Re: BUG #18822: mailing lists reject mails due to DKIM-signature

Hi Matthias!

On 22.02.25 12:45, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference: 18822
> Logged by: Matthias Apitz
> Email address: gurucubano(at)googlemail(dot)com
> PostgreSQL version: 16.5
> Operating system: SuSE Linux SLES 15 SP6
> Description:
>
> This is not strictly a PostgreSQL software problem, but one of the
> configuration and administration of the community mailing list. Please
> change the place for this issue accordingly.
>
> I'm an active member of the community for many years (check the archives for
> my name). Since some days, all my mails to the PostgreSQL lists get rejected
> with a message:
>
> Your message to pgsql-bugs with subject
>
>
>
> Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in
>
> Logs
>
>
>
> has been rejected by a moderator and will not be posted.
>
> The reason given for rejection was:
>
>
>
> This email has a DKIM signature on the List- headers of
>
> the email, indicating that it is not allowed to pass this
>
> email on through a mailinglist
> ...
>
> I investigated this on my side and the reason is that my ISP 1blu.de adds
> since January 20 2025 a DKIM-Signature to all my outgoing mails of:
>
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=unixarea.de
> ; s=blu3434000;
> h=Content-Transfer-Encoding:Content-Type:MIME-Version:
> Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
>
>
> Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
>
>
> :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
>
> List-Subscribe:List-Post:List-Owner:List-Archive;
>
> bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=;
> b=nlMvRnatrYiMjStI6F/rnF2zbZ
>
> DqqjgqpA4fezouBgwHPPz+VAN+msCPqY+I6oQa1B6eP5bNZhr9bi8UCvVvRmTWX+LC74GdzsYsfR9
>
>
> 5zDhdwYSgxaU6fW4CbtGfhZT+v/lH+x2sPi3OEdBPIEdeuHstof32yzBm00xnRX0MttjZx8E9ReyG
>
>
> GHBKSuWo9f80m9Y4VamhplV99V5aMxJZOU+MNVU/Jfdj9h4Q5aMfEtwT+SOCPBBoze7wFOpXRvQOd
>
>
> MdYA7FtH3uUlpMn0FwqpopXHqTl7Xs+cKxT/AZwRnogqdwsFmQg3fMf0/Tr8gMAPGluXkdpC8kKog
>
> qw+9X8Sg==;
>
> i.e. the header lines of List-* are part of the DKIM signed lines.
>
> I can't change this, as the signing is done by the MTA of 1blu.de. I raised
> a ticket there, but without any luck until now.
>
> On the other hand, the RFC 6576 explicitly allows this, see the chapter
>
> 5.4.1. Recommended Signature Content
>
> and explains in B.2.3. Mailing Lists and Re-Posters
> what mailing-list should do:
>
> A Forwarder that does not modify the body or signed header fields of
> a message is likely to maintain the validity of the existing
> signature. It also could choose to add its own signature to the
> message. ...
>
> Rejecting the mails should not be done and is IMHO a bug!
> Please fix this.

This is an issue on your ISPs side (and usually caused by people
carelessly using for example exim with its default set of signing headers).
You should never send email with a signed List-* header to any
mailinglist because the mailinglist system needs to modify/control that
header.

This is documented it a number of places - see for example the
documentation for debian:

https://wiki.debian.org/Exim#For_running_a_mailing_list_and_ensuring_all_sent_mail_is_DMARC_compliant

or

https://wiki.list.org/DOC/What%20can%20I%20do%20about%20members%20being%20unsubscribed%20by%20bounces%20of%20Yahoo%20user%27s%20posts%20for%20DMARC%20policy%20reasons%3F

Some misconfigured mail servers sign the list-* headers. This is a bad
idea, but it should especially never be done when submitting to a
mailing list, since its telling that mailing list that the message can't
be sent from any other mailing list without breaking DKIM.

Stefan