From: | Matthias Apitz <gurucubano(at)googlemail(dot)com> |
---|---|
To: | Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc> |
Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: BUG #18822: mailing lists reject mails due to DKIM-signature |
Date: | 2025-02-22 17:25:07 |
Message-ID: | CAHzebO8CxUtQ4CBv6uGRxcxGK0Upau7_o+-eeBha3Ad3kqR0Kw@mail.gmail.com |
Lists: | pgsql-bugs |
Sorry to mix up the number. The correct one is RFC 6376.

It states clearly that a forwarder which does not want to change the body
should do:

   A Forwarder that does not modify the body or signed header fields of
   a message is likely to maintain the validity of the existing
   signature. It also could choose to add its own signature to the
   message.

i.e. should pass the message as it is or could add own signatures.

matthias

On Sat, Feb 22, 2025 at 6:14 PM Stefan Kaltenbrunner <
stefan(at)kaltenbrunner(dot)cc> wrote:
> On 22.02.25 17:56, Matthias Apitz wrote:
> > Hi Stefan,
>
> Hi Matthias!
>
>
> >
> > Have you read what the RFC 6576 specifies about exactly this case?
>
> I think you are talking about 6376 (which has been augmented and updated
> in various ways already) - we are very well aware of what it says and we
> are fully compliant because we do not modify messages we want to pass
> through. In order to be able to do that we need to make sure we only
> accept messages where that is possible.
> Incoming mails with a signed List-* header cannot be forwarded
> unmodified because we need to add/change those headers ourselves (because
> _WE_ are the mailinglist and we need that for our mails to be accepted
> downstream) so what we do is rejecting those through our moderation
> system with an explanation.
>
> taking the RFC
>
> " A Forwarder that does not modify the body or signed header fields of
> a message is likely to maintain the validity of the existing
> signature. It also could choose to add its own signature to the
> message."
>
> we are a forwarder that (in the case of a List-* header) NEEDS to modify
> the message so we cannot forward it without breaking.
>
>
>
>
> Stefan
>
> >
> > matthias
> >
> > On Sat, Feb 22, 2025 at 5:39 PM Stefan Kaltenbrunner
> > <stefan(at)kaltenbrunner(dot)cc> wrote:
> >
> > Hi Matthias!
> >
> >
> > On 22.02.25 12:45, PG Bug reporting form wrote:
> > > The following bug has been logged on the website:
> > >
> > > Bug reference: 18822
> > > Logged by: Matthias Apitz
> > > Email address: gurucubano(at)googlemail(dot)com
> > > PostgreSQL version: 16.5
> > > Operating system: SuSE Linux SLES 15 SP6
> > > Description:
> > >
> > > This is not strictly a PostgreSQL software problem, but one of the
> > > configuration and administration of the community mailing list.
> > > Please change the place for this issue accordingly.
> > >
> > > I'm an active member of the community for many years (check the
> > > archives for my name). Since some days, all my mails to the
> > > PostgreSQL lists get rejected with a message:
> > >
> > > Your message to pgsql-bugs with subject
> > >
> > > Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in Logs
> > >
> > > has been rejected by a moderator and will not be posted.
> > >
> > > The reason given for rejection was:
> > >
> > > This email has a DKIM signature on the List- headers of
> > > the email, indicating that it is not allowed to pass this
> > > email on through a mailinglist
> > > ...
> > >
> > > I investigated this on my side and the reason is that my ISP 1blu.de
> > > adds since January 20 2025 a DKIM-Signature to all my outgoing mails of:
> > >
> > > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> > >  d=unixarea.de; s=blu3434000;
> > >  h=Content-Transfer-Encoding:Content-Type:MIME-Version:Reply-To:
> > >  Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
> > >  Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:
> > >  Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:
> > >  List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
> > >
> > > bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=;
> > >
> > > i.e. the header lines of List-* are part of the DKIM signed lines.
> > >
> > > I can't change this, as the signing is done by the MTA of 1blu.de.
> > > I raised a ticket there, but without any luck until now.
> > >
> > > On the other hand, the RFC 6576 explicitly allows this, see the
> > > chapter
> > >
> > > 5.4.1. Recommended Signature Content
> > >
> > > and explains in B.2.3. Mailing Lists and Re-Posters
> > > what mailing-list should do:
> > >
> > > A Forwarder that does not modify the body or signed header fields of
> > > a message is likely to maintain the validity of the existing
> > > signature. It also could choose to add its own signature to the
> > > message. ...
> > >
> > > Rejecting the mails should not be done and is IMHO a bug!
> > > Please fix this.
> >
> > This is an issue on your ISPs side (and usually caused by people
> > carelessly using for example exim with its default set of signing
> > headers).
> > You should never send email with a signed List-* header to any
> > mailinglist because the mailinglist system needs to modify/control
> > that header.
> >
> >
> > This is documented in a number of places - see for example the
> > documentation for debian:
> >
> > https://wiki.debian.org/Exim#For_running_a_mailing_list_and_ensuring_all_sent_mail_is_DMARC_compliant
> >
> > or
> >
> > https://wiki.list.org/DOC/What%20can%20I%20do%20about%20members%20being%20unsubscribed%20by%20bounces%20of%20Yahoo%20user%27s%20posts%20for%20DMARC%20policy%20reasons%3F
> >
> > Some misconfigured mail servers sign the list-* headers. This is a bad
> > idea, but it should especially never be done when submitting to a
> > mailing list, since it's telling that mailing list that the message
> > can't be sent from any other mailing list without breaking DKIM.
> >
> >
> >
> > Stefan
> >
>
>
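
The check discussed in this thread (a DKIM signature whose h= tag covers List-* headers), as an added Python example that is not part of the original messages or of the PostgreSQL list software. The sample message, its domains and selectors, and the function names are constructed for illustration.

```python
import re
from email import message_from_string

def parse_dkim_tags(value):
    """Split one DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace is allowed inside tag values; remove it.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def signed_list_headers(raw_message):
    """Map each signing domain (d=) to the List-* names in its h= tag.

    The boolean says whether that header is present in the message. A name
    listed in h= but absent from the message still matters: once a mailing
    list adds that header, the original signature no longer verifies.
    """
    msg = message_from_string(raw_message)
    findings = {}
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        names = {h.lower() for h in tags.get("h", "").split(":") if h}
        hits = sorted(h for h in names if h.startswith("list-"))
        if hits:
            findings[tags.get("d", "?")] = {h: msg[h] is not None for h in hits}
    return findings

# Constructed sample: the first signature covers List-* headers, the second does not.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n"
    " d=sender.example; s=sel1;\n"
    " h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date:List-Id:\n"
    " List-Help:List-Unsubscribe:List-Post;\n"
    " bh=PLACEHOLDER=; b=PLACEHOLDER==\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=clean.example; s=sel2;\n"
    " h=From:To:Subject:Date:Message-ID; bh=PLACEHOLDER=; b=PLACEHOLDER==\n"
    "From: alice@sender.example\n"
    "To: list@lists.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for domain, headers in signed_list_headers(SAMPLE).items():
        print(domain, headers)
```
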