Fwd: Fw: Use of DKIM on at-large mailing list
The short term fix is to add "REMOVE_DKIM_HEADERS = Yes" to mm_cfg.py
http://wiki.list.org/display/DEV/DKIM

OK, that will not generate the right DKIM sigs, but at least it will prevent Mailman from forwarding the original ones, and consequently generate false positives in spam filters.

Patrick

-------- Original Message --------
Subject: [At-Large] Fw: Use of DKIM on at-large mailing list
Date: Wed, 19 Nov 2008 11:32:21 +0100
From: "Olivier MJ Crepin-Leblond" <ocl@gih.com>
To: <at-large@atlarge-lists.icann.org>
Reply-To: At-Large Worldwide <at-large@atlarge-lists.icann.org>

Hello everyone,

sorry for posting this here, but I sent the enquiry to the at-large-owner address but received no reply, so I think this might have gotten lost or ended up in /dev/null..

In short: DKIM/DomainKeys is incorrectly set-up for atlarge-lists.icann.org

Warm regards,

Olivier

--
Olivier MJ Crepin-Leblond, Ph.D
Global Information Highway Ltd
http://www.gih.com/ocl.html

----- Original Message -----
From: "Olivier MJ Crepin-Leblond" <ocl@gih.com>
To: <at-large-owner@atlarge-lists.icann.org>
Sent: Wednesday, November 12, 2008 12:04 PM
Subject: Use of DKIM on at-large mailing list

Hello there,
I have noticed that you are using DKIM/DomainKeys on the at-large ICANN server. I think that it is great that you are embracing new technology. It is also great that the server supports TLS.
However, it appears that its implementation for domainkeys/DKIM on the mailing list does not work correctly.
At present:
- messages which are DKIM-signed keep their DKIM signature and therefore FAIL when received, because the at-large mailing list adds a footer (how to subscribe/unsubscribe), so the message has been tampered with
- messages which are not DKIM-signed become signed by the atlarge-lists.icann.org server. However, there is no entry for default._domainkey.atlarge-lists.icann.org key in the DNS.
What should really happen:
- the atlarge-lists.icann.org server should recognise when a domainkey is active & replace the incoming domainkey with its own domainkey if positive.
- atlarge-lists.icann.org should have an entry in the ICANN DNS for its key under: default._domainkey.atlarge-lists.icann.org
If you have any questions, don't hesitate to ask.
Warm regards,
Olivier
--
Olivier MJ Crepin-Leblond, Ph.D
Global Information Highway Ltd
http://www.gih.com/ocl.html

_______________________________________________
At-Large mailing list
At-Large@atlarge-lists.icann.org
http://atlarge-lists.icann.org/mailman/listinfo/at-large_atlarge-lists.icann...
At-Large Official Site: http://atlarge.icann.org

> OK, that will not generate the right DKIM sigs, but at least it will prevent Mailman from forwarding the original ones, and consequently generate false positives in spam filters.

The problem is that mailman has been adding signatures with keys that don't exist, so they can't be verified. The fix is quite simple, put the keys into ICANN's DNS server. There's no reason to remove existing signatures; any spam filter that pays attention to signatures that don't verify is hopelessly broken anyway.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.

PS: Don't argue. I wrote some of the DKIM standards, you know.
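
Added example, not part of the thread and not Mailman or ICANN code: a Python check of the two conditions discussed above, namely whether a forwarded author signature's bh= body hash still matches once the list footer is appended, and which DNS name a verifier queries for the list's own key. It covers only the body hash (RFC 6376 "simple" canonicalization, SHA-256) and the key record name, with no DNS lookup and no RSA verification. The sender domain, selector "mail", message body and PLACEHOLDER values are constructed for illustration.

```python
import base64
import hashlib

def canon_simple_body(body: bytes) -> bytes:
    """RFC 6376 "simple" body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes) -> str:
    """Value a signer using a=rsa-sha256 with simple body canonicalization puts in bh=."""
    return base64.b64encode(hashlib.sha256(canon_simple_body(body)).digest()).decode()

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, ignoring folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def key_record_name(tags: dict) -> str:
    """DNS name (TXT record) where a verifier looks up the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def body_still_matches(header_value: str, body: bytes) -> bool:
    """True if the body as received still hashes to the signed bh= value."""
    return parse_tags(header_value)["bh"] == body_hash(body)

# Constructed sample: a message signed by its author's domain (sender.example is made up).
ORIGINAL_BODY = b"Hello everyone,\r\n\r\nPlease see the agenda.\r\n"
SENDER_SIG = (
    "v=1; a=rsa-sha256; c=simple/simple; d=sender.example; s=mail;\r\n"
    f"\th=from:to:subject; bh={body_hash(ORIGINAL_BODY)}; b=PLACEHOLDER"
)
# The list appends its footer but forwards the author's signature header unchanged.
LIST_FOOTER = b"_______________________________________________\r\nAt-Large mailing list\r\n"
RELAYED_BODY = ORIGINAL_BODY + LIST_FOOTER
# Constructed tags for a signature added by the list server with selector "default".
LIST_SIG = "v=1; a=rsa-sha256; d=atlarge-lists.icann.org; s=default; bh=PLACEHOLDER; b=PLACEHOLDER"

if __name__ == "__main__":
    print("author signature, original body:", body_still_matches(SENDER_SIG, ORIGINAL_BODY))
    print("author signature, body + footer:", body_still_matches(SENDER_SIG, RELAYED_BODY))
    print("key record the list must publish:", key_record_name(parse_tags(LIST_SIG)))
```
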