DKIM signature rejected

Matthias Apitz guru at unixarea.de
Sat Feb 22 12:06:16 UTC 2025


On Friday, February 21, 2025 at 01:21:02 p.m. -0800, googly.negotiator862 at aceecat.org wrote:

...

> DNS stores the key, but if signing is done at all and which headers
> are covered is a config item for the MTA -- in my case, exim. When I wrote
> my reply to you I thought that back then I'd tweaked the list of signed
> headers, but as it turns out I'd rather disabled signing completely for
> messages going to lists:
...

I created a new account in the PostgreSQL community with my gmail
address and raised a bug issue in the ticket system there. We will see
how this ends up.


The following bug has been logged on the website:

Bug reference:      18822
Logged by:          Matthias Apitz
Email address:      gurucubano at googlemail.com
PostgreSQL version: 16.5
Operating system:   SuSE Linux SLES 15 SP6
Description:        

This is not strictly a PostgreSQL software problem, but one of the
configuration and administration of the community mailing list. Please
change the place for this issue accordingly.

I have been an active member of the community for many years (check the archives for
my name). For some days now, all my mails to the PostgreSQL lists get rejected
with a message:

Your message to pgsql-bugs with subject

Re: BUG #18817: Security Bug Report: Plaintext Password Exposure in
 Logs

has been rejected by a moderator and will not be posted.
The reason given for rejection was:

This email has a DKIM signature on the List- headers of
the email, indicating that it is not allowed to pass this
email on through a mailinglist
...

I investigated this on my side and the reason is that my ISP 1blu.de has,
since January 20 2025, been adding a DKIM-Signature to all my outgoing mails:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=unixarea.de; s=blu3434000;
        h=Content-Transfer-Encoding:Content-Type:MIME-Version:
        Reply-To:Message-ID:Subject:To:From:Date:Sender:Cc:Content-ID:
        Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
        :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
        List-Subscribe:List-Post:List-Owner:List-Archive;
        bh=mUXCo4CB5VS0jsNsC2LeR8NOxLomD73G556GgsVmluA=;
        b=nlMvRnatrYiMjStI6F/rnF2zbZ
        DqqjgqpA4fezouBgwHPPz+VAN+msCPqY+I6oQa1B6eP5bNZhr9bi8UCvVvRmTWX+LC74GdzsYsfR9
        5zDhdwYSgxaU6fW4CbtGfhZT+v/lH+x2sPi3OEdBPIEdeuHstof32yzBm00xnRX0MttjZx8E9ReyG
        GHBKSuWo9f80m9Y4VamhplV99V5aMxJZOU+MNVU/Jfdj9h4Q5aMfEtwT+SOCPBBoze7wFOpXRvQOd
        MdYA7FtH3uUlpMn0FwqpopXHqTl7Xs+cKxT/AZwRnogqdwsFmQg3fMf0/Tr8gMAPGluXkdpC8kKog
        qw+9X8Sg==;

i.e. the header lines of List-* are part of the DKIM signed lines. 

I can't change this, as the signing is done by the MTA of 1blu.de. I raised
a ticket there, but without any luck until now.

On the other hand, RFC 6576 explicitly allows this, see the chapter

5.4.1.  Recommended Signature Content

and explains in B.2.3.  Mailing Lists and Re-Posters
what mailing lists should do:

  A Forwarder that does not modify the body or signed header fields of
   a message is likely to maintain the validity of the existing
   signature.  It also could choose to add its own signature to the
   message. ...

Rejecting the mails should not be done and is IMHO a bug!
Please fix this.

-- 
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

Annalena Baerbock: "We are fighting a war against Russia ..." (25.1.2023)

I, Matthias, I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
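
Added example, not part of the original message and not code from any list software: a Python check that parses a DKIM-Signature header and reports the List-* fields named in h= that the outgoing message does not itself carry. Under RFC 6376 a field listed in h= but absent at signing time is signed as empty, so a list that later adds that field invalidates the signature. The sample header is constructed (example.org, selector sel1 and the bh=/b= placeholders are assumptions).

```python
import re

# Constructed sample, shortened from the header quoted in the message above;
# domain, selector and the bh=/b= values are placeholders, not real data.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\r\n"
    "\td=example.org; s=sel1;\r\n"
    "\th=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date:\r\n"
    "\t In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:\r\n"
    "\t List-Subscribe:List-Post:List-Owner:List-Archive;\r\n"
    "\tbh=PLACEHOLDER=; b=PLACEHOLDER=="
)


def parse_dkim_tags(header: str) -> dict:
    """Unfold a DKIM-Signature header and split it into tag=value pairs."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, _, val = item.partition("=")  # split on first '=' only
            tags[key.strip()] = val.strip()
    return tags


def signed_headers(tags: dict) -> list:
    """Return the field names in h=, lower-cased, folding whitespace removed."""
    compact = re.sub(r"\s+", "", tags.get("h", ""))
    return [h.lower() for h in compact.split(":") if h]


def list_headers_at_risk(header: str, present=()) -> list:
    """Signed List-* fields that are absent from the message as sent.

    `present` holds the field names the outgoing message really contains.
    """
    have = {p.lower() for p in present}
    return [h for h in signed_headers(parse_dkim_tags(header))
            if h.startswith("list-") and h not in have]


if __name__ == "__main__":
    for field in list_headers_at_risk(SAMPLE):
        print("signed but absent, a list adding it breaks the signature:", field)
```
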

