Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 4 Sep 2018 18:17:09 -0400
From:      William Dudley <wfdudley@gmail.com>
To:        Jim Ohlstein <jim@mailman-hosting.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: DKIM is driving me nuts
Message-ID:  <CAFsnNZ+HXxrn7+3sYxWtBuA1+rCjvhbtrAg6Y5Tkm_icAte-fg@mail.gmail.com>
In-Reply-To: <1f9110ef-7cc6-a359-58a6-290a3d16ff47@mailman-hosting.com>
References:  <mailman.104.1535976002.94972.freebsd-questions@freebsd.org> <2d9ca6fc33b9aa430233bc0862b65453.squirrel@webmail.harte-lyne.ca> <CAFsnNZ+iHrnQAzJPwj+b8i4ML0c=dXOsn3UzhhyDrTB6EHn=hg@mail.gmail.com> <a57ff4870e5d68211e673a5383892017.squirrel@webmail.harte-lyne.ca> <CAFsnNZL-C+_VTw7YXvUeyM_BfiikZqgADo+S5KP_zpu7xcUvAg@mail.gmail.com> <47bf9a4f8499073f6b29bf7b29d82039.squirrel@webmail.harte-lyne.ca> <CAFsnNZ++4xxgjiRa3t_RGV4cQ5hF7k8=p9HU87NHXfpQ6grPyg@mail.gmail.com> <CAFsnNZJ8em-FPE7z1bPhG3wQ7K8qk-Nq_m01Uqa4zzOzR6qbeQ@mail.gmail.com> <1f9110ef-7cc6-a359-58a6-290a3d16ff47@mailman-hosting.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
I was hoping that having my server "do" DKIM would improve my "reputation"
with other
mail servers.  This was prompted by bounce messages from some clown with a "
us.army.mil"
address, whose server bounces *everything* without a valid 1024 bit DKIM
signature.

I'm just running a hobby mail server, but I provide about a dozen mailing
lists to small
organizations.

The problems with DKIM for me are:

1. It's "impossible" (read: "I'm not spending any more time on this") to
get DKIM
working with different MUAs.  I can get it to work when I send email using
Thunderbird,
but not when I send email from the command line (mailx).  "Works" means
that the
inserted DKIM headers pass the checks at the other end.

2. My server sends automated reminder emails to the mailing lists, and any
emails sent by my system through Mailman fail DKIM checks (even though my
system is inserting DKIM stuff in the headers).

In both cases, apparently there's some magic involved with hostnames in the
mail
headers and the matching DNS records, and I have given up because
hours and hours of experimenting have gotten me exactly bupkus.

I read a bit on the intersection of Mailman and DKIM, and it isn't pretty.
It's not even
clear *what* Mailman should DO with DKIM signed emails from people
submitting
emails to their list.  I was only worrying about signing my OWN emails
(machine generated)
using DKIM, and hadn't even considered what would happen to *other's* DKIM
signatures.

If I wasn't running Mailman, I might be interested in figuring out the
magic, but since
the Mailman/DKIM thing is so borked, it's time to declare victory and move
on.

Perhaps one day, my children will be able to get DKIM working with Mailman,
but it's clearly
science fiction right now.

AOL and Yahoo can't go out of business fast enough.  Yahoo broke all
mailing lists with
their stupid policy of "email that has From: domain different from sending
domain is spam"
and that's enough damage that it should result in the corporate death
penalty.

When the majority of the emails from my own server are bouncing from lack
of DKIM,
 I'll shut off my mail server.  That's why I have a gmail account, as a
secondary channel.

Thanks,
Bill Dudley


This email is free of malware because I run Linux.

On Tue, Sep 4, 2018 at 5:41 PM, Jim Ohlstein <jim@mailman-hosting.com>
wrote:

> Hello,
>
> On 09/04/2018 11:48 AM, William Dudley wrote:
> > I have decided to abandon this quest.
> >
> > The intersection of DKIM and Mailman is a huge cluster f--k, and will not
> > be sorted out
> > any time soon, if ever.
> >
> > Since I value the mailing lists I host, and am unwilling to stop those
> > services,
> > it makes sense to give up on DKIM.
>
> Before you give up on DKIM, it sounds as though this is a Mailman
> problem. There are "fixes" for some issues in Mailman (both 2.1 and 3.1)
> that can be easily applied.
>
> In short, DKIM is a digital signature using a private key. The signature
> can be verified with the public key. If anything in the message is
> changed (as Mailman and other list software is apt to do by changing
> headers or adding a footer), DKIM will fail. Also, some large freemail
> providers (Yahoo and AOL) have published DMARC policies to reject any
> emails from them that fail DKIM. Many smaller servers do the same.
>
> Here's the DKIM results from your last email via Gmail:
>
> Authentication-Results: maurice.jlkmail.com (amavisd-new);
>         dkim=fail (2048-bit key) reason="fail (body has been altered)"
>         header.d=gmail.com
>
> More and more large servers are requiring not only DKIM, but DMARC
> policies as well. Running a small mail server is only going to get more
> cumbersome. Taking down a working system may not be the best choice.
>
> What is the specific problems that this one user is having? Is it that
> his emails to the list are being rejected? Or is his mail server at
> "us.army.mil" rejecting emails from the list? Can you post the relevant
> entries from your mail log (usually /var/log/maillog on FreeBSD)?
>
> >
> > DKIM doesn't solve any problems (except for one poor schmuck who has a ".
> > us.army.mil"
> > email address, that rejects all email without DKIM), I don't find DKIM
> > valuable
> > enough to fight with it any more.
> >
> > Thanks to all for their suggestions.  I have learned somethings, which
> was
> > the point,
> > after all.
> >
> > Bill Dudley
> >
> >
> >
>
> --
> Jim Ohlstein
> Professional Mailman Hosting
> https://mailman-hosting.com
>
>



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CAFsnNZ+HXxrn7+3sYxWtBuA1+rCjvhbtrAg6Y5Tkm_icAte-fg>