Re: BUG #18822: mailing lists reject mails due to DKIM-signature

Hi Stefan,

Have you read what the RFC 6576 specifies about exactly this case?

matthias

On Sat, Feb 22, 2025 at 5:39 PM Stefan Kaltenbrunner <
stefan(at)kaltenbrunner(dot)cc> wrote:

> Hi Matthias!
>
>
> On 22.02.25 12:45, PG Bug reporting form wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 18822
> > Logged by: Matthias Apitz
> > Email address: gurucubano(at)googlemail(dot)com
> > PostgreSQL version: 16.5
> > Operating system: SuSE Linux SLES 15 SP6
> > Description:
> >
> > This is not strictly a PostgreSQL software problem, but one of the
> > configuration and administration of the community mailing list. Please
> > change the place for this issue accordingly.
> >
> > I'm an active member of the community for many years (check the archives
> for
> > my name). Since some days, all my mails to the PostgreSQL lists get
> rejected
> > with a message:
> >
> > Your message to pgsql-bugs with subject
> >
> >
>
> >
> > Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in
> >
> > Logs
> >
> >
>
> >
> > has been rejected by a moderator and will not be posted.
> >
> > The reason given for rejection was:
> >
> >
>
> >
> > This email has a DKIM signature on the List- headers of
> >
> > the email, indicating that it is not allowed to pass this
> >
> > email on through a mailinglist
> > ...
> >
> > I investigated this on my side and the reason is that my ISP 1blu.de
> adds
> > since January 20 2025 a DKIM-Signature to all my outgoing mails of:
> >
> > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> > d=unixarea.de
> > ; s=blu3434000;
> > h=Content-Transfer-Encoding:Content-Type:MIME-Version:
> > Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
> >
> >
> >
> Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
> >
> >
> >
> :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
> >
> > List-Subscribe:List-Post:List-Owner:List-Archive;
> >
> > bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=;
> > b=nlMvRnatrYiMjStI6F/rnF2zbZ
> >
> >
> DqqjgqpA4fezouBgwHPPz+VAN+msCPqY+I6oQa1B6eP5bNZhr9bi8UCvVvRmTWX+LC74GdzsYsfR9
> >
> >
> >
> 5zDhdwYSgxaU6fW4CbtGfhZT+v/lH+x2sPi3OEdBPIEdeuHstof32yzBm00xnRX0MttjZx8E9ReyG
> >
> >
> >
> GHBKSuWo9f80m9Y4VamhplV99V5aMxJZOU+MNVU/Jfdj9h4Q5aMfEtwT+SOCPBBoze7wFOpXRvQOd
> >
> >
> >
> MdYA7FtH3uUlpMn0FwqpopXHqTl7Xs+cKxT/AZwRnogqdwsFmQg3fMf0/Tr8gMAPGluXkdpC8kKog
> >
> > qw+9X8Sg==;
> >
> > i.e. the header lines of List-* are part of the DKIM signed lines.
> >
> > I can't change this, as the signing is done by the MTA of 1blu.de. I
> raised
> > a ticket there, but without any luck until now.
> >
> > On the other hand, the RFC 6576 explicitly allows this, see the chapter
> >
> > 5.4.1. Recommended Signature Content
> >
> > and explains in B.2.3. Mailing Lists and Re-Posters
> > what mailing-list should do:
> >
> > A Forwarder that does not modify the body or signed header fields of
> > a message is likely to maintain the validity of the existing
> > signature. It also could choose to add its own signature to the
> > message. ...
> >
> > Rejecting the mails should not be done and is IMHO a bug!
> > Please fix this.
>
> This is an issue on your ISPs side (and usually caused by people
> carelessly using for example exim with its default set of signing headers).
> You should never send email with a signed List-* header to any
> mailinglist because the mailinglist system needs to modify/control that
> header.
>
>
> This is documented it a number of places - see for example the
> documentation for debian:
>
>
> https://wiki.debian.org/Exim#For_running_a_mailing_list_and_ensuring_all_sent_mail_is_DMARC_compliant
>
> or
>
>
> https://wiki.list.org/DOC/What%20can%20I%20do%20about%20members%20being%20unsubscribed%20by%20bounces%20of%20Yahoo%20user%27s%20posts%20for%20DMARC%20policy%20reasons%3F
>
> Some misconfigured mail servers sign the list-* headers. This is a bad
> idea, but it should especially never be done when submitting to a
> mailing list, since its telling that mailing list that the message can't
> be sent from any other mailing list without breaking DKIM.
>
>
>
> Stefan
>