Re: BUG #18822: mailing lists reject mails due to DKIM-signature - Mailing list pgsql-bugs

From Matthias Apitz
Subject Re: BUG #18822: mailing lists reject mails due to DKIM-signature
Date
Msg-id CAHzebO8CxUtQ4CBv6uGRxcxGK0Upau7_o+-eeBha3Ad3kqR0Kw@mail.gmail.com
In response to Re: BUG #18822: mailing lists reject mails due to DKIM-signature  (Stefan Kaltenbrunner <stefan@kaltenbrunner.cc>)
List pgsql-bugs
Sorry, I mixed up the number. The correct one is RFC 6376.
It states clearly that a forwarder which does not want to change the body should do:

    A Forwarder that does not modify the body or signed header fields of
    a message is likely to maintain the validity of the existing
    signature.  It also could choose to add its own signature to the
    message.

i.e. it should pass the message as it is, or could add its own signatures.

matthias




On Sat, Feb 22, 2025 at 6:14 PM Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> wrote:
On 22.02.25 17:56, Matthias Apitz wrote:
> Hi Stefan,

Hi Matthias!


>
> Have you read what the RFC 6576 specifies about exactly this case?

I think you are talking about 6376 (which has been augmented and updated
in various ways already) - we are very well aware of what it says and we
are fully compliant because we do not modify messages we want to pass
through. In order to be able to do that we need to make sure we only
accept messages where that is possible.
Incoming mails with a signed List-* header cannot be forwarded
unmodified because we need to add/change those headers ourselves (because
_WE_ are the mailing list and we need that for our mails to be accepted
downstream), so what we do is reject those through our moderation
system with an explanation.

taking the RFC

" A Forwarder that does not modify the body or signed header fields of
    a message is likely to maintain the validity of the existing
    signature.  It also could choose to add its own signature to the
    message."

we are a forwarder that (in the case of a List-* header) NEEDS to modify
the message, so we cannot forward it without breaking it.




Stefan

>
> matthias
>
> On Sat, Feb 22, 2025 at 5:39 PM Stefan Kaltenbrunner
> <stefan@kaltenbrunner.cc> wrote:
>
>     Hi Matthias!
>
>
>     On 22.02.25 12:45, PG Bug reporting form wrote:
>      > The following bug has been logged on the website:
>      >
>      > Bug reference:      18822
>      > Logged by:          Matthias Apitz
>      > Email address:      gurucubano@googlemail.com
>      > PostgreSQL version: 16.5
>      > Operating system:   SuSE Linux SLES 15 SP6
>      > Description:
>      >
>      > This is not strictly a PostgreSQL software problem, but one of the
>      > configuration and administration of the community mailing list.
>     Please
>      > change the place for this issue accordingly.
>      >
>      > I'm an active member of the community for many years (check the
>     archives for
>      > my name). Since some days, all my mails to the PostgreSQL lists
>     get rejected
>      > with a message:
>      >
>      > Your message to pgsql-bugs with subject
>      >
>      >     Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in
>      >     Logs
>      >
>      > has been rejected by a moderator and will not be posted.
>      >
>      > The reason given for rejection was:
>      >
>      >     This email has a DKIM signature on the List- headers of
>      >     the email, indicating that it is not allowed to pass this
>      >     email on through a mailinglist
>      > ...
>      >
>      > I investigated this on my side and the reason is that my ISP 1blu.de adds
>      > since January 20 2025 a DKIM-Signature to all my outgoing mails of:
>      >
>      > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>      >          d=unixarea.de; s=blu3434000;
>      >          h=Content-Transfer-Encoding:Content-Type:MIME-Version:
>      >          Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
>      >          Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
>      >          :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
>      >          List-Subscribe:List-Post:List-Owner:List-Archive;
>      >          bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=;
>      >          b=nlMvRnatrYiMjStI6F/rnF2zbZDqqjgqpA4fezouBgwHPPz+VAN+msCPqY+I6oQa1B6eP5bNZhr9bi8UCvVvRmTWX+LC74GdzsYsfR9
>      >          5zDhdwYSgxaU6fW4CbtGfhZT+v/lH+x2sPi3OEdBPIEdeuHstof32yzBm00xnRX0MttjZx8E9ReyG
>      >          GHBKSuWo9f80m9Y4VamhplV99V5aMxJZOU+MNVU/Jfdj9h4Q5aMfEtwT+SOCPBBoze7wFOpXRvQOd
>      >          MdYA7FtH3uUlpMn0FwqpopXHqTl7Xs+cKxT/AZwRnogqdwsFmQg3fMf0/Tr8gMAPGluXkdpC8kKog
>      >          qw+9X8Sg==;
>      >
>      > i.e. the header lines of List-* are part of the DKIM signed lines.
>      >
>      > I can't change this, as the signing is done by the MTA of 1blu.de. I raised
>      > a ticket there, but without any luck until now.
>      >
>      > On the other hand, the RFC 6576 explicitly allows this, see the
>     chapter
>      >
>      > 5.4.1.  Recommended Signature Content
>      >
>      > and explains in B.2.3.  Mailing Lists and Re-Posters
>      > what mailing-list should do:
>      >
>      >    A Forwarder that does not modify the body or signed header
>     fields of
>      >     a message is likely to maintain the validity of the existing
>      >     signature.  It also could choose to add its own signature to the
>      >     message. ...
>      >
>      > Rejecting the mails should not be done and is IMHO a bug!
>      > Please fix this.
>
>     This is an issue on your ISP's side (and usually caused by people
>     carelessly using for example exim with its default set of signing
>     headers).
>     You should never send email with a signed List-* header to any
>     mailinglist because the mailinglist system needs to modify/control that
>     header.
>
>
>     This is documented in a number of places - see for example the
>     documentation for debian:
>
>     https://wiki.debian.org/Exim#For_running_a_mailing_list_and_ensuring_all_sent_mail_is_DMARC_compliant
>
>     or
>
>     https://wiki.list.org/DOC/What%20can%20I%20do%20about%20members%20being%20unsubscribed%20by%20bounces%20of%20Yahoo%20user%27s%20posts%20for%20DMARC%20policy%20reasons%3F
>
>     Some misconfigured mail servers sign the List-* headers. This is a bad
>     idea, but it should especially never be done when submitting to a
>     mailing list, since it's telling that mailing list that the message
>     can't be sent from any other mailing list without breaking DKIM.
>
>
>
>     Stefan
>

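The check Stefan describes (reject a submission whose DKIM-Signature covers List-* headers) and the reason behind it, as an added example that is not part of this thread and not code from the postgresql.org list software. It parses the h= tag of the DKIM-Signature quoted in the bug report, applies RFC 6376 "relaxed" header canonicalization to a set of constructed message headers, and shows that appending List-Id/List-Post changes the data the signature was computed over when h= names those headers, but not when a signature covers only headers the sender controls. The message headers, the List-* values, the `example.com` signature and every function name are assumptions for illustration; nothing is cryptographically verified, which would need the signer's public key from DNS.

```python
"""Does a DKIM-Signature cover List-* headers, and can a mailing list relay
the message without breaking it?  Added example, not code from the
pgsql-bugs thread or the postgresql.org list software.  DKIM_SIGNATURE is
the header value posted in BUG #18822 (b= shortened); everything else is
constructed for illustration.  Only RFC 6376 relaxed header
canonicalization is implemented; no signature is verified."""
import re

# From the bug report: 1blu.de's signature lists every List-* header in h=.
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=unixarea.de;\n"
    "\ts=blu3434000;\n"
    "\th=Content-Transfer-Encoding:Content-Type:MIME-Version:\n"
    "\tReply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:\n"
    "\tContent-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc\n"
    "\t:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:\n"
    "\tList-Subscribe:List-Post:List-Owner:List-Archive;\n"
    "\tbh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=;\n"
    "\tb=nlMvRnatrYiMjStI6F/rnF2zbZ"  # remainder of the base64 value omitted
)

# Constructed: a signature whose h= stops at headers the sender controls.
SANE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\n"
    "\th=From:To:Subject:Date:MIME-Version:Message-ID; bh=AAAA; b=BBBB"
)

# Constructed headers of the submitted message, in message order.
ORIGINAL_HEADERS = [
    ("From", "sender@unixarea.de"),
    ("To", "pgsql-bugs@lists.postgresql.org"),
    ("Subject", "Re: BUG #18822: mailing lists reject mails\n due to DKIM-signature"),
    ("Date", "Sat, 22 Feb 2025 18:30:00 +0100"),
    ("MIME-Version", "1.0"),
]

# Constructed: headers a list manager must set on every message it relays.
LIST_HEADERS = [
    ("List-Id", "<pgsql-bugs.lists.postgresql.org>"),
    ("List-Post", "<mailto:pgsql-bugs@lists.postgresql.org>"),
]


def parse_dkim_tags(value: str) -> dict:
    """Split a (possibly folded) DKIM-Signature value into tag=value pairs
    (RFC 6376 section 3.2).  Whitespace inside values is dropped, which also
    joins the folded h= list into one colon-separated string."""
    tags = {}
    for field in value.split(";"):
        name, sep, val = field.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def signed_headers(value: str) -> list:
    """Header names covered by the signature, lowercased, in h= order."""
    return [h.lower() for h in parse_dkim_tags(value)["h"].split(":") if h]


def list_headers_signed(value: str) -> list:
    """The list manager's check: which List-* headers does h= cover?"""
    return [h for h in signed_headers(value) if h.startswith("list-")]


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 relaxed canonicalization of one header field:
    lowercase the name, unfold, collapse WSP runs to one space, strip WSP
    around the colon and at the end of the value, terminate with CRLF."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    collapsed = re.sub(r"[ \t]+", " ", unfolded).strip()
    return "%s:%s\r\n" % (name.lower(), collapsed)


def signed_header_block(headers: list, h_tag: list) -> str:
    """Header part of the data that is hashed and signed (section 5.4.2).
    Each name in h= consumes the last not-yet-used instance of that header,
    searching bottom-up; a name with no instance left adds nothing, so
    listing an absent header "oversigns" it: adding it later changes the
    signed data.  (The DKIM-Signature field itself, with b= emptied, is
    appended last by a real verifier and is left out here.)"""
    remaining = list(headers)
    block = []
    for name in h_tag:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                block.append(relaxed_header(*remaining.pop(i)))
                break
    return "".join(block)


def survives_relay(signature: str, headers: list, added: list) -> bool:
    """True if appending `added` leaves the signed data unchanged, i.e. the
    existing signature can still verify after the list relays the message."""
    h_tag = signed_headers(signature)
    return signed_header_block(headers, h_tag) == signed_header_block(headers + added, h_tag)


if __name__ == "__main__":
    print("List-* headers in h=:", list_headers_signed(DKIM_SIGNATURE))
    print("1blu.de signature survives relay:", survives_relay(DKIM_SIGNATURE, ORIGINAL_HEADERS, LIST_HEADERS))
    print("sane signature survives relay:", survives_relay(SANE_SIGNATURE, ORIGINAL_HEADERS, LIST_HEADERS))
```

Run as a script it prints the signed List-* names and the two verdicts. A non-empty result from `list_headers_signed` on the raw header value corresponds to the condition the moderation notice quotes, and it can be evaluated before the message is accepted, which is the point Stefan makes: once the list has to add List-Id and List-Post, no amount of care downstream can keep a signature that already covers them valid.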