DKIM+disclaimer problems after upgrade to mail2 module

zimny · June 2, 2018, 10:51am

Stéphane do you still like to test and go that way?
If you like I can test it against Apple setup but this is not solution and just like you mention is security flaw. Or we are thinking of NS like some kind of Kali distro

giacomo · June 2, 2018, 10:53am

I agree with Davide: DKIM (and other cryptographic features like PGP) can’t leave with software which alter the mail body before sending. I strongly support this statement since ages.
And, even if I can appear harsh and rude, I think that server-side disclaimer feature shouldn’t exists at all.

IMHO, we can add a note into the manual and not changing anything.

zimny · June 2, 2018, 11:05am

Giacomo I understand you have heavy Friday
We need to resolve it from 3 point:

I love your distro to much
From company point of view it’s not possible control your domain outgoing emails when you put this task at your employees
NS will not compile with lot of regulations like ISO, etc

And DKIM is not a crypto future this is just another way to validate original sender of message.
PGP is completely different from it.

zimny · June 2, 2018, 1:58pm

Ok guys all of us have been in the office some point but you don’t like at al.
I’m piss off because this make me to buy something not to be involved.
Let me know if you thing that is not affect NS distro because we are using thirdpart sowft.
I like to contribute to this project because in my meaning is really start up for every admin who is allowed to use unix. I love concept also and start implemented in my environment.

dnutan · June 2, 2018, 2:12pm

Looks like this feature won’t be integrated into rspamd:

github.com/rspamd/rspamd

Feature: Integrate alterMIME support to Rspamd

opened 05:51AM - 05 May 18 UTC

closed 11:52AM - 20 Dec 18 UTC

tachtler

enhancement

### Classification (Please choose *one* option): * [ ] Crash/Hang/Data loss …* [ ] WebUI/Usability * [ ] Serious bug * [ ] Other bug * [x] Feature * [ ] Enhancement ### Reproducibility (Please choose *one* option): * [x] Always * [ ] Sometimes * [ ] Rarely * [ ] Unable * [ ] I didn’t try * [ ] Not applicable ### Rspamd version: ### Operation system, CPU, memory and environment: ### Description (Please provide a descriptive summary of the issue): Please intergrate alterMIME support into Rspamd like done in AMaViS. ### Compile errors (if any): ### Steps to reproduce: ### Expected results: Integration of alterMIME. ### Actual results: No possibility to add a Footer on outgoing email before DKIM-signing. ### Debugging information (see details [here](https://rspamd.com/doc/faq.html#how-to-figure-out-why-rspamd-process-crashed)): ### Configuration: ### Additional information:

Mimedefang? …I’ve read it could be overkill for this solely use and have performance penalty (IDK mailserver stuff so bear with me).

…but consider

zimny · June 2, 2018, 2:24pm

Good point and considerations, I’m not a coder / and we need one. This is a kind of usability which every admin will do. Company and finally NS ISO will need. I understand that alterMIME is not longer supporting, but we have start point, where are the coders?

stephdl · June 3, 2018, 6:32am

created an issue https://github.com/NethServer/dev/issues/5514

stephdl · June 3, 2018, 1:28pm

a commercial disclaimer solution with a cheap price
http://www.yuntechnologies.com/autodisclaimer.html

stephdl · June 3, 2018, 2:08pm

mailscanner should be able to add a disclaimer but postfix doesn’t recommend to work with

zimny · June 4, 2018, 12:52am

Stephen great news. There is the solution and you have founding for this “cheap” offer
Yuppie yay you we have a sponsor
But seriously this can be done and you just find an example
Why not implement this functionality the same way like with Amivisd?
I think all this upgrade to 7.5 was to rush and harry
Plenty issues, incompatiblites, etc
Like in some kinde of panic

jaegermeister · June 8, 2018, 8:53am

I perfectly agree with this.

I have spent some days to figure out what was wrong with my DKIM failing checks and now the answer has finally come.

The vast majority of users couldn’t care less of adding disclaimers at server level (which can be always added at client level) and DKIM not validated is a serious show-stopper for most big companies like microsoft and apple (try mailing @outlook.com and @me.com with a rotten DKIM).

Also, putting “MaximumSignedBytes 1” looks like a good receipt for catastrophic results, as antispam contraints are being made stricter and stricter every day. Imagine a flood of such mails being received, and clearly see the provider mass blacklisting domains in zero time.

So now the question is: waiting for an official correction in 7.5, how can one deactivate the “add disclaimer” feature, considering that, in my case, it was never activated?

Second question: are you sure that is it only that feature that fiddles with DKIM validation?

Thanks

saitobenkei · June 8, 2018, 8:58am

LOL

"Auto Disclaimer is Open Source/Free Software. Customers get the source code. "

So it’s a Open Source/Free Software but, to have the source, you have to pay for it…

Stefano_Zamboni · June 8, 2018, 9:26am

this is not against GPL, assuming that the code is released with GPL license.

BTW, if I where Nethesis, I’d drop a mail to have some clarifications about license, meaning that if buying the code permits the redistribution (it’s OOSS, they say), we’re done

stephdl · June 8, 2018, 9:28am

I emailed myself, no answer so far, project seems dead.

Stefano_Zamboni · June 8, 2018, 9:45am

well… for incoming mails the milter filters must be executed since the beginning… for outgoing emails, they should not.
I’m not saying that outgoing mail should not checked against virus, but that the filter to add the disclaimer must be executed before the virus checking.

with something like qpsmtpd in front of postfix it can be made quite easily (SME server, even if using qmail, does so)

zimny · June 8, 2018, 1:38pm

Latest update to email2 module did not fix the issue

zimny · June 8, 2018, 3:55pm

Home users you mean or in company with several number of users and without strict policy?
In large environment with lot of users is not possible to keep you domain disclaimer under control of employees/end users.
Some companies or government agencies are very strict with their policies.
Users are allowed editing their signatures but newer domain disclaimer.

In this threat that was never considered like a solution.

You can uninstall disclaimer module from your server.

giacomo · June 8, 2018, 4:20pm

The released fix just prevent the user to enable DKIM and disclaimer feature at the same time.
It’s not a real fix, just a way to prevent bad configuration.

Sorry, but for now no further development on this part will be done.
But we will gladly review (and eventually merge) any code contribution.

Thank you for reporting the issue!

zimny · June 8, 2018, 5:01pm

Very upset to hear that statement from NS developers.
I have already introduce and implemented your soft for several customers. One of them is contractor in software development for UK government and have very strict policies to follow.
You need take more responsibility when implementing some futures and then simply not provide support for it.
If you like to be comparable with other SMB distributions or you need think abut your project like for home users I believe.
Unfortunately I’m not a coder and can’t contribute to this project with my own code.
But I was always much appreciate to this community for knowledge, responsiveness and excellent ideas.
Hope someone will like to be a second alterMIME like open source coder.

giacomo · June 8, 2018, 5:51pm

You can still have the disclaimer using a pre-configured web client like WebTop (and probably SOGo and Roundcube can have the same feature).
As an alternative, you can disable the DKIM option (but I’d rather disable the disclaimer).

We will help anyone who want to join the effort!
And who knows, maybe some of our customers will be interested in this feature and we will have a sponsor for it!