dovecot - Oct 2022 - dovecot mailing list (this mailing list), DKIM, SPF and DMARC

hi at zakaria.website skrev den 2022-09-13 14:03:
> least to must pass Signature Verification. Have anyone managed to
> configure EXIM to verify more than one DKIM Signature header?
postfix smtpd_milter_maps with a list of ips that is known maillists ips 
is best for software that are brokken, use DISABLE as results pr ip that 
is maillist ips, that will disabled opendmarc and other milters when 
client ip is a maillist, postfix be happy until trusted domain have 
updated and stable milters

use rspamd if possible, with is imho the only stable milters with solve 
it all, i hate to write that but it might be right for time being, while 
spamassassin v4 is on the way

On 2022-09-13 14:10, Benny Pedersen wrote:
> hi at zakaria.website skrev den 2022-09-13 14:03:
> 
>> least to must pass Signature Verification. Have anyone managed to
>> configure EXIM to verify more than one DKIM Signature header?
> 
> postfix smtpd_milter_maps with a list of ips that is known maillists 
> ips is best for software that are brokken, use DISABLE as results pr ip 
> that is maillist ips, that will disabled opendmarc and other milters 
> when client ip is a maillist, postfix be happy until trusted domain 
> have updated and stable milters
> 
> use rspamd if possible, with is imho the only stable milters with solve 
> it all, i hate to write that but it might be right for time being, 
> while spamassassin v4 is on the way

Disabling DKIM Verification it doesnt seem to be a difficult matter in 
EXIM per IPs list from a file too, and not sure about migrating to 
Postfix as I am interested in a workaround over than shoving the problem 
under the carpet ( not intending any offensive language ). I think 
dovecot mailing list is well built and its working as it should but we 
should be able to check if email its from mailing list, then expect more 
than one header of signature to be attempted with verification.

On 2022-09-13 13:10, Benny Pedersen wrote:
> hi at zakaria.website skrev den 2022-09-13 14:03:
> 
>> least to must pass Signature Verification. Have anyone managed to
>> configure EXIM to verify more than one DKIM Signature header?
> 
> postfix smtpd_milter_maps with a list of ips that is known maillists 
> ips is best for software that are brokken, use DISABLE as results pr ip 
> that is maillist ips, that will disabled opendmarc and other milters 
> when client ip is a maillist, postfix be happy until trusted domain 
> have updated and stable milters
> 
> use rspamd if possible, with is imho the only stable milters with solve 
> it all, i hate to write that but it might be right for time being, 
> while spamassassin v4 is on the way
Another update yet with a solution.

I found the causing issue with DKIM and DMARC failure when a signed 
email pass through mailing list such as dovecot as I expected, it has 
nothing to do with the mailing list but it's to do with DKIM signing 
headers set. It's due to one of or several headers in the DKIM signing 
set, getting added or modified after signing at dovecot end.

Anyhow, here is the DKIM signing headers set in this mailing list, that 
it should work and it will prevent the batch of DMARC emails and bad 
signature from happening again.

from:from:reply-to:date:date:message-id:message-id:to:to:cc:
      mime-version:mime-version:content-type:content-type:
      in-reply-to:in-reply-to:references:references

Thanks to my friend who didnt need a credit, and helped me out in 
reaching this solution.

Zakaria.