[Mailman-Users] DKIM Failures cause posts from gmail users to not be relayed to the list

Peter Bossley pete at bossley.me
Wed Aug 12 15:21:58 CEST 2015 

This is going to be a lengthy explanation, as I've spent a bit of time troubleshooting this issue.
I am running Mailman 2.1.20 as part of a server running WHM/cpanel.
The MTA is Exim.
The MTA was configured to reject DKIM failures.
The domain was configured to sign outgoing messages with DKIM.
We noticed that when messages were posted by gmail users, they would appear in the list archives but they would not be delivered to any list members. Posts by other domains such as my custom office 365 domain worked fine and were delivered to everyone including gmail users.
Of course my first stop was the logs, and I saw entries like this in the smtp-failure log:
Aug 11 22:06:50 2015 (3128) SMTP session failure: 550, DKIM: encountered the following problem validating gmail.com:
signature_incorrect, msgid: <CAHtjcYNyqX8Na44GC9GKUsS=2FbS=HD1ofu3GqcJkZuRomwreQ at mail.gmail.com>
Aug 11 22:06:50 2015 (3128) SMTP session failure: 550, DKIM: encountered the following problem validating gmail.com:
signature_incorrect, msgid: <CAHtjcYNyqX8Na44GC9GKUsS=2FbS=HD1ofu3GqcJkZuRomwreQ at mail.gmail.com>
Thinking that our signing of DKIM was causing issues, I shut that off. That didn't change anything.
So, next, thinking that the DMARC issues that have been plaguing the internet lately were to blame, I tried changing the DMARC_Moderation setting to munge. This failed to change the situation as well.
I then attempted to set this setting to wrap message, which again did not fix the issue.
At this point, I moved on to the from as list global setting, and tried munge here as well. This didn't work.
Last, I tried wrap message, which did seem to work. Given the functionality issues this created, however, I decided to keep investigating.
It was at this point that I decided to turn off DKIM failure rejection. I initially dismissed this course of action because I felt that changing the from as list setting to munge should have prevented this from becoming an issue. Since the initial posts were making it to the web-based archives I figured the gmail signature was fine.
I'm at a loss of where to go from here. I would like to still reject DKIM failures, but my mailing lists need to work properly as well. Does anyone have any suggestions or ideas on why the Munge setting didn't seem to have an impact?

More information about the Mailman-Users mailing list