Thanks Sten
> On 26 Jan 2022, at 17.14, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>
>>> On Jan 25, 2022, at 8:50 AM, Benny Pedersen <m...@junc.eu> wrote:
>>> Authentication-Results: lists.isc.org;
>>> dkim=fail reason="signature verification failed" (1024-bit key;
>>> unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
>>> dkim=fail reason="signature verification failed" (1024-bit key;
>>> unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
>
> On 25.01.22 12:25, Dan Mahoney wrote:
>> The headers you cite are lying to you. :) The message passed DKIM on the
>> way IN to lists.isc.org (the dedicated vm that runs our lists), but then,
>> when the message got to the mailman python scripts and then shot back out
>> via the MTA, they had an altered body and no longer passed, and the header
>> was rewritten to say "fail". (This is visible from the logging on the
>> servers, but nowhere else).
>
> there were multiple headers when that mail came here:
>
> Authentication-Results: fantomas.fantomas.sk;
> dkim=fail reason="signature verification failed" (1024-bit key; secure)
> header.d=isc.org header.i=@isc.org header.b="q/vOEba5";
> dkim=fail reason="signature verification failed" (1024-bit key; secure)
> header.d=isc.org header.i=@isc.org header.b="ozeUkO/Z";
> dkim-atps=neutral
> Authentication-Results: lists.isc.org;
> dkim=fail reason="signature verification failed" (1024-bit key;
> unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
> dkim=fail reason="signature verification failed" (1024-bit key;
> unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
>
> obviously when the mail came to list, DKIM was fine, not so after it left
> (thanks to list signature)
>
>>> will my dkim fail as well ?
>
> it did...
>
>> Altering the body or headers at all (which lists do) will often break the
>> hashing. For this reason, most recent versions of mailman have an option
>> to rewrite your mail from:

When the dkim is set up, you can select which parts of the header you want to include in the signature. I have selected a smaller part of the headers for my signature, so does this go through?

> [...]
>
>> ...but only in the event you have a restrictive DMARC policy.
>
> this explains why both your and Benny's mail did fail here, while Eduard's
> did not - that one was signed by mailman because of his domains' restrictive
> policy.
>
> I missed this part before.
>
>> I've argued that it should be possible to do so for *any* dmarc policy,
>> even p=none, but that option is not present in mailman 3, at least.
>
> I agree.
> spam filter is something that can use dkim fail and should not be ignored.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Support bacteria - they're the only culture some people have.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
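An added example, not part of the thread or any poster's code: a sketch of the RFC 6376 body hash (`bh=`) and signed-header list (`h=`), showing that a shorter `h=` list tolerates a rewritten header field but has no effect on the body hash once a list appends a footer. The sample message, footer, and subject tag are constructed assumptions.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value a verifier recomputes and compares with the bh= tag (sha256)."""
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

def changed_signed_headers(h_tag: str, before: dict, after: dict) -> list:
    """Fields named in h= whose value differs after the list handled the mail."""
    names = [n.strip().lower() for n in h_tag.split(":")]
    return [n for n in names if before.get(n) != after.get(n)]

# Constructed sample data (assumptions, not taken from the thread).
ORIG_BODY = b"Does my DKIM signature survive the list?\r\n"
LIST_FOOTER = b"_______________\r\nexample-list mailing list\r\n"
ORIG_HDRS = {"from": "user@example.org", "subject": "DKIM question"}
LIST_HDRS = dict(ORIG_HDRS, subject="[example-list] DKIM question")

def survives(h_tag: str, mode: str = "relaxed") -> bool:
    """True only if every signed header and the body hash are unchanged."""
    headers_ok = not changed_signed_headers(h_tag, ORIG_HDRS, LIST_HDRS)
    body_ok = body_hash(ORIG_BODY + LIST_FOOTER, mode) == body_hash(ORIG_BODY, mode)
    return headers_ok and body_ok

if __name__ == "__main__":
    for h in ("from:subject", "from"):
        print(h, "changed headers:", changed_signed_headers(h, ORIG_HDRS, LIST_HDRS),
              "signature survives:", survives(h))
```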