From owner-freebsd-questions@FreeBSD.ORG  Thu Dec 18 14:04:12 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: FreeBSD-questions@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4A8141065675
	for <FreeBSD-questions@FreeBSD.org>;
	Thu, 18 Dec 2008 14:04:12 +0000 (UTC)
	(envelope-from nikola.lecic@anthesphoria.net)
Received: from anthesphoria.net (anthesphoria.net [200.46.204.219])
	by mx1.freebsd.org (Postfix) with ESMTP id E4CC68FC28
	for <FreeBSD-questions@FreeBSD.org>;
	Thu, 18 Dec 2008 14:04:11 +0000 (UTC)
	(envelope-from nikola.lecic@anthesphoria.net)
X-Bogosity: No, tests=bogofilter
X-DKIM: Sendmail DKIM Filter v2.4.1 anthesphoria.net mBIE46W0078676
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=anthesphoria.net;
	s=phero; t=1229609051; bh=pnF+6ajDKdl/0M3YThSNmDqx1vz/2FgUFvr1IL9oo
	0E=; l=2193; h=X-Bogosity:Date:From:To:Cc:Subject:Message-ID:
	In-Reply-To:References:X-Mailer:X-Face:X-Operating-System:
	X-OpenPGP-Fingerprint:X-OpenPGP-Preferred-Keyserver:Mime-Version:
	Content-Type:Content-Transfer-Encoding; b=hZffYLWQcPdFRDMdlHC4VpCJ
	JHaiqqMKqLwFXAdxDm36saoA/USz0LsHslljO61ORFbX+B8a5bMW6azo2NLR2T+Lra+
	Ox5I+vjtsX9zIA2P5f4JIg7DjbQXZWuAwofekJk1HVwLBER4nLIFtoS7iCQsqZrG4Et
	nLxhDSoU5fV80=
Received: from anthesphoria.net (adsl-200-199.eunet.yu [213.198.200.199])
	(authenticated bits=0)
	by anthesphoria.net (8.14.2/8.14.2) with ESMTP id mBIE46W0078676
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Thu, 18 Dec 2008 15:04:09 +0100 (CET)
	(envelope-from nikola.lecic@anthesphoria.net)
Date: Thu, 18 Dec 2008 14:59:59 +0100
From: Nikola =?UTF-8?B?TGXEjWnEhw==?= <nikola.lecic@anthesphoria.net>
To: Michael Scheidell <scheidell@secnap.net>
Message-ID: <20081218145959.2d428ec8@anthesphoria.net>
In-Reply-To: <494A3835.30302@secnap.net>
References: <494A3835.30302@secnap.net>
X-Mailer: Claws Mail 3.5.0 (GTK+ 2.12.11; i386-portbld-freebsd7.1)
X-Face: pbl6-.[$G'Fi(Ogs2xlXP-V6{3||$Y[LOYs&~GJoikj'cVjcFC[V7du;;0~6nO=
	[Vi2?uU1Pq~,=Adj@,T:|"`$AF~il]J.Nz#2pU',<?aVE8W5LBM@2dN&qv2<Kqb$A/;
	afQws-NE\>Y7.{B;m/?{#sO^Dvo$rnmY6]
X-Operating-System: FreeBSD 7.0-RELEASE/i386
X-OpenPGP-Fingerprint: FEF3 66AF C90E EDC3 D878  7CDC 956D F4AB A377 1C9B
X-OpenPGP-Preferred-Keyserver: x-hkp://pgpkeys.pca.dfn.de
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: FreeBSD-questions@FreeBSD.org
Subject: Re: listserver problems?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Dec 2008 14:04:13 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Thu, 18 Dec 2008 06:47:01 -0500
Michael Scheidell <scheidell@secnap.net> wrote:
=20
> might be generic listserver issues, but I noticed that at least on=20
> freebsd-jail list, it does NOT strip out dkim/domainkeys signatures.
>=20
> that might not be to bad, but it does 'mung' the headers, so dkim
> signed email passed through freebsd mailing list server comes back as
> a forged signature.

Three objections to your DKIM signature:

(1)

Your canonicalization is "relaxed/simple", i.e. the mail is signed with
"simple" bodycanon:

  DKIM-Signature: v=3D1; a=3Drsa-sha256; c=3Drelaxed/simple; d=3Dsecnap.net=
; h=3D

That's why you have

  Authentication-Results: [...] dkim=3Dneutral (body hash did not verify)
    header.i=3D@secnap.net

- -- the list software appends some lines at the end of mail. You should
use=20

  Canonicalization relaxed/relaxed

in dkim-filter.conf or

  milterdkim_flags=3D"-c relaxed/relaxed"

in rc.conf if you use Sendmail. (See headers of my mail.)


(2)

You have "Received" header field included in the signature, while
RFC4871 states that it SHOULD NOT be the case:

  http://tools.ietf.org/html/rfc4871#section-5.5


(3)

You do not specify body length (l=3D in DKIM header). According to

  http://tools.ietf.org/html/rfc4871#section-3.4.5

it could be a good idea to use it, especially when mailing lists are in
question.


In total, mailing list owners don't have an obligation to strip DKIM
signatures. Instead, other methods can be used on both sides, see
section 4.1.

HTH
- --=20
Nikola Le=C4=8Di=C4=87 =3D =D0=9D=D0=B8=D0=BA=D0=BE=D0=BB=D0=B0 =D0=9B=D0=
=B5=D1=87=D0=B8=D1=9B
fingerprint : FEF3 66AF C90E EDC3 D878  7CDC 956D F4AB A377 1C9B
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iJwEAQEDAAYFAklKV2MACgkQ/MM/0rYIoZhsnwQAowQy2nwd3IVYMtv9p7PVaoGZ
FQPpZZse/6PFi3KeegZcbOBFhOcNV3DzATt3z+VXdVYybajRXArj7WJtyEI2shGn
ssBmBdkD1bpoRzgf7jNYj6a9w8cVS/BC7gl07GBIhILEGLnpG8bjj7MtWhynj9SB
vn8jT/XF4QEKmDJSUwk=3D
=3D1fpm
-----END PGP SIGNATURE-----