DKIM Failures cause posts from gmail users to not be relayed to the list

This is going to be a lengthy explanation, as I've spent a bit of time troubleshooting this issue. I am running Mailman 2.1.20 as part of a server running WHM/cpanel. The MTA is Exim. The MTA was configured to reject DKIM failures. The domain was configured to sign outgoing messages with DKIM. We noticed that when messages were posted by gmail users, they would appear in the list archives but they would not be delivered to any list members. Posts by other domains such as my custom office 365 domain worked fine and were delivered to everyone including gmail users.

Of course my first stop was the logs, and I saw entries like this in the smtp-failure log:

    Aug 11 22:06:50 2015 (3128) SMTP session failure: 550, DKIM: encountered the following problem validating gmail.com: signature_incorrect, msgid: <CAHtjcYNyqX8Na44GC9GKUsS=2FbS=HD1ofu3GqcJkZuRomwreQ@mail.gmail.com>
    Aug 11 22:06:50 2015 (3128) SMTP session failure: 550, DKIM: encountered the following problem validating gmail.com: signature_incorrect, msgid: <CAHtjcYNyqX8Na44GC9GKUsS=2FbS=HD1ofu3GqcJkZuRomwreQ@mail.gmail.com>

Thinking that our signing of DKIM was causing issues, I shut that off. That didn't change anything. So, next, thinking that the DMARC issues that have been plaguing the internet lately were to blame, I tried changing the DMARC_Moderation setting to munge. This failed to change the situation as well. I then attempted to set this setting to wrap message, which again did not fix the issue. At this point, I moved on to the from as list global setting, and tried munge here as well. This didn't work. Last, I tried wrap message, which did seem to work. Given the functionality issues this created, however, I decided to keep investigating. It was at this point that I decided to turn off DKIM failure rejection. I initially dismissed this course of action because I felt that changing the from as list setting to munge should have prevented this from becoming an issue.

Since the initial posts were making it to the web-based archives I figured the gmail signature was fine. I'm at a loss of where to go from here. I would like to still reject DKIM failures, but my mailing lists need to work properly as well. Does anyone have any suggestions or ideas on why the Munge setting didn't seem to have an impact?

On Wed, 12 Aug 2015 13:21:58 +0000 Peter Bossley <pete@bossley.me> wrote:

Hello Peter,

I'm far from being an expert regarding DKIM, DKMS and mailman, but what I can say is this:

*All* lists run from list.debian.org are to have their footers turned off because of valid DKIM signature breakage.

Maybe this is an option you could also explore.

See <https://lists.debian.org/debian-devel-announce/2015/08/msg00003.html> for the announcement. Sadly, very little in the way of details, but the poster of the message may be able to help you.

-- 
 Regards  _
         / )      "The blindingly obvious is
        / _)rad   never immediately apparent"
Drums quite good, bass is too loud, and I can't hear the words
Sound Of The Suburbs - Members

On Wed, 12 Aug 2015 10:04:14 -0400 Barry Warsaw <barry@list.org> wrote:

Hello Barry,

> FWIW, lists.debian.org does not run Mailman.

Fair enough. Seems to me to be less likely that Peter's problem is the same, as other list owners of Mailman-run lists would probably be reporting similar errors.

-- 
 Regards  _
         / )      "The blindingly obvious is
        / _)rad   never immediately apparent"
Sign away your life
Tin Soldiers - Stiff Little Fingers

On 08/12/2015 06:44 AM, Brad Rogers wrote:

> *All* lists run from list.debian.org are to have their footers turned off because of valid DKIM signature breakage.

In order to avoid DKIM signature breakage, you also have to turn off subject prefixing, content filtering, reply-to header munging and message headers.

See item 2) at <http://wiki.list.org/x/17891458> although the OP's issue is not with DMARC; it is with his own outgoing MTA being too fussy about a broken sig.

-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

On 08/12/2015 06:21 AM, Peter Bossley wrote:

> The MTA was configured to reject DKIM failures.

This is wrong and is the cause of your issue. See RFC 6376 <http://www.rfc-editor.org/rfc/rfc6376.txt> sec 4.4, sec 6.1 and sec 6.3.

The issue is your mail list transformations break gmail's DKIM signature and you are rejecting the outgoing mail because of the invalid signature, in spite of the fact that it may also contain a valid signature. Even if it doesn't also contain a valid signature, mail should not be rejected just because of an invalid DKIM signature. In most cases an invalid DKIM signature should be treated the same as no signature.

> The domain was configured to sign outgoing messages with DKIM.

OK.

> So, next, thinking that the DMARC issues that have been plaguing the internet lately were to blame, I tried changing the DMARC_Moderation setting to munge. This failed to change the situation as well.

This is not a DMARC issue per se as gmail's DMARC policy is p=none.

> I then attempted to set this setting to wrap message, which again did not fix the issue.

Because gmail's DMARC policy is p=none, dmarc_moderation_action won't apply to this mail.

> At this point, I moved on to the from as list global setting, and tried munge here as well. This didn't work. Last, I tried wrap message, which did seem to work.

Because the outer wrapper message only contains your DKIM signature. Gmail's is in the wrapped message which is part of the message body and not checked by your MTA.

> Given the functionality issues this created, however, I decided to keep investigating. It was at this point that I decided to turn off DKIM failure rejection. I initially dismissed this course of action because I felt that changing the from as list setting to munge should have prevented this from becoming an issue.

No. Turning off DKIM failure rejection or at least changing it to ignore a failure if there is also a valid DKIM sig present was the correct solution.

> Since the initial posts were making it to the web-based archives I figured the gmail signature was fine.

The sig was fine in the incoming mail, but transformations like subject prefixing and the addition of a message header or footer break the sig in the outgoing mail.

> I'm at a loss of where to go from here. I would like to still reject DKIM failures, but my mailing lists need to work properly as well. Does anyone have any suggestions or ideas on why the Munge setting didn't seem to have an impact?

All Munging the From: does is create one more failure in gmail's DKIM sig. This is not a DMARC issue. Do not reject messages just because they happen to contain one invalid DKIM sig. This is wrong. Read the RFC sections I refer to above.

-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
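The following Python script is an added illustration of the mechanism Mark describes; it is not code from this thread, from Mailman or from Exim. It models DKIM with RFC 6376 "relaxed" header and "simple" body canonicalization but replaces the RSA signature with an HMAC over constructed per-domain keys (TOY_KEYS) so it runs offline. The list name "talk", the domain lists.example.org, the sample post and all function names are assumptions. It shows that a subject prefix or From: munging invalidates the signed header hash (signature_incorrect), a footer invalidates the body hash, the list's own signature over the transformed message still verifies, and how the "reject on any failure" rule differs from ignoring a failure when a valid signature is present.

```python
import hashlib
import hmac
import re
from email.message import Message

# Constructed stand-in secrets for each signing domain's DKIM key. HMAC-SHA256
# replaces the RSA signature so the example runs without key material.
TOY_KEYS = {"gmail.com": b"constructed-gmail-key",
            "lists.example.org": b"constructed-list-key"}
SIGNED_HEADERS = ["from", "to", "subject", "date", "message-id"]


def _relaxed_header(name, value):
    """RFC 6376 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}"


def _simple_body(body):
    """RFC 6376 3.4.3 'simple' body canonicalization: CRLF line endings,
    trailing empty lines dropped, exactly one CRLF at the end."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return (body.rstrip("\r\n") + "\r\n").encode()


def _body_hash(msg):
    return hashlib.sha256(_simple_body(msg.get_payload())).hexdigest()


def _header_mac(msg, domain, header_names, bh):
    # Toy stand-in for the RSA signature over the canonicalized h= headers + bh.
    canon = "\r\n".join(_relaxed_header(h, msg[h]) for h in header_names if msg[h])
    return hmac.new(TOY_KEYS[domain], canon.encode() + bytes.fromhex(bh), "sha256").hexdigest()


def dkim_sign(msg, domain):
    """Append a DKIM-Signature-style header over SIGNED_HEADERS and the body."""
    bh = _body_hash(msg)
    b = _header_mac(msg, domain, SIGNED_HEADERS, bh)
    msg.add_header("DKIM-Signature",
                   f"v=1; d={domain}; h={':'.join(SIGNED_HEADERS)}; bh={bh}; b={b}")


def dkim_verify(msg):
    """Check every DKIM-Signature; return {domain: 'pass' or failure reason}."""
    results = {}
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in sig.split(";") if t.strip())
        domain = tags["d"]
        if tags["bh"] != _body_hash(msg):
            results[domain] = "body_hash_mismatch"   # body edited, e.g. a footer
        elif not hmac.compare_digest(
                _header_mac(msg, domain, tags["h"].split(":"), tags["bh"]), tags["b"]):
            results[domain] = "signature_incorrect"  # a signed header edited
        else:
            results[domain] = "pass"
    return results


def incoming_gmail_post():
    """Constructed sample post as it arrives at the list, signed by gmail.com."""
    msg = Message()
    msg["From"] = "Some User <someone@gmail.com>"
    msg["To"] = "talk@lists.example.org"
    msg["Subject"] = "DKIM question"
    msg["Date"] = "Wed, 12 Aug 2015 13:21:58 +0000"
    msg["Message-ID"] = "<constructed-id@mail.gmail.com>"
    msg.set_payload("Does the list break my signature?\n")
    dkim_sign(msg, "gmail.com")
    return msg


def apply_list_transforms(msg, subject_prefix, footer, munge_from):
    """The Mailman changes the thread names as signature breakers."""
    if subject_prefix:
        msg.replace_header("Subject", f"{subject_prefix} {msg['Subject']}")
    if munge_from:  # what 'Munge From' does to the signed From: header
        original = msg["From"]
        msg.replace_header("From", f"{original.split('<')[0].strip()} via talk <talk@lists.example.org>")
        msg["Reply-To"] = original
    if footer:
        msg.set_payload(msg.get_payload() + f"\n-- \n{footer}\n")


def reject_on_any_failure(results):
    """The OP's MTA rule: 550 whenever any DKIM signature fails to verify."""
    return any(r != "pass" for r in results.values())


def reject_unless_some_valid(results):
    """Mark's minimal relaxation: ignore a failure when another signature (the
    list's own) verifies. RFC 6376 sec 6.3 goes further: a failed signature is
    treated like an absent one, so unsigned mail is not rejected here either."""
    return "pass" not in results.values() and any(r != "pass" for r in results.values())


def relay_outcome(subject_prefix="[talk]", footer="talk mailing list", munge_from=False):
    """Push one gmail post through the list and report what each policy does."""
    msg = incoming_gmail_post()
    inbound = dkim_verify(msg)
    apply_list_transforms(msg, subject_prefix, footer, munge_from)
    dkim_sign(msg, "lists.example.org")  # the list domain signs outgoing mail
    outbound = dkim_verify(msg)
    return {"inbound": inbound, "outbound": outbound,
            "rejected_by_any_failure_rule": reject_on_any_failure(outbound),
            "rejected_by_rfc6376_rule": reject_unless_some_valid(outbound)}


if __name__ == "__main__":
    print(relay_outcome())
    print(relay_outcome(footer=None))
    print(relay_outcome(subject_prefix=None, footer=None, munge_from=True))
```

Running it shows the inbound gmail.com signature passing, the outbound copy failing on the gmail.com signature while the lists.example.org signature passes, and only the "any failure" rule rejecting the relay. Real DKIM also signs the DKIM-Signature header itself and uses RSA or Ed25519 keys published in DNS; the toy omits that without changing which transformations break the hash.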
