On 31.10.2022 15.11, Geert Hendrickx wrote:
In the chain sender => list.archlinux.org => list members, I suspect it's Mailman (on the Arch list server) that does not support 8BITMIME; since OpenDKIM on that server succesfully verified the DKIM signature, the mail arrived there as 8bit, but is being distributed to list members as 7-bit.
Could the Arch listserver set "disable_mime_output_conversion=yes" in its master.cf at the point it is handing over mail to Mailman? (not globally!) As suggested in https://www.postfix.org/MILTER_README.html#workarounds
This way, 8-bit messages will not be converted to 7-bit QP or base64 when going through Mailman, and arrive intact at 8BITMIME capable recipients.
(After Mailman, Postfix' smtp client will still convert messages to 7-bit when delivering to non-8BITMIME capable recipients, which will still break DKIM validation for them, but non-8BITMIME capable DKIM-validators will have issues with a *lot* of mail anyway, forwarded or not.)
Geert
On Mon, Oct 31, 2022 at 00:04:29 +0100, Jaron Kent-Dobias wrote:
On Sunday, 30 October 2022 at 23:57 (+0100), Jaron Kent-Dobias wrote:
Confirmation: when Arch Linux forwards a base8 encoded email to the list, it mangles the DKIM. It does appear to be an Arch problem! One last email: what the lists are specifically doing is rewriting 8bit encoded emails in a base64 encoding.
From the email in my sent folder:
Content-Transfer-Encoding: 8bit From the email I received from the list: Content-Transfer-Encoding: base64 Rewriting the body in a new encoding breaks DKIM.
Jaron
Hi, Thanks for investigating and reporting the issue! Me and foutrelis[1]has been doing some debugging and after upgrading mailman3 from 3.3.5-6 -> 3.3.7-1, we are unable to reproduce the issue. Looking at the changelog[2] for mailman3 3.3.7, we suspect the issue was fixed as part of [3] and [4]. We are aware of one open issue[5] which can break the DKIM signature and with some luck it will be fixed in the future. [1] https://archlinux.org/people/developers/#foutrelis [2] https://gitlab.com/mailman/mailman/-/blob/master/src/mailman/docs/NEWS.rst [3] https://gitlab.com/mailman/mailman/-/issues/965 [4] https://gitlab.com/mailman/mailman/-/issues/967 [5] https://gitlab.com/mailman/mailman/-/issues/636 P.S. Adding a emoji 😎 to verify that this is indeed fixed at your end. Cheers, Kristian Klausen Arch Linux DevOps