test - ignore
Sten Carlsen
stenc at s-carlsen.dk
Wed Jan 26 16:30:38 UTC 2022
Thanks
Sten
> On 26 Jan 2022, at 17.14, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>
>>> On Jan 25, 2022, at 8:50 AM, Benny Pedersen <me at junc.eu> wrote:
>>> Authentication-Results: lists.isc.org;
>>> dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
>>> dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
>
> On 25.01.22 12:25, Dan Mahoney wrote:
>> The headers you cite are lying to you. :) The message passed DKIM on the
>> way IN to lists.isc.org (the dedicated vm that runs our lists), but then,
>> when the message got to the mailman python scripts and then shot back out
>> via the MTA, they had an altered body and no longer passed, and the header
>> was rewritten to say "fail". (This is visible from the logging on the
>> servers, but nowhere else).
>
> there were multiple headers when that mail came here:
>
> Authentication-Results: fantomas.fantomas.sk;
> dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=isc.org header.i=@isc.org header.b="q/vOEba5";
> dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=isc.org header.i=@isc.org header.b="ozeUkO/Z";
> dkim-atps=neutral
> Authentication-Results: lists.isc.org;
> dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
> dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
>
> obviously when the mail came to list, DKIM was fine, not so after it left
> (thanks to list signature)
>
>>> will my dkim fail as well?
>
> it did...
>
>> Altering the body or headers at all (which lists do) will often break the
>> hashing. For this reason, most recent versions of mailman have an option
>> to rewrite your mail from:
When the dkim is set up, you can select which parts of the header you want to include in the signature.
I have selected a smaller part of the headers for my signature, so does this go through?
>
> [...]
>
>> ...but only in the event you have a restrictive DMARC policy.
>
> this explains why both your and Benny's mail did fail here, while Eduard's
> did not - that one was signed by mailman because of his domains' restrictive
> policy.
>
> I missed this part before.
>
>> I've argued that it should be possible to do so for *any* dmarc policy,
>> even p=none, but that option is not present in mailman 3, at least.
>
> I agree.
> spam filter is something that can use dkim fail and should not be ignored.
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Support bacteria - they're the only culture some people have.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.