test - ignore

Sten Carlsen stenc at s-carlsen.dk
Wed Jan 26 16:30:38 UTC 2022 

Thanks

Sten

> On 26 Jan 2022, at 17.14, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
> 
>>> On Jan 25, 2022, at 8:50 AM, Benny Pedersen <me at junc.eu> wrote:
>>> Authentication-Results: lists.isc.org;
>>> 	dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
>>> 	dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
> 
> On 25.01.22 12:25, Dan Mahoney wrote:
>> The headers you cite are lying to you.  :) The message passed DKIM on the
>> way IN to lists.isc.org (the dedicated vm that runs our lists), but then,
>> when the message got to the mailman python scripts and then shot back out
>> via the MTA, they had an altered body and no longer passed, and the header
>> was rewritten to say "fail".  (This is visible from the logging on the
>> servers, but nowhere else).
> 
> there were multiple headers when that mail came here:
> 
> Authentication-Results: fantomas.fantomas.sk;
>       dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=isc.org header.i=@isc.org header.b="q/vOEba5";
>       dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=isc.org header.i=@isc.org header.b="ozeUkO/Z";
>       dkim-atps=neutral
> Authentication-Results: lists.isc.org;
>       dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
>       dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
> 
> obviously when the mail came to list, DKIM was fine, not so after it left
> (thanks to list signature)
> 
>>> will my dkim fail aswell ?
> 
> it did...
> 
>> Altering the body or headers at all (whch lists do) will often break the
>> hashing.  For this reason, most recent versions of mailman have an option
>> to rewrite your mail from:

When the dkim is set up, you can select which parts of the header you want to include in the signature.

I have selected a smaller part of the headers for my signature,  so does this go through?

> 
> [...]
> 
>> ...but only in the event you have a restrictive DMARC policy. 
> 
> this explains why both your and Benny's mail did fail here, while Eduard's
> did not - that one was signed by mailman because of his domains' restrictive
> policy.
> 
> I missed this part before.
> 
>> I've argued that it should be possible to do so for *any* dmarc policy,
>> even p=none, but that option is not present in mailman 3, at least.
> 
> I agree.
> spam filter is something that can use dkim fail and should not be ignored.
> 
> -- 
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Support bacteria - they're the only culture some people have.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220126/9a6c7082/attachment.htm>

More information about the bind-users mailing list