FreeBSD lists and DKIM
dg at pki2.com
Sun Aug 3 18:27:09 UTC 2014
On Sun, 2014-08-03 at 09:11 +0100, Matthew Seaman wrote:
> On 02/08/2014 21:32, Dennis Glatting wrote:
> > Mail coming through the FreeBSD lists often breaks messages signed
> > through DKIM. What is the policy to resolve this issue?
> > Turning off DKIM isn't an option. If there is a signature, such as
> > someone in the chain coming through gmail, it must validate or the
> > message is rejected. I understand this is a common problem for email
> > lists and there are patches available to reformat messages.
> > http://tools.ietf.org/html/rfc6377
> > The best general recommendation for dealing with MLMs is that the MLM
> > or an MTA in the MLM's domain apply its own DKIM signature to each
> > message it forwards and that assessors on the receiving end consider
> > the MLM's domain signature in making their assessments. (See
> > Section 5, especially Section 5.2.)
> If you're in charge of the systems *sending* the DKIM signed messages,
> then choose the set of mail headers the signature is based on carefully:
> avoid any headers that would tend to be re-written during processing by
> the mailing list software.
> On the receiving side: allow for mailing lists to add trailers to
> messages that pass. Don't base your accept/reject decisions entirely on
> whether the message passes or fails DKIM or other tests. The way
> Spamassassin handles such things is the way to go: DKIM, SPF, automatic
> white-listing all make a weighted contribution to calculating the score.
> The advice for the MLM to apply its own signature to a message is
> problematic in that it magnifies the cpu load required to process
> messages quite a lot. At least with DKIM it is possible to do that:
> compare to what would be needed with SPF, where the MLM would be forced
> to resend the message as *originating* from the mailing list itself.
That's not my experience. I operate five email servers: two in, two out,
and one in/out; servicing about 1,000 users. Although relatively small,
we're using 2048 bit keys on the outbound side and see negligible load
increase on these 8-16 core servers. These servers are also doing AV,
DNS, custom MILTER daemons, IPS daemons, and other services.
On the incoming side, the verification load is next to nothing compared
to MailScanner/SpamAssassin/AV/DKIM/DMARC/RBL, and other loads. I also
see a lot of broken stuff including bad keys (e.g., CostCo), small keys
(typically 512 bits), and forgeries/spam but signed with invalid
What I am finding useful is DMARC reports. They are interesting although
I can't do anything about forgeries (typically from China). However,
these go into the quarterly roll-up justifying my existence, meager as
There are two fundamental problems with ignoring broken signatures. The
first is obvious -- you might as well not have them. The second is large
email providers are imposing DMARC (p=reject) and other providers are
honoring it. Consequently, I argue, NOT fixing signatures in an email
list increasingly limits its breadth.
Regardless, I'd like to know the FreeBSD lists policies. I don't see
them posted anywhere but that could just be me. I can insert exceptions
but @freebsd.org isn't enough.
Dennis Glatting <dg at pki2.com>
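Added example, not part of the thread and not code from either poster: a toy DKIM signer/verifier that shows the two points Matthew raises above, namely that a signature covering a header the list rewrites (Subject) dies on the list, and that a signature which leaves Subject out of h= and bounds the signed body with an l= tag survives a subject prefix and an appended trailer. Canonicalization follows RFC 6376 relaxed/relaxed; the RSA signature is replaced by an HMAC-SHA256 over the same data (an assumption made so the example runs with the standard library only), and the domain, selector, addresses and list footer are constructed sample values.

```python
"""Toy DKIM (RFC 6376 relaxed/relaxed) signer and verifier for demonstrating
how mailing-list rewrites interact with the signed header set and the l= tag.
HMAC-SHA256 stands in for RSA (assumption; real DKIM uses RSA or Ed25519)."""
import base64
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # stand-in for the selector's private key (assumption)


def relaxed_header(name, value):
    """RFC 6376 s3.4.2: lowercase the name, unfold, collapse WSP runs, strip ends."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def relaxed_body(body):
    """RFC 6376 s3.4.4: strip trailing WSP per line, collapse WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def _b64sha(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def _header_hash_input(headers, signed_names, sig_value):
    # Header fields in h= order (keys assumed to be in canonical case here);
    # a name listed in h= but absent from the message contributes nothing.
    data = "".join(relaxed_header(n, headers[n]) for n in signed_names if n in headers)
    # DKIM-Signature itself goes last, with an empty b= value and no trailing CRLF.
    return data + relaxed_header("DKIM-Signature", sig_value).rstrip("\r\n")


def sign(headers, body, signed_names, use_body_length=False):
    """Return a DKIM-Signature header value covering signed_names and the body."""
    canon = relaxed_body(body)
    tags = ["v=1", "a=hmac-sha256", "c=relaxed/relaxed", "d=example.org", "s=sel",
            "h=" + ":".join(signed_names)]
    if use_body_length:
        tags.append(f"l={len(canon)}")  # only this many canonical body bytes are signed
    tags += ["bh=" + _b64sha(canon.encode()), "b="]
    value = "; ".join(tags)
    mac = hmac.new(SECRET, _header_hash_input(headers, signed_names, value).encode(),
                   hashlib.sha256)
    return value + base64.b64encode(mac.digest()).decode()


def verify(headers, body):
    """Return 'pass', 'fail (body hash)' or 'fail (signature)'."""
    sig = headers["DKIM-Signature"]
    tags = dict(t.strip().split("=", 1) for t in sig.split(";"))
    canon = relaxed_body(body)
    if "l" in tags:                       # honour l=: ignore anything appended past it
        canon = canon[:int(tags["l"])]
    if _b64sha(canon.encode()) != tags["bh"]:
        return "fail (body hash)"
    signed_names = tags["h"].split(":")
    stripped = re.sub(r"; b=[^;]*$", "; b=", sig)   # verifier hashes the header with b= emptied
    expected = hmac.new(SECRET, _header_hash_input(headers, signed_names, stripped).encode(),
                        hashlib.sha256).digest()
    ok = hmac.compare_digest(expected, base64.b64decode(tags["b"]))
    return "pass" if ok else "fail (signature)"


def relay_through_list(headers, body):
    """Simulate a typical MLM: tag the Subject and append a footer (constructed)."""
    headers = dict(headers)
    headers["Subject"] = "[freebsd-questions] " + headers["Subject"]
    return headers, body + "\r\n________________________\r\nlist footer\r\n"


def scenario():
    """Three signers, same list: returns their verification results after relay."""
    msg = {"From": "alice@example.org", "To": "freebsd-questions@example.net",
           "Date": "Sun, 3 Aug 2014 18:27:09 +0000", "Message-ID": "<1@example.org>",
           "Subject": "DKIM question"}          # constructed sample message
    body = "Hello list,\r\n\r\nDoes this survive?\r\n"
    results = []
    for names, use_l in ((["From", "To", "Subject"], False),      # naive: breaks on the footer
                         (["From", "To", "Subject"], True),       # l= set, but Subject signed
                         (["From", "To", "Date", "Message-ID"], True)):  # list-tolerant choice
        h = dict(msg)
        h["DKIM-Signature"] = sign(h, body, names, use_body_length=use_l)
        results.append(verify(*relay_through_list(h, body)))
    return tuple(results)


if __name__ == "__main__":
    print(scenario())
```

The first signer fails on the body hash as soon as the footer is appended; the second survives the footer because of l= but still fails on the header hash because the list touched Subject; only the third passes. The cost of that tolerance is real: l= lets anyone append arbitrary content under a valid signature (RFC 6376 warns against it for exactly that reason), and leaving Subject unsigned means it can be rewritten by anyone, not just the list, which is why RFC 6377's recommendation that the list add its own signature remains the sounder fix.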