Closed Bug 657399 Opened 13 years ago Closed 3 years ago

Mozilla list server should rewrite (or remove) DKIM headers, if it modifies the body (or headers) of the message

Categories

(Infrastructure & Operations :: Infrastructure: Mail, task)


Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: ehsan.akhgari, Unassigned)

Details

Otherwise, messages with valid DKIM headers which are forwarded through our list server could be misclassified as spam because of having invalid DKIM headers.

This happens when posting to the lists from gmail for example.
Over to Dave for comments.
Assignee: server-ops → justdave
Note that DKIM signatures are calculated based on some headers and the body.
So, changing headers might be the culprit, too.

I performed a couple of tests, minimizing a failing message.

Even after removing the "plaintext signature" (the trailing 4 lines with the listname and link to mailman), the DKIM signature verification still failed.

As a next test, I asked Ehsan to send me a minimal test message from gmail.
What I received was a multipart (html, plain) message.

However, the messages from Ehsan distributed by the mailinglist are plain, only.

I suspect that mailman stripped away the html part, and resent only the plain part, and obviously modified both the body and the content-type/-encoding headers.

...

Related: jcranmer on IRC said:

"there is apparently a config in mailman that can tell it to strip DKIM headers"

Also, he gave me a link to this bug:

https://bugs.launchpad.net/mailman/+bug/557493
Summary: Mozilla list server should rewrite DKIM headers because it modifies the body of the message → Mozilla list server should rewrite (or remove) DKIM headers, if it modifies the body (or headers) of the message
I think we should go for the hotfix to strip the header.

A complete solution would require to "verify signature", remember status, check if rewrite message is necessary. If no rewrite necessary, keep the dkim. Else: strip dkim, if there was a valid signature, produce a new dkim signature.

Until we have that, we should strip.
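
The body-hash half of the "check if rewrite message is necessary" step from the comment above, as an added example that is not part of the bug thread or Mailman's own code: it recomputes the DKIM `bh=` value (RFC 6376 body canonicalization) for the body the list is about to send and reports whether the signature can be kept or has to be stripped. The message, footer, domain and `b=` value are constructed placeholders; verifying the signature itself (key lookup, signed headers) is assumed to happen separately.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space and drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body, as stored in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def tag(sig: str, name: str) -> str:
    """Value of one tag in a DKIM-Signature header value, folding whitespace removed."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*=([^;]*)", sig)
    return re.sub(r"\s+", "", m.group(1)) if m else ""

def list_action(sig: str, outgoing_body: bytes) -> str:
    """'keep' if the body the list sends out still matches bh=, otherwise 'strip'."""
    # c= is header/body; a missing body part (or a missing tag) means "simple".
    mode = (tag(sig, "c").split("/") + ["simple"])[1] or "simple"
    return "keep" if body_hash(outgoing_body, mode) == tag(sig, "bh") else "strip"

# Constructed sample data (not taken from the bug): a signed body, a
# Mailman-style four-line footer, and a signature with a placeholder b= value.
ORIGINAL = b"Hello list,\r\n\r\nplease review the patch. \r\n\r\n"
FOOTER = (b"_______________________________________________\r\n"
          b"example-list mailing list\r\n"
          b"example-list@lists.example.org\r\n"
          b"https://lists.example.org/listinfo/example-list\r\n")
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;\r\n"
             " h=from:to:subject; bh=" + body_hash(ORIGINAL) + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print("untouched body :", list_action(SIGNATURE, ORIGINAL))
    print("footer appended:", list_action(SIGNATURE, ORIGINAL + FOOTER))
```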
Please let me add,

my hosted spam filter service sends bounces to mozilla.org, most likely because of this bug.

The result is that lists.mozilla.org notifies me every couple of days, and requests me to confirm I want to remain as a subscriber.
It appears that Gmail has become more aggressive with its warnings.

see example: http://img815.imageshack.us/img815/2568/gmailwarning.png
Interesting. I just started seeing "via lists.mozilla.org" in Gmail, but I haven't seen the stronger "may not have been sent by" warning yet.

http://mail.google.com/support/bin/answer.py?hl=en&ctx=mail&answer=1311182
Assignee: justdave → rbryce
If you're using mailman, the following might be sufficient to fix this bug:

in /etc/mailman/mm_cfg.py
add this line:

REMOVE_DKIM_HEADERS = Yes
> 
> in /etc/mailman/mm_cfg.py
> add this line:
> 
> REMOVE_DKIM_HEADERS = Yes


What do you think about this proposal?
Component: Server Operations → Server Operations: Infrastructure
Assignee: rbryce → server-ops-infra
OS: Mac OS X → All
QA Contact: mrz → jdow
Hardware: x86 → All
Assignee: server-ops-infra → limed
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations
Component: Infrastructure: Other → Infrastructure: Mail
QA Contact: jdow → limed
Assignee: limed → infra
QA Contact: limed → cshields

Since mailman has been decom'ed, this bug has no more relevance.
Other DKIM bugs cover other parts of the mail infra, so I think this is a standalone closeout.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID