2016-08-01 01:39:07

by Russell Coker

Subject: [refpolicy] DKIM signatures

This list server adds "[refpolicy]" to the subject and also adds a list footer
before sending out mail. To preserve DKIM signatures the sender can manually
add "[refpolicy]" when starting a new thread. Also a sender who controls the
DKIM policy for their domain can add the "l=" flag to sign only the length of
the original message so that the footer doesn't break the signature.

Is it possible to enable the l= flag on Gmail DKIM signatures? If not then I
think it's necessary to either remove the list footer or enable the DKIM
feature in mailman where it sets the From: field to the list address and allows
the list sender to apply their own DKIM signature to the outbound mail.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/


2016-08-15 07:58:38

by Russell Coker

Subject: [refpolicy] DKIM signatures

On Monday, 1 August 2016 11:39:07 AM AEST Russell Coker wrote:
> This list server adds "[refpolicy]" to the subject and also adds a list
> footer before sending out mail. To preserve DKIM signatures the sender can
> manually add "[refpolicy]" when starting a new thread. Also a sender who
> controls the DKIM policy for their domain can add the "l=" flag to sign
> only the length of the original message so that the footer doesn't break
> the signature.
>
> Is it possible to enable the l= flag on Gmail DKIM signatures? If not then
> I think it's necessary to either remove the list footer or enable the DKIM
> feature in mailman where it sets the From: field to the list address and
> allows the list sender to apply their own DKIM signature to the outbound
> mail.

http://krebsonsecurity.com/2016/07/trump-dnc-rnc-flunk-email-security-test/

DKIM and DMARC (which depends on it) are gaining popularity. The above
article isn't about politics (I really hope no-one will say "vote for the
candidate with the best mail server") but about the expectations of modern
mail servers. Probably everyone here should read all of Krebs' articles as he
writes a lot of stuff that's relevant to us.

Tresys people, when will we get this list fixed?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2016-08-19 15:17:08

by Jason Zaman

Subject: [refpolicy] DKIM signatures

On Mon, Aug 15, 2016 at 05:58:38PM +1000, Russell Coker wrote:
> On Monday, 1 August 2016 11:39:07 AM AEST Russell Coker wrote:
> > This list server adds "[refpolicy]" to the subject and also adds a list
> > footer before sending out mail. To preserve DKIM signatures the sender can
> > manually add "[refpolicy]" when starting a new thread. Also a sender who
> > controls the DKIM policy for their domain can add the "l=" flag to sign
> > only the length of the original message so that the footer doesn't break
> > the signature.
> >
> > Is it possible to enable the l= flag on Gmail DKIM signatures? If not then
> > I think it's necessary to either remove the list footer or enable the DKIM
> > feature in mailman where it sets the From: field to the list address and
> > allows the list sender to apply their own DKIM signature to the outbound
> > mail.
>
> http://krebsonsecurity.com/2016/07/trump-dnc-rnc-flunk-email-security-test/
>
> DKIM and DMARC (which depends on it) are gaining popularity. The above
> article isn't about politics (I really hope no-one will say "vote for the
> candidate with the best mail server") but about the expectations of modern
> mail servers. Probably everyone here should read all of Krebs' articles as he
> writes a lot of stuff that's relevant to us.
>
> Tresys people, when will we get this list fixed?

Do you happen to know how other big lists handle DKIM and SPF and stuff
like that? Doesn't LKML prefix the subject and stuff on their mails too?

I just realized my DKIM records are not in my DNS but I thought I'd set
it up. I guess I have one more item on my todo list now :P

-- Jason
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2016-08-22 07:06:26

by Russell Coker

Subject: [refpolicy] DKIM signatures

On Friday, 19 August 2016 11:17:08 PM AEST Jason Zaman wrote:
> Do you happen to know how other big lists handle DKIM and SPF and stuff
> like that? Doesn't LKML prefix the subject and stuff on their mails too?
>
> I just realized my DKIM records are not in my DNS but I thought I'd set
> it up. I guess I have one more item on my todo list now :P

Mailman (which is used by this list) has a configuration option to replace the
From: field with the address of the list server. I believe that this is the
correct thing to do as list mail does not come from the sender but from the
list server.

When a list preserves the From: field it has to preserve the Subject: (which
means no [refpolicy] prefix) and adding a footer is incompatible with any DKIM
sender that doesn't use the l= flag. Given that most senders don't use l= and
most users don't have the ability to change their DKIM configuration this
pretty much excludes a list footer unless you change the From: field.

Also the list server needs to not reformat the message or MIME encode it for
best compatibility. There are sender options to relax formatting checks that
should allow MIME-coding the message body to not break the signature, but
again we are at the problem of most users being unable to change their
configuration.

Of the minority of users who are able to change their DKIM configuration (i.e.
having access to DNS records and DKIM daemon configuration) most of them don't
have the skill to tweak all the settings themselves.

As an aside I was unsubscribed from this list for a couple of weeks.
Presumably because of DKIM failures.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
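
The footer problem discussed in this thread, as an added example that is not part of any poster's message: it computes the DKIM body hash (bh=) using the RFC 6376 simple and relaxed body canonicalizations, with and without an l= length, before and after a list footer is appended. The sample body and footer are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import re
from typing import Optional


def canon_body(body: bytes, relaxed: bool = False) -> bytes:
    """RFC 6376 body canonicalization; input must use CRLF line endings."""
    lines = body.split(b"\r\n")
    if relaxed:
        # Collapse runs of space/tab to one space, drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                      # ignore empty lines at end of body
    if not lines:
        return b"" if relaxed else b"\r\n"
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, l: Optional[int] = None, relaxed: bool = False) -> str:
    """Value of the bh= tag: SHA-256 over the canonicalized body, cut to l= octets."""
    data = canon_body(body, relaxed)
    if l is not None:
        if l > len(data):
            # l= must not exceed the canonicalized body length.
            raise ValueError("l= exceeds canonicalized body length")
        data = data[:l]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def footer_survives(original: bytes, appended: bytes, use_l: bool) -> bool:
    """True if the bh= computed by the sender still matches after the list appends text."""
    l = len(canon_body(original)) if use_l else None
    signed_bh = body_hash(original, l)               # what the sender signed
    received_bh = body_hash(original + appended, l)  # what the subscriber's MTA computes
    return signed_bh == received_bh


# Constructed sample message body and list footer.
ORIGINAL = b"Is it possible to enable the l= flag?\r\n"
FOOTER = (b"_______________________________________________\r\n"
          b"refpolicy mailing list\r\n")

if __name__ == "__main__":
    print("without l=:", footer_survives(ORIGINAL, FOOTER, use_l=False))
    print("with l=   :", footer_survives(ORIGINAL, FOOTER, use_l=True))
```

Bytes past the l= count are outside the hash, so the verifier's result is the same whatever text follows the signed portion; that is the trade-off of the l= approach.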