based on carefully:
> avoid any headers that would tend to be re-written during processing by
> the mailing list software.
>
> On the receiving side: allow for mailing lists to add trailers to
> messages that pass. Don't base your accept/reject decisions entirely on
> whether the message passes or fails DKIM or other tests. The way
> Spamassassin handles such things is the way to go: DKIM, SPF, automatic
> white-listing all make a weighted contribution to calculating the score.
>
> The advice for the MLM to apply its own signature to a message is
> problematic in that it magnifies the cpu load required to process
> messages quite a lot. At least with DKIM it is possible to do that:
> compare to what would be needed with SPF, where the MLM would be forced
> to resend the message as *originating* from the mailing list itself.
>

That's not my experience. I operate five email servers: two in, two out,
and one in/out; servicing about 1,000 users. Although relatively small,
we're using 2048 bit keys on the outbound side and see negligible load
increase on these 8-16 core servers. These servers are also doing AV,
DNS, custom MILTER daemons, IPS daemons, and other services. On the
incoming side, the verification load is next to nothing compared to
MailScanner/SpamAssassin/AV/DKIM/DMARC/RBL, and other loads.

I also see a lot of broken stuff including bad keys (e.g., CostCo),
small keys (typically 512 bits), and forgeries/spam but signed with
invalid keys/signatures.

What I am finding useful is DMARC reports. They are interesting although
I can't do anything about forgeries (typically from China). However,
these go into the quarterly roll-up justifying my existence, meager as
it is.

There are two fundamental problems with ignoring broken signatures. The
first is obvious -- you might as well not have them. The second is large
email providers are imposing DMARC (p=reject) and other providers are
honoring it. Consequently, I argue, NOT fixing signatures in an email
list increasingly limits its breadth.

https://help.yahoo.com/kb/postmaster/yahoo-dmarc-policy-sln24050.html

Regardless, I'd like to know the FreeBSD lists policies. I don't see
them posted anywhere but that could just be me. I can insert exceptions
but @freebsd.org isn't enough.

-- 
Dennis Glatting
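As an added illustration (not code from this thread, nor from any of the mail systems it mentions), the following Python models the three options discussed above: a sender signing Subject plus the whole body, which a list's Subject tag and trailer then break; a sender leaving Subject out of h= and setting the l= body-length tag, which is Matthew's "choose the signed headers carefully" advice; and the MLM re-signing the message it actually forwards, which is what RFC 6377 recommends and what Dennis reports as cheap in practice. HMAC-SHA256 with constructed keys stands in for DKIM's RSA signature so the block runs on the standard library alone, canonicalization is a simplified "relaxed" form, and the message, list tag and trailer are constructed sample data. For comparison, the DKIM-Signature header on this very message lists h=Subject:From:To:Cc:In-Reply-To:References:Date, so a list that tagged its Subject would invalidate that signature.

```python
import hashlib
import hmac
import re

# Constructed demo keys: HMAC-SHA256 stands in for DKIM's RSA signature so the
# block runs with the standard library alone. What is demonstrated is which
# bytes the signature covers, not the public-key primitive.
AUTHOR_KEY = b"constructed-author-domain-key"
LIST_KEY = b"constructed-list-domain-key"


def canon_header(name, value):
    """Simplified 'relaxed' header canonicalization: lower-case the name,
    collapse whitespace runs in the value, strip surrounding whitespace."""
    return name.lower() + ":" + re.sub(r"\s+", " ", value).strip()


def canon_body(body):
    """Simplified 'relaxed' body canonicalization: collapse inline whitespace,
    drop trailing whitespace per line, remove trailing empty lines, use CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip() for line in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def _signature_input(headers, signed_names, bh, body_len):
    # A header listed in h= but absent from the message is signed as empty,
    # as DKIM does, so it cannot be added later without breaking the signature.
    blob = "\r\n".join(canon_header(n, headers.get(n, "")) for n in signed_names)
    tags = "h=%s; l=%s; bh=%s" % (":".join(signed_names), body_len, bh)
    return (blob + "\r\n" + "dkim-signature:" + tags).encode()


def sign(headers, body, signed_names, key, body_len=None):
    """Return a DKIM-like tag set (h=, l=, bh=, b=) over the chosen headers.
    body_len mirrors the l= tag: only the first l bytes of the canonical body
    are covered, which lets a list append a trailer without breaking b=."""
    cb = canon_body(body)
    if body_len is not None:
        cb = cb[:body_len]
    bh = hashlib.sha256(cb).hexdigest()
    b = hmac.new(key, _signature_input(headers, signed_names, bh, body_len),
                 hashlib.sha256).hexdigest()
    return {"h": list(signed_names), "l": body_len, "bh": bh, "b": b}


def verify(headers, body, sig, key):
    """Recompute bh and b from the message as received; True only if both match."""
    cb = canon_body(body)
    if sig["l"] is not None:
        if len(cb) < sig["l"]:
            return False  # body shorter than the signed length: cannot verify
        cb = cb[:sig["l"]]
    if hashlib.sha256(cb).hexdigest() != sig["bh"]:
        return False
    expected = hmac.new(key, _signature_input(headers, sig["h"], sig["bh"], sig["l"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["b"])


def pass_through_list(headers, body, list_tag="[freebsd-questions] "):
    """What a typical MLM does to a post: tag the Subject and append a trailer.
    The tag and trailer text are constructed for the demo."""
    new_headers = dict(headers)
    new_headers["Subject"] = list_tag + headers.get("Subject", "")
    trailer = "_______________________________________________\nfreebsd-questions mailing list\n"
    return new_headers, body + trailer


# Constructed sample message (not the actual post on the list).
ORIG_HEADERS = {"From": "dg@pki2.com", "To": "freebsd-questions@freebsd.org",
                "Subject": "FreeBSD lists and DKIM"}
ORIG_BODY = "Mail coming through the FreeBSD lists often breaks messages signed\nthrough DKIM.\n"


def author_signs_everything():
    """Sender covers Subject and the whole body: the list's edits break it."""
    sig = sign(ORIG_HEADERS, ORIG_BODY, ["From", "To", "Subject"], AUTHOR_KEY)
    h, b = pass_through_list(ORIG_HEADERS, ORIG_BODY)
    return verify(h, b, sig, AUTHOR_KEY)


def author_signs_carefully():
    """Sender leaves Subject out of h= and sets l= to the original body length:
    the same list edits no longer invalidate the signature."""
    body_len = len(canon_body(ORIG_BODY))
    sig = sign(ORIG_HEADERS, ORIG_BODY, ["From", "To"], AUTHOR_KEY, body_len=body_len)
    h, b = pass_through_list(ORIG_HEADERS, ORIG_BODY)
    return verify(h, b, sig, AUTHOR_KEY)


def list_resigns():
    """RFC 6377 recommendation: the MLM signs the message it actually forwards,
    and the receiver assesses the list's signature instead of the author's."""
    h, b = pass_through_list(ORIG_HEADERS, ORIG_BODY)
    sig = sign(h, b, ["From", "To", "Subject"], LIST_KEY)
    return verify(h, b, sig, LIST_KEY)


if __name__ == "__main__":
    print("everything signed, after list:", author_signs_everything())  # False
    print("careful h= and l=, after list:", author_signs_carefully())   # True
    print("list re-signed:               ", list_resigns())             # True
```

The second option has a cost that the model makes visible: whatever is left out of h=, and whatever follows the l= byte count, is not covered by the signature at all, so those parts can be changed in transit without detection. That is exactly why Matthew's receiving-side advice is to treat a DKIM result as one weighted input rather than the sole accept/reject criterion, and why RFC 6377 prefers the list adding its own signature over the author's.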