Date: Tue, 4 Sep 2018 18:17:09 -0400 From: William Dudley <wfdudley@gmail.com> To: Jim Ohlstein <jim@mailman-hosting.com> Cc: freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: DKIM is driving me nuts Message-ID: <CAFsnNZ%2BHXxrn7%2B3sYxWtBuA1%2BrCjvhbtrAg6Y5Tkm_icAte-fg@mail.gmail.com> In-Reply-To: <1f9110ef-7cc6-a359-58a6-290a3d16ff47@mailman-hosting.com> References: <mailman.104.1535976002.94972.freebsd-questions@freebsd.org> <2d9ca6fc33b9aa430233bc0862b65453.squirrel@webmail.harte-lyne.ca> <CAFsnNZ%2BiHrnQAzJPwj%2Bb8i4ML0c=dXOsn3UzhhyDrTB6EHn=hg@mail.gmail.com> <a57ff4870e5d68211e673a5383892017.squirrel@webmail.harte-lyne.ca> <CAFsnNZL-C%2B_VTw7YXvUeyM_BfiikZqgADo%2BS5KP_zpu7xcUvAg@mail.gmail.com> <47bf9a4f8499073f6b29bf7b29d82039.squirrel@webmail.harte-lyne.ca> <CAFsnNZ%2B%2B4xxgjiRa3t_RGV4cQ5hF7k8=p9HU87NHXfpQ6grPyg@mail.gmail.com> <CAFsnNZJ8em-FPE7z1bPhG3wQ7K8qk-Nq_m01Uqa4zzOzR6qbeQ@mail.gmail.com> <1f9110ef-7cc6-a359-58a6-290a3d16ff47@mailman-hosting.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I was hoping that having my server "do" DKIM would improve my "reputation" with other mail servers. This was prompted by bounce messages from some clown with a " us.army.mil" address, whose server bounces *everything* without a valid 1024 bit DKIM signature. I'm just running a hobby mail server, but I provide about a dozen mailing lists to small organizations. The problems with DKIM for me are: 1. It's "impossible" (read: "I'm not spending any more time on this") to get DKIM working with different MUAs. I can get it to work when I send email using Thunderbird, but not when I send email from the command line (mailx). "Works" means that the inserted DKIM headers pass the checks at the other end. 2. My server sends automated reminder emails to the mailing lists, and any emails sent by my system through Mailman fail DKIM checks (even though my system is inserting DKIM stuff in the headers). In both cases, apparently there's some magic involved with hostnames in the mail headers and the matching DNS records, and I have given up because hours and hours of experimenting have gotten me exactly bupkus. I read a bit on the intersection of Mailman and DKIM, and it isn't pretty. It's not even clear *what* Mailman should DO with DKIM signed emails from people submitting emails to their list. I was only worrying about signing my OWN emails (machine generated) using DKIM, and hadn't even considered what would happen to *other's* DKIM signatures. If I wasn't running Mailman, I might be interested in figuring out the magic, but since the Mailman/DKIM thing is so borked, it's time to declare victory and move on. Perhaps one day, my children will be able to get DKIM working with Mailman, but it's clearly science fiction right now. AOL and Yahoo can't go out of business fast enough. Yahoo broke all mailing lists with their stupid policy of "email that has From: domain different from sending domain is spam" and that's enough damage that it should result in the corporate death penalty. When the majority of the emails from my own server are bouncing from lack of DKIM, I'll shut off my mail server. That's why I have a gmail account, as a secondary channel. Thanks, Bill Dudley This email is free of malware because I run Linux. On Tue, Sep 4, 2018 at 5:41 PM, Jim Ohlstein <jim@mailman-hosting.com> wrote: > Hello, > > On 09/04/2018 11:48 AM, William Dudley wrote: > > I have decided to abandon this quest. > > > > The intersection of DKIM and Mailman is a huge cluster f--k, and will not > > be sorted out > > any time soon, if ever. > > > > Since I value the mailing lists I host, and am unwilling to stop those > > services, > > it makes sense to give up on DKIM. > > Before you give up on DKIM, it sounds as though this is a Mailman > problem. There are "fixes" for some issues in Mailman (both 2.1 and 3.1) > that can be easily applied. > > In short, DKIM is a digital signature using a private key. The signature > can be verified with the public key. If anything in the message is > changed (as Mailman and other list software is apt to do by changing > headers or adding a footer), DKIM will fail. Also, some large freemail > providers (Yahoo and AOL) have published DMARC policies to reject any > emails from them that fail DKIM. Many smaller servers do the same. > > Here's the DKIM results from your last email via Gmail: > > Authentication-Results: maurice.jlkmail.com (amavisd-new); > dkim=fail (2048-bit key) reason="fail (body has been altered)" > header.d=gmail.com > > More and more large servers are requiring not only DKIM, but DMARC > policies as well. Running a small mail server is only going to get more > cumbersome. Taking down a working system may not be the best choice. > > What is the specific problems that this one user is having? Is it that > his emails to the list are being rejected? Or is his mail server at > "us.army.mil" rejecting emails from the list? Can you post the relevant > entries from your mail log (usually /var/log/maillog on FreeBSD)? > > > > > DKIM doesn't solve any problems (except for one poor schmuck who has a ". > > us.army.mil" > > email address, that rejects all email without DKIM), I don't find DKIM > > valuable > > enough to fight with it any more. > > > > Thanks to all for their suggestions. I have learned somethings, which > was > > the point, > > after all. > > > > Bill Dudley > > > > > > > > -- > Jim Ohlstein > Professional Mailman Hosting > https://mailman-hosting.com > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFsnNZ%2BHXxrn7%2B3sYxWtBuA1%2BrCjvhbtrAg6Y5Tkm_icAte-fg>