test - ignore

Dan Mahoney dmahoney at isc.org
Tue Jan 25 20:25:44 UTC 2022



> On Jan 25, 2022, at 8:50 AM, Benny Pedersen <me at junc.eu> wrote:
> 
> On 2022-01-25 17:45, Greg Choules wrote:
>> Hello.
> 
> Authentication-Results: lists.isc.org;
> 	dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
> 	dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
> 
> dont know why it failed

I may as well answer this since other people chimed in on the test message.  I'm Dan Mahoney, ISC's sysadmin who runs most of our mail systems, and, coincidentally, also do some work with the Trusted Domain Project on opendkim and opendmarc.

The headers you cite are lying to you.  :) The message passed DKIM on the way IN to lists.isc.org (the dedicated VM that runs our lists), but then, when the message got to the mailman python scripts and then shot back out via the MTA, it had an altered body and no longer passed, and the header was rewritten to say "fail".  (This is visible from the logging on the servers, but nowhere else).

The solution here is that lists.isc.org should only be running in "signer" mode, and not verifying anything (we verify messages on our MXes, and make the decisions there to reject if DMARC says to do so).  The only things that lists.isc.org will sign are things that it generates itself (i.e. things from the lists.isc.org domain).

> 
> will my dkim fail as well ?

Re: DKIM failure, both SPF and DKIM are well known to be broken by mailing lists.  So if you're running a DMARC-enforced domain with a policy of p=reject, it's possible that mail you send via a list will be rejected.

Altering the body or headers at all (which lists do) will often break the hashing.  For this reason, most recent versions of mailman have an option to rewrite your mail from:

From: "Benny Pedersen" <you(at)example.com>

...to...

From: "Benny Pedersen via bind-users" <bind-users(at)lists.isc.org>
Reply-To: "Benny Pedersen" <you(at)example.com>
Cc: bind-users at lists.isc.org

...but only in the event you have a restrictive DMARC policy.  I've argued that it should be possible to do so for *any* DMARC policy, even p=none, but that option is not present in mailman 3, at least.

Here at ISC, we have a little bit of a cheat -- messages *we* send to bind-users will pass SPF, because lists.isc.org is in our SPF list.

The upcoming "better" solution for this is ARC: basically a way for lists.isc.org to assert "This thing passed muster when it entered our borders, trust us".

-Dan Mahoney

> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
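Added illustration, not part of Dan's message or of Mailman or OpenDKIM: the script below implements RFC 6376 "relaxed" body canonicalization and the bh= body hash, shows that the list footer appended on the way back out changes that hash (which is why the list-side verifier rewrote the result to "fail"), and models the Mailman-style From rewriting described above, applied only when the sender's DMARC policy is quarantine or reject. The sample body ("Hello.") and footer text are constructed from the quoted thread; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re
from email.utils import formataddr, parseaddr

# Added example (not from the message above): why a list footer breaks a
# DKIM body hash, and what Mailman's From rewriting does about DMARC.


def relaxed_body_canonicalize(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization.

    Trailing whitespace on each line is dropped, runs of whitespace inside a
    line collapse to a single space, empty lines at the end of the body are
    ignored, and a non-empty body ends with exactly one CRLF.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    canon = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while canon and canon[-1] == "":
        canon.pop()
    if not canon:
        return b""
    return ("\r\n".join(canon) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """Base64 SHA-256 of the canonicalized body: the bh= tag of DKIM-Signature."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(body: str, expected_bh: str) -> bool:
    """A verifier's comparison of the received body against the signer's bh=."""
    return hmac.compare_digest(body_hash(body), expected_bh)


# Constructed sample: the body as the author signed it, and the footer the
# list software appends before redistributing the message.
SIGNED_BODY = "Hello.\r\n"
LIST_FOOTER = (
    "_______________________________________________\r\n"
    "Please visit https://lists.isc.org/mailman/listinfo/bind-users "
    "to unsubscribe from this list\r\n"
)


def footer_breaks_body_hash() -> bool:
    """True when the appended footer makes the original bh= fail to verify."""
    bh_at_signing = body_hash(SIGNED_BODY)
    return not body_hash_matches(SIGNED_BODY + LIST_FOOTER, bh_at_signing)


def rewrite_from_for_list(headers: dict, list_name: str, list_addr: str,
                          dmarc_policy: str) -> dict:
    """Mailman-style From rewriting, applied only for a restrictive DMARC policy.

    The author moves to Reply-To and From becomes "Name via list" at the
    list's own address, so the list's own signature and SPF cover the
    message it redistributes.  For p=none the headers come back unchanged,
    matching the behaviour described in the thread.
    """
    if dmarc_policy.lower() not in ("quarantine", "reject"):
        return dict(headers)
    name, addr = parseaddr(headers["From"])
    out = dict(headers)
    out["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    out["Reply-To"] = formataddr((name, addr))
    out["Cc"] = list_addr
    return out


if __name__ == "__main__":
    print("bh= at signing:", body_hash(SIGNED_BODY))
    print("bh= after footer:", body_hash(SIGNED_BODY + LIST_FOOTER))
    print("footer breaks signature:", footer_breaks_body_hash())
    sample = {"From": '"Benny Pedersen" <you@example.com>'}
    for policy in ("none", "reject"):
        print(policy, "->", rewrite_from_for_list(sample, "bind-users",
                                                  "bind-users@lists.isc.org",
                                                  policy))
```

Relaxed canonicalization is tolerant of trailing blank lines and whitespace changes, which is why a lone CRLF fixup does not break a signature, but any footer or body text the list adds does. Note that this example covers only the bh= body hash; the header hash in the b= tag is broken separately whenever a signed header (Subject with a list tag, for instance) is changed.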
