OT: DKIM signatures on email messages from lists.gnupg.org

Alessandro Vesely vesely at tana.it
Mon Jun 12 18:45:37 CEST 2023


On Mon 12/Jun/2023 13:05:51 +0200 Alexander Leidinger via Gnupg-users wrote:
> Quoting Alessandro Vesely via Gnupg-users <gnupg-users at gnupg.org> (from Mon, 12 Jun 2023 10:57:32 +0200):
> 
>> Hi,
>>
>> would someone please explain DKIM settings of lists.gnupg.org?
> 
> I'm not involved in gnupg.org administration, but it looks like there are none.


Sometimes there is a signature.  The Announce message of April 28 had two:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnupg.org;
  s=20181017;
  h=Sender:Content-Type:List-Subscribe:List-Help:List-Archive:
  List-Unsubscribe:List-Id:Subject:MIME-Version:Message-ID:Date:Cc:To:From:
  Reply-To:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date
  :Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
  References:List-Post:List-Owner;
  bh=AaifcSnTnefRUURuPlCYtVlF0on0neCAn9vyAWrccMA=; b=GZor1crbzgMYZ0XztsHrHN0w3P
  d4QT2yOyZRUI1iA/Ys5St2fi/3ZIKghj/man3fY3c8bmN1N0fwEGCadSTzKO5YpM29kATZ8tDDLcf
  hX/49Mlk+X0sw5ecu3Z/Bm+2RJlpk8TPHWNM1wUy7yIlI4txDDSCsIlAawikJ4I4HTJY=;

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnupg.org;
  s=20181017;
  h=Content-Type:MIME-Version:Message-ID:Date:Subject:Cc:To:From:
  Sender:Reply-To:Content-Transfer-Encoding:Content-ID:Content-Description:
  Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
  In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
  List-Post:List-Owner:List-Archive;
  bh=waITwZnkLncVwES3fe/pbC3rS8gp+dpge17NQpRHvMU=; b=U9warAJAiKlE0f9mSRe61yIzqa
  TNpdihkg9KDQBb8px1ESE5/6/qPzsg2KOMt82hpGMJukxzKAoDMwOGvpN/TGO9ADjrjWz9Dk5Ry+p
  QIwg+x3PKxYoOGVU9cmpVmeGsu6yOemyfN3mz0fGdqEC7SBGWjbe4LusOc/Kb65Opd0k=;


There were a number of Received: by/from kerckhoffs.g10code.com in between, as 
if the message was sent back and forth to a signer.  Most likely some header 
fields are changed during the transaction.


>> Looking at recent posts, I counted 44 with a failed signature by d=gnupg.org, 
>> 22 with no DKIM signature at all and none with a good signature.
> 
> Can it be that those 44 are from real people which have a from-address @gnupg.org?


I only counted d=gnupg.org.


>> I'm asking because there was a proposal to eliminate SPF from DMARC 
>> authentication methods[*].  Opposers to such move note that in a number of 
>> cases SPF succeeds where DKIM fails.  The discussion concluded that it must 
>> be because of misconfiguration, since most in-transit alterations were 
>> eliminated.  As people on this list are certainly knowledgeable, I thought 
>> I'd dare asking where such misconfiguration stems from.
> 
> Your mail to the list had a DKIM signature from tana.it (your DKIM signature). 
> It specifies that in the header the date, to, from and subject lines are 
> subject to validation.


Those lines are enough to uniquely identify a message.  Signing more fields 
only makes the signature more fragile.  It is not enough to prevent crackerjack 
re-playing in any case.


> The From was re-written by the list and as such the 
> header check fails. The body check fails as the list adds the following:
> 
> ---snip---
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users
> ---snip---


The message verifies after removing the footer.  It can be done routinely, on 
some kind of signatures.


> What the list-software would need to do is to strip the original DKIM signature


Why?  Original signatures can often be recovered.  They shouldn't be removed 
anyway.


> (and maybe sign itself, but there are drawbacks),


What drawback can there be to signing?  CPU resource consumption?


> or to not modify the message 
> (at least not the designated header lines, and the body). More info here:
>      https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html


Omitting subject tag and footer seems to me to be worse than From: munging.

See also this:
https://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail


> For mailman there is some info here what could/should be done:
>      https://wiki.list.org/DEV/DKIM
>      https://wiki.list.org/DEV/DMARC
> 
> For listserv there is some info here what could/should be done:
>      https://www.lsoft.com/manuals/17.0/advancedtopics/Section12UsingDomainKeysIdentifi.html
>      https://www.lsoft.com/manuals/17.0/advancedtopics/Section13DMARCandLISTSERV.html
> 
> There is also ARC (which you should see in the headers of my mail):
>      https://en.wikipedia.org/wiki/Authenticated_Received_Chain


I'd definitely recommend ARC, not the conceptual Mailman 3 version.  However, 
most receivers are not yet prepared to accept it.


Best
Ale
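Added example, not part of the thread above and not code from any of the projects it mentions: a small Python script that reproduces the body-hash side of the discussion. It implements the "relaxed" body canonicalization of RFC 6376 (the c=relaxed/relaxed setting in the two gnupg.org signatures quoted above), computes the bh= value over a constructed sample body, shows that appending the Mailman footer quoted in the thread breaks the hash, and shows two ways it verifies again: stripping the known footer before hashing, and a signature that used the l= body-length tag. The sample body and the footer text are constructed for the example; the function names are mine.

```python
import base64
import hashlib
import re
from typing import Optional

# RFC 6376 section 3.4.4: runs of WSP (SP / HTAB) collapse to one SP.
WSP_RUN = re.compile(rb"[ \t]+")


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """'relaxed' body canonicalization: strip trailing WSP on each line,
    collapse inner WSP runs to a single space, drop trailing empty lines,
    and terminate every remaining line with CRLF (empty body stays empty)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    out = []
    for line in lines:
        line = line.rstrip(b" \t")
        line = WSP_RUN.sub(b" ", line)
        out.append(line)
    while out and out[-1] == b"":
        out.pop()
    if not out:
        return b""
    return b"\r\n".join(out) + b"\r\n"


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """bh= value: base64(SHA-256) of the canonicalized body. If `length`
    is given it mimics the l= tag and hashes only that many leading bytes."""
    canon = canonicalize_body_relaxed(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def strip_footer(body: bytes, footer: bytes) -> Optional[bytes]:
    """Return the body with a trailing, known list footer removed, or None
    if that footer is not present. Comparison is done on canonicalized
    forms so whitespace changes in transit do not matter."""
    canon = canonicalize_body_relaxed(body)
    canon_footer = canonicalize_body_relaxed(footer)
    if not canon_footer or not canon.endswith(canon_footer):
        return None
    return canon[: -len(canon_footer)]


# Constructed sample: the text a subscriber signed at tana.it ...
ORIGINAL_BODY = (
    b"Hi,\r\n\r\n"
    b"would someone please explain DKIM settings of lists.gnupg.org?\r\n\r\n"
    b"Best\r\nAle\r\n"
)

# ... and the footer Mailman appends, as quoted in the thread (constructed
# here with CRLF line endings and a blank separator line before it).
LIST_FOOTER = (
    b"_______________________________________________\r\n"
    b"Gnupg-users mailing list\r\n"
    b"Gnupg-users at gnupg.org\r\n"
    b"https://lists.gnupg.org/mailman/listinfo/gnupg-users\r\n"
)
AS_RELAYED = ORIGINAL_BODY + b"\r\n" + LIST_FOOTER


def check(sent: bytes, received: bytes, footer: bytes) -> dict:
    """Compare the bh= the sender would have signed against what a verifier
    sees after the list relayed the message, under three strategies."""
    bh_signed = body_hash(sent)
    stripped = strip_footer(received, footer)
    signed_len = len(canonicalize_body_relaxed(sent))
    return {
        # verify the body exactly as received: fails once a footer is added
        "verbatim": body_hash(received) == bh_signed,
        # remove the known footer first: verifies again
        "footer_stripped": stripped is not None and body_hash(stripped) == bh_signed,
        # a signature that carried l=<original length> ignores appended text
        "l_tag": body_hash(received, signed_len) == bh_signed,
    }


if __name__ == "__main__":
    for name, ok in check(ORIGINAL_BODY, AS_RELAYED, LIST_FOOTER).items():
        print(f"{name:16s} {'pass' if ok else 'FAIL'}")
```

The footer-stripping path is what "it can be done routinely" amounts to for a verifier that knows the list's footer. The l= path shows why a body-length-limited signature survives the footer, but it does so by leaving everything after the signed prefix unauthenticated, which is why receivers tend to treat l= signatures with suspicion rather than as a fix; the header side (the rewritten From: and a tagged Subject:) is not helped by either approach, which is the point of the From: munging and ARC options discussed in the thread.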