[Bug 557493] [NEW] Mailman must not strip DKIM-Signature headers
James Ralston
ralston at pobox.com
Wed Apr 7 20:21:11 CEST 2010
Public bug reported:
I reviewed the discussion that led to the decision to have Mailman strip
DomainKey-Signature and DKIM-Signature headers:
http://mail.python.org/pipermail/mailman-
developers/2006-January/018537.html
This may have been the correct action to take in 2006. But since then,
the DKIM standard has been finalized (RFC4871), and it contains:
3.5. The DKIM-Signature Header Field
The DKIM-Signature header field SHOULD be treated as though it were a
trace header field as defined in Section 3.6 of [RFC2822], and hence
SHOULD NOT be reordered and SHOULD be prepended to the message.
RFC2822 defers to RFC2821, which has been replaced by RFC5321, which
states:
4.4. Trace Information
An Internet mail program MUST NOT change or delete a Received: line
that was previously added to the message header section. SMTP
servers MUST prepend Received lines to messages; they MUST NOT change
the order of existing lines or insert Received lines in any other
location.
Ergo, Mailman MUST NOT strip DKIM-Signature headers. Even if Mailman
knows that actions it will take with the message will invalidate one or
more DKIM-Signature headers, those (now-invalid) signatures MUST be left
intact. DKIM-Signature headers must be treated exactly like trace
(Received) headers.
This isn't simply a case of doing the right thing just for standards
compliance: although DKIM states that MTAs can't treat the lack of a
DKIM signature any differently than an invalid DKIM signature, the
presence of a DKIM-Signature header (even invalid) is a consumable item
for MUAs; e.g., a token for Bayesian anti-spam systems. (For example, we
currently receive *zero* spam with forged DKIM-Signature headers for our
own domain. Zero. Thus, even an invalid DKIM-Signature header is
incredibly useful to have.)
The fix for this is simple; just remove this line from
Mailman/Handlers/CleanseDKIM.py:
del msg['dkim-signature']
As for DomainKeys, although the DomainKeys protocol is now historical,
RFC4870 states:
3.5.2. Determining Whether an Email Should Be Signed
A signer MUST NOT sign an email that already contains a "DomainKey-
Signature:" header unless a "Sender:" header has been added that was
not included in the original signature. The most obvious case where
this occurs is with mailing lists.
A signer SHOULD NOT remove an existing "DomainKey-Signature:" header.
The difficulty here is that the signer (downstream from Mailman) cannot
guarantee that a Sender header was added that was not included in the
original signature, but it is forbidden from adding another DomainKey-
Signature header if that wasn't the case. I suspect this is why many
(most?) DomainKeys signers simply refrain from signing if a DomainKey-
Signature header is already present, which is the behavior that Joe
Peterson observed, and led to the decision to unconditionally strip all
DomainKey-Signature and DKIM-Signature headers.
Thus, I think Mailman stripping DomainKey-Signature headers is probably
still the best choice; leaving them will all but guarantee that any
downstream DomainKey-signer will refrain from generating a DomainKey-
Signature. This isn't optimal, of course, but implementation ambiguities
like this are why DomainKeys is now historical.
But Mailman absolutely needs to cease stripping DKIM-Signature headers.
(And really, CleanseDKIM.py should be renamed to CleanseDomainKeys.py.)
** Affects: mailman
Importance: Undecided
Status: New
--
Mailman must not strip DKIM-Signature headers
https://bugs.launchpad.net/bugs/557493
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
More information about the Mailman-coders
mailing list