[Mailman-Developers] Dealing with DomainKeys and DKIM

Camberwell camberwell at camberwellcarrot.net
Sun Jan 15 06:29:27 CET 2006


Joe Peterson
Sat, 10 Sep 2005 12:03:55 -0700

I've recently been testing DomainKeys
(http://antispam.yahoo.com/domainkeys) and DKIM (which is supposedly a
merging of DomainKeys with Cisco's scheme).  I am using dk-milter and
dkim-milter with sendmail.  What this does is add two header lines to
outgoing email that allow the receiver to determine the authenticity of
the sender...

Anyway, since I run a Mailman system too, I figured this might be a
problem.  Indeed it is, since the header lines get passed through, and
when the check is done, it indicates a failure.  DomainKeys recommends
mail lists regenerate the keys rather than pass them through.

What I tried was pretty simple: Mailman doesn't have to deal with these
things itself, but if it strips the old keys from the header, the keys
will be regenerated on the way out by the MTA, thereby making the whole
process clean.  So the receiver of the email can at least verify that
the mail came from the host hosting Mailman.  I suppose Mailman could
also check email on the way in for valid keys if it wanted, but that's
another subject...

I patched Handlers/Cleanse.py as follows:

49a50,55
>     # JGP: Remove all "DomainKeys" type header lines, since we want these
>     # to be regenerated by the MTA when this message is sent out.  We need
>     # to let new such keys be generated because Mailman alters the
message,
>     # and the old keys would be seen as invalid by the receiver.
>     del msg['domainkey-signature']
>     del msg['dkim-signature']
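
Review bot: The two del statements at the end of the hunk run unconditionally, so a site whose MTA does not re-sign outgoing mail would lose both signatures with nothing put in their place; consider putting the removal behind a configuration setting, or a configurable list of header names, as the message itself asks. The comment says all "DomainKeys" type header lines are removed, but only domainkey-signature and dkim-signature are named, so it should list exactly those two. No existence check is needed around them: del on a message object matches the name case-insensitively, removes every occurrence of the header, and does nothing when the header is absent.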


I wanted to pass this by the developers here and see if:

1) This is a reasonable thing to do (or maybe have an option, or even a
way to strip selected headers in the config?)

2) If this is the right place to do it.

        -Thanks, Joe
--------------------------------------------------------------
Good day all,

I have recently started using dkim-milter myself, and I have made these
adjustments to my Cleanse.py
to get around this very problem and it works great, although I have
another little problem.....

When I send a mail to list-owner at mysite, if there is a dkim-signature
already in the header (in my case my mail is signed),
my dkim-milter tries to verify it instead of signing it on the way back
out to the list owner. I hope that makes sense.

Basically I would like to know what I can edit to remove the
dkim-signature from ALL incoming mail, not just mail to be bounced to
the list.

I have tried the latest version 2.1.7 and it does indeed remove the
domainkey signature on mail that is for the list, and my MTA does indeed
re-insert its own domainkey signature, BUT the domainkey signature is
NOT removed for mail to list-owner.

How can I remove these headers?

Thanks in advance

Martin Airs (Camberwell)
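
Added example, not part of either message or of Mailman's code: why a list footer invalidates the original signature, and what the two del statements in the Cleanse.py patch leave behind. It assumes the body-hash rule of DKIM as later standardized in RFC 6376 (the bh= tag); the sample message, footer, placeholder signature values and function names are constructed for illustration.

```python
import base64
import hashlib
import re
from email import message_from_string

# Constructed sample: a signed post as it reaches the list (signature values are placeholders).
SIGNED = (
    "From: alice@example.org\n"
    "To: list@lists.example.net\n"
    "Subject: hello\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; c=simple/simple;\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DomainKey-Signature: a=rsa-sha1; d=example.org; s=sel; b=PLACEHOLDER\n"
    "\n"
    "Hi list,\nsee you Friday.\n"
)
FOOTER = "_______________\nExample mailing list\n"  # constructed list footer
SIG_HEADERS = ("domainkey-signature", "dkim-signature")

def canon_body(body: bytes, relaxed: bool = False) -> bytes:
    """Body canonicalization per RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = re.split(rb"\r?\n", body)
    if relaxed:
        # Collapse whitespace runs to one space and drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are ignored
    if not lines:
        return b"" if relaxed else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, relaxed: bool = False) -> str:
    """Value a verifier compares with the bh= tag (sha256 variant)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, relaxed)).digest()).decode()

def relay_through_list(raw: str, strip: bool):
    """Append the footer like a list would; optionally strip old signatures."""
    msg = message_from_string(raw)
    before = body_hash(msg.get_payload().encode())
    msg.set_payload(msg.get_payload() + FOOTER)
    after = body_hash(msg.get_payload().encode())
    if strip:
        for name in SIG_HEADERS:
            del msg[name]  # removes every occurrence; no error if absent
    left = [h for h in msg.keys() if h.lower() in SIG_HEADERS]
    return before, after, left

if __name__ == "__main__":
    print(relay_through_list(SIGNED, strip=False))
    print(relay_through_list(SIGNED, strip=True))
```

Without stripping, the relayed message still carries both signature headers while its body hash no longer matches what the sender signed; with stripping, no stale signature remains for the receiver to fail on.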


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3553 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.python.org/pipermail/mailman-developers/attachments/20060115/2dc794ae/attachment.bin 

