04.12.2020 18:55, Per Jessen wrote:
Hans-Peter Jansen wrote:
when a domain (in this example "suse.com") uses DKIM signatures, a hash of the email contents is added to an email. The hash usually includes a selection of headers and the email body.
If any of those headers or the body is altered, the hash no longer matches (when checked on the receiving end) and we have a DKIM failure. With DMARC, the domain specifies what should happen in that case, quarantine or reject.
Right now, as you already noted, mailman adds a footer, which always invalidates the original DKIM signature. And SPF is fundamentally incompatible with DMARC. Still, apparently messages are not bounced, right? If the body is altered anyway, does it matter if you also alter a header additionally?
As others noted, it's mostly a matter of serializing any modification in a correct order, isn't it?
Not quite, no. The only real alternative we have is to sign the redistributed messages ourselves, but now the message will be coming from the list, not from the original sender. This option was dismissed as being the least user-friendly.
Actually the real alternative seems to be ARC (Authenticated Received Chain), at least long term. As mentioned in https://dmarc.org/2019/07/arc-protocol-published-as-rfc-8617/ mailman seems to support it.
Especially given that mailman adds a complete footer to every mail (for good reasons). Why is it okay to alter the body, but not the subject? Any alterations had to be done before calculating the hashes anyway.
Don't worry, the footer will be going away too. I have just not yet managed to find the magic mailman incantation that lets me override the default footers. (no joke, my overrides simply don't work).
Still - why does it not cause bounces even though openSUSE lists apparently stopped stripping off DKIM-Signature headers which are invalidated?