DKIM+disclaimer problems after upgrade to mail2 module

testing
mail2
mailserver

(Zimny) #81

With Amavisd we don’t have the disclaimer issue even if the body has still been modified. Amavisd just added a header about it and did not play with the body hash.
DKIM accepted this, so this must be just the milter implementation in order to proceed with sending the message.

: There are some caveats you should be aware of before using MIMEDefang.
: MIMEDefang potentially alters e-mail messages. This breaks a “gentleman’s
: agreement” that mail transfer agents do not modify message bodies. This
: could cause problems, for example, with encrypted or signed messages.

I understand your concern, but I think this is the correct description because in the end we are modifying the message.

https://www.howtoforge.com/community/threads/amavisd-new-disclaimer-and-dkim-signing.63668/

This is an old thread and it describes amavisd/milter, but it makes some sense and has a bit of code and config.
Looks like OpenDKIM should have options for which headers are restricted to signing and which ones are not.


(Davide Principi) #82

Does the DKIM RFC allow not adding a body signature? If so, I’d expect a feature in OpenDKIM to disable it accordingly.


(Zimny) #83

https://stackoverflow.com/questions/13649129/body-has-been-altered-failure-on-dkim-validation

Woo, maybe this is an easy fix for all of this?


(Stéphane de Labrusse) #84

It should, but I did not find good documentation on it… I must admit I did not search a lot.


(Stéphane de Labrusse) #85

Not tested yet, but done with python-milter.


(Stéphane de Labrusse) #86

https://tools.ietf.org/html/rfc6376#section-5.3
It is intended for mailing lists, because the body is modified to add trailers to messages (e.g. instructions on how to get off the list), but we come back to the same conclusion: https://tools.ietf.org/html/rfc6376#section-8.2


(Stéphane de Labrusse) #87

Then in /etc/opendkim.conf:

-Canonicalization        relaxed/relaxed
+Canonicalization        relaxed/simple
+MaximumSignedBytes     0
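Review bot: the two `+` lines are presented as untested, so before relying on them confirm the effect in the generated `DKIM-Signature:` header: check whether an `l=` tag appears and whether `bh=` still covers the body. If `MaximumSignedBytes 0` really stops body signing as intended, the signature then covers no body bytes at all, which is exactly the `l=` tag misuse that RFC 6376 section 8.2 (linked in this post) warns about: anything appended to the body, not only the disclaimer, still verifies. Keep such a setting scoped to the disclaimer case and document the trade-off next to it in the config.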

Only the From: field will be signed in the header and you reach the goal… but read this: https://tools.ietf.org/html/rfc6376#section-8.2
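Added example, not from this thread or from NethServer: a small Python model of the DKIM body hash from RFC 6376, with body canonicalization for both the simple and relaxed modes and an optional length limit that stands in for the l= tag. The sample body and disclaimer are constructed; the code shows why a disclaimer appended after signing breaks bh= (post #81) and why a length-limited signature, as in the config above and section 8.2, makes any appended text invisible to the verifier.

```python
import base64
import hashlib
import re
from typing import Optional

def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Drop trailing whitespace and collapse runs of WSP to one SP on every line.
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    elif mode != "simple":
        raise ValueError("unknown canonicalization: " + mode)
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # An empty body is a single CRLF in simple mode and empty in relaxed mode.
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed", limit: Optional[int] = None) -> str:
    """Return the bh= value; `limit` models an l= tag that covers only the first l bytes."""
    canon = canonicalize_body(body, mode)
    if limit is not None:
        canon = canon[:limit]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")

# Constructed sample: the body as the MTA signed it, and the trailer alterMIME appends later.
ORIGINAL = b"Hello,\r\n\r\nplease find the report attached.  \r\n\r\n"
DISCLAIMER = b"-- \r\nThis e-mail is confidential.\r\n"

def disclaimer_breaks_bh(mode: str = "relaxed") -> bool:
    """True when appending the disclaimer after signing changes bh= (the thread's failure)."""
    return body_hash(ORIGINAL, mode) != body_hash(ORIGINAL + DISCLAIMER, mode)

def length_limit_hides_trailer(mode: str = "relaxed") -> bool:
    """True when an l= tag covering only the original body makes the trailer invisible to
    the verifier, which is the RFC 6376 section 8.2 caveat: anything appended verifies."""
    l = len(canonicalize_body(ORIGINAL, mode))
    return body_hash(ORIGINAL, mode, l) == body_hash(ORIGINAL + DISCLAIMER, mode, l)

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, "bh changes:", disclaimer_breaks_bh(mode),
              "l= hides trailer:", length_limit_hides_trailer(mode))
```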


(Zimny) #88

You have mentioned this before, and we both agreed that not signing the content at all is not exactly the way from a security point of view.
I also read this one today (I think you mentioned this as well):

http://www.postfix.org/SMTPD_PROXY_README.html

I think this can be the best solution. Just not sure how difficult this one is to implement.

https://github.com/dploeger/disclaimr

This is interesting too.
Thank you for not giving up on this topic.
Hopefully the next few days give us a clear direction.


(Stéphane de Labrusse) #89

I was responding to

This has had no updates for two years; it is an important step with a database interaction and a web interface to add a specific disclaimer following the email address (probably by doing a regex on the From: field).


(Davide Principi) #90

Let’s take a step back to this: the order of filters, which is the key to the issue.

:thinking: I wonder if it is possible to postpone the DKIM signature until after alterMIME, by running the opendkim-testmsg command in dfilt itself. Here:

https://github.com/NethServer/nethserver-mail/blob/85a3921d74bd12dfdc6b74f16764faa5e99f3f83/disclaimer/usr/libexec/nethserver/disclaimer-send#L48

We should disable the DKIM milter wherever alterMIME is enabled; instead, run opendkim-testmsg in the disclaimer-send wrapper wherever both are enabled. It could be done with some logic in /etc/opendkim/SigningTable and disclaimer-send.


(Davide Principi) #91

I’m experimenting with a bug fix and it looks promising: my first tests with gmail and another NethServer MTA are successful! @quality_team, @zimny do you want to check it out?

Just install:

yum install http://packages.nethserver.org/nethserver/7.5.1804/autobuild/x86_64/Packages/nethserver-mail2-disclaimer-2.2.1-1.3.pr51.gef71036.ns7.noarch.rpm

These are the message headers from gmail:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@nethserver.net header.s=default header.b=jXUfOjEq;
       spf=pass (google.com: best guess record for domain of first.user@nethserver.net designates 206.189.5.67 as permitted sender) smtp.mailfrom=first.user@nethserver.net
Received: by mailx1.nethserver.net (Postfix, from userid 8)
	id 88A7240843D; Wed, 13 Jun 2018 09:12:02 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mailx1.nethserver.net 88A7240843D
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nethserver.net;
	s=default; t=1528881122;
	bh=VXQukySTlu0yBeapOLzbfJ08nlfQzTpTn7kpbApSToI=;
	h=Subject:From:To:Cc:Date:From;
	b=jXUfOjEq3p1deLM2N6jggPybqANUlyeE1M7KGSNQv33oFj1TuTp8f/1bqt6MlBl2H
	 4nA8Ff2o80Gl7Lv/80m+cS6/W1rxKy2wcbQby2GPp/tIh8HMl4q2OtGFoVqre4lsru
	 cHlBoUd3pSMpjxpA16PnPv4zXJlif72ZgR8M6AzPLKS0BMHpikmp07IkAz7ktfK5qw
	 wErO99odzTvCLWTyGQs9gdZhgHfrq81eCycF2DpoQEqmfCtjtmPspqYL4Kyp1tQr+n
	 TI35kzajLC7SaWoUVzcepplbGsnmHf4iI4yN8D0aqx4bx8Ynr3g+RbToPHio41vX9X
	 X/mHfJ6eolwrQ==

More info here:

https://github.com/NethServer/nethserver-mail/pull/51


(Zimny) #92

Will do, and I appreciate your involvement!!!
Like I always said, this community should be an example even for commercial products.
But now it is almost 11 o’clock in the morning, so it looks like Zimny is going to bed :slight_smile:
I promise to test against google, apple and my uk government subcontractor :slight_smile:
Fortunately I’m admin there and our test will not be threatened like a terrorist AlJasira attack :slight_smile:

Thank you for your work


(Davide Principi) #93

There are some packages in nethserver-testing now!

Please @zimny, you lobbied for this fix: now it’s time to test! Run the following command:

  yum --enablerepo=nethserver-testing update nethserver-mail2-\*

Please @saitobenkei, give it a spin too: if this issue is verified, you can easily expand the solution and create personal signatures from it :wink:

Other people interested? Please step in! /cc @quality_team @danb35 @GG_jr


(Davide Principi) #94

@stephdl found an issue. Patch added; download the new RPMs from nethserver-testing:

 yum --enablerepo=nethserver-testing update nethserver-mail2-\*

(Zimny) #95

Hi Davide,

Sorry, but I was not able to do the check earlier.
I can confirm that in all my cases the issue is resolved.
DKIM verified, excellent work!


(Zimny) #96

Davide, do you think this is a permanent fix, or will we get into it again when altermime is gone from the repo?


(Davide Principi) #97

As we got multiple confirmations that the problem is solved, the fix is going to be released: in this way – yes – the fix is permanent.

The altermime package comes from the RHEL/CentOS repositories. As the alterMIME project has been dead for years, everything depends on RHEL’s choices. I expect they’ll go on with it at least for the 7 lifecycle.

Altermime sends SIGSEGV sometimes, and is a dead project. The reason to still work on it for mail2 is providing backward compatibility and a smooth upgrade path. As the docs say, new implementations shouldn’t use it at all. They should go to a client-based solution instead; which one I don’t know (maybe Windows users can centralize the setup with GPOs?).

Let’s ask the @webtop_team: any improvement to disclaimer by your side?


(Luca Gasparini) #98

Currently in the WebTop 5 roadmap it is not planned to implement any option that allows adding an automatic client-side disclaimer.

We will evaluate with the other components of the @webtop_team if something can be done in the future :thinking:


(Stefano Zamboni) #99

With SOGo it can be fully automated during the user creation/editing event (at least on SME, dunno here).
HTH


(Saito Benkei) #100

If I find the option to add the disclaimer (it has disappeared) I could also try…