Date: Sun, 03 Aug 2014 09:11:15 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD lists and DKIM
Message-ID: <53DDEEA3.4060702@infracaninophile.co.uk>
In-Reply-To: <1407011530.3895.84.camel@btw.pki2.com>
References: <1407011530.3895.84.camel@btw.pki2.com>

On 02/08/2014 21:32, Dennis Glatting wrote:
> Mail coming through the FreeBSD lists often breaks messages signed
> through DKIM. What is the policy to resolve this issue?
>
> Turning off DKIM isn't an option. If there is a signature, such as
> someone in the chain coming through gmail, it must validate or the
> message is rejected. I understand this is a common problem for email
> lists and there are patches available to reformat messages.
>
> http://tools.ietf.org/html/rfc6377
>
>   The best general recommendation for dealing with MLMs is that the MLM
>   or an MTA in the MLM's domain apply its own DKIM signature to each
>   message it forwards and that assessors on the receiving end consider
>   the MLM's domain signature in making their assessments. (See
>   Section 5, especially Section 5.2.)

If you're in charge of the systems *sending* the DKIM signed messages,
then choose the set of mail headers the signature is based on carefully:
avoid any headers that would tend to be re-written during processing by
the mailing list software.

On the receiving side: allow for mailing lists to add trailers to
messages that pass. Don't base your accept/reject decisions entirely on
whether the message passes or fails DKIM or other tests. The way
SpamAssassin handles such things is the way to go: DKIM, SPF, automatic
white-listing all make a weighted contribution to calculating the score.

The advice for the MLM to apply its own signature to a message is
problematic in that it magnifies the CPU load required to process
messages quite a lot. At least with DKIM it is possible to do that:
compare to what would be needed with SPF, where the MLM would be forced
to resend the message as *originating* from the mailing list itself.

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
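
An added example, not part of the original message: a check of which DKIM-signed parts of a message still match after a mailing list has processed it, using the relaxed canonicalization rules from RFC 6376. The sample messages, addresses, the "[list]" subject tag and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4: collapse whitespace runs, drop trailing blank lines."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The value a verifier compares against the signature's bh= tag (sha256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2: lowercase name, unfold, collapse whitespace."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}"

def broken_components(signed, original, relayed):
    """Signed parts that no longer match after list processing (absent header = empty)."""
    broken = [h for h in signed
              if relaxed_header(h, original["headers"].get(h, ""))
              != relaxed_header(h, relayed["headers"].get(h, ""))]
    if body_hash(original["body"]) != body_hash(relayed["body"]):
        broken.append("body")
    return broken

# Constructed sample messages, not taken from the thread.
ORIGINAL = {
    "headers": {"From": "alice@example.org", "Subject": "DKIM question",
                "Date": "Sun, 03 Aug 2014 09:11:15 +0100",
                "Message-ID": "<constructed-1@example.org>"},
    "body": b"Hello list,\r\nquick question.\r\n",
}
LIST_HEADERS = {**ORIGINAL["headers"], "Subject": "[list] DKIM question",
                "Reply-To": "list@example.net"}
# The list rewrites headers and whitespace only, or also appends a trailer.
HEADERS_ONLY = {"headers": LIST_HEADERS, "body": b"Hello list,  \r\nquick question.\r\n\r\n"}
WITH_TRAILER = {"headers": LIST_HEADERS,
                "body": ORIGINAL["body"] + b"--\r\nlist@example.net mailing list\r\n"}

if __name__ == "__main__":
    for signed in (["From", "Date", "Message-ID"], ["From", "Subject", "Reply-To"]):
        print(signed, broken_components(signed, ORIGINAL, HEADERS_ONLY),
              broken_components(signed, ORIGINAL, WITH_TRAILER))
```

With the trailer appended, the body hash fails whichever headers were signed, which is the case the receiving-side advice above has to allow for.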