[plug] mailing lists and DKIM

Mon Apr 29 08:46:44 UTC 2013

G'day PLUG,

After a bit of research and testing, I've come up with a semi-reasonable 
solution to this problem. The following handler script will replace the 
 From address with the address of the list, and set the Reply-To to be 
the original sender's address. This allows the original sender to be 
reasonably easily identified, while still allowing the mailing list to 
modify and re-sign the emails on transmission.

/usr/lib/mailman/Mailman/Handlers/ReplyTo.py:
#!/usr/bin/env python
#
from email.Utils import formataddr, getaddresses, parseaddr

def process(mlist, msg, msgdata):
orig_from = parseaddr(msg.get('from'))
orig_rt = msg.get_all('reply-to')
del msg['from']
msg['From'] = formataddr((mlist.description, mlist.GetListEmail()))
del msg['reply-to']
if orig_rt:
rt_list = getaddresses(orig_rt)
rt_addr = [x[1] for x in rt_list]
if orig_from[1] not in rt_addr:
rt_list += [orig_from]
else:
rt_list = [orig_from]
msg['Reply-To'] = ', '.join([formataddr(x) for x in rt_list])

To activate this Handler, add the following line to 
/etc/mailman/mm_cfg.py:

GLOBAL_PIPELINE.insert(15, 'ReplyTo')

This will apply to all lists hosted by the system. The down-side is that 
mailing list members need to explicitly choose to reply to the list, 
rather than to the original emailer (ie choose Reply To List, rather 
than just Reply).

It's a little bit of a hack, but its working ok so far. I'll also 
investigate getting mailman to insert the original emailer's address 
into the top of the message body, to make it blatantly obvious who sent 
the email.

Cheers,

Adrian

On 2013-04-24 18:29, Adrian Woodley wrote:
> G'day PLUG,
> 
> I run a small not-for-profit ISP (bfb.asn.au) for my volunteer fire
> brigade, which offers Internet services (namely DNS, email and web
> hosting) for other volunteer fire brigades. One of the popular
> services is mailing lists, which use mailman.
> 
> Recently gmail started bouncing mail from the server, which has
> prompted me to implement DKIM. This works really well for mail
> originating from bfb.asn.au and it's sub-domains, but I'm a little
> unsure about how I should handing the mailing list.
> 
> As far as I can tell, there are two options:
> 
> 1) prevent mailman from modifying any of the DKIM signed headers. This
> would include the From, Reply-to and Subject headers, which would
> prevent the mailing list from easily identifying itself (rather than
> email being from the original sender).
> 
> 2) remove all DKIM signing, re-write the From header to be from the
> mailing list and re-sign the email upon transmission. This would make
> it potentially more difficult to identify who sent the email
> originally.
> 
> Any thoughts on what the best practise is here?
> 
> Cheers,
> 
> Adrian
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership