Thread: BUG #18822: mailing lists reject mails due to DKIM-signature
The following bug has been logged on the website:
Bug reference: 18822
Logged by: Matthias Apitz
Email address: gurucubano@googlemail.com
PostgreSQL version: 16.5
Operating system: SuSE Linux SLES 15 SP6
Description:
This is not strictly a PostgreSQL software problem, but one of the
configuration and administration of the community mailing list. Please
change the place for this issue accordingly.
I'm an active member of the community for many years (check the archives for
my name). Since some days, all my mails to the PostgreSQL lists get rejected
with a message:
Your message to pgsql-bugs with subject
Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in
Logs
has been rejected by a moderator and will not be posted.
The reason given for rejection was:
This email has a DKIM signature on the List- headers of
the email, indicating that it is not allowed to pass this
email on through a mailinglist
...
I investigated this on my side and the reason is that my ISP 1blu.de adds
since January 20 2025 a DKIM-Signature to all my outgoing mails of:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=unixarea.de
; s=blu3434000;
h=Content-Transfer-Encoding:Content-Type:MIME-Version:
Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=;
b=nlMvRnatrYiMjStI6F/rnF2zbZ
DqqjgqpA4fezouBgwHPPz+VAN+msCPqY+I6oQa1B6eP5bNZhr9bi8UCvVvRmTWX+LC74GdzsYsfR9
5zDhdwYSgxaU6fW4CbtGfhZT+v/lH+x2sPi3OEdBPIEdeuHstof32yzBm00xnRX0MttjZx8E9ReyG
GHBKSuWo9f80m9Y4VamhplV99V5aMxJZOU+MNVU/Jfdj9h4Q5aMfEtwT+SOCPBBoze7wFOpXRvQOd
MdYA7FtH3uUlpMn0FwqpopXHqTl7Xs+cKxT/AZwRnogqdwsFmQg3fMf0/Tr8gMAPGluXkdpC8kKog
qw+9X8Sg==;
i.e. the header lines of List-* are part of the DKIM signed lines.
I can't change this, as the signing is done by the MTA of 1blu.de. I raised
a ticket there, but without any luck until now.
On the other hand, the RFC 6576 explicitly allows this, see the chapter
5.4.1. Recommended Signature Content
and explains in B.2.3. Mailing Lists and Re-Posters
what mailing-list should do:
A Forwarder that does not modify the body or signed header fields of
a message is likely to maintain the validity of the existing
signature. It also could choose to add its own signature to the
message. ...
Rejecting the mails should not be done and is IMHO a bug!
Please fix this.
Hi Matthias! On 22.02.25 12:45, PG Bug reporting form wrote: > The following bug has been logged on the website: > > Bug reference: 18822 > Logged by: Matthias Apitz > Email address: gurucubano@googlemail.com > PostgreSQL version: 16.5 > Operating system: SuSE Linux SLES 15 SP6 > Description: > > This is not strictly a PostgreSQL software problem, but one of the > configuration and administration of the community mailing list. Please > change the place for this issue accordingly. > > I'm an active member of the community for many years (check the archives for > my name). Since some days, all my mails to the PostgreSQL lists get rejected > with a message: > > Your message to pgsql-bugs with subject > > > > Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in > > Logs > > > > has been rejected by a moderator and will not be posted. > > The reason given for rejection was: > > > > This email has a DKIM signature on the List- headers of > > the email, indicating that it is not allowed to pass this > > email on through a mailinglist > ... > > I investigated this on my side and the reason is that my ISP 1blu.de adds > since January 20 2025 a DKIM-Signature to all my outgoing mails of: > > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; > d=unixarea.de > ; s=blu3434000; > h=Content-Transfer-Encoding:Content-Type:MIME-Version: > Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID: > > > Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc > > > :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: > > List-Subscribe:List-Post:List-Owner:List-Archive; > > bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=; > b=nlMvRnatrYiMjStI6F/rnF2zbZ > > DqqjgqpA4fezouBgwHPPz+VAN+msCPqY+I6oQa1B6eP5bNZhr9bi8UCvVvRmTWX+LC74GdzsYsfR9 > > > 5zDhdwYSgxaU6fW4CbtGfhZT+v/lH+x2sPi3OEdBPIEdeuHstof32yzBm00xnRX0MttjZx8E9ReyG > > > GHBKSuWo9f80m9Y4VamhplV99V5aMxJZOU+MNVU/Jfdj9h4Q5aMfEtwT+SOCPBBoze7wFOpXRvQOd > > > MdYA7FtH3uUlpMn0FwqpopXHqTl7Xs+cKxT/AZwRnogqdwsFmQg3fMf0/Tr8gMAPGluXkdpC8kKog > > qw+9X8Sg==; > > i.e. the header lines of List-* are part of the DKIM signed lines. > > I can't change this, as the signing is done by the MTA of 1blu.de. I raised > a ticket there, but without any luck until now. > > On the other hand, the RFC 6576 explicitly allows this, see the chapter > > 5.4.1. Recommended Signature Content > > and explains in B.2.3. Mailing Lists and Re-Posters > what mailing-list should do: > > A Forwarder that does not modify the body or signed header fields of > a message is likely to maintain the validity of the existing > signature. It also could choose to add its own signature to the > message. ... > > Rejecting the mails should not be done and is IMHO a bug! > Please fix this. This is an issue on your ISPs side (and usually caused by people carelessly using for example exim with its default set of signing headers). You should never send email with a signed List-* header to any mailinglist because the mailinglist system needs to modify/control that header. This is documented it a number of places - see for example the documentation for debian: https://wiki.debian.org/Exim#For_running_a_mailing_list_and_ensuring_all_sent_mail_is_DMARC_compliant or https://wiki.list.org/DOC/What%20can%20I%20do%20about%20members%20being%20unsubscribed%20by%20bounces%20of%20Yahoo%20user%27s%20posts%20for%20DMARC%20policy%20reasons%3F Some misconfigured mail servers sign the list-* headers. This is a bad idea, but it should especially never be done when submitting to a mailing list, since its telling that mailing list that the message can't be sent from any other mailing list without breaking DKIM. Stefan
Hi Stefan,
Have you read what the RFC 6576 specifies about exactly this case?
matthias
On Sat, Feb 22, 2025 at 5:39 PM Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> wrote:
Hi Matthias!
On 22.02.25 12:45, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference: 18822
> Logged by: Matthias Apitz
> Email address: gurucubano@googlemail.com
> PostgreSQL version: 16.5
> Operating system: SuSE Linux SLES 15 SP6
> Description:
>
> This is not strictly a PostgreSQL software problem, but one of the
> configuration and administration of the community mailing list. Please
> change the place for this issue accordingly.
>
> I'm an active member of the community for many years (check the archives for
> my name). Since some days, all my mails to the PostgreSQL lists get rejected
> with a message:
>
> Your message to pgsql-bugs with subject
>
>
>
> Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in
>
> Logs
>
>
>
> has been rejected by a moderator and will not be posted.
>
> The reason given for rejection was:
>
>
>
> This email has a DKIM signature on the List- headers of
>
> the email, indicating that it is not allowed to pass this
>
> email on through a mailinglist
> ...
>
> I investigated this on my side and the reason is that my ISP 1blu.de adds
> since January 20 2025 a DKIM-Signature to all my outgoing mails of:
>
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=unixarea.de
> ; s=blu3434000;
> h=Content-Transfer-Encoding:Content-Type:MIME-Version:
> Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
>
>
> Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
>
>
> :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
>
> List-Subscribe:List-Post:List-Owner:List-Archive;
>
> bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=;
> b=nlMvRnatrYiMjStI6F/rnF2zbZ
>
> DqqjgqpA4fezouBgwHPPz+VAN+msCPqY+I6oQa1B6eP5bNZhr9bi8UCvVvRmTWX+LC74GdzsYsfR9
>
>
> 5zDhdwYSgxaU6fW4CbtGfhZT+v/lH+x2sPi3OEdBPIEdeuHstof32yzBm00xnRX0MttjZx8E9ReyG
>
>
> GHBKSuWo9f80m9Y4VamhplV99V5aMxJZOU+MNVU/Jfdj9h4Q5aMfEtwT+SOCPBBoze7wFOpXRvQOd
>
>
> MdYA7FtH3uUlpMn0FwqpopXHqTl7Xs+cKxT/AZwRnogqdwsFmQg3fMf0/Tr8gMAPGluXkdpC8kKog
>
> qw+9X8Sg==;
>
> i.e. the header lines of List-* are part of the DKIM signed lines.
>
> I can't change this, as the signing is done by the MTA of 1blu.de. I raised
> a ticket there, but without any luck until now.
>
> On the other hand, the RFC 6576 explicitly allows this, see the chapter
>
> 5.4.1. Recommended Signature Content
>
> and explains in B.2.3. Mailing Lists and Re-Posters
> what mailing-list should do:
>
> A Forwarder that does not modify the body or signed header fields of
> a message is likely to maintain the validity of the existing
> signature. It also could choose to add its own signature to the
> message. ...
>
> Rejecting the mails should not be done and is IMHO a bug!
> Please fix this.
This is an issue on your ISPs side (and usually caused by people
carelessly using for example exim with its default set of signing headers).
You should never send email with a signed List-* header to any
mailinglist because the mailinglist system needs to modify/control that
header.
This is documented it a number of places - see for example the
documentation for debian:
https://wiki.debian.org/Exim#For_running_a_mailing_list_and_ensuring_all_sent_mail_is_DMARC_compliant
or
https://wiki.list.org/DOC/What%20can%20I%20do%20about%20members%20being%20unsubscribed%20by%20bounces%20of%20Yahoo%20user%27s%20posts%20for%20DMARC%20policy%20reasons%3F
Some misconfigured mail servers sign the list-* headers. This is a bad
idea, but it should especially never be done when submitting to a
mailing list, since its telling that mailing list that the message can't
be sent from any other mailing list without breaking DKIM.
Stefan
On 22.02.25 17:56, Matthias Apitz wrote:
> Hi Stefan,
Hi Matthias!
>
> Have you read what the RFC 6576 specifies about exactly this case?
I think you are talking about 6376 (which has been augmented and updated
in various ways already) - we are very well aware of what it says and we
are fully compliant because we do not modify messages we want to pass
through. I order to be able to do that we need to make sure we only
accept messages where that is possible.
Incoming mails with a signed List-* header cannot be forwarded
unmodified because we need to add/change those headers ourselfs (because
_WE_ are the mailinglist and we need that for our mails to be accepted
downstream) so what we do is rejecting those through our moderation
system with an explaination.
taking the RFC
" A Forwarder that does not modify the body or signed header fields of
a message is likely to maintain the validity of the existing
signature. It also could choose to add its own signature to the
message."
we are a forwarder that (in the case of a List-* header) NEEDS to modify
the message so we cannot forward it without breaking.
Stefan
>
> matthias
>
> On Sat, Feb 22, 2025 at 5:39 PM Stefan Kaltenbrunner
> <stefan@kaltenbrunner.cc <mailto:stefan@kaltenbrunner.cc>> wrote:
>
> Hi Matthias!
>
>
> On 22.02.25 12:45, PG Bug reporting form wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 18822
> > Logged by: Matthias Apitz
> > Email address: gurucubano@googlemail.com
> <mailto:gurucubano@googlemail.com>
> > PostgreSQL version: 16.5
> > Operating system: SuSE Linux SLES 15 SP6
> > Description:
> >
> > This is not strictly a PostgreSQL software problem, but one of the
> > configuration and administration of the community mailing list.
> Please
> > change the place for this issue accordingly.
> >
> > I'm an active member of the community for many years (check the
> archives for
> > my name). Since some days, all my mails to the PostgreSQL lists
> get rejected
> > with a message:
> >
> > Your message to pgsql-bugs with subject
> >
> >
> >
> > Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in
> >
> > Logs
> >
> >
> >
> > has been rejected by a moderator and will not be posted.
> >
> > The reason given for rejection was:
> >
> >
> >
> > This email has a DKIM signature on the List- headers of
> >
> > the email, indicating that it is not allowed to pass this
> >
> > email on through a mailinglist
> > ...
> >
> > I investigated this on my side and the reason is that my ISP
> 1blu.de <http://1blu.de> adds
> > since January 20 2025 a DKIM-Signature to all my outgoing mails of:
> >
> > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> > d=unixarea.de <http://unixarea.de>
> > ; s=blu3434000;
> > h=Content-Transfer-Encoding:Content-Type:MIME-Version:
> > Reply-To:Message-
> ID:Subject:To:From:Date:Sender:Cc:Content-ID:
> >
> >
> > Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-
> To:Resent-Cc
> >
> >
> > :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-
> Unsubscribe:
> >
> > List-Subscribe:List-Post:List-Owner:List-Archive;
> >
> > bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=;
> > b=nlMvRnatrYiMjStI6F/rnF2zbZ
> >
> >
> DqqjgqpA4fezouBgwHPPz+VAN+msCPqY+I6oQa1B6eP5bNZhr9bi8UCvVvRmTWX+LC74GdzsYsfR9
> >
> >
> > 5zDhdwYSgxaU6fW4CbtGfhZT+v/
> lH+x2sPi3OEdBPIEdeuHstof32yzBm00xnRX0MttjZx8E9ReyG
> >
> >
> > GHBKSuWo9f80m9Y4VamhplV99V5aMxJZOU+MNVU/
> Jfdj9h4Q5aMfEtwT+SOCPBBoze7wFOpXRvQOd
> >
> >
> > MdYA7FtH3uUlpMn0FwqpopXHqTl7Xs+cKxT/AZwRnogqdwsFmQg3fMf0/
> Tr8gMAPGluXkdpC8kKog
> >
> > qw+9X8Sg==;
> >
> > i.e. the header lines of List-* are part of the DKIM signed lines.
> >
> > I can't change this, as the signing is done by the MTA of 1blu.de
> <http://1blu.de>. I raised
> > a ticket there, but without any luck until now.
> >
> > On the other hand, the RFC 6576 explicitly allows this, see the
> chapter
> >
> > 5.4.1. Recommended Signature Content
> >
> > and explains in B.2.3. Mailing Lists and Re-Posters
> > what mailing-list should do:
> >
> > A Forwarder that does not modify the body or signed header
> fields of
> > a message is likely to maintain the validity of the existing
> > signature. It also could choose to add its own signature to the
> > message. ...
> >
> > Rejecting the mails should not be done and is IMHO a bug!
> > Please fix this.
>
> This is an issue on your ISPs side (and usually caused by people
> carelessly using for example exim with its default set of signing
> headers).
> You should never send email with a signed List-* header to any
> mailinglist because the mailinglist system needs to modify/control that
> header.
>
>
> This is documented it a number of places - see for example the
> documentation for debian:
>
> https://wiki.debian.org/
> Exim#For_running_a_mailing_list_and_ensuring_all_sent_mail_is_DMARC_compliant
<https://wiki.debian.org/Exim#For_running_a_mailing_list_and_ensuring_all_sent_mail_is_DMARC_compliant>
>
> or
>
> https://wiki.list.org/DOC/
>
What%20can%20I%20do%20about%20members%20being%20unsubscribed%20by%20bounces%20of%20Yahoo%20user%27s%20posts%20for%20DMARC%20policy%20reasons%3F
<https://wiki.list.org/DOC/What%20can%20I%20do%20about%20members%20being%20unsubscribed%20by%20bounces%20of%20Yahoo%20user%27s%20posts%20for%20DMARC%20policy%20reasons%3F>
>
> Some misconfigured mail servers sign the list-* headers. This is a bad
> idea, but it should especially never be done when submitting to a
> mailing list, since its telling that mailing list that the message
> can't
> be sent from any other mailing list without breaking DKIM.
>
>
>
> Stefan
>
Sorry, to mixup the number. The correct one is RFC 6376.
It states cleary that a forwarder which does not want to change the body should do:
A Forwarder that does not modify the body or signed header fields of a message is likely to maintain the validity of the existing signature. It also could choose to add its own signature to the message.
i.e. should pass the message as it is or could add own signatures.
matthias
On Sat, Feb 22, 2025 at 6:14 PM Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> wrote:
On 22.02.25 17:56, Matthias Apitz wrote:
> Hi Stefan,
Hi Matthias!
>
> Have you read what the RFC 6576 specifies about exactly this case?
I think you are talking about 6376 (which has been augmented and updated
in various ways already) - we are very well aware of what it says and we
are fully compliant because we do not modify messages we want to pass
through. I order to be able to do that we need to make sure we only
accept messages where that is possible.
Incoming mails with a signed List-* header cannot be forwarded
unmodified because we need to add/change those headers ourselfs (because
_WE_ are the mailinglist and we need that for our mails to be accepted
downstream) so what we do is rejecting those through our moderation
system with an explaination.
taking the RFC
" A Forwarder that does not modify the body or signed header fields of
a message is likely to maintain the validity of the existing
signature. It also could choose to add its own signature to the
message."
we are a forwarder that (in the case of a List-* header) NEEDS to modify
the message so we cannot forward it without breaking.
Stefan
>
> matthias
>
> On Sat, Feb 22, 2025 at 5:39 PM Stefan Kaltenbrunner
> <stefan@kaltenbrunner.cc <mailto:stefan@kaltenbrunner.cc>> wrote:
>
> Hi Matthias!
>
>
> On 22.02.25 12:45, PG Bug reporting form wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 18822
> > Logged by: Matthias Apitz
> > Email address: gurucubano@googlemail.com
> <mailto:gurucubano@googlemail.com>
> > PostgreSQL version: 16.5
> > Operating system: SuSE Linux SLES 15 SP6
> > Description:
> >
> > This is not strictly a PostgreSQL software problem, but one of the
> > configuration and administration of the community mailing list.
> Please
> > change the place for this issue accordingly.
> >
> > I'm an active member of the community for many years (check the
> archives for
> > my name). Since some days, all my mails to the PostgreSQL lists
> get rejected
> > with a message:
> >
> > Your message to pgsql-bugs with subject
> >
> >
> >
> > Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in
> >
> > Logs
> >
> >
> >
> > has been rejected by a moderator and will not be posted.
> >
> > The reason given for rejection was:
> >
> >
> >
> > This email has a DKIM signature on the List- headers of
> >
> > the email, indicating that it is not allowed to pass this
> >
> > email on through a mailinglist
> > ...
> >
> > I investigated this on my side and the reason is that my ISP
> 1blu.de <http://1blu.de> adds
> > since January 20 2025 a DKIM-Signature to all my outgoing mails of:
> >
> > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> > d=unixarea.de <http://unixarea.de>
> > ; s=blu3434000;
> > h=Content-Transfer-Encoding:Content-Type:MIME-Version:
> > Reply-To:Message-
> ID:Subject:To:From:Date:Sender:Cc:Content-ID:
> >
> >
> > Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-
> To:Resent-Cc
> >
> >
> > :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-
> Unsubscribe:
> >
> > List-Subscribe:List-Post:List-Owner:List-Archive;
> >
> > bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=;
> > b=nlMvRnatrYiMjStI6F/rnF2zbZ
> >
> >
> DqqjgqpA4fezouBgwHPPz+VAN+msCPqY+I6oQa1B6eP5bNZhr9bi8UCvVvRmTWX+LC74GdzsYsfR9
> >
> >
> > 5zDhdwYSgxaU6fW4CbtGfhZT+v/
> lH+x2sPi3OEdBPIEdeuHstof32yzBm00xnRX0MttjZx8E9ReyG
> >
> >
> > GHBKSuWo9f80m9Y4VamhplV99V5aMxJZOU+MNVU/
> Jfdj9h4Q5aMfEtwT+SOCPBBoze7wFOpXRvQOd
> >
> >
> > MdYA7FtH3uUlpMn0FwqpopXHqTl7Xs+cKxT/AZwRnogqdwsFmQg3fMf0/
> Tr8gMAPGluXkdpC8kKog
> >
> > qw+9X8Sg==;
> >
> > i.e. the header lines of List-* are part of the DKIM signed lines.
> >
> > I can't change this, as the signing is done by the MTA of 1blu.de
> <http://1blu.de>. I raised
> > a ticket there, but without any luck until now.
> >
> > On the other hand, the RFC 6576 explicitly allows this, see the
> chapter
> >
> > 5.4.1. Recommended Signature Content
> >
> > and explains in B.2.3. Mailing Lists and Re-Posters
> > what mailing-list should do:
> >
> > A Forwarder that does not modify the body or signed header
> fields of
> > a message is likely to maintain the validity of the existing
> > signature. It also could choose to add its own signature to the
> > message. ...
> >
> > Rejecting the mails should not be done and is IMHO a bug!
> > Please fix this.
>
> This is an issue on your ISPs side (and usually caused by people
> carelessly using for example exim with its default set of signing
> headers).
> You should never send email with a signed List-* header to any
> mailinglist because the mailinglist system needs to modify/control that
> header.
>
>
> This is documented it a number of places - see for example the
> documentation for debian:
>
> https://wiki.debian.org/
> Exim#For_running_a_mailing_list_and_ensuring_all_sent_mail_is_DMARC_compliant <https://wiki.debian.org/Exim#For_running_a_mailing_list_and_ensuring_all_sent_mail_is_DMARC_compliant>
>
> or
>
> https://wiki.list.org/DOC/
> What%20can%20I%20do%20about%20members%20being%20unsubscribed%20by%20bounces%20of%20Yahoo%20user%27s%20posts%20for%20DMARC%20policy%20reasons%3F <https://wiki.list.org/DOC/What%20can%20I%20do%20about%20members%20being%20unsubscribed%20by%20bounces%20of%20Yahoo%20user%27s%20posts%20for%20DMARC%20policy%20reasons%3F>
>
> Some misconfigured mail servers sign the list-* headers. This is a bad
> idea, but it should especially never be done when submitting to a
> mailing list, since its telling that mailing list that the message
> can't
> be sent from any other mailing list without breaking DKIM.
>
>
>
> Stefan
>
Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> writes:
> On 22.02.25 17:56, Matthias Apitz wrote:
>> Have you read what the RFC 6576 specifies about exactly this case?
> we are a forwarder that (in the case of a List-* header) NEEDS to modify
> the message so we cannot forward it without breaking.
Yeah. Regardless of what may be written in the RFC, there are only
these possibilities when the mailing list forwarder receives a
message like this:
1. Add the PG list headers, don't touch the DKIM header, forward.
Most modern recipients will reject the result as spam because it
fails DKIM checks.
2. Don't add the PG list headers, don't touch the DKIM header,
forward. Many list recipients will discard or at least
misclassify the result for lack of PG list headers.
3. Add the PG list headers, discard the DKIM header, forward.
This may well end up marked as spam too, and it's certainly
not complying with the intent of DKIM.
4. Reject the message.
To the extent that including List-* in a DKIM signature has any
real-world use, it is precisely to disavow the message if it's
forwarded by a mailing list.
The short answer here is that your ISP are fools, or else are
intentionally preventing their users from participating in
mailing lists.
regards, tom lane
On 22.02.25 18:25, Tom Lane wrote: > Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> writes: >> On 22.02.25 17:56, Matthias Apitz wrote: >>> Have you read what the RFC 6576 specifies about exactly this case? > >> we are a forwarder that (in the case of a List-* header) NEEDS to modify >> the message so we cannot forward it without breaking. > > Yeah. Regardless of what may be written in the RFC, there are only > these possibilities when the mailing list forwarder receives a > message like this: > > 1. Add the PG list headers, don't touch the DKIM header, forward. > Most modern recipients will reject the result as spam because it > fails DKIM checks. > > 2. Don't add the PG list headers, don't touch the DKIM header, > forward. Many list recipients will discard or at least > misclassify the result for lack of PG list headers. > > 3. Add the PG list headers, discard the DKIM header, forward. > This may well end up marked as spam too, and it's certainly > not complying with the intent of DKIM. > > 4. Reject the message. > > To the extent that including List-* in a DKIM signature has any > real-world use, it is precisely to disavow the message if it's > forwarded by a mailing list. > > The short answer here is that your ISP are fools, or else are > intentionally preventing their users from participating in > mailing lists. exactly (and thanks for the roundup of our "non"-options). There is basically nothing we can do about that other than recommending a different ISP or one of the myriads of free mail providers out there that get this right. Stefan
On Sat, Feb 22, 2025 at 12:25:57PM -0500, Tom Lane wrote:
> Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> writes:
> > On 22.02.25 17:56, Matthias Apitz wrote:
> >> Have you read what the RFC 6576 specifies about exactly this case?
