test - ignore
Matus UHLAR - fantomas
uhlar at fantomas.sk
Wed Jan 26 16:14:49 UTC 2022
>> On Jan 25, 2022, at 8:50 AM, Benny Pedersen <me at junc.eu> wrote:
>> Authentication-Results: lists.isc.org;
>>     dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
>>     dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
On 25.01.22 12:25, Dan Mahoney wrote:
> The headers you cite are lying to you. :) The message passed DKIM on the
> way IN to lists.isc.org (the dedicated vm that runs our lists), but then,
> when the message got to the mailman python scripts and then shot back out
> via the MTA, they had an altered body and no longer passed, and the header
> was rewritten to say "fail". (This is visible from the logging on the
> servers, but nowhere else).
there were multiple headers when that mail came here:
Authentication-Results: fantomas.fantomas.sk;
    dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=isc.org header.i=@isc.org header.b="q/vOEba5";
    dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=isc.org header.i=@isc.org header.b="ozeUkO/Z";
    dkim-atps=neutral
Authentication-Results: lists.isc.org;
    dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
    dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
obviously when the mail came to list, DKIM was fine, not so after it left
(thanks to list signature)
>> will my dkim fail as well?
it did...
> Altering the body or headers at all (which lists do) will often break the
> hashing. For this reason, most recent versions of mailman have an option
> to rewrite your mail from:
[...]
>...but only in the event you have a restrictive DMARC policy.
this explains why both your and Benny's mail did fail here, while Eduard's
did not - that one was signed by mailman because of his domains' restrictive
policy.
I missed this part before.
> I've argued that it should be possible to do so for *any* dmarc policy,
> even p=none, but that option is not present in mailman 3, at least.
I agree.
spam filter is something that can use dkim fail and should not be ignored.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Support bacteria - they're the only culture some people have.
More information about the bind-users
mailing list