Re: [chrony-users] DNS/DKIM issue with tuxfamily.org?



> It wasn't spam that broke it, but the Big N "solutions" to spam like DKIM.

There are no other viable or better alternatives.

> Mails which fail a DKIM verification can only be discarded safely when the _adsp record of the sender says dkim=discardable; in all other cases, the mail should get delivered, see under [...]

RFC 5617 is historic/deprecated, it has never been usable anywhere.

> This DKIM issue can only be addressed by your admin, taking into account that mailing list software does exist, is used and isn't 100% compatible with DKIM, and also that some admins configure DKIM in a bad way for mailing lists.

It's very simple, a mailing list MUST respect the sender domain's DMARC. If you break DKIM you must rewrite From, add your own DKIM. You might want to remove the broken signature if some goofball rejects letters based on just DKIM fail. If the incoming letter does not have DKIM but the sender domain does have SPF, then you must rewrite From (and always add your own DKIM). If you don't break DKIM then you're good (unless some other goofball follows SPF fail instead of DKIM pass/DMARC pass). ARC is strongly recommended in all cases, but if you just break the chain, you should remove it entirely.

It's just how it is, forgery and phish are real problems, things have to adapt to stay secure.

On Tue, Dec 12, 2023 at 8:19 PM Adrian Zaugg <chrony.tuxfamily.org@xxxxxxxxxxxxxxx> wrote:
Hi Joe

Your admin should be more precise: The mailing list or the servers that send
the mail for the list do not add a DKIM header; only some of the members' mail
servers add a DKIM header.

Because mailing list software alters some headers, like the subject, such
headers should not be used in DKIM; it leads to a failed verification. Mails
which fail a DKIM verification can only be discarded safely when the _adsp
record of the sender says dkim=discardable; in all other cases, the mail should
get delivered, see under [1].

This DKIM issue can only be addressed by your admin, taking into account that
mailing list software does exist, is used and isn't 100% compatible with DKIM,
and also that some admins configure DKIM in a bad way for mailing lists.

That means upon receiving a mail: Do not decide to never discard mails having
a failed DKIM verification, give them a higher SPAM score instead. Decrease
the SPAM score for mails having a List-... header (or use the corresponding
test from spamassassin, if applicable).

Furthermore your admin should change your DKIM record not to contain the
subject, content-type and mime-version, which helps to verify a DKIM
successfully even if the mail was altered by a mailing list software.

Regards, Adrian.

[1] https://dkim.org/specs/draft-ietf-dkim-ssp-04.html

In the message from Tuesday, 12 December 2023 14:50:17 CET it says:
> Emails that I receive from tuxfamily.org for this group are being blocked by
> my organization, reportedly for security because of a failed DKIM lookup.
> My sysadmin indicated that the DKIM in DNS would need to be fixed. I tried
> sending an email to the tuxfamily.org admin a while back but got no
> response. I probably won't receive the responses to this if you respond to
> the group. Perhaps you can reply to me directly. I do apologize for this
> being off topic. I'd like to continue receiving these emails but can't if
> this DKIM issue isn't addressed. If any of you are able to look into this,
> it would be greatly appreciated. Thanks. Happy Holidays!

> Joe Smith
> Senior Software Engineer
> Phoenix Defense
> 200 East Palm Valley Drive | Suite 2000 | Oviedo, Florida 32765
> 800-RIPTIDE
> joe.smith@xxxxxxxxxxxxxxx
>
>
> This email and any attachments to it are intended only for the identified
> recipients. It may contain proprietary or otherwise legally protected
> information of Phoenix Defense.

> Any unauthorized use or disclosure of this communication is strictly
> prohibited. If you have received this communication in error, please notify
> the sender and delete or otherwise destroy the email and all attachments
> immediately.



--
           -°)
~~~~~~~~~~~~(_^/~~~~

  Adrian Zaugg
  Zweierstrasse 56
  CH-8004 Zürich

  044 291 02 38
____________________


(This eMail gets best displayed
 using a monospace font.)

# Retrieve my public GPG key:
  gpg --locate-external-keys adi@xxxxxxxxxxxxxx
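As an added illustration of the two points made in this thread (which signed headers a list is likely to break, per Adrian, and what a list must do per message to stay DMARC-compatible, per the reply at the top), here is a small Python script. It is not code from either poster or from the chrony project; the DKIM-Signature value is constructed, and the decision table is my reading of the reply's rules.

```python
import re
from dataclasses import dataclass

# Headers a mailing list commonly rewrites (subject tag, footer re-encoding).
# If they are in h=, the list will invalidate the sender's signature.
LIST_FRAGILE = {"subject", "content-type", "mime-version"}

# Constructed sample DKIM-Signature header value (not a real signature).
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;\r\n"
              " h=from:to:subject:date:message-id:content-type:mime-version;\r\n"
              " bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE==")

def signed_headers(sig_value):
    """Header names covered by the h= tag of a DKIM-Signature value."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", sig_value)  # undo header folding
    for tag in unfolded.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "h":
            return [h.strip().lower() for h in value.split(":") if h.strip()]
    return []

def list_fragile_signed(sig_value):
    """Signed headers a list is likely to alter, and hence to break."""
    return sorted(LIST_FRAGILE & set(signed_headers(sig_value)))

@dataclass
class ListActions:
    rewrite_from: bool          # keep the message DMARC-aligned after relaying
    add_own_dkim: bool          # the list always signs with its own domain
    remove_incoming_dkim: bool  # drop a signature the list has invalidated
    arc: str                    # "seal" the ARC chain, or "strip" a broken one

def list_actions(has_dkim, sender_has_spf, list_breaks_dkim, arc_chain_intact=True):
    """Decision table for one message passing through the list (assumed reading)."""
    arc = "seal" if arc_chain_intact else "strip"
    if has_dkim and list_breaks_dkim:
        # Sender's signature will fail: take over From, sign, drop the old one.
        return ListActions(True, True, True, arc)
    if not has_dkim and sender_has_spf:
        # Nothing to align DKIM on and relaying breaks SPF: From must be rewritten.
        return ListActions(True, True, False, arc)
    # Signature survives (or sender has neither): pass through, add own DKIM.
    return ListActions(False, True, False, arc)

if __name__ == "__main__":
    fragile = list_fragile_signed(SAMPLE_SIG)
    print("signed headers a list may alter:", fragile)
    print(list_actions(has_dkim=True, sender_has_spf=True, list_breaks_dkim=bool(fragile)))
```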


