DKIM and mailman3

Article par nanoy le 7 juin 2020 22:33 (dernière modification : 11 août 2020 20:52).
Catégorie : Programmation
mail

Jui 07, 2020

Mailman3

Mailman3 is mailing-list software.

DKIM

DKIM (DomainKeys Identified Mail) is a norm that permits to verify the authenticity of the sender's name domain.

It works like this : you add a signature to outgoing emails and you also add a txt dns record with the public key in it. Then when an email is received, the client will check the DKIM signature in the email with the one in the dns record.

Problem

Mailman3 modify headers and append text at end of emails. This breaks DKIM signature and you will likely have the error DKIM: Invalid (email was modified).

Proposed solution

A possible solution to this issue is the following:

  1. Delete DKIM headers from incoming emails
  2. Replace sender with list address
  3. Sign email with the DKIM key of mail server

To delete the DKIM header from incoming emails, you can set the parameter remove_dkim_headers to yes in cat /etc/mailman3/mailman.cfg in the [mta] section. It will cause mailman to remove DKIM headers from any incoming email.

But some of you will already have spotted the problem. What if the sender uses a DMARC mitigation record. The email may be rejected if the DKIM header is not here.

So we can change the from header and sign the mail with our DKIM key.

To change the from header you can go to the list settings and then to DMARC mitigations, then change "DMARC mitigation action" to "Replace from: woth list address". If you want all messages to have the header replace, change " DMARC Mitigate unconditionally" from "no" to "yes".

Finally, you have to configure postfix (or any other software) to sign outgoing emails. For postfix, it will looks like 

#openDKIM
milter_default_action = accept
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

You then have to create a key, set up opendkim and add a txt dns record. Take a look at http://opendkim.org/.

By default, mailman3 add a reply-to field ot the original poster. It can be changed to have a reply-to filed to the list address in the alter messages settings tab.

Commentaires