Mozilla list server should rewrite (or remove) DKIM headers, if it modifies the body (or headers) of the message

NEW
Assigned to

Status

Infrastructure & Operations
Infrastructure: Mail
7 years ago
5 years ago

People

(Reporter: Ehsan, Assigned: limed)

Tracking

Details

(Reporter)

Description

7 years ago
Otherwise, messages with valid DKIM headers which are forwarded through our list server could be misclassified as spam because of having invalid DKIM headers.

This happens when posting to the lists from gmail for example.
Over to Dave for comments.
Assignee: server-ops → justdave

Comment 2

7 years ago
Note that DKIM signatures are calculated based on some headers and the body.
So, changing headers might be the culprit, too.

I performed a couple of tests, minimizing a failing message.

Even after removing the "plaintext signature" (the trailing 4 lines with the listname and link to mailman), the DKIM signature verification still failed.

As a next test, I asked Ehsan to send me a minimal test message from gmail.
What I received was a multipart (html, plain) message.

However, the messages frmo Ehsan distributed by the mailinglist are plain, only.

I suspect that mailman stripped away the html part, and resent only the plain part, and obviously modified both the body and the content-type/-encoding headers.

...

Related: jcranmer on IRC said:

"there is apparently a config in mailman that can tell it to strip DKIM headers"

Also, he gave me a link to this bug:

https://bugs.launchpad.net/mailman/+bug/557493

Updated

7 years ago
Summary: Mozilla list server should rewrite DKIM headers because it modifies the body of the message → Mozilla list server should rewrite (or remove) DKIM headers, if it modifies the body (or headers) of the message

Comment 4

7 years ago
I think we should go for the hotfix to strip the header.

A complete solution would require to "verify signature", remember status, check if rewrite message is necessary. if no rewrite necessary, keep the dkim. Else: strip dkim, if there was a valid signature, produce a new dkim signature.

Until we have that, we should strip.

Comment 5

7 years ago
Please let me add,

my hosted spam filter service sends bounces to mozilla.org, most likely because of this bug.

The result is that lists.mozilla.org notifies me every couple of days, and requests me to confirm I want to remain as a subscriber.

Comment 6

7 years ago
It appears that Gmail has become more aggreessive with its warnings.

see example: http://img815.imageshack.us/img815/2568/gmailwarning.png

Comment 7

7 years ago
Interesting. I just started seeing "via lists.mozilla.org" in Gmail, but I haven't seen the stronger "may not have been sent by" warning yet.

http://mail.google.com/support/bin/answer.py?hl=en&ctx=mail&answer=1311182

Updated

7 years ago
Assignee: justdave → rbryce

Comment 8

7 years ago
If you're using mailman, the following might be sufficient to fix this bug:

in /etc/mailman/mm_cfg.py
add this line:

REMOVE_DKIM_HEADERS = Yes

Comment 9

6 years ago
> 
> in /etc/mailman/mm_cfg.py
> add this line:
> 
> REMOVE_DKIM_HEADERS = Yes


What do you think about this proposal?
Component: Server Operations → Server Operations: Infrastructure
Assignee: rbryce → server-ops-infra
OS: Mac OS X → All
QA Contact: mrz → jdow
Hardware: x86 → All

Updated

6 years ago
Assignee: server-ops-infra → limed
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations

Updated

5 years ago
Component: Infrastructure: Other → Infrastructure: Mail
QA Contact: jdow → limed
You need to log in before you can comment on or make changes to this bug.