Score:0

OpenDKIM & Mailman

I have a small mail server based on Fedora with postfix, OpenDKIM, spamassassin and mailman.

  • OpenDKIM signature for outgoing emails works
  • OpenDKIM verification for incoming emails works

When a DKIM message is sent to a mailing list I see the following in the headers:

DKIM-Filter: OpenDKIM Filter v2.11.0 corti.li DB09BDFEE4
Authentication-Results: corti.li;
    dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=id.ethz.ch [email protected] header.a=rsa-sha256 header.s=key1-q3-2021 header.b=FOCb7EwF
[...]
DKIM-Filter: OpenDKIM Filter v2.11.0 corti.li A2C29DFED2
Received: from mailg210.ethz.ch (mailg210.ethz.ch [129.132.198.194])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by corti.li (Postfix) with ESMTPS id 98D21DF4AC
 for <[email protected]>; Thu,  2 Dec 2021 14:19:55 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 corti.li 98D21DF4AC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=id.ethz.ch;
 s=key1-q3-2021; t=1638451169; h=From:Subject:Date:Message-ID:To
 :MIME-Version:Content-Type; bh=qzmynR6bBoUQ7r53VOIB9APaTNZN6JNW86G7ge/XIj
 U=; b=FOCb7EwFI/pVyk/KvT2kEAFLcKguQN9b+UzfLobMxPe1YwAm1wHrRSs3ZXo8l1DUJTM
 J5/lO3rJAMu8+ZidXMHLSFWl7JwZ2ciqB93RiQMYNONBLZ+HOYpkUxzof3L9MAzdCmGeaJisF
 bk8FF/E8G+rGrBP7xXMpv+MgvofWU9RVCTQZqLOnWqPYyBsEsptByHDgsrUsmPGZSxQ1OUasd
 j6cEkRfXk3EVqVNVZXWfGLWDD4CWd0VKSNMGk/SMPgx9L63SUe1qSv4PUIJn9Lepn6gnvZaE9
 D7+v3uk69Kfglr4gK7OpFB1X/YQrEhQYzcstB6+sUUVTFhA3ROKyuHXA==;

In this example

  • corti.li is my server
  • @id.ethz.ch is the from domain

OpenDKIM configuration in /etc/postfix/main.cf:

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters

Mailman is configured via

./postfix/main.cf:alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases

and entries like

testlist:              "|/usr/lib/mailman/mail/mailman post testlist"

in /etc/mailman/aliases

Spamassassin is configured in /etc/postfix/master.cf as:

[root@corti etc]# grep spamass /etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
submission inet n      -       n       -       -       smtpd -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
smtps    inet  n       -       n       -       -       smtpd  -o content_filter=spamassassin -o tls_preempt_cipherlist=yes
spamassassin unix  -       n       n       -       -       pipe user=spamassassin argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Log entries about A2C29DFED2

Dec 02 14:19:57 corti.li postfix/pickup[190218]: A2C29DFED2: uid=513 from=<[email protected]>
Dec 02 14:19:57 corti.li postfix/cleanup[194198]: A2C29DFED2: message-id=<[email protected]>
Dec 02 14:19:57 corti.li opendkim[192090]: A2C29DFED2: no signing table match for '*****@id.ethz.ch'
Dec 02 14:19:57 corti.li opendkim[192090]: A2C29DFED2: DKIM verification successful
Dec 02 14:19:57 corti.li postfix/qmgr[1080]: A2C29DFED2: from=<[email protected]>, size=12955, nrcpt=1 (queue active)
Dec 02 14:19:57 corti.li postfix/local[194206]: A2C29DFED2: to=<[email protected]>, relay=local, delay=0.1, delays=0.01/0/0/0.09, dsn=2.0.0, status=sent (delivered to command: /usr/lib/mailman/mail/mailman post rpg)
Dec 02 14:19:57 corti.li postfix/qmgr[1080]: A2C29DFED2: removed

and

Dec 02 14:20:03 corti.li postfix/pickup[190218]: DB09BDFEE4: uid=513 from=<[email protected]>
Dec 02 14:20:03 corti.li postfix/cleanup[194198]: DB09BDFEE4: message-id=<[email protected]>
Dec 02 14:20:03 corti.li opendkim[192090]: DB09BDFEE4: no signing table match for '*****@id.ethz.ch'
Dec 02 14:20:03 corti.li opendkim[192090]: DB09BDFEE4: bad signature data
Dec 02 14:20:03 corti.li postfix/qmgr[1080]: DB09BDFEE4: from=<[email protected]>, size=14580, nrcpt=1 (queue active)
Dec 02 14:20:03 corti.li postfix/local[194206]: DB09BDFEE4: passing <[email protected]> to transport=procmail
Dec 02 14:20:04 corti.li postfix/pipe[194207]: DB09BDFEE4: to=<[email protected]>, relay=procmail, delay=0.15, delays=0.07/0/0/0.08, dsn=2.0.0, status=sent (delivered via procmail service)
Dec 02 14:20:04 corti.li postfix/qmgr[1080]: DB09BDFEE4: removed

Why is the DKIM signature of the outgoing message checked? Mailman modifies the message, and the original signature should not be relevant anymore.

Score:0
I could solve the problem by telling mailman to always remove the DKIM signature:

# Some list posts and mail to the -owner address may contain DomainKey or
# DomainKeys Identified Mail (DKIM) signature headers <http://www.dkim.org/>.
# Various list transformations to the message such as adding a list header or
# footer or scrubbing attachments or even reply-to munging can break these
# signatures.  It is generally felt that these signatures have value, even if
# broken and even if the outgoing message is resigned.  However, some sites
# may wish to remove these headers.  Possible values and meanings are:
# No, 0, False -> do not remove headers.
# Yes, 1, True -> remove headers only if we are munging the from header due
#                 to from_is_list or dmarc_moderation_action.
# 2 -> always remove headers.
# 3 -> always remove, rename and preserve original DKIM headers.
REMOVE_DKIM_HEADERS = 2
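
Why a list footer invalidates the original signature, as an added example that is not part of the answer above or of Mailman or OpenDKIM: with c=relaxed/relaxed and a=rsa-sha256 (as in the header shown in the question), the verifier recomputes the bh= body hash, and appended text changes it while whitespace-only changes do not. The message body, footer, domain and selector below are constructed.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    out = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # runs of WSP become one SP
        out.append(line.rstrip(b" "))          # WSP at end of line is ignored
    while out and out[-1] == b"":              # empty lines at end of body are ignored
        out.pop()
    return b"".join(line + b"\r\n" for line in out)


def body_hash(body: bytes) -> str:
    """Value a verifier compares with bh= for a=rsa-sha256 and a relaxed body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_matches(sig_value: str, body: bytes) -> bool:
    tags = parse_tags(sig_value)
    canon = tags.get("c", "simple/simple").split("/")
    if (canon[1] if len(canon) > 1 else "simple") != "relaxed" or "l" in tags:
        raise ValueError("this sketch handles only a relaxed body without l=")
    return tags["bh"] == body_hash(body)


# Constructed sample data (not taken from the messages on this page).
ORIGINAL = b"Hello list,\r\n\r\nthe meeting is at 14:00.\r\n"
REFLOWED = b"Hello   list,  \r\n\r\nthe meeting is at 14:00.\r\n\r\n\r\n"
FOOTER = b"_______________\r\ntestlist mailing list\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;\r\n"
             " h=From:Subject:Date:Message-ID:To; bh=" + body_hash(ORIGINAL) + "; b=")

if __name__ == "__main__":
    print("as sent:          ", body_matches(SIGNATURE, ORIGINAL))
    print("whitespace only:  ", body_matches(SIGNATURE, REFLOWED))
    print("with list footer: ", body_matches(SIGNATURE, ORIGINAL + FOOTER))
```

The b= signature itself is not checked here; a body-hash mismatch alone is enough for a verifier to report a failed signature.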