>
> > we are a forwarder that (in the case of a List-* header) NEEDS to modify
> > the message so we cannot forward it without breaking.
>
> Yeah. Regardless of what may be written in the RFC, there are only
> these possibilities when the mailing list forwarder receives a
> message like this:
>
> 1. Add the PG list headers, don't touch the DKIM header, forward.
> Most modern recipients will reject the result as spam because it
> fails DKIM checks.
>
> 2. Don't add the PG list headers, don't touch the DKIM header,
> forward. Many list recipients will discard or at least
> misclassify the result for lack of PG list headers.
>
> 3. Add the PG list headers, discard the DKIM header, forward.
> This may well end up marked as spam too, and it's certainly
> not complying with the intent of DKIM.
>
> 4. Reject the message.
>
> To the extent that including List-* in a DKIM signature has any
> real-world use, it is precisely to disavow the message if it's
> forwarded by a mailing list.
>
> The short answer here is that your ISP are fools, or else are
> intentionally preventing their users from participating in
> mailing lists.
I will admit I was shocked to realize I have to modify the default
Debian exim4 DKIM header signing to submit to email lists, and I am
confused why there is a header signing default on Debian that includes
List-* headers.
With the help of Magnus, I was able to use this script:
exim -bP macros | grep '^_DKIM_SIGN_HEADERS=' | sed --regexp-extended 's/:?\<(Resent-|List-)[^:]*//g'
to prevent signing of all Resent and List headers, and use this line in
exim4.conf.localmacros:
DKIM_SIGN_HEADERS=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:In-Reply-To:References
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Do not let urgent matters crowd out time for investment in the future.
I'm subscribed to some hundred technical mailing lists and do not face this problem with any other list, only with the PostgreSQL lists. For example, when I write to the list mutt-users@mutt.org and my ISP 1blu.de sends the same DKIM-Signature containing these List-* entries (which might be there or not, what I count a religious war depending of how one reads the RFC in question), what gets delivered by the mutt-users@mutt.org list server to the subscribers, like me, DKIM related is only:
grep ^DKIM mutt.mail
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org C3A51819CC
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 5EB3A605E8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 5EB3A605E8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
On Sat, Feb 22, 2025 at 6:47 PM Bruce Momjian <bruce@momjian.us> wrote:
On Sat, Feb 22, 2025 at 12:25:57PM -0500, Tom Lane wrote:
> Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> writes:
> > On 22.02.25 17:56, Matthias Apitz wrote:
> >> Have you read what the RFC 6576 specifies about exactly this case?
>
> > we are a forwarder that (in the case of a List-* header) NEEDS to modify
> > the message so we cannot forward it without breaking.
>
> Yeah. Regardless of what may be written in the RFC, there are only
> these possibilities when the mailing list forwarder receives a
> message like this:
>
> 1. Add the PG list headers, don't touch the DKIM header, forward.
> Most modern recipients will reject the result as spam because it
> fails DKIM checks.
>
> 2. Don't add the PG list headers, don't touch the DKIM header,
> forward. Many list recipients will discard or at least
> misclassify the result for lack of PG list headers.
>
> 3. Add the PG list headers, discard the DKIM header, forward.
> This may well end up marked as spam too, and it's certainly
> not complying with the intent of DKIM.
>
> 4. Reject the message.
>
> To the extent that including List-* in a DKIM signature has any
> real-world use, it is precisely to disavow the message if it's
> forwarded by a mailing list.
>
> The short answer here is that your ISP are fools, or else are
> intentionally preventing their users from participating in
> mailing lists.
I will admit I was shocked to realize I have to modify the default
Debian exim4 DKIM header signing to submit to email lists, and I am
confused why there is a header signing default on Debian that includes
List-* headers.
With the help of Magnus, I was able to use this script:
exim -bP macros | grep '^_DKIM_SIGN_HEADERS=' | sed --regexp-extended 's/:?\<(Resent-|List-)[^:]*//g'
to prevent signing of all Resent and List headers, and use this line in
exim4.conf.localmacros:
DKIM_SIGN_HEADERS=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:In-Reply-To:References
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Do not let urgent matters crowd out time for investment in the future.
Hi Matthias! On 24.02.25 07:55, Matthias Apitz wrote: > I'm subscribed to some hundred technical mailing lists and do not face > this problem with any other list, only with the PostgreSQL lists. For > example, when I write to the list mutt-users@mutt.org <mailto:mutt- > users@mutt.org> and my ISP 1blu.de <http://1blu.de> sends the same DKIM- > Signature containing these List-* entries (which might be there or not, > what I count a religious war depending of how one reads the RFC in > question), what gets delivered by the mutt-users@mutt.org <mailto:mutt- > users@mutt.org> list server to the subscribers, like me, DKIM related is > only: I think it has been explained a few times now that out options are either to reject mails with signed List-* headers before distribution or distribute them with a broken signature. We will not distribute mails with broken signatures because that would immediately cause us to get into serious blacklisting troubles with all large mail providers worldwide - we have been there and we will not go back. We _NEED_ our own List-* headers on our mails to comply with say gmail policies for large senders (5k mails/24h for google and we are way above that) and to provide easy features for our users (say one-click unsubscribe in most popular webmail interfaces), so there is nothing we can do here unfortunately. > > grep ^DKIM mutt.mail > DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org <http:// > smtp1.osuosl.org> C3A51819CC > DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org <http:// > smtp3.osuosl.org> 5EB3A605E8 > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; not sure what you are try to tell us here - what is relevant is whether the signature (if there is one) still validates and whether those lists actually maintain List-* headers. Stefan
Hi Stefan,
>
> grep ^DKIM mutt.mail
> DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org <http://
> smtp1.osuosl.org> C3A51819CC
> DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org <http://
> smtp3.osuosl.org> 5EB3A605E8
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
not sure what you are try to tell us here - what is relevant is whether
the signature (if there is one) still validates and whether those lists
actually maintain List-* headers.
