
On Fri, 20 Nov 2015 03:08:05 PM Joel W. Shea via luv-talk wrote:
IIRC I think somebody said that Mailman breaks the DKIM on the original message.
I was referring to the mailing list making its own signatures, but you're correct, in some circumstances Mailman will break signatures, for instance, by rewriting the From/Subject fields where they were signed by the original sender.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802048

The previous version of Mailman that we used (from Debian/Wheezy) would reformat the DKIM header to use spaces instead of tabs which for some reason broke all the Linux DKIM software I tested with. Ideally we would have the DKIM checking handle this, I filed the above Debian bug about this.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802047

It would also be possible for Mailman to have special case code for DKIM headers. I filed the above bug report requesting this.

But I don't expect that anything will happen in this regard as the new version of Mailman in Debian/Jessie now base64 encodes message bodies for no good reason and with no apparent way to disable it. It MIGHT be possible to make Mailman forward mail without breaking DKIM if the sender uses base64 encoding, but if the sender doesn't (as my favourite MUA doesn't) then that seems impossible.
Which provokes the question - why not fix Mailman so it doesn't break the DKIM on the original message?
Mailman can already sensibly handle DKIM signatures.
No, it seems to be broken and becoming more broken. If you think this can be solved then please tell me how.
IIRC this is because of the design of Mailman; it interprets the headers and writes them out again, so it can't write them back exactly the same as they were before.
I don't have the references handy, I apologise in advance if I got the above wrong.
I recall there being a long discussion thread on the mailman list, late last decade, regarding the handling of DKIM signature edge-cases, but I think things have improved since then.
Testing proves otherwise.
Which seems to be saying we need to mangle the From: header due to poor design decisions in Mailman.
Only if we want forwarded mail to pass DMARC policy, which is a separate issue (the second one on my original post).
If we want to support Gmail recipients then we have to do that.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
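The following is an added example, not part of the message above and not code from Mailman or any DKIM verifier. It implements the RFC 6376 "simple" and "relaxed" canonicalization rules and applies them to the two rewrites discussed in the thread: refolding the DKIM-Signature header with spaces instead of tabs, and base64 re-encoding the body. The header, body and domain are constructed sample values, and the example does not establish which canonicalization the messages in the thread used.

```python
import base64
import hashlib
import re


def canon_header(raw: bytes, mode: str) -> bytes:
    """RFC 6376 3.4.1 (simple) / 3.4.2 (relaxed) for one header field."""
    if mode == "simple":
        return raw  # hashed byte for byte, folding whitespace included
    name, _, value = raw.partition(b":")
    value = value.replace(b"\r\n", b"")                    # unfold
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" ")    # collapse WSP runs
    return name.strip(b" \t").lower() + b":" + value + b"\r\n"


def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # drop trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str) -> str:
    """Value a verifier compares against the bh= tag (sha256 case)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


# Constructed sample data. The DKIM-Signature field itself is hashed with
# the header canonicalization (with an empty b= value), so refolding matters.
SIG_TABS = (b"DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;\r\n"
            b"\th=from:to:subject:date;\r\n"
            b"\tbh=PLACEHOLDER; b=\r\n")
SIG_SPACES = SIG_TABS.replace(b"\r\n\t", b"\r\n ")   # tab folding -> space folding
BODY = b"Hello list,\r\n\r\nThis is a test.\r\n"
BODY_B64 = base64.encodebytes(BODY).replace(b"\n", b"\r\n")  # re-encoded body


def survives(mode: str) -> dict:
    """True where the rewritten form still hashes like the original."""
    return {
        "header": canon_header(SIG_TABS, mode) == canon_header(SIG_SPACES, mode),
        "body": body_hash(BODY, mode) == body_hash(BODY_B64, mode),
    }


if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, survives(mode))
```

Under these rules the tab-to-space refold changes the hashed header only with simple canonicalization, while a body that is re-encoded in transit changes the body hash under both.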