[Mailman-Developers] dkim and email list software - potential solution

Ian Eiloart iane at sussex.ac.uk
Wed Oct 7 12:00:52 CEST 2009 

As far as I recall, Mailman removes DKIM signatures, and re-signs messages. 
You're saying that with ADSP, that's not adequate unless Mailman first 
rewrites the "From:" address. Some lists are configured to do this already, 
the question is what to do about those that don't.

Dave Crocker suggests that it's not the business of the list to fix this. 
That's true, but it is sensible to discuss how list managers could address 
the problem, and it's certainly useful to be aware of the problem - even if 
we conclude that list managers should not attempt to resolve it.

It seems to me that it's sensible for the list software to test the DKIM 
signature before and after any changes it makes to the message. And apply 
these policies:

Good before, good after: deliver the message as normal.

Bad before (broken DKIM sig, or missing a sig that ADSP says should be 
there), reject the message at SMTP time, but that's the MTA's job.

Good before, "discardable" after: If the DKIM signature is good, and the 
return-path is is signed, we can comfortably generate a bounce message. 
Otherwise, I guess we should reject at SMTP time, or bounce to the From 
address, perhaps? Effectively, you're saying to the sender "you've asked 
the recipient to discard the message that I'm about to send on your behalf, 
I'm going to save them the trouble". The RFC warns that use of 
"discardable" means that you're unlikely to get the message through a 
mailing list, but I think it's better to alert the sender. Rejection at 
SMTP time might be more practicable because a significant proportion of 
such email is from addresses that don't accept bounce messages!

The MTA would need to know whether the list was going to rewrite the From: 
header, I suppose.

Bad before, bad after: (DKIM or ADSP fail), reject the message at SMTP time 
if possible. That's the job of the border MTA, though.

Bad before, good after: presumably this is a list that rewrites From 
headers, but I don't think we want this message, so we should reject at 
SMTP time. Alternatively, if the ADSP policy is "discardable", we can 
discard it without guilt. Again, this is probably the job of the border MTA.

If the ADSP policy is "all", then I don't see a problem. The recipient 
should not reject a message from a mailing list just because it doesn't 
carry a matching signature. This is expected behaviour: we know the message 
was sent with a signature, we know the message came from a mailing list, we 
know the list was going to break or remove the signature. We should, 
however, look for a signature from the mailing list, and we should apply 
initial reputation tests (and modifications) to the list, not the original 
sender. If the list has good reputation, we should assume that it tested 
ADSP, and found a good DKIM signature on the original message. We can, 
therefore continue and check (and modify) the reputation of the original 
sender.

That last paragraph makes the job of reputation assignment harder where 
mailing lists are concerned - but that's to be expected. The whole point of 
DKIM, as far as I'm concerned, is to allow more sophisticated assessment 
and assignment of reputation scores.

--On 1 October 2009 18:57:27 +1000 Daniel Black <daniel at cacert.org> wrote:

>
> I proposed some ideas around DKIM compatibility with mail lists and tried
> to  send here too. Obviously the anti-cross-post feature on mailman-
> developers at python.org is working well (which on some levels I appreciate).
>
> As leading maillist product I'm keep to know your opinion. This has
> obviously  been mentioned before never quite got momentum[1]. Now that
> ADSP (RFC 5617) is  out it seems that validating domains with a ADSP
> policy of dkim=all seems  rather weak as anything other than a temporary
> spam bias (until spammers catch  on).
>
> My nice controversial idea is to mangle the from: address in mailing
> lists in  general so that the list domain becomes the author (for ADSP
> purposes) and  those DKIM validating emails are given the ability to do
> more with ADSP than  spam biasing.
>
> Original post here http://mipassoc.org/pipermail/dkim-dev/2009-
> September/000202.html
>
> Other ideas welcome.
>
> [1] http://wiki.list.org/display/DEV/DKIM



-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

More information about the Mailman-Developers mailing list