The mail I sent to the mutt-users mailing list contains what my provider adds as DKIM-signature:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=unixarea.de
; s=blu3434000; h=Content-Transfer-Encoding:Content-Type:MIME-Version:
Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=; b=evptchc8isl0uD+RpFR+iPUP1z
Fsx3N3+Hy1JPLQlNuGuHzKZA460Lgd/X+ZZQfp/LQVvcVVWfvMPXOOoNz9ANhTJPCfhAtfu0zit2a
Xozgq0bH66Ig2PNNayGDoz+BOocDLTqT87Ue9O+OOYp5VXrV2r3xFdwPMI5rmSklhECwQiMMgpfb2
Hnp1yOfjq5W9JdHjYCbMPFWCR+4BCyfPzUCKRJDN/txoUMTHr73Ip0S95QAhw1cT++2zGHeIv9Sdv
3G+bZxy/UpIRg0WMmD6P+04gNjxGBWlOu8YukSX/g3k1sYiBpnbKnh5NdWI/ZPpS5S+WQAqbzteWS
dhKhQmVw==;
; s=blu3434000; h=Content-Transfer-Encoding:Content-Type:MIME-Version:
Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=; b=evptchc8isl0uD+RpFR+iPUP1z
Fsx3N3+Hy1JPLQlNuGuHzKZA460Lgd/X+ZZQfp/LQVvcVVWfvMPXOOoNz9ANhTJPCfhAtfu0zit2a
Xozgq0bH66Ig2PNNayGDoz+BOocDLTqT87Ue9O+OOYp5VXrV2r3xFdwPMI5rmSklhECwQiMMgpfb2
Hnp1yOfjq5W9JdHjYCbMPFWCR+4BCyfPzUCKRJDN/txoUMTHr73Ip0S95QAhw1cT++2zGHeIv9Sdv
3G+bZxy/UpIRg0WMmD6P+04gNjxGBWlOu8YukSX/g3k1sYiBpnbKnh5NdWI/ZPpS5S+WQAqbzteWS
dhKhQmVw==;
and what is then delivered by the server of mutt.org is:
From mutt-users-bounces@mutt.org Sat Feb 22 13:06:32 2025
Return-Path: <mutt-users-bounces@mutt.org>
Delivered-To: w51246_0-guru@mb-13.1blu.de
Received: from ms-10.1blu.de ([172.16.180.5])
by mb-13.1blu.de with LMTP
id qFnPOMi9uWcneDoA2HEZdA
(envelope-from <mutt-users-bounces@mutt.org>)
for <w51246_0-guru@mb-13.1blu.de>; Sat, 22 Feb 2025 13:06:32 +0100
Received: from [140.211.166.138] (helo=smtp1.osuosl.org)
by ms-10.1blu.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.95)
(envelope-from <mutt-users-bounces@mutt.org>)
id 1tloHA-007Lt2-G5
for guru@unixarea.de;
Sat, 22 Feb 2025 13:06:32 +0100
Received: from localhost (localhost [127.0.0.1])
by smtp1.osuosl.org (Postfix) with ESMTP id D22D381A99;
Sat, 22 Feb 2025 12:06:28 +0000 (UTC)
X-Virus-Scanned: amavis at osuosl.org
Received: from smtp1.osuosl.org ([127.0.0.1])
by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP
id tw30mst0o_g3; Sat, 22 Feb 2025 12:06:27 +0000 (UTC)
X-Comment: SPF check N/A for local connections - client-ip=140.211.166.142; helo=lists1.osuosl.org; envelope-from=mutt-users-bounces@mutt.org; receiver=<UNKNOWN>
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org C3A51819CC
Received: from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])
by smtp1.osuosl.org (Postfix) with ESMTP id C3A51819CC;
Sat, 22 Feb 2025 12:06:25 +0000 (UTC)
X-Original-To: mutt-users@mutt.org
Delivered-To: mutt-users@mutt.org
Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
by lists1.osuosl.org (Postfix) with ESMTP id 79403D92
for <mutt-users@mutt.org>; Sat, 22 Feb 2025 12:06:22 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp3.osuosl.org (Postfix) with ESMTP id 73F5960670
for <mutt-users@mutt.org>; Sat, 22 Feb 2025 12:06:22 +0000 (UTC)
X-Virus-Scanned: amavis at osuosl.org
Received: from smtp3.osuosl.org ([127.0.0.1])
by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP
id V8r3TyVZo1ko for <mutt-users@mutt.org>;
Sat, 22 Feb 2025 12:06:21 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=178.254.4.101;
helo=ms-10.1blu.de; envelope-from=guru@unixarea.de; receiver=<UNKNOWN>
DMARC-Filter: OpenDMARC Filter v1.4.2 smtp3.osuosl.org 5EB3A605E8
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 5EB3A605E8
Received: from ms-10.1blu.de (ms-10.1blu.de [178.254.4.101])
by smtp3.osuosl.org (Postfix) with ESMTPS id 5EB3A605E8
for <mutt-users@mutt.org>; Sat, 22 Feb 2025 12:06:19 +0000 (UTC)
Received: from [62.216.207.183] (helo=localhost.unixarea.de)
by ms-10.1blu.de with esmtpsa (TLS1.2) tls
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
(envelope-from <guru@unixarea.de>) id 1tloGu-007LCE-Uk
for mutt-users@mutt.org; Sat, 22 Feb 2025 13:06:17 +0100
Received: from localhost.my.domain (c720-1400094 [127.0.0.1])
by localhost.unixarea.de (8.17.1/8.14.9) with ESMTP id 51MC6GFG003949
for <mutt-users@mutt.org>; Sat, 22 Feb 2025 13:06:16 +0100 (CET)
(envelope-from guru@unixarea.de)
Received: (from guru@localhost)
by localhost.my.domain (8.17.1/8.14.9/Submit) id 51MC6GLH003948
for mutt-users@mutt.org; Sat, 22 Feb 2025 13:06:16 +0100 (CET)
(envelope-from guru@unixarea.de)
X-Authentication-Warning: localhost.my.domain: guru set sender to
guru@unixarea.de using -f
Date: Sat, 22 Feb 2025 13:06:16 +0100
From: Matthias Apitz <guru@unixarea.de>
To: mutt-users@mutt.org
Subject: Re: DKIM signature rejected
Message-ID: <Z7m9uGjDYsCWdHtS@c720-1400094>
Mail-Followup-To: mutt-users@mutt.org
References: <Z7b6/ObsQG8OZOPO@pureos> <AEi2z70BWrXPL2R8@aceecat.org>
<Z7dhM3q7jskyCxPv@c720-1400094> <0kLY0pByvZWAaOff@aceecat.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <0kLY0pByvZWAaOff@aceecat.org>
X-Operating-System: FreeBSD 14.0-CURRENT r1400094 (amd64)
X-message-flag: Mails in HTML will not be read! Please, only plain text.
X-Con-Id: 51246
X-Con-U: 0-guru
X-Originating-IP: 62.216.207.183
X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;
c=relaxed/relaxed; d=unixarea.de
; s=blu3434000; h=In-Reply-To:Content-Transfer-Encoding:Content-Type:
MIME-Version:References:Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:
Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=P0GNuJT8+PqDMtQ3yPxl7iG7yOg5kBSJK0qy2eUD1OA=; b=INTn3Hn+OfMu9af5aja77QeUIt
HPBI0HbqSQJD6ubWyMQ+HUcBfLnzCwK+AxzG7VVZ1+s+/WPRW1hHSWMpxW3Zmvsvi6jeENJyWKx6B
UXM3l4/38I3zsttiFBwkhixQphmBxlddGhxl0CG5mp/7q/3SQRRZozNw+0FWymaqMrUlwXC6u9KRO
Y2TLajF5Og9Wuj5OCkqLaZdhSBM/SvZlPDpFswxf8xiuF9uEbVc4WQr+lPSEzJ5FWs6uBCo841rht
jVFH2/4r/JBxVCVJyz+p8p2QFaaeFGRNppmNwUx99FxErUo2n6VLgEWW7ESCoJiyP+NqM5VXwJdkH
HGroZ40A==;
X-Mailman-Original-Authentication-Results: smtp3.osuosl.org;
dmarc=none (p=none dis=none)
header.from=unixarea.de
X-Mailman-Original-Authentication-Results: smtp3.osuosl.org;
dkim=pass (2048-bit key,
unprotected) header.d=unixarea.de header.i=@unixarea.de header.a=rsa-sha256
header.s=blu3434000 header.b=INTn3Hn+
X-BeenThere: mutt-users@mutt.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: <mutt-users.mutt.org>
List-Unsubscribe: <https://lists.mutt.org/mailman/options/mutt-users>,
<mailto:mutt-users-request@mutt.org?subject=unsubscribe>
List-Archive: <http://lists.mutt.org/pipermail/mutt-users/>
List-Post: <mailto:mutt-users@mutt.org>
List-Help: <mailto:mutt-users-request@mutt.org?subject=help>
List-Subscribe: <https://lists.mutt.org/mailman/listinfo/mutt-users>,
<mailto:mutt-users-request@mutt.org?subject=subscribe>
Reply-To: Matthias Apitz <guru@unixarea.de>
Errors-To: mutt-users-bounces@mutt.org
X-Envelope-To: @
Status: RO
Content-Length: 4445
Lines: 118
El día viernes, febrero 21, 2025 a las 01:21:02p. m. -0800, googly.negotiator862@aceecat.org escribió:
...
