hi at zakaria.website
2022-Oct-11 11:42 UTC
dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-09-13 13:10, Benny Pedersen wrote:
> hi at zakaria.website wrote on 2022-09-13 14:03:
>
>> least to must pass Signature Verification. Have anyone managed to
>> configure EXIM to verify more than one DKIM Signature header?
>
> postfix smtpd_milter_maps with a list of ips that is known maillists
> ips is best for software that are broken, use DISABLE as results per ip
> that is maillist ips, that will disabled opendmarc and other milters
> when client ip is a maillist, postfix be happy until trusted domain
> have updated and stable milters
>
> use rspamd if possible, which is imho the only stable milters which solve
> it all, i hate to write that but it might be right for time being,
> while spamassassin v4 is on the way

Another update yet with a solution.

I found the causing issue with DKIM and DMARC failure when a signed email passes through mailing list such as dovecot as I expected, it has nothing to do with the mailing list but it's to do with DKIM signing headers set. It's due to one of or several headers in the DKIM signing set, getting added or modified after signing at dovecot end.

Anyhow, here is the DKIM signing headers set in this mailing list, that it should work and it will prevent the batch of DMARC emails and bad signature from happening again.

from:from:reply-to:date:date:message-id:message-id:to:to:cc:
    mime-version:mime-version:content-type:content-type:
    in-reply-to:in-reply-to:references:references

Thanks to my friend who didn't need a credit, and helped me out in reaching this solution.

Zakaria.
Benny Pedersen
2022-Oct-11 13:05 UTC
dovecot mailing list (this mailing list), DKIM, SPF and DMARC
hi at zakaria.website wrote on 2022-10-11 13:42:
> On 2022-09-13 13:10, Benny Pedersen wrote:
>> hi at zakaria.website wrote on 2022-09-13 14:03:

> from:from:reply-to:date:date:message-id:message-id:to:to:cc:
> mime-version:mime-version:content-type:content-type:
> in-reply-to:in-reply-to:references:references
>
> Thanks to my friend who didn't need a credit, and helped me out in
> reaching this solution.

i have no friends, but it might be related

https://gitlab.com/fumail/fuglu/-/issues/262

with my conservative list of signed headers it pass
Dave McGuire
2022-Oct-12 18:28 UTC
dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 10/11/22 07:42, hi at zakaria.website wrote:
> Another update yet with a solution.
>
> I found the causing issue with DKIM and DMARC failure when a signed
> email passes through mailing list such as dovecot as I expected, it has
> nothing to do with the mailing list but it's to do with DKIM signing
> headers set. It's due to one of or several headers in the DKIM signing
> set, getting added or modified after signing at dovecot end.
>
> Anyhow, here is the DKIM signing headers set in this mailing list, that
> it should work and it will prevent the batch of DMARC emails and bad
> signature from happening again.
>
> from:from:reply-to:date:date:message-id:message-id:to:to:cc:
>     mime-version:mime-version:content-type:content-type:
>     in-reply-to:in-reply-to:references:references

Please forgive me for jumping in, but I just noticed this. I (like many others) have issues with mailing lists and the flurry of DMARC emails after posting. I'm using OpenDKIM.

There's a lot of material out there about proper configuration of DKIM, but nothing really definitive, with lots of "it depends on your requirements" type of noncommittal crap. Email use cases don't differ THAT much.

So does what you said above mean that you've come up with a working configuration to address the issue of mailing lists causing DKIM to barf due to header modifications? If so, can you tell me more about specifically what you're doing, like which headers you're signing and how?

I've been at my wits' end with this for some time; DKIM (and SPF etc etc) seem to be really quite awful overall.

Thanks,
-Dave

-- 
Dave McGuire, AK4HZ
New Kensington, PA
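
Added example, not part of any message in this thread: a Python sketch of how a DKIM verifier selects headers from an `h=` list (RFC 6376 section 5.4.2, last instance first, with surplus names signed as "absent"), used to check which signed headers a list's changes would invalidate. The two messages, the `[list]` subject tag and the `List-Id` header are constructed assumptions about a list's behaviour, and the body hash and full canonicalization are not modelled.

```python
import re
from email import message_from_string

# Signed-header list quoted in the thread (value of the DKIM h= tag).
H_TAG = ("from:from:reply-to:date:date:message-id:message-id:to:to:cc:"
         "mime-version:mime-version:content-type:content-type:"
         "in-reply-to:in-reply-to:references:references")

# Constructed sample: the message as signed by the sender ...
SENT = """\
From: alice@example.org
To: list@example.org
Date: Tue, 11 Oct 2022 11:42:00 +0000
Message-ID: <1@example.org>
Subject: DKIM question
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

body
"""
# ... and as redistributed by a hypothetical list that tags Subject and adds List-Id.
RECEIVED = "List-Id: <list.example.org>\n" + SENT.replace("Subject: ", "Subject: [list] ")

def signed_view(raw, h_tag):
    """Return [(name, value or None)] in the order the h= tag selects headers."""
    remaining = {}
    for name, value in message_from_string(raw).items():
        remaining.setdefault(name.lower(), []).append(re.sub(r"\s+", " ", value).strip())
    view = []
    for name in (n.strip().lower() for n in h_tag.split(":") if n.strip()):
        stack = remaining.get(name, [])
        # Bottom-most unused instance; None means "signed as absent" (oversigning).
        view.append((name, stack.pop() if stack else None))
    return view

def broken_headers(sent, received, h_tag=H_TAG):
    """Names of signed headers whose selected value differs after transit."""
    before, after = signed_view(sent, h_tag), signed_view(received, h_tag)
    return sorted({n for (n, a), (_, b) in zip(before, after) if a != b})

if __name__ == "__main__":
    print(broken_headers(SENT, RECEIVED))                      # thread's h= list
    print(broken_headers(SENT, RECEIVED, H_TAG + ":subject"))  # same list plus subject
```

Because `cc`, `reply-to`, `in-reply-to` and `references` are listed while absent from the constructed message, a hop that later adds any of them would also change the signed view.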