[Bug 1645901] [NEW] DKIM signatures stripped from -owner messages with anonymous lists
Public bug reported: If a list is set to be an anonymous list, and a message is sent to the -owner address, Mailman strips any existing DKIM header. This means that if someone from a DMARC-restricted address (e.g. yahoo.com) is sending a message that would get forwarded to an owner at a DMARC-checking ISP (e.g. yahoo.com), the message is rejected: it fails the DMARC check due to non-matching SPF and missing DKIM headers. If the DKIM header was left intact, it should work, since Mailman didn't modify the body for an -owner message. It makes privacy sense to always strip DKIM headers on messages that will be posted to an anonymous list. And it can work out okay because DMARC munging mitigation can be applied afterwards. But it doesn't seem to make sense to do the same for -owner messages on anonymous lists. Mailman doesn't apply other anonymous list modifications, like hiding the "From:" header, for -owner messages, as far as I can tell. This happens, by the way, due to Defaults.py: # This is the pipeline which messages sent to the -owner address go through OWNER_PIPELINE = [ 'SpamDetect', 'Replybot', 'CleanseDKIM', 'OwnerRecips', 'ToOutgoing', ] Is 'CleanseDKIM' really helpful in this -owner flow? Removing it would solve this problem. Alternately, perhaps CleanseDKIM could be taught to exempt -owner addresses on anonymous lists. ** Affects: mailman Importance: Undecided Status: New ** Tags: dkim dmarc -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1645901 Title: DKIM signatures stripped from -owner messages with anonymous lists To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1645901/+subscriptions
** Branch linked: lp:mailman/2.1 -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1645901 Title: DKIM signatures stripped from -owner messages with anonymous lists To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1645901/+subscriptions
Thanks for your report. I agree that CleanseDKIM should not be in OWNER_PIPELINE and I have removed it for the next release. In the mean time, you can always put OWNER_PIPELINE.remove('CleanseDKIM') in mm_cfg.py. ** Changed in: mailman Importance: Undecided => Medium ** Changed in: mailman Status: New => Fix Committed ** Changed in: mailman Milestone: None => 2.1.24 ** Changed in: mailman Assignee: (unassigned) => Mark Sapiro (msapiro) -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1645901 Title: DKIM signatures stripped from -owner messages with anonymous lists To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1645901/+subscriptions
** Changed in: mailman Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/1645901 Title: DKIM signatures stripped from -owner messages with anonymous lists To manage notifications about this bug go to: https://bugs.launchpad.net/mailman/+bug/1645901/+subscriptions
participants (3)
-
Launchpad Bug Tracker
-
Mark Sapiro
-
Robert Mathews