[Mailman-Users] DKIM Failures cause posts from gmail users to not be relayed to the list

Wed Aug 12 16:26:05 CEST 2015

On 08/12/2015 06:21 AM, Peter Bossley wrote:

> The MTA was configured to reject DKIM failures.

This is wrong and is the cause of your issue. See RFC 6376
<http://www.rfc-editor.org/rfc/rfc6376.txt> sec 4.4, sec 6.1 and sec 6.3.

The issue is your mail list transformations break gmail's DKIM signature
and you are rejecting the outgoing mail because of the invalid
signature, in spit of the fact that it may also contain a valid
signature. Even if it doesn't also contain a valid signature, mail
should not be rejected just because of an invalid DKIM signature. In
most cases an invalid DKIM signature should be treated the same as no
signature.

> The domain was configured to sign outgoing messages with DKIM.

OK.

> So, next, thinking that the DMARC issues that have been plaguing the internet lately were to blame, I tried changing the DMARC_Moderation setting to munge. This failed to change the situation as well.

This is not a DMARC issue per se as gmail's DMARC policy is p=none.

> I then attempted to set this setting to wrap message, which again did not fix the issue.

Because gmail's DMARC policy is p=none, dmarc_moderation_action won't
apply to this mail.

> At this point, I moved on to the from as list global setting, and tried munge here as well. This didn't work.
> Last, I tried wrap message, which did seem to work.

Because the outer wrapper message only contains your DKIM signature.
Gmail's is in the wrapped message which is part of the message body and
not checked by your MTA.

> Given the functionality issues this created, however, I decided to keep investigating.
> It was at this point that I decided to turn off DKIM failure rejection. I initially dismissed this course of action because I felt that changing the from as list setting to munge should have prevented this from becoming an issue.

No. Turning off DKIM failure rejection or at least changing it to ignore
a failure if there is also a valid DKIM sig present was the correct
solution.

> Since the initial posts were making it to the web-based archives I figured the gmail signature was fine.

The sig was fine in the incoming mail, but transformations like subject
prefixing and the addition of a message header or footer break the sig
in the outgoing mail.

> I'm at a loss of where to go from here. I would like to still reject DKIM failures, but my mailing lists need to work properly as well. Does anyone have any suggestions or ideas on why the Munge setting didn't seem to have an impact?

All Munging the From: does is create one more failure in gmail's DKIM
sig. This is not a DMARC issue. Do not reject messages just because they
happen to contain one invalid DKIM sig. This is wrong. Read the RFC
sections I refer to above.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan