[Bug 1645901] [NEW] DKIM signatures stripped from -owner messages with anonymous lists

Robert Mathews rob-launchpad.net at tigertech.com
Tue Nov 29 18:02:01 EST 2016


Public bug reported:

If a list is set to be an anonymous list, and a message is sent to the
-owner address, Mailman strips any existing DKIM header.

This means that if someone from a DMARC-restricted address (e.g.
yahoo.com) is sending a message that would get forwarded to an owner at
a DMARC-checking ISP (e.g. yahoo.com), the message is rejected: it fails
the DMARC check due to non-matching SPF and missing DKIM headers. If the
DKIM header was left intact, it should work, since Mailman didn't modify
the body for an -owner message.

It makes privacy sense to always strip DKIM headers on messages that
will be posted to an anonymous list. And it can work out okay because
DMARC munging mitigation can be applied afterwards.

But it doesn't seem to make sense to do the same for -owner messages on
anonymous lists. Mailman doesn't apply other anonymous list
modifications, like hiding the "From:" header, for -owner messages, as
far as I can tell.

This happens, by the way, due to Defaults.py:

# This is the pipeline which messages sent to the -owner address go through
OWNER_PIPELINE = [
    'SpamDetect',
    'Replybot',
    'CleanseDKIM',
    'OwnerRecips',
    'ToOutgoing',
    ]

Is 'CleanseDKIM' really helpful in this -owner flow? Removing it would
solve this problem. Alternately, perhaps CleanseDKIM could be taught to
exempt -owner addresses on anonymous lists.

** Affects: mailman
     Importance: Undecided
         Status: New


** Tags: dkim dmarc

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1645901
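
The DMARC failure described in the report can be reproduced with a simplified alignment check. This is an added example, not code from the report or from Mailman. The sample message, the host lists.example.org and all function names are constructed, the organizational domain is approximated by the last two labels, and SPF and any DKIM signature present are assumed to verify.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an -owner message from a DMARC-restricted domain.
RAW = """\
From: Alice <alice@yahoo.com>
To: example-list-owner@lists.example.org
Subject: question for the list owner
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=constructed;
 bh=CONSTRUCTED; b=CONSTRUCTED

Hello
"""

def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_domains(msg):
    """Return the d= domain of every DKIM-Signature header on the message."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
        if "d" in tags:
            found.append(tags["d"].strip())
    return found

def dmarc_passes(msg, spf_domain):
    """Relaxed alignment only: SPF is assumed to pass for spf_domain and
    every signature present is assumed to verify (body unmodified)."""
    author = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    spf_aligned = org_domain(spf_domain) == author
    dkim_aligned = any(org_domain(d) == author for d in dkim_domains(msg))
    return spf_aligned or dkim_aligned

def strip_dkim(msg):
    # Stand-in for the header removal described in the report.
    del msg["DKIM-Signature"]
    return msg

def forward_to_owner(strip):
    """Forward the sample with the list host as envelope sender domain."""
    msg = message_from_string(RAW)
    if strip:
        strip_dkim(msg)
    return dmarc_passes(msg, "lists.example.org")

if __name__ == "__main__":
    print("signature kept:    ", forward_to_owner(strip=False))
    print("signature stripped:", forward_to_owner(strip=True))
```

SPF never aligns for the forwarded copy because the envelope sender belongs to the list host, so the surviving DKIM signature is the only path to a DMARC pass.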
