[Koha-bugs] [Bug 34927] Adding DMARC compatibility to mailing lists

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Nov 28 13:45:44 CET 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34927

--- Comment #8 from Thomas Dukleth <td-koha-bugs at agogme.com> ---
1. DKIM Not Working Properly for the Mailing List.

For DMARC which is dependent upon SPF and DKIM, the DKIM signature should be
re-signed using the mailing list sender, such as
koha-devel at lists.koha-community.org .  DKIM signatures from the message author
should not validate because we change the From header, moving the original From
header to Reply-To , adding "[koha-devel]" to the subject header, and add a
mailing list footer to the body.

I wrote about the issue on the koha-devel mailing list, "[Koha-devel] DMARC
testing for koha-devel" -
https://lists.koha-community.org/pipermail/koha-devel/2023-November/048405.html
.

It is currently evident as probably expected that the DKIM signatures in the
message headers are not being re-signed for lists.koha-community.org . 
Messages retain the DKIM signature of the original author and would not
validate properly even without DMARC changes because every message is altered
slightly for the mailing list.

Such a DKIM signature problem may have been more of an issue in past years
where popular mail systems had adopted excessive strictness in rejecting
messages.  Mailman 3 has code which might address the issue better when setting
remove_dkim_headers to yes but removing the header does not ensure that the
SMTP server will supply an appropriate DKIM header for the mailing list. 
Re-signing the outgoing message can be fixed by forcing Mailman to send to a
special port for which messages are designated as originating from the system
and re-signed.

The mailing lists are also not DKIM signing the monthly mailing list membership
messages despite a DKIM signature reported for lists.koha-community.org .

I have communicated with people at BibLibre in recent weeks about the
configuration details for fixing DKIM signing and mailing list message
re-signing.  The most important details of how to fix such a system as I sent
it to people at BibLibre follow below but I have not had confirmation that
Postfix as the Mailman default and most likely choice is what they are
actually using.  I had sent other details about fixing DKIM signing more
generally for lists.koha-community.org which is broken.  Priority had been
low but I have discovered announcements from Google and Yahoo about changes
coming in February 2024 which raise priority.


2.  Settings for Mailing List DKIM Re-Signing.

Postfix can be forced to re-sign mailing list messages by having Mailman
send them to an additional Postfix listening port listening only on
localhost set in /etc/postfix/master.cf and /etc/mailman/mm_cfg.py.  A
special port is used for assuring that messages are originating from the
system and are marked as such for DKIM using
"-o milter_macro_daemon_name=ORIGINATING".

Getting DKIM to work with Mailman and Postfix -
https://groups.google.com/g/mailing.postfix.users/c/6xtGQNnfEWA .


2.1.  Postfix master.cf Settings for Mailing List DKIM Re-Signing.

In /etc/postfix/master.cf

# Default smtp listening on port 25 unchanged.
smtp inet n       -       -       -       -       smtpd
# Additional smtp listening port for resubmitting from Mailman to allow DKIM
# re-signing.  Connection over localhost
127.0.0.1:26 inet n       -       -       -       -       smtpd
# Mailman 2.1.26 running for lists.koha-community.org may
# have sufficient authentication support that disabling Mailman
# authentication for Postfix port 26 on localhost is not necessary
# Use mailman authentication only if it is already being used.
# Mailman 3 has much better authentication support
# Uncomment if Mailman authentication fails.
#  -o smtpd_tls_security_level=none
# Uncomment if Mailman authentication fails.
#  -o smtpd_sasl_auth_enable=no
# Uncomment if Mailman authentication fails.
#  -o smtpd_client_restrictions=
# Uncomment if Mailman authentication fails.
#  -o smtpd_helo_restrictions=
# Uncomment if Mailman authentication fails.
#  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
# Uncomment if Mailman authentication fails.
#  -o smtpd_data_restrictions=
  -o milter_macro_daemon_name=ORIGINATING
  -o syslog_name=postfix/p26


2.2.  Mailman mm_cfg.py Settings for Mailing List DKIM Re-Signing.

In /etc/mailman/mm_cfg.py

SMTPHOST = 'localhost' # Mailman 2.1 setting name is SMTPHOST (HOST is not read).
SMTPPORT = 26 # Changed to 26 for resubmitting to Postfix.
MTA = 'Postfix' # Probably Postfix which may be the default if not set.
# Check the configuration for authentication options if any.


2.3.  OpenDKIM opendkim.cfg Settings for Mailing List DKIM Re-Signing.

In /etc/opendkim.cfg

# Sets the expected designation from the MTA to force signing of messages.
MTA  ORIGINATING

-- 
You are receiving this mail because:
You are watching all bug changes.
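As an added illustration of the two checks a DMARC-evaluating receiver applies to a list message (this is not code from the bug report, nor from the Koha, Mailman, Postfix or OpenDKIM projects): the script below performs the parts of DKIM verification that need neither DNS nor a private key, namely RFC 6376 body canonicalization and the bh= body-hash comparison, plus DMARC relaxed identifier alignment between the DKIM d= domain and the From header domain.  It builds a constructed author message using the hypothetical domains example.org and lists.example.net, applies the list rewrites named in point 1 above (From replaced by the list address, the original From moved to Reply-To, "[koha-devel]" prepended to the Subject, a footer appended to the body), and shows the body hash and the alignment failing until the list re-signs the message under its own domain, which is what the port 26 / ORIGINATING arrangement in point 2 is meant to produce.  The b= value is a placeholder because no key is involved, and org_domain() is a two-label simplification of the Public Suffix List lookup a real DMARC implementation performs.

```python
import base64
import hashlib
import re

# Constructed sample data (hypothetical domains; nothing here comes from the bug report).
AUTHOR_DOMAIN = "example.org"
LIST_DOMAIN = "lists.example.net"
AUTHOR_BODY = b"Hello list,\r\n\r\nPatch attached.\r\n\r\n-- \r\nAlice\r\n"
LIST_FOOTER = b"\r\n_______________________________________________\r\nKoha-devel mailing list\r\n"


def canonicalize_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 3.4.3 ('simple') / 3.4.4 ('relaxed') body canonicalization.
    The l= body-length tag is assumed absent."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # collapse runs of WSP to a single SP, then drop trailing WSP on each line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":          # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str) -> str:
    """bh= value for rsa-sha256 signatures (sha1 is deprecated and not handled)."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()


def signature_header(domain: str, body: bytes) -> bytes:
    """DKIM-Signature with a genuine bh= but a placeholder b= (no private key here)."""
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=" + domain.encode()
            + b"; s=sel;\r\n\th=from:to:subject; bh=" + body_hash(body, "relaxed").encode()
            + b";\r\n\tb=PLACEHOLDER")


def author_message() -> bytes:
    headers = [
        b"From: Alice <alice@" + AUTHOR_DOMAIN.encode() + b">",
        b"To: koha-devel@" + LIST_DOMAIN.encode(),
        b"Subject: Patch for bug",
        signature_header(AUTHOR_DOMAIN, AUTHOR_BODY),
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n" + AUTHOR_BODY


def split_message(raw: bytes):
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def unfold(head: bytes) -> bytes:
    return re.sub(rb"\r\n[ \t]+", b" ", head)


def get_header(head: bytes, name: str) -> str:
    for ln in unfold(head).split(b"\r\n"):
        k, _, v = ln.partition(b":")
        if k.strip().lower() == name.lower().encode():
            return v.strip().decode()
    raise KeyError(name)


def parse_tags(value: str) -> dict:
    """Split a tag=value list; whitespace inside values (folded b=/bh=) is removed."""
    tags = {}
    for part in value.split(";"):
        k, _, v = part.partition("=")
        if k.strip():
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels.  Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def as_relayed_by_list(raw: bytes, resign: bool) -> bytes:
    """Apply the list rewrites described in the bug report.  With resign=True the
    author's signature is replaced by one for LIST_DOMAIN over the modified body."""
    head, body = split_message(raw)
    body += LIST_FOOTER
    out = []
    for ln in unfold(head).split(b"\r\n"):
        name = ln.split(b":", 1)[0].lower()
        if name == b"from":
            out.append(b"From: Alice via koha-devel <koha-devel@" + LIST_DOMAIN.encode() + b">")
            out.append(b"Reply-To:" + ln[5:])          # original From kept as Reply-To
        elif name == b"subject":
            out.append(b"Subject: [koha-devel]" + ln[8:])
        elif name == b"dkim-signature" and resign:
            out.append(signature_header(LIST_DOMAIN, body))
        else:
            out.append(ln)
    return b"\r\n".join(out) + b"\r\n\r\n" + body


def report(raw: bytes) -> dict:
    """Offline checks a DMARC-aware receiver can apply before any DNS lookup."""
    head, body = split_message(raw)
    tags = parse_tags(get_header(head, "DKIM-Signature"))
    c = tags.get("c", "simple/simple").split("/")
    body_mode = c[1] if len(c) > 1 else "simple"    # c=relaxed alone means relaxed/simple
    from_dom = re.search(r"@([\w.-]+)", get_header(head, "From")).group(1).lower()
    return {
        "body_hash_ok": body_hash(body, body_mode) == tags["bh"],
        "dkim_domain": tags["d"],
        "from_domain": from_dom,
        "aligned_relaxed": org_domain(tags["d"]) == org_domain(from_dom),
    }


if __name__ == "__main__":
    original = author_message()
    for label, msg in [("author", original),
                       ("relayed, not re-signed", as_relayed_by_list(original, resign=False)),
                       ("relayed, re-signed by list", as_relayed_by_list(original, resign=True))]:
        print(label, report(msg))
```

The middle case is what the lists currently emit: the author's bh= no longer matches because of the footer, and d=example.org does not align with the rewritten From, so neither the signature nor DMARC can pass whatever the DNS records say.  The third case is the state after re-signing: the hash is recomputed over the altered body and d= matches the From domain, which is the outcome the master.cf, mm_cfg.py and opendkim settings above are meant to produce.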