Return-Path: <mutt-users-bounces@mutt.org>
Delivered-To: w51246_0-guru@mb-13.1blu.de
Received: from ms-10.1blu.de ([172.16.180.5])
by mb-13.1blu.de with LMTP
id qFnPOMi9uWcneDoA2HEZdA
(envelope-from <mutt-users-bounces@mutt.org>)
for <w51246_0-guru@mb-13.1blu.de>; Sat, 22 Feb 2025 13:06:32 +0100
Received: from [140.211.166.138] (helo=smtp1.osuosl.org)
by ms-10.1blu.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.95)
(envelope-from <mutt-users-bounces@mutt.org>)
id 1tloHA-007Lt2-G5
for guru@unixarea.de;
Sat, 22 Feb 2025 13:06:32 +0100
Received: from localhost (localhost [127.0.0.1])
by smtp1.osuosl.org (Postfix) with ESMTP id D22D381A99;
Sat, 22 Feb 2025 12:06:28 +0000 (UTC)
X-Virus-Scanned: amavis at osuosl.org
Received: from smtp1.osuosl.org ([127.0.0.1])
by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP
id tw30mst0o_g3; Sat, 22 Feb 2025 12:06:27 +0000 (UTC)
X-Comment: SPF check N/A for local connections - client-ip=140.211.166.142; helo=lists1.osuosl.org; envelope-from=mutt-users-bounces@mutt.org; receiver=<UNKNOWN>
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org C3A51819CC
Received: from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])
by smtp1.osuosl.org (Postfix) with ESMTP id C3A51819CC;
Sat, 22 Feb 2025 12:06:25 +0000 (UTC)
X-Original-To: mutt-users@mutt.org
Delivered-To: mutt-users@mutt.org
Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
by lists1.osuosl.org (Postfix) with ESMTP id 79403D92
for <mutt-users@mutt.org>; Sat, 22 Feb 2025 12:06:22 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp3.osuosl.org (Postfix) with ESMTP id 73F5960670
for <mutt-users@mutt.org>; Sat, 22 Feb 2025 12:06:22 +0000 (UTC)
X-Virus-Scanned: amavis at osuosl.org
Received: from smtp3.osuosl.org ([127.0.0.1])
by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP
id V8r3TyVZo1ko for <mutt-users@mutt.org>;
Sat, 22 Feb 2025 12:06:21 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=178.254.4.101;
helo=ms-10.1blu.de; envelope-from=guru@unixarea.de; receiver=<UNKNOWN>
DMARC-Filter: OpenDMARC Filter v1.4.2 smtp3.osuosl.org 5EB3A605E8
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 5EB3A605E8
Received: from ms-10.1blu.de (ms-10.1blu.de [178.254.4.101])
by smtp3.osuosl.org (Postfix) with ESMTPS id 5EB3A605E8
for <mutt-users@mutt.org>; Sat, 22 Feb 2025 12:06:19 +0000 (UTC)
Received: from [62.216.207.183] (helo=localhost.unixarea.de)
by ms-10.1blu.de with esmtpsa (TLS1.2) tls
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
(envelope-from <guru@unixarea.de>) id 1tloGu-007LCE-Uk
for mutt-users@mutt.org; Sat, 22 Feb 2025 13:06:17 +0100
Received: from localhost.my.domain (c720-1400094 [127.0.0.1])
by localhost.unixarea.de (8.17.1/8.14.9) with ESMTP id 51MC6GFG003949
for <mutt-users@mutt.org>; Sat, 22 Feb 2025 13:06:16 +0100 (CET)
(envelope-from guru@unixarea.de)
Received: (from guru@localhost)
by localhost.my.domain (8.17.1/8.14.9/Submit) id 51MC6GLH003948
for mutt-users@mutt.org; Sat, 22 Feb 2025 13:06:16 +0100 (CET)
(envelope-from guru@unixarea.de)
X-Authentication-Warning: localhost.my.domain: guru set sender to
guru@unixarea.de using -f
Date: Sat, 22 Feb 2025 13:06:16 +0100
From: Matthias Apitz <guru@unixarea.de>
To: mutt-users@mutt.org
Subject: Re: DKIM signature rejected
Message-ID: <Z7m9uGjDYsCWdHtS@c720-1400094>
Mail-Followup-To: mutt-users@mutt.org
References: <Z7b6/ObsQG8OZOPO@pureos> <AEi2z70BWrXPL2R8@aceecat.org>
<Z7dhM3q7jskyCxPv@c720-1400094> <0kLY0pByvZWAaOff@aceecat.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <0kLY0pByvZWAaOff@aceecat.org>
X-Operating-System: FreeBSD 14.0-CURRENT r1400094 (amd64)
X-message-flag: Mails in HTML will not be read! Please, only plain text.
X-Con-Id: 51246
X-Con-U: 0-guru
X-Originating-IP: 62.216.207.183
X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;
c=relaxed/relaxed; d=unixarea.de
; s=blu3434000; h=In-Reply-To:Content-Transfer-Encoding:Content-Type:
MIME-Version:References:Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:
Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=P0GNuJT8+PqDMtQ3yPxl7iG7yOg5kBSJK0qy2eUD1OA=; b=INTn3Hn+OfMu9af5aja77QeUIt
HPBI0HbqSQJD6ubWyMQ+HUcBfLnzCwK+AxzG7VVZ1+s+/WPRW1hHSWMpxW3Zmvsvi6jeENJyWKx6B
UXM3l4/38I3zsttiFBwkhixQphmBxlddGhxl0CG5mp/7q/3SQRRZozNw+0FWymaqMrUlwXC6u9KRO
Y2TLajF5Og9Wuj5OCkqLaZdhSBM/SvZlPDpFswxf8xiuF9uEbVc4WQr+lPSEzJ5FWs6uBCo841rht
jVFH2/4r/JBxVCVJyz+p8p2QFaaeFGRNppmNwUx99FxErUo2n6VLgEWW7ESCoJiyP+NqM5VXwJdkH
HGroZ40A==;
X-Mailman-Original-Authentication-Results: smtp3.osuosl.org;
dmarc=none (p=none dis=none)
header.from=unixarea.de
X-Mailman-Original-Authentication-Results: smtp3.osuosl.org;
dkim=pass (2048-bit key,
unprotected) header.d=unixarea.de header.i=@unixarea.de header.a=rsa-sha256
header.s=blu3434000 header.b=INTn3Hn+
X-BeenThere: mutt-users@mutt.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: <mutt-users.mutt.org>
List-Unsubscribe: <https://lists.mutt.org/mailman/options/mutt-users>,
<mailto:mutt-users-request@mutt.org?subject=unsubscribe>
List-Archive: <http://lists.mutt.org/pipermail/mutt-users/>
List-Post: <mailto:mutt-users@mutt.org>
List-Help: <mailto:mutt-users-request@mutt.org?subject=help>
List-Subscribe: <https://lists.mutt.org/mailman/listinfo/mutt-users>,
<mailto:mutt-users-request@mutt.org?subject=subscribe>
Reply-To: Matthias Apitz <guru@unixarea.de>
Errors-To: mutt-users-bounces@mutt.org
X-Envelope-To: @
Status: RO
Content-Length: 4445
Lines: 118
El día viernes, febrero 21, 2025 a las 01:21:02p. m. -0800, googly.negotiator862@aceecat.org escribió:
...
Why postgresql.org can not do the same?
Matthias
On 24.02.25 10:45, Matthias Apitz wrote: > > Hi Stefan, > > > > > grep ^DKIM mutt.mail > > DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org <http:// > smtp1.osuosl.org> <http:// > > smtp1.osuosl.org <http://smtp1.osuosl.org>> C3A51819CC > > DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org <http:// > smtp3.osuosl.org> <http:// > > smtp3.osuosl.org <http://smtp3.osuosl.org>> 5EB3A605E8 > > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; > > > not sure what you are try to tell us here - what is relevant is whether > the signature (if there is one) still validates and whether those lists > actually maintain List-* headers. > > > The mail I sent to the mutt-users mailing list contains what my provider > adds as DKIM-signature: > [...headers showing mailman forcibly removing dkim signatures...] > ... > > Why postgresql.org <http://postgresql.org> can not do the same? sorry to be blunt but that behaviour is completely broken in a modern mail world (though it might have worked like 10+ years ago) - it looks like that list is simply removing dkim signatures, per the standard that means the signature is invalid (because an invalid signature is treated the same as an unsigned). Unsigned mails(these days SPF, DKIM and DMARFC are not optional any more) are basically undeliverable at scale to all large mail providers other than if you are a super low volume sender - so that is a complete non-starter for us. Also note that that particular mailinglist setup seems to be unsuitable for large volumen lists to say google anyway because afaiks it does not support RFC8058 which is a google requirement for large senders. It might work for (no offense intended) for a super tiny mailinglist like mutt-users@ with a 2 figure number of mails per month (and probaly a very small amount of subscribers) but not for us where we have easily 100x if not more that volume. Stefan
Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> writes:
> Unsigned mails(these days SPF, DKIM and DMARFC are not optional any
> more) are basically undeliverable at scale to all large mail providers
> other than if you are a super low volume sender - so that is a complete
> non-starter for us.
Yeah. The key point here is that we are not constrained only by
what it says in the RFCs. We have to stay on the good side of the
anti-spam policies at gmail and other large email providers, or
we'll be blocked from delivering to large swaths of our user base.
regards, tom lane
On Mon, Feb 24, 2025 at 4:45 AM Matthias Apitz <gurucubano@googlemail.com> wrote:
Why postgresql.org can not do the same?
Honestly, it's worth pointing out that you are the only one complaining about this issue. Were it hundreds of others, we might react differently. But since it's only you, it further supports the "your problem, not ours" prognosis.
Cheers,
Greg
--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support
On Mon, Feb 24, 2025 at 10:47:26AM -0500, Greg Sabino Mullane wrote: > On Mon, Feb 24, 2025 at 4:45 AM Matthias Apitz <gurucubano@googlemail.com> > wrote: > > Why postgresql.org can not do the same? > > > Honestly, it's worth pointing out that you are the only one complaining about > this issue. Were it hundreds of others, we might react differently. But since > it's only you, it further supports the "your problem, not ours" prognosis. He did point out that many other mailing lists are fine with his configuration, so that works in his favor. I think we are just more precise than those other lists. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Do not let urgent matters crowd out time for investment in the future.
On Mon, Feb 24, 2025 at 10:55 AM Bruce Momjian <bruce@momjian.us> wrote:
He did point out that many other mailing lists are fine with his configuration, so that works in his favor. I think we are just more
precise than those other lists.
Yeah. Presumably if those lists become more popular, they would suffer the same ill effects from Google et. al.
Cheers,
Greg
--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support
On Mon, Feb 24, 2025 at 3:48 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> writes:
> Unsigned mails(these days SPF, DKIM and DMARFC are not optional any
> more) are basically undeliverable at scale to all large mail providers
> other than if you are a super low volume sender - so that is a complete
> non-starter for us.
Yeah. The key point here is that we are not constrained only by
what it says in the RFCs. We have to stay on the good side of the
anti-spam policies at gmail and other large email providers, or
we'll be blocked from delivering to large swaths of our user base.
Yes, indeed.
At one point not too long ago we had something like 60+% of our emails to gmail getting delayed or dropped, leaving us with delivery queues exceeding I think 2 million emails to gmail based destinations. Implementing this DKIM fix is one of the things we did to get off that list...
//Magnus
My provider informed me and I see that they modified the DKIM signing
to:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=unixarea.de
; s=blu3434000; h=Content-Transfer-Encoding:Content-Type:MIME-Version:
Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=; b=K2hfkuZCi802dfTu0VVFH8Hyjs
HtCy32IT5zriGVENgNVCIgaFBWAQsD7OwsZ5joN0BeiEUAn2f5oBsLPf1HyRmcg9ZWW9b1CF1Nvk3
algyaqs2z28yCJQOxASW7HV3f4fY/F1HTSZ81Yr6HBVKAky2Iw5ii5sXnXN2MM9vB9wKirF9qoQnK
QPQMJMKKP+T5mQ1B7R7pE62RaqivzVTBj4/lca9Jg4QmxZ3ir8W+Dh06pV0MfFR3gilUl4JInHJ3S
lQFs3XnGBV/24aSzeqePfp9Ogo5ypOUp4/S7JAUVRtPGh9/+E6rXRc02Q1jySLoQTe++ocy/iXY/Z
hL7XqoEQ==;
So the bug perhaps could be closed.
matthias
--
Matthias Apitz, ✉ guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Hi Matthias! On 25.02.25 14:30, Matthias Apitz wrote: > My provider informed me and I see that they modified the DKIM signing > to: > > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=unixarea.de > ; s=blu3434000; h=Content-Transfer-Encoding:Content-Type:MIME-Version: > Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID: > Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc > :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: > List-Subscribe:List-Post:List-Owner:List-Archive; > bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=; b=K2hfkuZCi802dfTu0VVFH8Hyjs > HtCy32IT5zriGVENgNVCIgaFBWAQsD7OwsZ5joN0BeiEUAn2f5oBsLPf1HyRmcg9ZWW9b1CF1Nvk3 > algyaqs2z28yCJQOxASW7HV3f4fY/F1HTSZ81Yr6HBVKAky2Iw5ii5sXnXN2MM9vB9wKirF9qoQnK > QPQMJMKKP+T5mQ1B7R7pE62RaqivzVTBj4/lca9Jg4QmxZ3ir8W+Dh06pV0MfFR3gilUl4JInHJ3S > lQFs3XnGBV/24aSzeqePfp9Ogo5ypOUp4/S7JAUVRtPGh9/+E6rXRc02Q1jySLoQTe++ocy/iXY/Z > hL7XqoEQ==; I think you copied the wrong one here ;) - the above snippet actually contains the previous DKIM-Siganture but the header in your actual mail looks good! > > So the bug perhaps could be closed. nice to hear and glad you found someone to talk to at your ISP to get this sorted! Stefan
El día martes, febrero 25, 2025 a las 03:03:33p. m. +0100, Stefan Kaltenbrunner escribió:
> Hi Matthias!
>
> On 25.02.25 14:30, Matthias Apitz wrote:
> > My provider informed me and I see that they modified the DKIM signing
> > to:
> >
> > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=unixarea.de
> > ; s=blu3434000; h=Content-Transfer-Encoding:Content-Type:MIME-Version:
> > Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
> > Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
> > :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
> > List-Subscribe:List-Post:List-Owner:List-Archive;
> > bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=; b=K2hfkuZCi802dfTu0VVFH8Hyjs
> > HtCy32IT5zriGVENgNVCIgaFBWAQsD7OwsZ5joN0BeiEUAn2f5oBsLPf1HyRmcg9ZWW9b1CF1Nvk3
> > algyaqs2z28yCJQOxASW7HV3f4fY/F1HTSZ81Yr6HBVKAky2Iw5ii5sXnXN2MM9vB9wKirF9qoQnK
> > QPQMJMKKP+T5mQ1B7R7pE62RaqivzVTBj4/lca9Jg4QmxZ3ir8W+Dh06pV0MfFR3gilUl4JInHJ3S
> > lQFs3XnGBV/24aSzeqePfp9Ogo5ypOUp4/S7JAUVRtPGh9/+E6rXRc02Q1jySLoQTe++ocy/iXY/Z
> > hL7XqoEQ==;
>
> I think you copied the wrong one here ;) - the above snippet actually
> contains the previous DKIM-Siganture but the header in your actual mail
> looks good!
