Re: Mailman lists (reply-to) break OpenDKIM signatures

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Mon, 14 Jan 2013 11:00:12 -0800 (PST)

On Mon, 14 Jan 2013, Benoit Panizzon wrote:
> I noticed that the DKIM verification fails if an email is forwarded via
> a Mailman Mailinglist.
>
> I suppose the problem is, that we have configured most of the
> mailinglists to add a reply-to header to have replies sent to the list
> and reply-to is a header that was signed in the original email.

It's more likely that the footers mailman adds to the message body are
causing signatures to become invalidated. The ideal would be to have
mailman sign the message after it's passed through there, so the list
signature is more likely to be intact. This won't preserve the author
signature, but the list signature would be valid.

You could also ask the signer to use "l=" to tolerate the appended
content, but that's a bit of a security concern (because anyone could add
any content to the end of the message and the signature would still pass).
You probably also won't get all signers to comply.

-MSK
Received on Mon Jan 14 2013 - 19:00:38 PST
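
The effect of a list footer on the DKIM body hash, with and without "l=", as an added example that is not part of the original message or of OpenDKIM. It assumes "relaxed" body canonicalization and SHA-256 as defined in RFC 6376; the sample body, the footer and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of whitespace to one space and drop trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, length=None) -> str:
    """Value of the bh= tag; 'length' models the l= tag (bytes covered)."""
    canon = relaxed_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def check_body(body: bytes, signed_bh: str, length=None):
    """Return (hash_ok, unsigned_bytes) for a received body."""
    canon = relaxed_body(body)
    if length is not None and length > len(canon):
        return (False, 0)  # l= larger than the body is a failure
    unsigned = 0 if length is None else len(canon) - length
    return (body_hash(body, length) == signed_bh, unsigned)

# Constructed sample data: the author's body and a footer a list appends.
ORIGINAL = b"Hello list,\r\n\r\nDKIM fails after forwarding.\r\n"
FOOTER = b"_______________\r\nexample mailing list\r\n"

SIGNED_BH = body_hash(ORIGINAL)            # what the author's signer emits
SIGNED_LEN = len(relaxed_body(ORIGINAL))   # value the signer would put in l=

if __name__ == "__main__":
    relayed = ORIGINAL + FOOTER
    print("as sent         :", check_body(ORIGINAL, SIGNED_BH))
    print("footer, no l=   :", check_body(relayed, SIGNED_BH))
    print("footer, with l= :", check_body(relayed, SIGNED_BH, SIGNED_LEN))
```

A non-zero second value is the number of body bytes the signature does not cover, which a verifier or filter can use to treat the trailing content as unsigned.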
