• Gmail bounce unauthenticated @debian.org addresses

    From Baptiste Beauplat@21:1/5 to All on Fri Mar 4 12:50:01 2022
    Hi all,

    We recently discovered that Gmail started to bounce email from mentors.debian.net with the following message:

    550-5.7.26 This message does not have authentication information or
    fails to 550-5.7.26 pass authentication
    checks. To best protect our users from spam, the 550-5.7.26 message has
    been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more
    550 5.7.26 information.

    My debian address is also affected, and probably others that did not
    setup DKIM for their @debian.org address.

    As a reminder, debian.org addresses do support DKIM. After
    configuration on your mail server, you can publish your DKIM public key
    to db.debian.org [1][2].

    Best,

    [1]: https://lists.debian.org/debian-devel-announce/2020/04/msg00004.html
    [2]: https://db.debian.org/doc-mail.html
    --
    Baptiste Beauplat - lyknode

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Baptiste Beauplat@21:1/5 to Stephan Lachnit on Fri Mar 4 13:40:01 2022
    Hi Stephan,

    On 3/4/22 13:27, Stephan Lachnit wrote:
    On Fri, Mar 4, 2022 at 12:47 PM Baptiste Beauplat <lyknode@cilg.org> wrote:

    My debian address is also affected, and probably others that did not
    setup DKIM for their @debian.org address.

    As a reminder, debian.org addresses do support DKIM. After
    configuration on your mail server, you can publish your DKIM public key
    to db.debian.org [1][2].

    Can you point to some quick guide on how to do this for gmail? The
    support page seems kinda confusing to me.

    Looking at your email headers, I would guess that gmail is already doing it.

    X-Google-DKIM-Signature: v=1; a=rsa-sha256...

    There is somewhat some irony in Gmail blocking email without a DKIM
    signature while they are using a non-standard header that other
    provider/tools might miss. Just a thought.

    --
    Baptiste Beauplat - lyknode

  • From Stephan Lachnit@21:1/5 to lyknode@cilg.org on Fri Mar 4 13:30:01 2022
    On Fri, Mar 4, 2022 at 12:47 PM Baptiste Beauplat <lyknode@cilg.org> wrote:

    My debian address is also affected, and probably others that did not
    setup DKIM for their @debian.org address.

    As a reminder, debian.org addresses do support DKIM. After
    configuration on your mail server, you can publish your DKIM public key
    to db.debian.org [1][2].

    Can you point to some quick guide on how to do this for gmail? The
    support page seems kinda confusing to me.

    Regards,
    Stephan

  • From Ansgar@21:1/5 to Stephan Lachnit on Fri Mar 4 13:40:01 2022
    On Fri, 2022-03-04 at 13:27 +0100, Stephan Lachnit wrote:
    On Fri, Mar 4, 2022 at 12:47 PM Baptiste Beauplat <lyknode@cilg.org>
    wrote:
    As a reminder, debian.org addresses do support DKIM. After
    configuration on your mail server, you can publish your DKIM public
    key
    to db.debian.org [1][2].

    Can you point to some quick guide on how to do this for gmail? The
    support page seems kinda confusing to me.

    This usually requires you running your own mail server (for outgoing
    mail).

    I don't think mail providers like GMail allow you to set up DKIM for
    individual IP addresses.

    Ansgar

  • From Bastian Blank@21:1/5 to Baptiste Beauplat on Fri Mar 4 15:00:01 2022
    On Fri, Mar 04, 2022 at 12:38:02PM +0100, Baptiste Beauplat wrote:
    We recently discovered that Gmail started to bounce email from mentors.debian.net with the following message:

    Can you please share the complete headers of the bounced message? Aka
    the thing in the message/rfc822 part of the DSN message. Right now we
    don't know what they see from your explanation.

    Bastian

    --
    A woman should have compassion.
    -- Kirk, "Catspaw", stardate 3018.2

  • From Baptiste Beauplat@21:1/5 to Bastian Blank on Fri Mar 4 15:20:01 2022
    Hi Bastian,

    On 3/4/22 14:40, Bastian Blank wrote:
    On Fri, Mar 04, 2022 at 12:38:02PM +0100, Baptiste Beauplat wrote:
    We recently discovered that Gmail started to bounce email from
    mentors.debian.net with the following message:

    Can you please share the complete headers of the bounced message? Aka
    the thing in the message/rfc822 part of the DSN message. Right now we
    don't know what they see from your explanation.

    I've attached the bounce.

    Am I mistaken in thinking that's only a case of simply rejecting
    unsigned DKIM email?

    --
    Baptiste Beauplat - lyknode

  • From Colin Watson@21:1/5 to Baptiste Beauplat on Fri Mar 4 15:40:01 2022
    On Fri, Mar 04, 2022 at 03:15:59PM +0100, Baptiste Beauplat wrote:
    On 3/4/22 14:40, Bastian Blank wrote:
    On Fri, Mar 04, 2022 at 12:38:02PM +0100, Baptiste Beauplat wrote:
    We recently discovered that Gmail started to bounce email from
    mentors.debian.net with the following message:

    Can you please share the complete headers of the bounced message? Aka
    the thing in the message/rfc822 part of the DSN message. Right now we don't know what they see from your explanation.

    I've attached the bounce.

    Am I mistaken in thinking that's only a case of simply rejecting
    unsigned DKIM email?

    I reproduced a similar problem, then set up DKIM for myself and
    everything then worked, so I think you're correct.

    The links in the original d-d-a email were mostly stale, but I found https://bynicolas.com/server/exim-multi-domain-dkim-custom-selector/
    helpful in getting this going with my local Exim setup.

    --
    Colin Watson (he/him) [cjwatson@debian.org]

  • From Bastian Blank@21:1/5 to Baptiste Beauplat on Fri Mar 4 15:50:01 2022
    Hi

    On Fri, Mar 04, 2022 at 03:15:59PM +0100, Baptiste Beauplat wrote:
    Am I mistaken in thinking that's only a case of simply rejecting
    unsigned DKIM email?

    This might be, but…

    Return-Path: <expo+bounce@mentors.debian.net>
    Received: from mentors.debian.net (localhost [127.0.0.1])
    by wv-debian-mentors1.wavecloud.de (Postfix) with ESMTP id 55D16823EC
    for <**********@gmail.com>; Fri, 4 Mar 2022 03:14:03 +0000 (UTC)
    Content-Type: text/plain; charset="utf-8"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: Next step: Confirm your email address
    From: mentors.debian.net <support@mentors.debian.net>
    To: **********@gmail.com
    Date: Fri, 04 Mar 2022 03:14:03 -0000
    Message-ID: <164636364329.4074035.11224505717463252630@mentors.debian.net>

    I don't see anything about debian.org in those headers? Do you?

    - mentors.debian.net is not debian.org.
    - gmail.com clearly isn't.

    Bastian

    --
    "That unit is a woman."
    "A mass of conflicting impulses."
    -- Spock and Nomad, "The Changeling", stardate 3541.9

  • From LeJacq, Jean Pierre@21:1/5 to All on Fri Mar 4 09:41:40 2022
    Copy: lyknode@cilg.org (Baptiste Beauplat)

    On Friday, March 4, 2022 9:15:59 AM EST Baptiste Beauplat wrote:

    mentors.debian.net with the following message:
    Can you please share the complete headers of the bounced message? Aka
    the thing in the message/rfc822 part of the DSN message. Right now we don't know what they see from your explanation.

    I've attached the bounce.

    Am I mistaken in thinking that's only a case of simply rejecting
    unsigned DKIM email?

    I've just gone through the process of securing email with Google so I might be able to help a bit.

    Google uses a number of criteria when blocking. A missing DKIM is just one.
    See the referenced document:

    https://support.google.com/mail/answer/81126

    One of the problems here is that mentors.debian.net does not have the standard email security DNS records - SPF, DKIM, DMARC, MTA-TLS, DANE. This doesn't automatically cause Google to classify as spam but we really should have these in place to protect email.

    As an example, we may be spoofing mentors.debian.net with wv-debian-mentors1.wavecloud.de (not 100% clear with the headers provided). SPF could handle this.

    --
    JP


  • From Baptiste Beauplat@21:1/5 to Jean Pierre on Fri Mar 4 15:50:02 2022
    On 3/4/22 15:41, LeJacq, Jean Pierre wrote:
    Google uses a number of criteria when blocking. A missing DKIM is just one. See the referenced document:

    https://support.google.com/mail/answer/81126

    One of the problems here is that mentors.debian.net does not have the standard
    email security DNS records - SPF, DKIM, DMARC, MTA-TLS, DANE. This doesn't automatically cause Google to classify as spam but we really should have these
    in place to protect email.

    As an example, we may be spoofing mentors.debian.net with wv-debian-mentors1.wavecloud.de (not 100% clear with the headers provided). SPF could handle this.

    Indeed we are looking into it for mentors.

    However for SPF, if I'm not mistaken, this is not possible for
    @debian.org addresses since Debian does not offer an MSA and therefore
    not a single (or enumerable list of) exit point.

    --
    Baptiste Beauplat - lyknode

  • From Guillem Jover@21:1/5 to Colin Watson on Fri Mar 4 16:00:01 2022
    Hi!

    On Fri, 2022-03-04 at 14:36:01 +0000, Colin Watson wrote:
    I reproduced a similar problem, then set up DKIM for myself and
    everything then worked, so I think you're correct.

    The links in the original d-d-a email were mostly stale, but I found https://bynicolas.com/server/exim-multi-domain-dkim-custom-selector/
    helpful in getting this going with my local Exim setup.

    You might want to also fix the DKIM_SIGN_HEADERS macro in the Exim
    config, as its default is currently broken (see #939808). The patch
    attached there is not helpful for local usage, so you might want
    something like what I've got in my config:

    ,--- exim4.conf ---
    […]

    # The default headers to sign is broken, and includes things that should
    # not be signed by default if they are missing, or they will break mailing
    # lists.
    DKIM_SIGN_HEADERS = \
    From:From:Reply-To:Subject:Subject:Date:Message-ID:To:Cc:MIME-Version:\
    Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:\
    In-Reply-To:References:X-Debbugs-Cc:\
    =Sender:\
    =Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:\
    =Resent-Message-ID:\
    =List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:\
    =List-Owner:=List-Archive

    […]
    `---

    Thanks,
    Guillem

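    As an added example (not code from Guillem's mail or from Exim), the following Python shows the DKIM mechanism behind that comment: RFC 6376 lets a signer list a header name in h= even when the header is absent, which commits the signature to its absence, so a mailing list that later adds List-Id breaks verification, whereas listing only headers that are present survives the list. The message, the list's behaviour and the two h= sets are constructed; that the `=` prefix in the quoted DKIM_SIGN_HEADERS means "sign only if present" is assumed from the comment in the config, so check the Exim spec before relying on it.

```python
"""Why a DKIM signature that lists an absent List-* header breaks on mailing lists.

Implements RFC 6376 header selection (section 5.4.2: last unused instance,
searching bottom-up; absent names contribute nothing but are still committed
to) and 'relaxed' header canonicalization (section 3.4.2), then hashes the
result. Real DKIM additionally signs this hash (plus the DKIM-Signature header
itself) with RSA or Ed25519; that step is left out to keep the example
self-contained. All messages below are constructed.
"""
import hashlib
import re


def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse WSP, strip ends."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"


def select_headers(headers, h_tag):
    """RFC 6376 5.4.2: for each name in h=, take the LAST not-yet-used instance
    of that header. A name with no remaining instance selects nothing, which is
    exactly what commits the signature to its absence: an instance added later
    in transit would be selected by the verifier and change the hash."""
    remaining = list(headers)  # (name, value) pairs in message order
    chosen = []
    for wanted in h_tag.split(":"):
        for idx in range(len(remaining) - 1, -1, -1):
            if remaining[idx][0].lower() == wanted.lower():
                chosen.append(remaining.pop(idx))
                break
    return chosen


def header_hash(headers, h_tag):
    """SHA-256 over the canonicalized selected headers, i.e. the data the
    signer's private key would sign (DKIM-Signature itself omitted here)."""
    data = "".join(relaxed_header(n, v) for n, v in select_headers(headers, h_tag))
    return hashlib.sha256(data.encode()).hexdigest()


# Constructed message as it leaves the signer's MTA: no List-* headers yet.
ORIGINAL = [
    ("From", "Alice <alice@example.org>"),
    ("To", "some-list@lists.example.net"),
    ("Subject", "Re: DKIM and mailing\r\n lists"),
    ("Date", "Fri, 4 Mar 2022 12:00:00 +0000"),
    ("Message-ID", "<constructed-1@example.org>"),
]


def after_mailing_list(headers):
    """Constructed list behaviour: prepend List-* headers, leave the rest intact."""
    return [("List-Id", "Some list <some-list.lists.example.net>"),
            ("List-Unsubscribe", "<mailto:some-list-leave@lists.example.net>")] + list(headers)


# h= as emitted by a signer that also lists absent List-* names, versus one that
# lists only headers that are present. From appears twice in both so that a
# second From header added in transit would be selected and break the signature.
H_OVERSIGN = "From:From:Subject:Date:Message-ID:To:List-Id:List-Unsubscribe"
H_IF_PRESENT = "From:From:Subject:Date:Message-ID:To"


def survives_list(h_tag):
    """True when the header hash is unchanged after the list adds its headers."""
    return header_hash(ORIGINAL, h_tag) == header_hash(after_mailing_list(ORIGINAL), h_tag)
```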
  • From Ansgar@21:1/5 to Baptiste Beauplat on Fri Mar 4 16:20:01 2022
    On Fri, 2022-03-04 at 15:45 +0100, Baptiste Beauplat wrote:
    However for SPF, if I'm not mistaken, this is not possible for
    @debian.org addresses since Debian does not offer an MSA and
    therefore not a single (or enumerable list of) exit point.

    Using SPF would be possible. Gentoo does that:

    gentoo.org. IN TXT "v=spf1 [...] include:%{l}.%{o}.spf.gentoo.org ?all"

    and their users can then add SPF entries for individual localparts.

    But either way is quite complicated for "just" using a mail address for outgoing mail.

    Also some infrastructure in Debian will break DKIM signatures. For
    example, bugs.debian.org (always) and lists.debian.org (sometimes, for
    example when List-* header fields are part of the DKIM signature). So
    one can't rely on valid SPF/DKIM anyway and, as far as I understand,
    rely on debian.org infrastructure being on providers' whitelists
    instead (as it "impersonates" other domains in mail sender addresses).

    Ansgar

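    Added example (not part of Ansgar's mail or of Gentoo's setup): a small Python SPF macro expander and evaluator showing how an `include:%{l}.%{o}.spf.<domain>` mechanism delegates to one record per local-part. The zone data is a constructed in-memory dict standing in for DNS, with example.org in place of gentoo.org and a placeholder ip4 block where the quoted record has [...].

```python
"""Per-localpart SPF delegation through RFC 7208 macros (the Gentoo pattern).

Constructed example: FAKE_DNS replaces real DNS lookups, and the evaluator
covers only ip4, include and all, which is enough to follow the delegation.
"""
import ipaddress
import re

# Constructed zone. The organisation record delegates to
# <localpart>.<sender-domain>.spf.example.org; one user (alice) has published
# a per-localpart record naming the single host that sends her mail.
FAKE_DNS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:%{l}.%{o}.spf.example.org ?all",
    "alice.example.org.spf.example.org": "v=spf1 ip4:203.0.113.25 -all",
}

# %{<letter><optional digits><optional r><optional delimiters>}
MACRO_RE = re.compile(r"%\{([slodiphcrtv])(\d*)(r?)([.\-+,/_=]*)\}")


def expand_macro(text, sender, domain, ip):
    """Expand RFC 7208 section 7.2 macros: %{s} sender, %{l} local-part,
    %{o} sender domain, %{d} domain under evaluation, %{i} client IP (IPv4
    dotted form here; RFC 7208 uses dot-separated nibbles for IPv6), with the
    optional 'keep right-most N labels' digit and 'r' (reverse) transformers."""
    local, _, sender_domain = sender.rpartition("@")
    values = {
        "s": sender, "l": local, "o": sender_domain, "d": domain,
        "i": str(ipaddress.ip_address(ip)),
    }

    def repl(m):
        letter, digits, rev, delims = m.groups()
        if letter not in values:
            raise ValueError(f"macro %{{{letter}}} not supported in this example")
        labels = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            labels.reverse()
        if digits:
            labels = labels[-int(digits):]
        return ".".join(labels)

    return MACRO_RE.sub(repl, text)


def check_host(ip, domain, sender, dns=FAKE_DNS, depth=0):
    """Minimal SPF check_host(): returns 'pass', 'fail', 'softfail', 'neutral'
    or 'none'. As in RFC 7208, an include: mechanism matches only when the
    referenced record yields 'pass'; any other result just falls through."""
    if depth > 10:
        raise RecursionError("too many nested include: mechanisms")
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1 "):
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            target = expand_macro(arg, sender, domain, ip)
            matched = check_host(ip, target, sender, dns, depth + 1) == "pass"
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"
```

Note the limit of the pattern: because `include:` only matches on a pass, alice's own `-all` cannot tighten the organisation-level `?all`, so mail claiming to be from alice but sent from an unlisted IP still evaluates to neutral, not fail.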
  • From LeJacq, Jean Pierre@21:1/5 to All on Fri Mar 4 16:20:01 2022
    On Friday, March 4, 2022 9:45:21 AM EST Baptiste Beauplat wrote:
    On 3/4/22 15:41, LeJacq, Jean Pierre wrote:
    Google uses a number of criteria when blocking. A missing DKIM is just
    one.
    See the referenced document:

    https://support.google.com/mail/answer/81126

    One of the problems here is that mentors.debian.net does not have the standard email security DNS records - SPF, DKIM, DMARC, MTA-TLS, DANE. This doesn't automatically cause Google to classify as spam but we really should have these in place to protect email.

    As an example, we may be spoofing mentors.debian.net with wv-debian-mentors1.wavecloud.de (not 100% clear with the headers provided). SPF could handle this.

    Indeed we are looking into it for mentors.

    However for SPF, if I'm not mistaken, this is not possible for
    @debian.org addresses since Debian does not offer an MSA and therefore
    not a single (or enumerable list of) exit point.

    SPF can handle delegation like this without too much trouble.

    --
    JP

  • From Colin Watson@21:1/5 to Guillem Jover on Fri Mar 4 17:00:01 2022
    On Fri, Mar 04, 2022 at 03:59:09PM +0100, Guillem Jover wrote:
    On Fri, 2022-03-04 at 14:36:01 +0000, Colin Watson wrote:
    I reproduced a similar problem, then set up DKIM for myself and
    everything then worked, so I think you're correct.

    The links in the original d-d-a email were mostly stale, but I found https://bynicolas.com/server/exim-multi-domain-dkim-custom-selector/ helpful in getting this going with my local Exim setup.

    You might want to also fix the DKIM_SIGN_HEADERS macro in the Exim
    config, as its default is currently broken (see #939808). The patch
    attached there is not helpful for local usage, so you might want
    something like what I've got in my config:
    [...]

    Useful to know - thanks!

    --
    Colin Watson (he/him) [cjwatson@debian.org]

  • From LeJacq, Jean Pierre@21:1/5 to All on Fri Mar 4 16:40:01 2022
    On Friday, March 4, 2022 10:14:09 AM EST Ansgar wrote:
    On Fri, 2022-03-04 at 15:45 +0100, Baptiste Beauplat wrote:
    However for SPF, if I'm not mistaken, this is not possible for
    @debian.org addresses since Debian does not offer an MSA and
    therefore not a single (or enumerable list of) exit point.

    Using SPF would be possible. Gentoo does that:

    gentoo.org. IN TXT "v=spf1 [...] include:%{l}.%{o}.spf.gentoo.org ?all"

    and their users can then add SPF entries for individual localparts.

    But either way is quite complicated for "just" using a mail address for outgoing mail.

    Also some infrastructure in Debian will break DKIM signatures. For
    example, bugs.debian.org (always) and lists.debian.org (sometimes, for example when List-* header fields are part of the DKIM signature). So
    one can't rely on valid SPF/DKIM anyway and, as far as I understand,
    rely on debian.org infrastructure being on providers' whitelists
    instead (as it "impersonates" other domains in mail sender addresses).

    There are standard best practices for forwarding support in SPF.

    http://www.open-spf.org/Best_Practices/Forwarding/

    --
    JP

  • From Ansgar@21:1/5 to Jean Pierre on Fri Mar 4 18:40:01 2022
    On Fri, 2022-03-04 at 10:21 -0500, LeJacq, Jean Pierre wrote:
    There are standard best practices for forwarding support in SPF.

    http://www.open-spf.org/Best_Practices/Forwarding/

    Having each individual user have to configure forwarders (i.e.,
    per-user whitelists), including services like mailing lists, our bug
    tracker and so on, seems impractical. I also doubt many mail providers
    allow users to do so.

    And SRS also relies on whitelists again (otherwise it just allows
    bypassing any SPF policy).

    Ansgar

  • From Marco d'Itri@21:1/5 to Baptiste Beauplat on Fri Mar 4 18:40:01 2022
    On Mar 04, Baptiste Beauplat <lyknode@cilg.org> wrote:

    Looking at your email headers, I would guess that gmail is already doing it.

    X-Google-DKIM-Signature: v=1; a=rsa-sha256...

    There is somewhat some irony in Gmail blocking email without a DKIM
    signature while they are using a non-standard header that other provider/tools might miss. Just a thought.
    No irony, you are just missing the point.
    gmail uses this X header for internal purposes, and there is no DKIM
    signature because the message has a @debian.org 822.from address hence
    gmail obviously lacks a valid key for it.

    --
    ciao,
    Marco


  • From LeJacq, Jean Pierre@21:1/5 to All on Fri Mar 4 19:00:01 2022
    On Friday, March 4, 2022 12:37:38 PM EST Ansgar wrote:
    On Fri, 2022-03-04 at 10:21 -0500, LeJacq, Jean Pierre wrote:
    There are standard best practices for forwarding support in SPF.

    http://www.open-spf.org/Best_Practices/Forwarding/

    Having each individual user have to configure forwarders (i.e.,
    per-user whitelists), including services like mailing lists, our bug
    tracker and so on, seems impractical. I also doubt many mail providers
    allow users to do so.

    I agree. What does make sense is any forwards that the Debian infrastructure uses.

    And SRS also relies on whitelists again (otherwise it just allows
    bypassing any SPF policy).

    Again agree, so it's a scaling issue. Again, it makes sense to do for the Debian infrastructure, not necessarily every user.

    --
    JP

  • From Nilesh Patra@21:1/5 to Stephan Lachnit on Fri Mar 4 22:40:01 2022
    On Fri, 2022-03-04 at 13:27 +0100, Stephan Lachnit wrote:
    Can you point to some quick guide on how to do this for gmail? The
    support page seems kinda confusing to me.

    This usually requires you running your own mail server (for outgoing
    mail).
    I don't think mail providers like GMail allow you to set up DKIM for individual IP addresses.

    I wonder if this is a good opportunity to share what I am doing for this.
    I do not use gmail anymore, stopped using months back but that does not matter.

    Also, do not have the b/w to set up my own mailserver, so what I do is that I sign my mails
    "locally" as MUAs can also support DKIM signing, and I send that via SMTP.

    I use mutt primarily, and months back I found this smart trick to do so, see this link[1] -- created dkim keys locally,
    modified that script a little and the .msmtprc and .muttrc a little, and voila!

    Saw something similar for emacs as well[2]
    I actually found very helpful advice in the 'comments' section (by Ucko) of Anarcat's blog[3] that helped.

    Happy to share more details if someone needs.

    [1]: https://bbs.archlinux.org/viewtopic.php?id=210976
    [2]: https://github.com/BramvdKroef/dotemacs/blob/master/dkim.el
    [3]: https://anarc.at/blog/2020-04-14-opendkim-debian/

    Regards,
    Nilesh


  • From Baptiste BEAUPLAT@21:1/5 to Marco d'Itri on Sat Mar 5 10:20:01 2022
    On 3/4/22 18:29, Marco d'Itri wrote:
    On Mar 04, Baptiste Beauplat <lyknode@cilg.org> wrote:

    Looking at your email headers, I would guess that gmail is already doing it.
    X-Google-DKIM-Signature: v=1; a=rsa-sha256...

    There is somewhat some irony in Gmail blocking email without a DKIM
    signature while they are using a non-standard header that other
    provider/tools might miss. Just a thought.

    No irony, you are just missing the point.
    gmail uses this X header for internal purposes, and there is no DKIM signature because the message has a @debian.org 822.from address hence
    gmail obviously lacks a valid key for it.

    Thanks for pointing this out Marco. I did check a mail coming from
    @gmail.com and indeed the correct header was used.

    Stephan, sorry then. I don't use gmail and I won't be able to point you
    to the correct how-to :/
    --
    Baptiste BEAUPLAT - lyknode

  • From Steve McIntyre@21:1/5 to Baptiste Beauplat on Sat Mar 5 16:00:01 2022
    Baptiste Beauplat wrote:

    We recently discovered that Gmail started to bounce email from
    mentors.debian.net with the following message:

    550-5.7.26 This message does not have authentication information or
    fails to 550-5.7.26 pass authentication
    checks. To best protect our users from spam, the 550-5.7.26 message has
    been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more
    550 5.7.26 information.

    Yup. I've seen this too. Thanks for starting the thread here, which
    has prompted useful clues on how to deal with this.

    It's maddening to see Google continue to f*ck up mail requirements for everybody else. Of course, they continue to be (one of?) the biggest
    sources of spam on the net and show no interest in doing anything
    about it. "Don't be evil" indeed... :-(

    --
    Steve McIntyre, Cambridge, UK. steve@einval.com
    "We're the technical experts. We were hired so that management could
    ignore our recommendations and tell us how to do our jobs." -- Mike Andrews

  • From Craig Small@21:1/5 to Ansgar on Sun Mar 6 00:30:01 2022
    On Fri, 4 Mar 2022 at 23:34, Ansgar <ansgar@43-1.org> wrote:

    On Fri, 2022-03-04 at 13:27 +0100, Stephan Lachnit wrote:
    On Fri, Mar 4, 2022 at 12:47 PM Baptiste Beauplat <lyknode@cilg.org>
    wrote:
    As a reminder debian.org addresses does support DKIM. After
    configuration on your mail server, you can publish your DKIM public
    key
    to db.debian.org [1][2].

    Can you point to some quick guide on how to do this for gmail? The
    support page seems kinda confusing to me.

    This usually requires you running your own mail server (for outgoing
    mail).

    I don't think mail providers like GMail allow you to set up DKIM for individual IP addresses.

    This is basically how I do it. My setup is I have G-Suite or whatever its
    name is this week and a separate outbound server. I'm not sure what the "to
    do this for gmail" means here, so there are three parts to this:
    * What Gmail does with DKIM
    * How I send emails from @debian.org using mutt etc
    * How I send emails from @debian.org using Gmail

    First, Gmail likes DKIM signed mails; some of these bounces are caused by
    DKIM problems. DKIM is basically a signature to say the sender's server is
    allowed to send those emails. You have to set it up (sign) on the outbound servers and check it on the inbound servers.

    For any of my servers/laptops I send outbound email to my own outbound
    server. This server signs emails using opendkim with the dropbear.xyz key
    or the debian key depending on the from address. It's no good sending email from joe@cow.com with a key good for joe@sheep.net.

    Last of all, to send emails within Gmail using csmall@debian.org as my from address, you go into Settings->Accounts->Send mail as. The outbound
    mailserver is my server (that signs my debian emails). Of course my
    outbound server requires a username and password to send emails so that is recorded in the settings too (and is unique for each sending system/server).

    The result is this goodness I can see with an email from my laptop into
    Gsuite using my debian email address:
    Authentication-Results: mx.google.com;
    dkim=pass header.i=@debian.org header.s=debian1.csmall.user header.b=uVHcNrjO;

    header.i is identity, e.g. what domain are you trying to prove you can use. header.s is selector, which is what method/key am I using to prove this. header.b is the hash/signature.

    I'm a network engineer, not a mail server admin so this might not be 100%,
    but it does give me the happy mailserver headers I want.

    - Craig

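    Added example, not Craig's code: a Python parser for the Authentication-Results header he quotes (RFC 8601), turning each method stanza into a record and deriving from header.s and header.i the DNS name the verifier fetched the public key from (<selector>._domainkey.<domain>, RFC 6376 section 3.6.2.1). The dkim stanza is reproduced from his mail with a constructed spf stanza appended; using the header.i domain as the key domain assumes the signer's i= sits directly under its d=, which a header.d property would otherwise state explicitly.

```python
"""Reading an Authentication-Results header the way the receiving MX wrote it.

Constructed sample: the dkim stanza is the one quoted in the thread, the spf
stanza is made up for illustration.
"""
import re

AUTH_RESULTS = (
    "mx.google.com; "
    "dkim=pass header.i=@debian.org header.s=debian1.csmall.user header.b=uVHcNrjO; "
    "spf=none smtp.mailfrom=csmall@debian.org"
)

# ptype.property=value, with the value either quoted or running to whitespace/';'
PROP_RE = re.compile(r"(\w+)\.(\w+)=(\"[^\"]*\"|[^\s;]+)")


def parse_authentication_results(value):
    """Return (authserv_id, records). Each ';'-separated stanza after the
    authserv-id has the shape 'method=result [(comment)] ptype.prop=value ...'
    and becomes {'method', 'result', 'comment', 'props'}."""
    stanzas = [s.strip() for s in value.split(";") if s.strip()]
    authserv_id = stanzas[0].split()[0]  # an optional version number may follow
    records = []
    for stanza in stanzas[1:]:
        m = re.match(r"(\w+)=(\w+)\s*(?:\(([^)]*)\))?", stanza)
        if not m:
            continue  # not a method stanza; skip rather than guess
        method, result, comment = m.groups()
        props = {f"{ptype}.{prop}": val.strip('"')
                 for ptype, prop, val in PROP_RE.findall(stanza[m.end():])}
        records.append({"method": method, "result": result,
                        "comment": comment, "props": props})
    return authserv_id, records


def dkim_key_record_name(props):
    """Where the verifier fetched the key: <selector>._domainkey.<domain>.
    header.i is the AUID (user@domain or @domain); its domain part is used
    here, which equals d= only when the signer set i= directly under d=."""
    identity = props["header.i"]
    domain = identity.rpartition("@")[2]
    return f"{props['header.s']}._domainkey.{domain}"


def dkim_aligned_with_from(records, from_domain):
    """DMARC-style question a receiver asks of these results: is there a
    dkim=pass whose signing domain is the From: domain (strict) or a parent of
    it? Simplified: real relaxed alignment compares organisational domains
    using the public suffix list rather than a plain suffix test."""
    for rec in records:
        if rec["method"] != "dkim" or rec["result"] != "pass":
            continue
        signing_domain = rec["props"].get("header.i", "").rpartition("@")[2]
        if signing_domain and (from_domain == signing_domain
                               or from_domain.endswith("." + signing_domain)):
            return True
    return False


SAMPLE_AUTHSERV, SAMPLE_RECORDS = parse_authentication_results(AUTH_RESULTS)
```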

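    To make the header fields Craig describes concrete, here is a small Python parser for an Authentication-Results header that pulls out header.i, header.s and header.b, derives the DNS name the receiver queries for the public key (selector._domainkey.domain), and checks that a passing DKIM identity actually matches the From: domain, which is the "key good for joe@sheep.net on mail from joe@cow.com" problem. This is an added example, not code from the thread or from any Debian or Google tool; the sample From: and Authentication-Results values are constructed after the ones quoted above, the parser ignores parenthesised comments a real header may carry, and the alignment check is a simplified same-or-parent-domain comparison rather than the full DMARC organizational-domain rule.

```python
from email.utils import parseaddr

# Constructed sample headers, modelled on the one Craig quoted (not real captured mail)
SAMPLE_FROM = "Craig Small <csmall@debian.org>"
SAMPLE_AUTH_RESULTS = (
    "mx.google.com; dkim=pass header.i=@debian.org "
    "header.s=debian1.csmall.user header.b=uVHcNrjO;"
)


def parse_auth_results(value):
    """Split an Authentication-Results value into the authserv-id and a list of
    {method, result, props} dicts, one per ';'-separated clause.
    Simplification: CFWS comments in parentheses are not stripped."""
    authserv, _, rest = value.partition(";")
    results = []
    for clause in rest.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        # property tokens look like header.i=@debian.org, smtp.mailfrom=joe@cow.com
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method, "result": result, "props": props})
    return authserv.strip(), results


def dkim_selector_record(identity, selector):
    """DNS name the verifier queries for the public key: <header.s>._domainkey.<domain of header.i>."""
    domain = identity.split("@", 1)[1]
    return f"{selector}._domainkey.{domain}"


def dkim_aligned(from_header, auth_results):
    """True if some dkim=pass identity domain covers the From: domain.
    Alignment is approximated as 'same domain or a parent of it' (assumption, simpler than DMARC)."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[1].lower()
    for r in auth_results:
        if r["method"] != "dkim" or r["result"] != "pass":
            continue
        # header.i is either @domain or local@domain; keep the domain part
        signed_domain = r["props"].get("header.i", "").split("@")[-1].lower()
        if signed_domain and (signed_domain == from_domain
                              or from_domain.endswith("." + signed_domain)):
            return True
    return False


if __name__ == "__main__":
    authserv, res = parse_auth_results(SAMPLE_AUTH_RESULTS)
    for r in res:
        if r["method"] == "dkim":
            print("checked by", authserv, "key record:",
                  dkim_selector_record(r["props"]["header.i"], r["props"]["header.s"]))
    print("DKIM aligned with From:", dkim_aligned(SAMPLE_FROM, res))
```

    Running it prints the record name `debian1.csmall.user._domainkey.debian.org`, which is what the db.debian.org publishing step mentioned earlier in the thread makes resolvable; a signature from another domain would verify fine but fail the alignment check, which is the outcome that matters for the Gmail bounce.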
  • From Bjørn Mork@21:1/5 to LeJacq, Jean Pierre on Mon Mar 7 21:30:01 2022
    "LeJacq, Jean Pierre" <jeanpierre.lejacq@quoininc.com> writes:

    There are standard best practices for forwarding support in SPF.

    http://www.open-spf.org/Best_Practices/Forwarding/

    Well, if it only was that simple.

    There is NO working SRS software/example config for sendmail in Debian
    or anywhere else AFAICS.

    The only thing we have is the python3-srs packages, which are still full
    of python2 specific code. None of the included tools even run on
    bullseye. For example:

    bjorn@canardo:~$ /usr/bin/srs2envtol
    Traceback (most recent call last):
      File "/usr/bin/srs2envtol", line 14, in <module>
        from ConfigParser import ConfigParser, DuplicateSectionError
    ModuleNotFoundError: No module named 'ConfigParser'
    bjorn@canardo:~$ dpkg -S /usr/bin/srs2envtol
    pysrs-bin: /usr/bin/srs2envtol
    bjorn@canardo:~$ apt-cache policy pysrs-bin
    pysrs-bin:
      Installed: 1.0.3-2
      Candidate: 1.0.3-2
      Version table:
     *** 1.0.3-2 700
            700 http://deb.debian.org/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status

    (yes, I could fix that and the remaining issues - but that's not the
    point)

    IMHO, modifying postsrsd looks like a much better alternative if I were
    to write something. Should be pretty easy to make it optionally use the sendmail socketmap protocol instead of the postfix tcp_table protocol.
    Or alternatively just write a simple proxy protocol translator. Then it
    could be plugged right into the example sendmail config from pysrs.

    But as has been the result each time I've considered SRS: I got bored
    with it long before I got it running. Why do I care whether google can
    send a bounce back? So I've just added owner-aliases for all my
    forwarded accounts (only a handful), pointing to a /dev/null address.

    That does it for me. SRS and SPF can continue to burn in the hell where
    it was invented.


    Stay tuned for the next episode of Mail Server Frustrations, where we'll
    look at Exim and mixed TLS (port 465) and STARTTLS (port 587) submission.



    Bjørn

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
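    For readers who have not met SRS before, here is what the rewriting Bjørn is talking about actually does, as an added Python example that is not part of the thread and not code from pysrs or postsrsd. It follows the SRS0 address layout used by libsrs2 (SRS0=hash=timestamp=domain=local@forwarder): the forwarder replaces the envelope sender with an address in its own domain so SPF at the next hop passes, and the HMAC plus two-character day stamp let it accept only bounces it produced recently and route them back to the original sender. The secret, forwarder domain and day counts are constructed; multi-hop SRS1 handling is left out.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for the example (assumptions, not anything from the thread)
SECRET = b"example-srs-secret-change-me"
FORWARDER = "forwarder.example"

# libsrs2 base32 alphabet for the two-character timestamp
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def srs_timestamp(days: int) -> str:
    """Encode days-since-epoch modulo 1024 as two base32 characters (5 bits each)."""
    days %= 1024
    return _B32[(days >> 5) & 31] + _B32[days & 31]


def srs_hash(secret: bytes, *parts: str) -> str:
    """First four base64 characters of HMAC-SHA1 over the lowercased parts."""
    msg = "".join(p.lower() for p in parts).encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest)[:4].decode()


def srs_forward(sender: str, secret: bytes = SECRET, forwarder: str = FORWARDER,
                days: Optional[int] = None) -> str:
    """Rewrite the envelope sender on outbound forwarding into an SRS0 address at the forwarder."""
    local, domain = sender.rsplit("@", 1)
    if days is None:
        days = int(time.time() // 86400)
    ts = srs_timestamp(days)
    h = srs_hash(secret, ts, domain, local)
    return f"SRS0={h}={ts}={domain}={local}@{forwarder}"


def srs_reverse(rewritten: str, secret: bytes = SECRET, days: Optional[int] = None,
                max_age: int = 21) -> str:
    """Turn an inbound bounce recipient back into the original sender.
    Rejects anything whose hash does not verify or whose stamp is older than max_age days,
    so the forwarder cannot be used as an open bounce relay."""
    local, _forwarder = rewritten.rsplit("@", 1)
    if not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    # maxsplit=4 keeps any '=' inside the original local part intact
    _, h, ts, domain, orig_local = local.split("=", 4)
    expected = srs_hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(h, expected):
        raise ValueError("bad SRS hash")
    if days is None:
        days = int(time.time() // 86400)
    encoded = (_B32.index(ts[0]) << 5) | _B32.index(ts[1])
    age = (days - encoded) % 1024
    if age > max_age:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    rewritten = srs_forward("joe@cow.com")
    print("forwarded as:", rewritten)
    print("bounce returns to:", srs_reverse(rewritten))
```

    The hash and timestamp are the part that makes a real deployment more than a string rewrite: without them, anyone could craft an SRS0 address at the forwarder and have it relay bounces to an arbitrary third party, which is why the Debian packaging gap Bjørn describes cannot be papered over with a plain alias.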