Re: BUG #18822: mailing lists reject mails due to DKIM-signature

I'm subscribed to some hundred technical mailing lists and do not face this
problem with any other list, only with the PostgreSQL lists. For example,
when I write to the list mutt-users(at)mutt(dot)org and my ISP 1blu.de sends the
same DKIM-Signature containing these List-* entries (which might be there
or not, what I count a religious war depending of how one reads the RFC in
question), what gets delivered by the mutt-users(at)mutt(dot)org list server to
the subscribers, like me, DKIM related is only:

grep ^DKIM mutt.mail
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org C3A51819CC
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 5EB3A605E8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;

On Sat, Feb 22, 2025 at 6:47 PM Bruce Momjian <bruce(at)momjian(dot)us> wrote:

> On Sat, Feb 22, 2025 at 12:25:57PM -0500, Tom Lane wrote:
> > Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc> writes:
> > > On 22.02.25 17:56, Matthias Apitz wrote:
> > >> Have you read what the RFC 6576 specifies about exactly this case?
> >
> > > we are a forwarder that (in the case of a List-* header) NEEDS to
> modify
> > > the message so we cannot forward it without breaking.
> >
> > Yeah. Regardless of what may be written in the RFC, there are only
> > these possibilities when the mailing list forwarder receives a
> > message like this:
> >
> > 1. Add the PG list headers, don't touch the DKIM header, forward.
> > Most modern recipients will reject the result as spam because it
> > fails DKIM checks.
> >
> > 2. Don't add the PG list headers, don't touch the DKIM header,
> > forward. Many list recipients will discard or at least
> > misclassify the result for lack of PG list headers.
> >
> > 3. Add the PG list headers, discard the DKIM header, forward.
> > This may well end up marked as spam too, and it's certainly
> > not complying with the intent of DKIM.
> >
> > 4. Reject the message.
> >
> > To the extent that including List-* in a DKIM signature has any
> > real-world use, it is precisely to disavow the message if it's
> > forwarded by a mailing list.
> >
> > The short answer here is that your ISP are fools, or else are
> > intentionally preventing their users from participating in
> > mailing lists.
>
> I will admit I was shocked to realize I have to modify the default
> Debian exim4 DKIM header signing to submit to email lists, and I am
> confused why there is a header signing default on Debian that includes
> List-* headers.
>
> With the help of Magnus, I was able to use this script:
>
> exim -bP macros | grep '^_DKIM_SIGN_HEADERS=' | sed
> --regexp-extended 's/:?\<(Resent-|List-)[^:]*//g'
>
> to prevent signing of all Resent and List headers, and use this line in
> exim4.conf.localmacros:
>
>
> DKIM_SIGN_HEADERS=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:In-Reply-To:References
>
> --
> Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
> EDB https://enterprisedb.com
>
> Do not let urgent matters crowd out time for investment in the future.
>