mailman break DKIM signature by modifying body
Hi,
I'm using mailman 3.3.8.
Some messages with attachments from Google users get rejected by spam filters because of invalid DKIM signatures.
It seems that mailman alters some lines in the body. Here is an example:
Original message:
--8<---------------cut here---------------start------------->8---
Lines: 2031

--000000000000f846c505fc494b7a--
--000000000000f846c705fc494b7c
Content-Type: application/pdf; [...]
Content-Disposition: attachment; [...]
--8<---------------cut here---------------end--------------->8---
Altered message:
--8<---------------cut here---------------start------------->8---
Lines: 2032

--000000000000f846c505fc494b7a--

--000000000000f846c705fc494b7c
Content-Type: application/pdf; [...]
Content-Disposition: attachment; [...]
--8<---------------cut here---------------end--------------->8---
An empty line is added, and the spaces after the semicolons are removed.
Perhaps related to https://gitlab.com/mailman/mailman/-/issues/1079.
What could I do please, to prevent such modifications of the body?
TIA for any help,
Peter
On 6/5/23 07:06, Peter Münster wrote:
> Hi,
> I'm using mailman 3.3.8.
> Some messages with attachments from Google users get rejected by spam filters because of invalid DKIM signatures.
> It seems that mailman alters some lines in the body. Here is an example:
> Original message:
> --8<---------------cut here---------------start------------->8---
> Lines: 2031
>
> --000000000000f846c505fc494b7a--
> --000000000000f846c705fc494b7c
> Content-Type: application/pdf; [...]
> Content-Disposition: attachment; [...]
> --8<---------------cut here---------------end--------------->8---
> Altered message:
> --8<---------------cut here---------------start------------->8---
> Lines: 2032
>
> --000000000000f846c505fc494b7a--
>
> --000000000000f846c705fc494b7c
> Content-Type: application/pdf; [...]
> Content-Disposition: attachment; [...]
> --8<---------------cut here---------------end--------------->8---
> An empty line is added, and the spaces after the semicolons are removed.
> Perhaps related to https://gitlab.com/mailman/mailman/-/issues/1079.
> What could I do please, to prevent such modifications of the body?
Changes like those above are due to Python's stdlib email module. Short of actually modifying the email module, there's nothing you can do to prevent them.
Instead, you should be DKIM signing your outgoing mail and perhaps applying Mailman's DMARC mitigations if DMARC is an issue.
If you are DKIM signing your outgoing mail and mail is being rejected because of prior invalid signatures, you can remove those by adding
remove_dkim_headers: yes
to the [mta] section of mailman.cfg. Also, ARC signing <https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/arc_sign.html> may help.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
On Mon, Jun 05 2023, Mark Sapiro wrote:
> Changes like those above are due to Python's stdlib email module.
Ok, I'll submit a bug report.
> Instead, you should be DKIM signing your outgoing mail and perhaps applying Mailman's DMARC mitigations if DMARC is an issue.
I would like to keep things as simple as possible.
Before changing my setup, I'll see if there is any chance that the email module gets fixed.
-- Peter
On Mon, Jun 05 2023, Mark Sapiro wrote:
> Changes like those above are due to Python's stdlib email module.
Could you point me to the code please, where the module is called?
TIA,
Peter
On 6/5/23 10:07, Peter Münster wrote:
> On Mon, Jun 05 2023, Mark Sapiro wrote:
> > Changes like those above are due to Python's stdlib email module.
> Could you point me to the code please, where the module is called?
Basically, all over.
https://gitlab.com/mailman/mailman/-/blob/master/src/mailman/email/message.p... defines a mailman.email.message.Message class which is a subclass of Python's email.message.Message class.
https://gitlab.com/mailman/mailman/-/blob/master/src/mailman/runners/lmtp.py... makes a mailman.email.message.Message object from the incoming bytes. This object is passed around through many Mailman modules and ultimately https://gitlab.com/mailman/mailman/-/blob/master/src/mailman/runners/outgoin... calls the delivery function which has multiple paths which all wind up at https://gitlab.com/mailman/mailman/-/blob/master/src/mailman/mta/connection.... to send the message, and current code (Mailman >=3.3.6) will actually pass the message object to Python's smtplib <https://docs.python.org/3/library/smtplib.html#smtplib.SMTP.send_message> to send it.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
On Mon, Jun 05 2023, Mark Sapiro wrote:
> Basically, all over.
Thanks. I would like to find out which function is responsible for the modification of the body before filing a bug report. Unfortunately I don't have any experience with Python, so any help is highly appreciated. My idea is to add "print(message)" at the places that you mentioned. Where would I find the output then?
TIA for any hints,
Peter
On 6/5/23 14:59, Peter Münster wrote:
> On Mon, Jun 05 2023, Mark Sapiro wrote:
> > Basically, all over.
> Thanks. I would like to find out which function is responsible for the modification of the body before filing a bug report. Unfortunately I don't have any experience with Python, so any help is highly appreciated. My idea is to add "print(message)" at the places that you mentioned. Where would I find the output then?
You don't want to use print statements. All those modules do logging to various logs so they pretty much all import logging. Then you add something like
dlog = logging.getLogger('mailman.debug')
near the beginning of the module and then add things like
dlog.info(msg.as_bytes())
to write the message to debug.log.
However, I would not proceed in that way. I would start by putting the raw problem message as it comes to mailman in a file and then use mailman shell to do things like
>>> import email
>>> import smtplib
>>> from mailman.email.message import Message
>>> with open('path/to/message/file', 'rb') as fp:
...     msg = email.message_from_binary_file(fp, Message)
...
>>>
to create the message object, and then do something like
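>>> conn = smtplib.SMTP('localhost')  # assumes an MTA listening on localhost:25
>>> conn.sendmail(from_addr, to_addrs, msg.as_bytes())  # sendmail() takes str or bytes, not a Message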
to send the message to to_address and see if it has the added lines. Or maybe just
>>> print(msg.as_bytes())
to see if that has the added lines. It may be necessary to do things like
>>> msg['Message-ID-Hash'] = 'aaaaa'
to add a header to create the issue.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
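A way to check a saved message against this failure mode, as an added example (not code from the thread or from Mailman): it computes the DKIM `bh=` body hash per RFC 6376 before and after a round trip through Python's stdlib email module. The sample message and the function names are constructed for illustration; whether the round trip itself changes the hash depends on the Python version in use.

```python
import base64
import email
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization; mode is 'simple' or 'relaxed'."""
    lines = re.split(rb"\r?\n", body)
    if mode == "relaxed":  # collapse whitespace runs, drop whitespace at line end
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # trailing empty lines are ignored
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(raw: bytes, mode: str = "relaxed") -> str:
    """The bh= value (SHA-256, base64) a verifier computes for a raw message."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1] if len(parts) == 2 else b""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def survives_roundtrip(raw: bytes) -> dict:
    """Per canonicalization: does bh= still match after parse + as_bytes()?"""
    out = email.message_from_bytes(raw).as_bytes()
    return {m: body_hash(raw, m) == body_hash(out, m) for m in ("simple", "relaxed")}

# Constructed sample: inner closing boundary directly followed by the outer one.
ORIGINAL = b"""From: sender@example.com
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain

hello
--inner--
--outer
Content-Type: application/pdf

JVBERi0=
--outer--
""".replace(b"\n", b"\r\n")
# The change reported in the thread: an empty line added between the boundaries.
ALTERED = ORIGINAL.replace(b"--inner--\r\n--outer", b"--inner--\r\n\r\n--outer")

if __name__ == "__main__":
    print(survives_roundtrip(ORIGINAL), body_hash(ORIGINAL), body_hash(ALTERED))
```

Relaxed canonicalization only forgives whitespace inside lines and empty lines at the very end of the body, so an empty line inserted between two MIME boundaries invalidates `bh=` under both modes.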
On Mon, Jun 05 2023, Mark Sapiro wrote:
> >>> import email
> >>> import smtplib
> >>> from mailman.email.message import Message
> >>> with open('path/to/message/file', 'rb') as fp:
> ...     msg = email.message_from_binary_file(fp, Message)
Thanks, now it's very easily reproducible and I can send a bug report!
-- Peter
On Tue, Jun 06 2023, Peter Münster wrote:
> I can send a bug report!
Oh, someone else has already done that: https://github.com/python/cpython/issues/105333
-- Peter