You're correct. This looks like the old one. But when I write to my
company account, it is also only this one:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=unixarea.de
; s=blu3434000; h=Content-Transfer-Encoding:Content-Type:MIME-Version:
Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
Content-Description:In-Reply-To:References;
bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=; b=ZYVR5g2i7fFIerrPqWcHSZrYy1
vum6yy3LdF1Gkm/ZUDrgBO+SOYmMXzjf9ZPvjNT5KpNn62UhlPKNFSnZOpWH+ZBGHFRiiRX2SPPu1
v/epIArkhSLXNoWs/UpiHAD+xN5qgA4KmSGuusMsVu1aTePUDRghSF/AbMa5UMYZ92nD4VJ2HSREU
obF2tfob0lT0mo3GkXk6Ea83OG2PX4zAwIAI3Zvvf+bbe2pR2hhWeM3Od5pOq4JIDk7BHOom/H7JI
X0JjZBnhrZyVHCfZzWzGaCpy4wVuaGU+MFBfBDYV3lY2xIdGxXM1ScoNj2JAKbXKioER2vWMzw4j1
kCDbFhHQ==;
How this depends of the mail recipient addr?
> >
> > So the bug perhaps could be closed.
>
> nice to hear and glad you found someone to talk to at your ISP to get this
> sorted!
Or should I ask my ISP?
matthias
--
Matthias Apitz, ✉ guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
On 25.02.25 15:30, Matthias Apitz wrote: > El día martes, febrero 25, 2025 a las 03:03:33p. m. +0100, Stefan Kaltenbrunner escribió: > >> Hi Matthias! >> >> On 25.02.25 14:30, Matthias Apitz wrote: >>> My provider informed me and I see that they modified the DKIM signing >>> to: >>> >>> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=unixarea.de >>> ; s=blu3434000; h=Content-Transfer-Encoding:Content-Type:MIME-Version: >>> Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID: >>> Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc >>> :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: >>> List-Subscribe:List-Post:List-Owner:List-Archive; >>> bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=; b=K2hfkuZCi802dfTu0VVFH8Hyjs >>> HtCy32IT5zriGVENgNVCIgaFBWAQsD7OwsZ5joN0BeiEUAn2f5oBsLPf1HyRmcg9ZWW9b1CF1Nvk3 >>> algyaqs2z28yCJQOxASW7HV3f4fY/F1HTSZ81Yr6HBVKAky2Iw5ii5sXnXN2MM9vB9wKirF9qoQnK >>> QPQMJMKKP+T5mQ1B7R7pE62RaqivzVTBj4/lca9Jg4QmxZ3ir8W+Dh06pV0MfFR3gilUl4JInHJ3S >>> lQFs3XnGBV/24aSzeqePfp9Ogo5ypOUp4/S7JAUVRtPGh9/+E6rXRc02Q1jySLoQTe++ocy/iXY/Z >>> hL7XqoEQ==; >> >> I think you copied the wrong one here ;) - the above snippet actually >> contains the previous DKIM-Siganture but the header in your actual mail >> looks good! > > You're correct. This looks like the old one. But when I write to my > company account, it is also only this one: > > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=unixarea.de > ; s=blu3434000; h=Content-Transfer-Encoding:Content-Type:MIME-Version: > Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID: > Content-Description:In-Reply-To:References; > bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=; b=ZYVR5g2i7fFIerrPqWcHSZrYy1 > vum6yy3LdF1Gkm/ZUDrgBO+SOYmMXzjf9ZPvjNT5KpNn62UhlPKNFSnZOpWH+ZBGHFRiiRX2SPPu1 > v/epIArkhSLXNoWs/UpiHAD+xN5qgA4KmSGuusMsVu1aTePUDRghSF/AbMa5UMYZ92nD4VJ2HSREU > obF2tfob0lT0mo3GkXk6Ea83OG2PX4zAwIAI3Zvvf+bbe2pR2hhWeM3Od5pOq4JIDk7BHOom/H7JI > X0JjZBnhrZyVHCfZzWzGaCpy4wVuaGU+MFBfBDYV3lY2xIdGxXM1ScoNj2JAKbXKioER2vWMzw4j1 > kCDbFhHQ==; > > How this depends of the mail recipient addr? I dont think it does depend on the recipient address - the signature of the mails you are sending now is fine - I suspect you simply had a c&p error in your mail... > >>> >>> So the bug perhaps could be closed. >> >> nice to hear and glad you found someone to talk to at your ISP to get this >> sorted! > > Or should I ask my ISP? no need for that I think, afaiks everything is right now. Stefan
El día miércoles, febrero 26, 2025 a las 03:14:16 +0100, Stefan Kaltenbrunner escribió: > On 25.02.25 15:30, Matthias Apitz wrote: > > El día martes, febrero 25, 2025 a las 03:03:33p. m. +0100, Stefan Kaltenbrunner escribió: > > > > > Hi Matthias! > > > > > > On 25.02.25 14:30, Matthias Apitz wrote: > > > > My provider informed me and I see that they modified the DKIM signing > > > > to: > > > > > > > > How this depends of the mail recipient addr? > > I dont think it does depend on the recipient > address - the signature of the mails you are > sending now is fine - I suspect you simply had a > c&p error in your mail... Hi Stefan, I double checked it: sending to my company account gives correct DKIM, sending to me the broken one. -- Matthias Apitz, ✉ guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub
Hi Matthias! On 26.02.25 15:59, Matthias Apitz wrote: > El día miércoles, febrero 26, 2025 a las 03:14:16 +0100, Stefan Kaltenbrunner escribió: > >> On 25.02.25 15:30, Matthias Apitz wrote: >>> El día martes, febrero 25, 2025 a las 03:03:33p. m. +0100, Stefan Kaltenbrunner escribió: >>> >>>> Hi Matthias! >>>> >>>> On 25.02.25 14:30, Matthias Apitz wrote: >>>>> My provider informed me and I see that they modified the DKIM signing >>>>> to: >>>>> >>> >>> How this depends of the mail recipient addr? >> >> I dont think it does depend on the recipient >> address - the signature of the mails you are >> sending now is fine - I suspect you simply had a >> c&p error in your mail... > > Hi Stefan, > > I double checked it: sending to my company account gives correct DKIM, > sending to me the broken one. so if I have to make a very wild guess I would think that your ISP runs a multi-stage MTA setup - one set of boxes responsible for relaying/sending externally and one set of boxes for local delivery - maybe the configuration change was only applied for mail that is sent externally/relayed over them and not for mail sent to local mailboxes. Stefan
On Mon, 24 Feb 2025 10:55:31 -0500 Bruce Momjian <bruce@momjian.us> wrote: > On Mon, Feb 24, 2025 at 10:47:26AM -0500, Greg Sabino Mullane wrote: > > On Mon, Feb 24, 2025 at 4:45 AM Matthias Apitz > > <gurucubano@googlemail.com> wrote: > > > > Why postgresql.org can not do the same? > > > > > > Honestly, it's worth pointing out that you are the only one > > complaining about this issue. Were it hundreds of others, we might > > react differently. But since it's only you, it further supports the > > "your problem, not ours" prognosis. > > He did point out that many other mailing lists are fine with his > configuration, so that works in his favor. I think we are just more > precise than those other lists. Well to be clear, I think lots of us don't love DKIM. If I recall correctly, Amazon turned it on somewhat recently and broke all their employees ability to use company email with the any major mailing lists. Not just postgresql but also LKML, IETF, etc. And Amazon is not the first. There is documentation on the internet of Intel [1] and Google [2] doing the same. And don't use Yahoo for your personal email, who famously back in 2014 broke every mailing list in the world [3]. Back when I worked at Amazon and they started enforcing, I didn't bother complaining - I just permanently switched to using my personal gmail account for open source mailing list participation. I think the whole DKIM thing is a mess but I don't think it's a postgres problem. -Jeremy 1: https://lore.kernel.org/lkml/20211214150032.nioelgvmase7yyus@meerkat.local/ 2: https://news.ycombinator.com/item?id=13425802 3: https://mailarchive.ietf.org/arch/msg/ietf/J-IsfA0Lb-6T_NeMD1ENKZyb9tA/
I asked my ISP about the diff between DKIM in my Bcc: and public
destinations and they wrote over the night to me:
Sehr geehrter Herr Apitz,
gerne haben wir das auch für lokale Mails geändert. Einen technischen
Unterschied macht das allerdings nicht.
Mit freundlichen Grüßen aus Berlin,
Ihr 1blu-Support-Team
i.e. they changed it now for "local mails" also.
matthias
--
Matthias Apitz, ✉ guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub