tickets #89227

closed

OpenSUSE Mailing Lists, DMARC and SUSE Bugzilla

Added by bcooksley@kde.org about 3 years ago. Updated 9 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Mailing lists
Target version: -
Start date: 2021-02-26
Due date:
% Done: 100%
Estimated time:
Description

Hi OpenSUSE Admins,

Recently we at KDE were doing some maintenance on our mail servers and
observed that a significant amount of email had been held by the opendmarc
filter which had originated from OpenSUSE mailing lists.

In particular, this email appears to originate specifically from the SUSE
Bugzilla, as suse.com publishes a DMARC policy of quarantine, and
OpenSUSE's Mailman setup breaks the DKIM signatures attached to the emails.

You may wish to investigate adjusting the configuration of your Mailman
installation to minimize the DMARC compliance issues that it generates.
Specifically this involves not modifying subjects or message bodies
(footers/headers/html stripping/etc).

Please let me know if you need any assistance with this (we did those
adjustments site wide at KDE some years ago - with them being very
successful by and large)

Cheers,
Ben Cooksley
KDE Sysadmin

Actions #1

Updated by pjessen about 3 years ago

  • Category set to Mailing lists
  • Status changed from New to Feedback
  • Assignee set to pjessen
  • Private changed from Yes to No

bcooksley@kde.org wrote:

> Recently we at KDE were doing some maintenance on our mail servers and
> observed that a significant amount of email had been held by the opendmarc
> filter which had originated from OpenSUSE mailing lists.
>
> In particular, this email appears to originate specifically from the SUSE
> Bugzilla, as suse.com publishes a DMARC policy of quarantine, and
> OpenSUSE's Mailman setup breaks the DKIM signatures attached to the emails.

Hi Ben

thanks for bringing this to our attention, much appreciated.

I thought we had actually dealt with this issue, so I'm a little surprised.

Is it still happening or is it more like a collection of older mails that have been filtered out?

> You may wish to investigate adjusting the configuration of your Mailman
> installation to minimize the DMARC compliance issues that it generates.
> Specifically this involves not modifying subjects or message bodies
> (footers/headers/html stripping/etc).

Yup, that's exactly what we did - stopped adding a prefix to the subject and stopped adding some friendly advice in the footer.

Actions #2

Updated by bcooksley@kde.org about 3 years ago

On Sun, Feb 28, 2021 at 6:18 AM redmine@opensuse.org wrote:

> [openSUSE Tracker]
> Issue #89227 has been updated by pjessen.
>
> Category set to Mailing lists
> Status changed from New to Feedback
> Assignee set to pjessen
> Private changed from Yes to No
>
> bcooksley@kde.org wrote:
>
>> Recently we at KDE were doing some maintenance on our mail servers and
>> observed that a significant amount of email had been held by the opendmarc
>> filter which had originated from OpenSUSE mailing lists.
>>
>> In particular, this email appears to originate specifically from the SUSE
>> Bugzilla, as suse.com publishes a DMARC policy of quarantine, and
>> OpenSUSE's Mailman setup breaks the DKIM signatures attached to the emails.
>
> Hi Ben
>
> thanks for bringing this to our attention, much appreciated.
> I thought we had actually dealt with this issue, so I'm a little
> surprised.
>
> Is it still happening or is it more like a collection of older mails that
> have been filtered out?

Unfortunately the issue is still occurring. An excerpt from our logs:

Feb 26 14:16:45 letterbox postfix/smtpd[28195]: 9087B2848B9: client=
proxy-nue1.opensuse.org[195.135.221.145]
Feb 26 14:16:45 letterbox postfix/cleanup[27664]: 9087B2848B9: message-id=<
bug-1181874-21960-Qf81SJS3Dt@http.bugzilla.opensuse.org/>
Feb 26 14:16:48 letterbox mimedefang.pl[23039]: 9087B2848B9:
MDLOG,9087B2848B9,ham,-2.049:
BAYES_50%2CDKIM_INVALID%2CDKIM_SIGNED%2CHEADER_FROM_DIFFERENT_DOMAINS%2CHTML_MESSAGE%2CMAILING_LIST_MULTI%2CRCVD_IN_DNSWL_MED%2CSPF_HELO_NONE%2CSPF_PASS,195.135.221.145,<
bugs-bounces@opensuse.org>,<[removed]@kde.org>,[Bug 1181874] GCC 11:
libzypp package fails
Feb 26 14:16:48 letterbox opendkim[881]: 9087B2848B9: s=susede1 d=suse.com
SSL
Feb 26 14:16:48 letterbox opendkim[881]: 9087B2848B9: bad signature data
Feb 26 14:16:48 letterbox opendmarc[807]: 9087B2848B9: SPF(mailfrom):
bugs-bounces@opensuse.org pass
Feb 26 14:16:48 letterbox opendmarc[807]: 9087B2848B9: suse.com fail

>> You may wish to investigate adjusting the configuration of your Mailman
>> installation to minimize the DMARC compliance issues that it generates.
>> Specifically this involves not modifying subjects or message bodies
>> (footers/headers/html stripping/etc).
>
> Yup, that's exactly what we did - stopped adding a prefix to the subject
> and stopped adding some friendly advice in the footer.

Awesome, that generally covers things off..

Digging out the precise failure details reveals the following:
dkim=fail reason="signature verification failed" (1024-bit key;
unprotected) header.d=suse.com header.i=@suse.com header.b="rXK8vI5M";

and looking at the actual DKIM-Signature reveals that they're signing the
Reply-To header - yet the email from the mailing list is distinctly lacking
a reply-to header.

As this is a common one for Mailman and other re-mailers to want to change,
what we've done at KDE with our setup is explicitly changed our signing
infrastructure to exclude the Reply-To header from our signatures. This
allows Bugzilla, etc. to continue to send mail to mailing lists without
issue (with users being pretty much unaffected, as humans don't usually set
Reply-To)

Thoughts?
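
The failure diagnosed in the comment above, as an added example that is not part of the ticket or of either project's configuration: a signature whose `h=` list covers Reply-To stops matching once a re-mailer drops that header, while a signature that leaves Reply-To out survives the same relay. The messages and addresses are constructed, and the sketch compares only the canonicalized signed-header input; the DKIM-Signature field itself, the body hash and the RSA check are left out.

```python
import hashlib
import re
from email import message_from_string

# Constructed sample messages (not from the ticket): as signed, and as relayed
# by a list that dropped Reply-To and added List-Id but left Subject alone.
ORIGINAL = (
    "From: bugzilla@sender.example\n"
    "To: bugs@lists.example\n"
    "Reply-To: noreply@sender.example\n"
    "Subject: [Bug 1] sample\n"
    "\n"
    "body\n"
)
RELAYED = (
    "From: bugzilla@sender.example\n"
    "To: bugs@lists.example\n"
    "List-Id: <bugs.lists.example>\n"
    "Subject: [Bug 1] sample\n"
    "\n"
    "body\n"
)

def relaxed(name, value):
    """RFC 6376 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r?\n", "", value)            # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse whitespace runs
    return f"{name.lower()}:{value}\r\n"

def signed_fields(raw, h_tag):
    """Canonicalized fields selected by h=, taken bottom-up (RFC 6376 5.4.2)."""
    msg = message_from_string(raw)
    used, out = {}, []
    for name in (n.strip().lower() for n in h_tag.split(":")):
        values = msg.get_all(name, [])
        idx = len(values) - 1 - used.get(name, 0)
        used[name] = used.get(name, 0) + 1
        # A field absent from the message contributes the empty string.
        out.append(relaxed(name, values[idx]) if idx >= 0 else "")
    return out

def header_digest(raw, h_tag):
    """SHA-256 over the signed-header input (signature field omitted here)."""
    return hashlib.sha256("".join(signed_fields(raw, h_tag)).encode()).hexdigest()

def changed_in_transit(h_tag):
    """Names in h= whose canonical form differs between ORIGINAL and RELAYED."""
    names = [n.strip().lower() for n in h_tag.split(":")]
    pairs = zip(names, signed_fields(ORIGINAL, h_tag), signed_fields(RELAYED, h_tag))
    return [n for n, a, b in pairs if a != b]
```

Calling `changed_in_transit` with the `h=` value copied from a failing signature, after swapping in the real sent and received headers, names the signed fields the relay altered.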

Actions #3

Updated by pjessen about 3 years ago

  • Assignee changed from pjessen to jdsn

> Digging out the precise failure details reveals the following:
> dkim=fail reason="signature verification failed" (1024-bit key;
> unprotected) header.d=suse.com header.i=@suse.com header.b="rXK8vI5M";
>
> and looking at the actual DKIM-Signature reveals that they're signing the
> Reply-To header - yet the email from the mailing list is distinctly lacking
> a reply-to header.
>
> As this is a common one for Mailman and other re-mailers to want to change,
> what we've done at KDE with our setup is explicitly changed our signing
> infrastructure to exclude the Reply-To header from our signatures. This
> allows Bugzilla, etc. to continue to send mail to mailing lists without
> issue (with users being pretty much unaffected, as humans don't usually set
> Reply-To)
>
> Thoughts?

Sounds like you've already diagnosed the problem - I'll have to pass it to SUSE-IT to see what they say about it.
I have another issue that I suspect is related - jdsn, is it possible the DKIM signing for 'suse.com' was changed recently?

Actions #4

Updated by crameleon 9 months ago

  • Assignee deleted (jdsn)

Hi @pjessen, is this request still valid?

Actions #5

Updated by pjessen 9 months ago

  • Status changed from Feedback to Resolved
  • % Done changed from 0 to 100

crameleon wrote:

> Hi @pjessen, is this request still valid?

I have no idea, let us see what happens when I close it as resolved 😀
