Bug 11635

Summary: mailman: Comply better with DKIM
Product: Infrastructure Reporter: Michael Tremer <michael.tremer>
Component: Mail & Mailing ListsAssignee: Peter Müller <peter.mueller>
Status: CLOSED WORKSFORME QA Contact: Michael Tremer <michael.tremer>
Severity: - Unknown -    
Priority: - Unknown - CC: peter.mueller
Version: unspecified   
Hardware: unspecified   
OS: Unspecified   
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=11765
Bug Depends on:    
Bug Blocks: 11634    

Description Michael Tremer 2018-02-21 14:13:31 UTC 
Mailing Lists seem to have some compliance issues with DKIM by design.

Peter has tested that the situation is better with mailman 2.1.26 and possibly earlier versions. We are running a heavily patched version of mailman 2.1.15 from CentOS 7.

The changelog does however not suggest that any major changes have been done about DKIM (https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/changes/1744?start_revid=1744).

I suspect that we already have one very important patch in our version of mailman (https://git.centos.org/tree/rpms!mailman.git/c7): https://git.centos.org/blob/rpms!mailman.git/c7/SOURCES!mailman-2.1.12-dmarc.patch

Peter, can you confirm that this is the patch we need?
Comment 1 Peter Müller 2018-08-11 18:21:09 UTC 
Mailman needs to be updated so I am afraid we will have to build it ourselves.
Comment 2 Peter Müller 2020-03-15 14:12:48 UTC 
As far as I am concerned, if a mailing list does not alter messages by adding footers or rewriting subjects, Mailman is now DKIM-compliant.

@Michael: Please confirm. :-)
Comment 3 Michael Tremer 2020-03-15 14:14:27 UTC 
(In reply to Peter Müller from comment #2)
> @Michael: Please confirm. :-)

Confirm what again?
Comment 4 Peter Müller 2020-04-01 12:24:42 UTC 
Except for some mails which Mailman processes in a way it renders DKIM signatures invalid, it is now DMARC compliant.

Unfortunately, this kind of thing does not seem to be reproducible or deterministic, so I am leaving this opened for further investigations.
Comment 5 Michael Tremer 2020-04-01 13:19:12 UTC 
I am not sure what we can do about this here.

I do not want to wrap the messages into a new one. That brings all other sorts of problems.

Sender: and the envelope sender should allow us to sign any messages.

I am not sure if there is any improvement in Mailman 3, although I much more prefer Mailman 2.
Comment 6 Peter Müller 2022-04-24 08:46:51 UTC 
Closing this as WORKSFORME, since we run a "quarantine" DMARC policy for quite some time now, and I am unaware of any DKIM-caused issues with it.