Date: Sun, 03 Aug 2014 11:26:55 -0700 From: Dennis Glatting <dg@pki2.com> To: Matthew Seaman <m.seaman@infracaninophile.co.uk> Cc: freebsd-questions@freebsd.org Subject: Re: FreeBSD lists and DKIM Message-ID: <1407090415.3895.113.camel@btw.pki2.com> In-Reply-To: <53DDEEA3.4060702@infracaninophile.co.uk> References: <1407011530.3895.84.camel@btw.pki2.com> <53DDEEA3.4060702@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 2014-08-03 at 09:11 +0100, Matthew Seaman wrote: > On 02/08/2014 21:32, Dennis Glatting wrote: > > Mail coming through the FreeBSD lists often breaks messages signed > > through DKIM. What is the policy to resolve this issue? > > > > Turning off DKIM isn't an option. If there is a signature, such as > > someone in the chain coming through gmail, it must validate or the > > message is rejected. I understand this is a common problem for email > > lists and there are patches available to reformat messages. > > > > http://tools.ietf.org/html/rfc6377 > > > > The best general recommendation for dealing with MLMs is that the MLM > > or an MTA in the MLM's domain apply its own DKIM signature to each > > message it forwards and that assessors on the receiving end consider > > the MLM's domain signature in making their assessments. (See > > Section 5, especially Section 5.2.) > > If you're in charge of the systems *sending* the DKIM signed messages, > then choose the set of mail headers the signature is based on carefully: > avoid any headers that would tend to be re-written during processing by > the mailing list software. > > On the receiving side: allow for mailing lists to add trailers to > messages that pass. Don't base your acept/reject decisions entirely on > whether the message passes or fails DKIM or other tests. The way > Spamassassin handles such things is the way to go: DKIM, SPF, automatic > white-listing all make a weighted contribution to calculating the score. > > The advice for the MLM to apply it's own signature to a message is > problematic in that it magnifies the cpu load required to process > messages quite a lot. At least with DKIM it is possible to do that: > compare to what would be needed with SPF, where the MLM would be forced > to resend the message as *originating* from the mailing list itself. > That's not my experience. I operate five email servers: two in, two out, and one in/out; servicing about 1,000 users. Although relatively small, we're using 2048 bit keys on the outbound side and see negligible load increase on these 8-16 core servers. These servers are also doing AV, DNS, custom MILTER daemons, IPS daemons, and other services. On the incoming side, the verification load is next to nothing compared to MailScanner/SpamAssasin/AV/DKIM/DMARC/RBL, and other loads. I also see a lot of broken stuff including bad keys (e.g., CostCo), small keys (typically 512 bits), and forgeries/spam but signed with invalid keys/signatures. What I am finding useful is DMARC reports. They are interesting although I can't do anything about forgeries (typically from China). However, these go into the quarterly roll-up justifying my existence, meager as it is. There are two fundamental problems with ignoring broken signatures. The first is obvious -- you might as well not have them. The second is large email providers are imposing DMARC (p=reject) and other providers are honoring it. Consequently, I argue, NOT fixing signatures in an email list increasingly limits it breadth. https://help.yahoo.com/kb/postmaster/yahoo-dmarc-policy-sln24050.html Regardless, I'd like to know the FreeBSD lists policies. I don't see them posted anywhere but that could just be me. I can insert exceptions but @freebsd.org isn't enough. -- Dennis Glatting <dg@pki2.com>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1407090415.3895.113.camel>