|
Size: 7690
Comment:
|
Size: 7746
Comment: dkim nolonger a draft.
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| #pragma page-filename DEV/versions/3047439 | #pragma page-filename DEV/versions/4030499 |
| Line 3: | Line 3: |
| [[http://www.dkim.org|DKIM]] is a draft specification for cryptographically signing certain parts of an email message. Signing using DKIM allows for domain name holders to vouch for the contents of headers and/or body text. The public keys for the signatures are available through DNS so only the DNS administrators corresponding to claimed domains in the signed components will be able to produce valid signatures. | [[http://www.dkim.org|DKIM]] is a specification ([[http://www.ietf.org/rfc/rfc4871.txt?number=4871|RFC 4871]])for cryptographically signing certain parts of an email message. Signing using DKIM allows for domain name holders to vouch for the contents of headers and/or body text. The public keys for the signatures are available through DNS so only the DNS administrators corresponding to claimed domains in the signed components will be able to produce valid signatures. |
DomainKey Identified Mail (DKIM)
DKIM is a specification (RFC 4871)for cryptographically signing certain parts of an email message. Signing using DKIM allows for domain name holders to vouch for the contents of headers and/or body text. The public keys for the signatures are available through DNS so only the DNS administrators corresponding to claimed domains in the signed components will be able to produce valid signatures.
DKIM affects Mailman in several ways. Most importantly, the transformations that Mailman can inflict on original postings can break DKIM signatures. Mailman can remove headers, add headers, concatenate header or footer text, add or remove MIME parts, completely reorganize the MIME structure of a message, perform character set transformations, and more. Any one of these things can break a DKIM signature.
Other ways in which Mailman and DKIM interact include whether Mailman should validate DKIM signatures on incoming messages and whether Mailman should sign outgoing list copies with its DKIM signature. (Note that when I say Mailman above, I really mean Mailman proper or any assistive mail component Mailman relies upon, such as the incoming or outgoing MTA.)
Signature breakage
Mailman's transformations can break DKIM signatures. The DKIM specifications are sparse about best common practices in the face of message transforming mailing list remailers. The question then is, what are the best common practices for mailing lists generally, and Mailman specifically, for playing nice in a world filled with DKIM? Make no mistake though, DKIM cannot be ignored; the big players such as Y! and G are already signing messages, and sites are already using DKIM signature validity as part of their spamminess decision making process.
At the time of this writing, the topic is being hotly debated on the mailman-developers mailing list.
We have several options for dealing with DKIM signature breakage. They are not necessarily mutually exclusive.
Ignore the problem. This is the simplest solution because it mean we don't have to change Mailman at all. If the original message has DKIM-Signature headers, we just leave them in there even if Mailman's transformations break the signature. We do no parsing or verification of the signature, nor do we limit any Mailman transformations we would otherwise apply to the message because of the signature. The effects of this are that recipients of list copies of the message may fail to verify the signature, potentially treating the message as spammy.
Parse the DKIM-Signature header in order to adjust or record the effects of Mailman transformations on it. Several outcomes could include refusing to perform transformations (such as adding footers) that break the signature, or removing the original DKIM-Signature header if we've broken the signature.
Sign headers under Mailman's control. For example, as per RFC 2369 Mailman adds a List-ID header which points to the posting address of the mailing list. Mailman could sign this header, and possibly also the Sender header (which Mailman also adds, though this is not without some controversy). Verifiers could then easily check for a verified List-ID header and reduce the spaminess of the message even if the From header signature were broken.
Remove all original DKIM-Signature headers just in case our transformations have broken the signature. This solution seems to be strongly disfavored by DKIM proponents.
Problems with Mailman signing headers
When Mailman (or its downstream components) signs list copies, it means that the list server system is vouching for the validity of the message. Could this get us into trouble?
Because Mailman is a remailer, such resigning could open an attack vector where spam sent through the list suddenly get verified by a third party (the mailing list). This could potentially legitimatize otherwise illegitimate messages. Thus if Mailman were to add its own DKIM signatures, you'd want to make sure Mailman were also checking the DKIM signatures of messages it receives, and potentially putting a hold on messages that had a broken or non-existent signature. You probably also want to do more aggressive spam filtering on the message before it even hits Mailman.
Spam directly mailed to the list isn't the only problem though; a much more likely scenario for some lists are that messages gated from Usenet come from a totally unverifiable source. Of course, Usenet gating is a pretty rare use case these days, but still, we shouldn't ignore it. Already python.org occassionally gets labeled as a spam source because of its gating of spam messages from comp.lang.python. It probably makes the most sense to simply not sign gated messages.
Proposal
Because we're in feature freeze for Mailman 2.1, we can't add any new functionality. However, in Mailman 2.1.9, we explicitly began stripping DKIM-Signature headers from incoming messages. This is what sparked the above mentioned developers thread. The original impetus for this change was a broken DKIM Sendmail milter which refused to sign outgoing messages that already contained a signature.
The proposal for Mailman 2.1.10 then is to add a variable to Defaults.py.in (configurable via mm_cfg.py) that controls whether DKIM-Signature headers are removed or not in outgoing list copies, e.g.:
# Controls whether all existing DKIM-Signature headers in posted messages # get stripped in the outgoing list copies. In general, you should leave # this disabled so that original DKIM signatures will be retained for # forensic purposes, even if broken. Enable this feature only if your site # has specific problems with outgoing pre-signed (broken or unbroken) messages. STRIP_DKIM_SIGNATURE = No
The default is No in order to restore the behavior that came to be expected before the 2.1.9 release.
For Mailman 2.2/3.0 then, we should explore adding DKIM signing code as a handler module, such that definitely List-ID, possibly Sender and potentially other Mailman added headers get valid signatures. We may instead encourage that sites that want to play nicely with DKIM configure their outgoing MTAs to sign these headers, reducing the computational burden on Mailman itself. However, if we do this, we'll need to have a way to tell the outgoing MTA not to sign certain messages (e.g. Usenet posts). That might require an MTA-specific solution.
We should also encourage the site's incoming MTA to check the validity of any DKIM-Signature header on posted messages. We'd like to see something like a DKIM validity status header added to the message Mailman sees. Then Mailman can put a hold on messages that its upstream MTA tells it has a bad DKIM signature.
Finally, we should encourage the DKIM working group to include language in the spec specifically relating to mailing list interoperability. Such language should say that verifiers SHOULD check for the existance of, and look favorably upon, a valid signed List-ID header even if other DKIM signatures fail to validate. IOW, a valid signed List-ID header should be indication enough that all other signatures were subject to breakage because of mailing list garbling.
Comments
Re: Problems with Mailman signing headers
You write that a Mailman signature could potentially "legitimize otherwise illegitimate message". Technically, this is confusing language. "Legitimate" is a local policy decision and will surely vary from site to site. I would express this kind of idea as "result in recipients accepting spam and undesired messages that they otherwise would reject."
You suggest not signing gated messages. This has its own problems, specifically that (1) it is useful to promise to sign all messages, but the list is deliberately not signing some of its output (2) many sites that know that this list signs will drop all unsigned posts. A plausible alternative strategy would be to sign Usenet-gated posts with a different key. I don't think this is generally going to be more than minor extra effort, as any decent signing agent will be prepared to deal with selectors. (I suppose this is mandated by DKIM, but I haven't checked.)
Re: Proposal
The language for 2.1.10 is excellent.
For 2.2/3.0, shouldn't all RFC 2369 headers be signed to prevent phishing attacks? Sender should be signed for Mailman's own potential benefit, I think, and of course DKIM itself mandates signing From.
The discussion of the DKIM status header should remark that DKIM does not even suggest a format for these headers, so they will be implementation-dependent. I think a call for Mailman advocates to participate in specification of a standard header, as well as to help with implementations' headers in the meantime, may be warranted.
Regarding the call for verifiers to "look favorably on" verified list signatures, I'm of two minds. Technically, I think it's a bug in the DKIM spec that it doesn't thoroughly distinguish between verifiers and policy agents (not to mention that it fails to mention the role of policy agents for the signing decision at all!) So I don't like language that suggests that verifiers make policy decisions. There's plenty of precedent for it in the latest DKIM draft, though.
Language to the effect that verifiers MAY make extra effort to find a valid list signature in the case where broken signatures are found is definitely appropriate, though.
As Michael has repeatedly emphasized, very little is known about the pragmatics of re-signing. Nonetheless, I think that a better way to try to accomplish this is to have a Mailman implementation that wants to take responsibility for broken signatures is to sign those signatures. (Remember, it can also create another signature without signing them. Then the signature signature might fail due to an intermediary reordering DKIM signatures, but the signature of the post itself would succeed.)
Then the BCP for policy agents could say that the presence of a broken signature which is nonetheless verified by a valid signature SHOULD be considered an indication that the verified signer verified the broken signatures on the way in, and that the verified signer then broke them. (This doesn't mean that a policy agent should trust the broken signature. That depends on how much it trusts the verified signer.)
Without signing the signatures, there's an obvious vector for reply attacks. I don't think that can be written into the standard or BCP.
Looking favorably on List-Id tags is just opening a big bypass in dkim email checking. I really like the propositions that say we're going to get with DKIM and continue on to a brave new internet.
Good practice plan:
1. Encourage List managers to reject email with broken signatures or that conflicts with http://tools.ietf.org/html/draft-ietf-dkim-ssp-03 Author Signing Practices. I think this will deal with the "vouching for the validity" problem of signing.
2. Encourage List managers to DKIM sign content. This is just making a statement that the content came through the server and that you've done DKIM checking on the input.
3. Provide a mechanism for List managers not to mangle DKIM signatures. Provide or refer to "DKIM - A list managers' guide"
4. Encourage DKIM implementers to have a policy of configuring favorable DKIM signatures that will allow an email though even if the Author Signing Practices fail. This is mainly for those List managers that insist on breaking signatures.
DKIM IETF Working Group have started DomainKeys Identified Mail (DKIM) Development, Deployment and Operations Draft RFC that covers what Mailing List List Managers should do with DKIM and list email.
I think you have to take the message as it originally came in, extract the DKIM signature and headers that it covers, and then re-sign all those headers and content (after modification).
Think of it like a chain of custody. You get a message that is signed, and which may have some additional stuff associated with it that is not signed (like the "Received:" headers). Because you're going to do something that is likely to destroy the signature and the original message as you received it, you need to re-sign the stuff you got which was signed on input, to be able to demonstrate to others that it had come into you signed, that you verified that signature, and you're certifying what it is that you verified.
I have a suggestion on how this can be fixed:
Take the *whole mail* as sent as the user, and put this into a new message/rfc822 container, that has the envelope from *AND* "From:" set to the list mailing adress (eg the mail adress that users send their list posts to).
So a list mail like this:
From: listuser@example.org To: list@list.org Subject: Fix this Content-Type: text/plain
This is broken.
Can be sent out from the list as:
From: list@list.org To: list_subscriber@someotherhost.org Subject: Fwd: Fix this Content-Type: message/rfc822; boundary="
1234"
This is a MIME Message
1234 From: listuser@example.org To: list@list.org Subject: Fix this Content-Type: text/plain
This is broken.
1234--
The fixed mail can additionally be DKIM signed by the list software.
The advantages of this, is that it will BOTH fix DKIM problems (since the signing is done from the list domain and not the sender domain), *AND* SPF, since the SPF will then be validated against the list domain and not sender domain).
Another advantage by encapsulating the mail into a new message/rfc822 container, is that you don't break any previous DKIM signatures, and also do not break any S/MIME or PGP signatures.
The suggestion in the comment by SebastianNielsen is exactly what is done by the from_is_list Wrap Message setting first implemented in Mailman 2.1.16 and made more generally available (not requiring site option to enable) in Mailman 2.1.18. See DEV/DMARC.