test - ignore

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Jan 26 16:14:49 UTC 2022


>> On Jan 25, 2022, at 8:50 AM, Benny Pedersen <me at junc.eu> wrote:
>> Authentication-Results: lists.isc.org;
>> 	dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
>> 	dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z

On 25.01.22 12:25, Dan Mahoney wrote:
> The headers you cite are lying to you.  :) The message passed DKIM on the
> way IN to lists.isc.org (the dedicated vm that runs our lists), but then,
> when the message got to the mailman python scripts and then shot back out
> via the MTA, they had an altered body and no longer passed, and the header
> was rewritten to say "fail".  (This is visible from the logging on the
> servers, but nowhere else).

there were multiple headers when that mail came here:

Authentication-Results: fantomas.fantomas.sk;
        dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=isc.org header.i=@isc.org header.b="q/vOEba5";
        dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=isc.org header.i=@isc.org header.b="ozeUkO/Z";
        dkim-atps=neutral
Authentication-Results: lists.isc.org;
        dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
        dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z

obviously when the mail came to list, DKIM was fine, not so after it left
(thanks to list signature)

>> will my dkim fail as well ?

it did...

> Altering the body or headers at all (which lists do) will often break the
> hashing.  For this reason, most recent versions of mailman have an option
> to rewrite your mail from:

[...]

>...but only in the event you have a restrictive DMARC policy. 

this explains why both your and Benny's mail did fail here, while Eduard's
did not - that one was signed by mailman because of his domains' restrictive
policy.

I missed this part before.

> I've argued that it should be possible to do so for *any* dmarc policy,
> even p=none, but that option is not present in mailman 3, at least.

I agree.
spam filter is something that can use dkim fail and should not be ignored.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Support bacteria - they're the only culture some people have.
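
The breakage discussed in this message, as an added example that is not part of the original mail and is not mailman or verifier code: a DKIM signature carries a hash of the canonicalized body (the `bh=` tag, RFC 6376), so relaxed canonicalization absorbs whitespace-only changes while an appended list footer changes the hash in either mode. The sample body, the footer and all function names are constructed for illustration.

```python
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Canonicalize a message body per RFC 6376, sections 3.4.3 and 3.4.4."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("mode must be 'simple' or 'relaxed'")
    body = re.sub(rb"\r?\n", b"\r\n", body)  # wire format uses CRLF
    if mode == "relaxed":
        # Collapse runs of SP/HTAB to one SP and drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
                 for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    while body.endswith(b"\r\n"):  # both modes ignore trailing empty lines
        body = body[:-2]
    if not body:
        # Empty body: relaxed hashes nothing, simple hashes a single CRLF.
        return b"" if mode == "relaxed" else b"\r\n"
    return body + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value a SHA-256 signer puts in bh= and a verifier recomputes."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def bh_survives(signed: bytes, received: bytes, mode: str = "relaxed") -> bool:
    """True if the body the verifier sees still matches the signed bh=."""
    return body_hash(signed, mode) == body_hash(received, mode)


# Constructed sample data, not taken from the thread.
SIGNED = b"Hello list,\r\n\r\nthis is a test - ignore.\r\n"
WHITESPACE_ONLY = b"Hello  list, \r\n\r\nthis is a\ttest - ignore.\r\n\r\n\r\n"
LIST_FOOTER = b"_______________________________________________\r\nexample-list mailing list\r\n"

if __name__ == "__main__":
    for name, received in [("unchanged", SIGNED),
                           ("whitespace only", WHITESPACE_ONLY),
                           ("footer appended", SIGNED + LIST_FOOTER)]:
        for mode in ("simple", "relaxed"):
            print(f"{name:16} {mode:8} bh match: {bh_survives(SIGNED, received, mode)}")
```

A body-hash mismatch is enough for a verifier to report `dkim=fail`; the check of the header signature (`b=`) is a separate step that this sketch does not cover.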

