
Mailman: strip the 'DKIM-Signature' related to the original messages, since Mailman alters the message, causing broken DKIM signature, contributing to messages marked as spam
Closed, Resolved · Public

Description

Problem

Emails received from WMIT Mailman may have an invalid DKIM signature and can be (often) marked as spam.

Example of a problematic header:

Authentication-Results: example.wikimedia.it (amavisd-new); dkim=fail (1024-bit
 key) reason="fail (message has been altered)" header.d=example.com
 header.b=JTAvJYcU; dkim=fail (1024-bit key) reason="fail (message has been
 altered)" header.d=example.com header.b=JTAvJYcU

Note:

fail (message has been altered)

Context

When someone (with a recent mailserver, I mean a DKIM-enabled mailserver) sends an email to the WMIT Mailman, there may be cases where the original DKIM signature is valid, but Mailman delivers an invalid DKIM-Signature, and so the email is marked as spam and, often, discarded by receivers.

This happens because Mailman alters the original message. This happens in various ways: changing the subject, adding the prefix [Something], altering the body, altering the From:, etc.

Mailman alters the original message and it breaks the original DKIM signature.

Ideal solution

  1. strip the DKIM-Signature: header since it cannot be valid anymore if Mailman changes the original message
  2. (bonus point) preserve the old DKIM signature in another (non?)standard header (uhm... ?... X-original-DKIM-Signature:) for cryptography lovers who might want to check it out
  3. (bonus point) introduce a valid DKIM-Signature: generated by Mailman's underlying mailserver, in order to have a valid signature matching the new message delivered by Mailman

Having said that, I don't think this solution can be implemented easily in Mailman.

Proposed solution

Edit the Mailman configuration file and set remove_dkim_headers: yes in order to strip the DKIM-Signature: header, which usually contains an invalid signature, since the original message was altered by Mailman and so its crypto signature is invalid.

Related documentation explaining default value:

# Some list posts and mail to the -owner address may contain DomainKey or
# DomainKeys Identified Mail (DKIM) signature headers <http://www.dkim.org/>.
# Various list transformations to the message such as adding a list header or
# footer or scrubbing attachments or even reply-to munging can break these
# signatures.  It is generally felt that these signatures have value, even if
# broken and even if the outgoing message is resigned.  However, some sites
# may wish to remove these headers by setting this to 'yes'.
remove_dkim_headers: no

https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/config/docs/config.html#remove-dkim-headers
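
The following is an added example, not part of the original task or of Mailman's code: it computes the DKIM relaxed body hash (the bh= value, RFC 6376 section 3.4.4) before and after a list-style rewrite, then applies steps 1 and 2 of the ideal solution. The sample message, list name, footer and function names are constructed, and the renamed header is the one floated in the task.

```python
import base64
import hashlib
import re
from email import message_from_string

SAMPLE = (  # constructed message; bh=/b= are placeholders, not real signatures
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    " s=sel; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: alice@example.com\n"
    "Subject: Meeting notes\n"
    "\n"
    "See you on Monday.\n"
)

def relaxed_body_hash(body: str) -> str:
    """bh= value for relaxed body canonicalization with sha256."""
    lines = re.split(r"\r?\n", body)
    # Collapse runs of spaces/tabs to one space, drop whitespace at line end.
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()  # empty lines at the end of the body are ignored
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def list_transform(msg, prefix="[Example-list] ",
                   footer="\n-- \nExample-list mailing list\n"):
    """Constructed stand-in for the rewrites the task lists (prefix, footer)."""
    subject = msg["Subject"]
    del msg["Subject"]
    msg["Subject"] = prefix + subject            # a signed header changes
    msg.set_payload(msg.get_payload() + footer)  # the signed body changes
    return msg

def retire_dkim_signatures(msg, keep_as="X-Original-DKIM-Signature"):
    """Steps 1 and 2: drop every DKIM-Signature, keep a renamed copy."""
    old = msg.get_all("DKIM-Signature", [])
    del msg["DKIM-Signature"]  # removes all occurrences, no error if absent
    for value in old:
        msg[keep_as] = value
    return len(old)

def demo():
    msg = message_from_string(SAMPLE)
    before = relaxed_body_hash(msg.get_payload())
    list_transform(msg)
    after = relaxed_body_hash(msg.get_payload())
    return before, after, retire_dkim_signatures(msg), msg

if __name__ == "__main__":
    before, after, moved, msg = demo()
    print(before, after, moved, msg.keys(), sep="\n")
```

Step 3 (re-signing) is left to the outgoing mailserver, as in the task's resolution.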

Event Timeline

Thanks to @Nemo_bis for reporting the issue every time I send an e-mail. I hope this page makes sense as a solution.

valerio.bozzolan claimed this task.

Fixed by a combination of:

  • stripping of the invalidated DKIM signature
  • addition of a valid DKIM signature, signed by the wikimedia.it mailserver

Change 908495 had a related patch set uploaded (by VolkerE; author: VolkerE):

[design/codex@main] tokens, Message, InfoChip: Use darker border colors

https://gerrit.wikimedia.org/r/908495

Change 908524 had a related patch set uploaded (by VolkerE; author: VolkerE):

[mediawiki/core@master] mediawiki.ui: Apply darker Message border colors

https://gerrit.wikimedia.org/r/908524

(Hi @Volker_E - note that T322429 is unrelated to https://gerrit.wikimedia.org/r/908524)

Yeah, sorry. Fixed directly before you sent the message above.