Re: [Mailman-Developers] Dealing with DomainKeys and DKIM
Joe Peterson Sat, 10 Sep 2005 12:03:55 -0700
I've recently been testing DomainKeys (http://antispam.yahoo.com/domainkeys) and DKIM (which is supposedly a merging of DomainKeys with Cisco's scheme). I am using dk-milter and dkim-milter with sendmail. What this does is add two header lines to outgoing email that allow the receiver to determine the authenticity of the sender...
Anyway, since I run a Mailman system too, I figured this might be a problem. Indeed it is, since the header lines get passed through, and when the check is done, it indicates a failure. DomainKeys recommends mail lists regenerate the keys rather than pass them through.
What I tried was pretty simple: Mailman doesn't have to deal with these things itself, but if it strips the old keys from the header, the keys will be regenerated on the way out by the MTA, thereby making the whole process clean. So the receiver of the email can at least verify that the mail came from the host hosting Mailman. I suppose Mailman could also check email on the way in for valid keys if it wanted, but that's another subject...
I patched Handlers/Cleanse.py as follows:
49a50,55
# JGP: Remove all "DomainKeys" type header lines, since we want these # to be regenerated by the MTA when this message is sent out. We need # to let new such keys be generated because Mailman alters the
message,
# and the old keys would be seen as invalid by the receiver. del msg['domainkey-signature'] del msg['dkim-signature']
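Review bot: the two del msg[...] statements at the end of the hunk hard-code the header names and only take effect where the Cleanse.py handler runs, so any delivery path that skips this handler will still pass the stale signatures through. Consider moving the removal into a small handler of its own, driven by a configurable list of header names, so it can be added to every pipeline that needs it. The "JGP:" tag in the comment should also be dropped before this is merged.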
I wanted to pass this by the developers here and see if:
This is a reasonable thing to do (or maybe have an option, or even a way to strip selected headers in the config?)
If this is the right place to do it.
-Thanks, Joe
Good day all,
I have recently started using dkim-milter myself, and I have made these adjustments to my Cleanse.py to get around this very problem and it works great, although I have another little problem.....
When I send a mail to list-owner@mysite, if there is a dkim-signature already in the header (in my case my mail is signed) my dkim-milter tries to verify it instead of signing it on the way back out to the list owner. I hope that makes sense.
Basically I would like to know what I can edit to remove the dkim-signature from ALL incoming mail, not just mail to be bounced to the list.
Thanks in advance
Martin Airs (Camberwell)
At 3:01 AM +0000 2006-01-15, Camberwell wrote:
Anyway, since I run a Mailman system too, I figured this might be a problem. Indeed it is, since the header lines get passed through, and when the check is done, it indicates a failure. DomainKeys recommends mail lists regenerate the keys rather than pass them through.
Did you check Mailman version 2.1.7? It was released recently and I believe that handling DomainKeys/DKIM was one of the things that was addressed.
-- Brad Knowles, <brad@stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.
Brad Knowles wrote:
Did you check Mailman version 2.1.7? It was released recently and I believe that handling DomainKeys/DKIM was one of the things that was addressed.
Brad is correct, but it is addressed exactly as described in the OP, namely by modifying Cleanse.py to delete 'domainkey-signature' and 'dkim-signature' headers from the message.
The problem with this is that 'Cleanse' is not in OWNER_PIPELINE so the headers don't get deleted from messages to listname-owner.
There are a couple of possibilities to address this. The first is easy, but wrong. Add
OWNER_PIPELINE.insert(1,'Cleanse')
to mm_cfg.py to add 'Cleanse' after 'SpamDetect' in OWNER_PIPELINE. The reason this is wrong is that if a list is anonymous, the owner will have to refer to the 'post' log to find out who the message was from as Cleanse will replace From: and Reply-To: with the list address and remove Sender: and X-Originating-Email:.
A better idea is to remove the 'domainkey-signature' and 'dkim-signature' headers in ToOutgoing.py which should get them out of all messages.
-- Mark Sapiro <msapiro@value.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
On Jan 15, 2006, at 11:10 AM, Mark Sapiro wrote:
Brad Knowles wrote:
Did you check Mailman version 2.1.7? It was released recently and I believe that handling DomainKeys/DKIM was one of the things that was addressed.
Brad is correct, but it is addressed exactly as described in the OP, namely by modifying Cleanse.py to delete 'domainkey-signature' and 'dkim-signature' headers from the message.
The problem with this is that 'Cleanse' is not in OWNER_PIPELINE so the headers don't get deleted from messages to listname-owner.
There are a couple of possibilities to address this. The first is easy, but wrong. Add
OWNER_PIPELINE.insert(1,'Cleanse')
to mm_cfg.py to add 'Cleanse' after 'SpamDetect' in OWNER_PIPELINE.
The reason this is wrong is that if a list is anonymous, the owner will have to refer to the 'post' log to find out who the message was from as Cleanse will replace From: and Reply-To: with the list address and remove Sender: and X-Originating-Email:.
A better idea is to remove the 'domainkey-signature' and 'dkim-signature' headers in ToOutgoing.py which should get them out of all messages.
Or to add a simpler handler (maybe something called CleanseDKIM.py?)
and add that to OWNER_PIPELINE, possibly refactoring out those from
Cleanse.py so we don't duplicate code.
-Barry
Camberwell wrote:
I have added that line to my mm_cfg.py and it works perfectly, thank you very much. Sorry, I'm not brilliant at Python, but how might I go about removing the signatures in ToOutgoing.py? Your first solution works fine for me as my list will never be anonymous, so thanks again.
You could add the following (watch out for wrapped lines)
    # Remove any "DomainKeys" (or similar) header lines. The values contained
    # in these header lines are intended to be used by the recipient to detect
    # forgery or tampering in transit, and the modifications made by Mailman
    # to the headers and body of the message will cause these keys to appear
    # invalid. Removing them will at least avoid this misleading result, and
    # it will also give the MTA the opportunity to regenerate valid keys
    # originating at the Mailman server for the outgoing message.
    del msg['domainkey-signature']
    del msg['dkim-signature']
immediately following the line
def process(mlist, msg, msgdata):
in Mailman/Handlers/ToOutgoing.py.
Note to developers:
It seems we should move this from Cleanse.py to ToOutgoing.py for exactly the reasons expressed earlier in this thread, but I'm a little uneasy about mucking with headers in ToOutgoing as that isn't its purpose. Any comments?
-- Mark Sapiro <msapiro@value.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Mark Sapiro wrote:
Note to developers:
It seems we should move this from Cleanse.py to ToOutgoing.py for exactly the reasons expressed earlier in this thread, but I'm a little uneasy about mucking with headers in ToOutgoing as that isn't its purpose. Any comments?
And Barry Warsaw commented previously:
Or to add a simpler handler (maybe something called CleanseDKIM.py?) and add that to OWNER_PIPELINE, possibly refactoring out those from Cleanse.py so we don't duplicate code.
Barry's comment seems to me to be the way to go. I'll work up a patch.
-- Mark Sapiro <msapiro@value.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
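The stand-alone handler idea discussed above, sketched as an added example that is not part of the thread and is not Mailman's own code. It uses the process(mlist, msg, msgdata) signature quoted in the thread and shows, on a constructed message, why a list footer invalidates a DKIM body hash; relay_through_list, simple_body_hash and the sample addresses are assumptions made for the illustration.

```python
import base64
import hashlib
from email import message_from_string

# Header names from the thread; Mailman's changes invalidate both.
SIGNATURE_HEADERS = ('domainkey-signature', 'dkim-signature')


def process(mlist, msg, msgdata):
    """Handler entry point, same signature as the one quoted in the thread."""
    for name in SIGNATURE_HEADERS:
        # Message.__delitem__ matches case-insensitively, removes every
        # occurrence, and does nothing when the header is absent.
        del msg[name]


def simple_body_hash(body):
    """DKIM bh= value: 'simple' body canonicalization + SHA-256 (RFC 6376)."""
    data = body.replace('\r\n', '\n').replace('\n', '\r\n').encode('ascii')
    # Trailing empty lines are ignored; the body ends in exactly one CRLF.
    data = data.rstrip(b'\r\n') + b'\r\n'
    return base64.b64encode(hashlib.sha256(data).digest()).decode('ascii')


# Constructed sample message; the signature values are placeholders.
SAMPLE = (
    "From: alice@example.org\n"
    "Subject: hello\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "dkim-signature: v=1; a=rsa-sha256; d=relay.example; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DomainKey-Signature: a=rsa-sha1; d=example.org; b=PLACEHOLDER\n"
    "\n"
    "Body text.\n"
)


def relay_through_list(raw):
    """Stand-in for the list's edits (subject prefix, footer), then the strip."""
    msg = message_from_string(raw)
    bh_as_signed = simple_body_hash(msg.get_payload())
    msg.replace_header('Subject', '[list] ' + msg['Subject'])
    msg.set_payload(msg.get_payload() + '-- \nlist footer\n')
    bh_as_relayed = simple_body_hash(msg.get_payload())
    process(None, msg, {})
    return bh_as_signed, bh_as_relayed, msg


if __name__ == '__main__':
    signed, relayed, out = relay_through_list(SAMPLE)
    print('body hash changed:', signed != relayed)
    print(out.as_string())
```

Because the handler touches only the two signature headers, it leaves From:, Reply-To: and Sender: alone, which is the property the thread wants for messages to listname-owner.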
participants (4): Barry Warsaw, Brad Knowles, Camberwell, Mark Sapiro