DKIM header not added to subscribe/unsubscribe notification email
I have a Mailman 3 server set up with OpenDKIM and Postfix. Each of the lists has been configured so that the DMARC mitigation is "Replace From: with list address" and DMARC Mitigate unconditionally is selected.
Everything seems to be working fine *except* when the system sends a notification email to the list owners of someone subscribing or unsubscribing. *Those* emails do not have the DKIM header added and are getting trapped by anti-spam systems as a result.
Any suggestions as to why this might be, please? I cannot see anything in the configuration for OpenDKIM or Postfix that might allow just those messages to go out unsigned.
In case it is relevant/important, this system is running:
mailman 3.3.5 mailman-hyperkitty 1.2.0 mailman-web 0.0.5 mailmanclient 3.3.3
Thank you.
Regards
Philip
Philip Colmer writes:
Everything seems to be working fine *except* when the system sends a notification email to the list owners of someone subscribing or unsubscribing. *Those* emails do not have the DKIM header added and are getting trapped by anti-spam systems as a result.
My guess is that the address Mailman uses for From in those messages is not in OpenDKIM's SigningTable. This is probably the $LIST-owner@$LISTDOMAIN address. You should also add the mailman@$LISTDOMAIN address.
I cannot see anything in the configuration for OpenDKIM or Postfix that might allow just those messages to go out unsigned.
Neither can we, although for a different reason. ;-) Please don't hesitate to send full configuration files to us on the grounds of absolute size or bandwidth. Such reports are relatively rare, they're not actually that big, and almost everybody on our lists are admins who know that it could be them tomorrow. Unfortunately at present I don't think you can send it as attachments.
If you're worried about system security, you can either redact sensitive information such as passwords, domain names, mailboxes, and IP addresses, or you can send it to one of the developers directly (me, at the moment; Mark, when he gets back in a few weeks -- I believe Mark prefers a zipfile if there are multiple files, and I know I do) if you're willing to trust us.
Steve
On Fri, 19 Aug 2022 at 18:11, Stephen J. Turnbull < stephenjturnbull@gmail.com> wrote:
My guess is that the address Mailman uses for From in those messages is not in OpenDKIM's SigningTable. This is probably the $LIST-owner@$LISTDOMAIN address. You should also add the mailman@$LISTDOMAIN address.
Thank you - it was precisely this bit (the Signing Table) that I was missing. Adding that configuration has fixed it.
Neither can we, although for a different reason. ;-) Please don't hesitate to send full configuration files to us on the grounds of absolute size or bandwidth. Such reports are relatively rare, they're not actually that big, and almost everybody on our lists are admins who know that it could be them tomorrow. Unfortunately at present I don't think you can send it as attachments.
If you're worried about system security, you can either redact sensitive information such as passwords, domain names, mailboxes, and IP addresses, or you can send it to one of the developers directly (me, at the moment; Mark, when he gets back in a few weeks -- I believe Mark prefers a zipfile if there are multiple files, and I know I do) if you're willing to trust us.
Thanks, Steve. I appreciate that gesture.
Thanks again for your help. Very much appreciated.
Regards
Philip
participants (2)
-
Philip Colmer -
Stephen J. Turnbull