Re: problem with mailing list and multipart/mime?

[Jameson Graef Rollins <jrollins@finestructure.net>]

[-- Attachment #1: Type: text/plain, Size: 3969 bytes --]

Hi, Laurent.  Thanks for the response.  Comments below.

On Sat, 22 Oct 2011 13:47:47 +0200, Laurent Bercot <ska-supervision@skarnet.org> wrote:
> The mailing-list software *modifies* the message - namely, it adds a
> few headers (such as List-Unsubscribe) and removes other headers (such
> as Return-Path - for obvious reasons). So, it's normal that you cannot
> verify the signature of a message after it goes through the list.

PGP/MIME signatures are made over the body (and possibly any
attachments) of the message, and specifically *not* the headers [0].
Signatures in fact can't be made over headers, since obviously the
headers change frequently during the delivery of a message, and if
signatures were made over the headers as well the signatures would
always break.

But in fact it has become clear that the problem is not with the
signatures.  Alex sent a PGP/MIME signed message to the list that
appeared to come through with no problems at all (that I can tell).  See
below for more information.

> The adding and removal of headers should be perfectly safe and I don't
> think there's a bug in there. On the other hand, there *might* be a
> problem with the handling of MIME types, because it's something
> complex. The set of MIME types that are forbidden (i.e. if such a MIME
> type is encountered in a multipart message, the corresponding part of
> the message will be deleted) is the default set for the version of
> ezmlm-idx I am using. It includes text/html; it does not include
> text/plain, of course; and it does not include
> application/pgp-signature.

The removal of MIME parts could definitely break signatures if the
signature was made over the removed part.
 
> Since messages are modified when going through the list, it makes no
> sense to sign them, so I might as well add application/pgp-signature
> to the list of removed MIME parts, and end this bit of confusion.

I disagree.  One of the main reason one signs messages is to verify that
they were not modified in transit.  But that said, I can understand that
a mailing list would want to scrub messages of potentially dangerous
parts.  However, OpenPGP signatures are not damaging, and as long as the
signatures cover only other benign parts, such as text/plain (as were my
messages), then there's no reason for the mailing list to mangle them.

I am subscribed to literally dozens of mailing lists, and I sign my
messages to all of them.  This is the only list I've ever encountered
where this is an issue.

> If you think you have exhibited a real bug, such as a text/plain part
> of a MIME message being removed, please send proof to me: a message
> sent 1. to the list and 2. directly to me (using the address in the
> "From:" header of this message, and replying to the confirmation
> request), so I can compare the two and use it to investigate. But
> ezmlm-idx has worked flawlessly for years, and the MIME filter has
> being treating us pretty well, so I don't think there's a bug involved
> - at most, a misconfiguration on my part is possible.

I actually think this is a real bug.  Even a misconfiguration should not
produce the effect that we're seeing.

I've attached two messages below: the original of a message I sent to
the list, and what I received back from the list.  The only problem is
that a single MIME content boundary has been removed, without removing
anything else in the message.  This of course breaks the MIME structure,
making the message unrenderable.

What's strange is that Alex's signed message sent to the list was *not*
mangled in the same way.  The only thing I can think of is that for some
reason the list software doesn't like the string used as the content
boundary in my message ("--=-=-="), but doesn't mind the one that Alex
used ("V88s5gaDVPzZ0KCq").

Anyway, thanks for looking into this, Laurent.  I hope you can find the
bug.  Let me know if there's anything else I can do to help.

jamie.

[0] http://tools.ietf.org/html/rfc3156


[-- Attachment #2: original message --]
[-- Type: message/rfc822, Size: 1891 bytes --]

[-- Attachment #2.1.1: Type: text/plain, Size: 114 bytes --]

This is another test signed message.  This message explicitly has a
"Content-Disposition: inline" header.

jamie.

[-- Attachment #2.1.2: Type: application/pgp-signature, Size: 835 bytes --]

[-- Attachment #3: message received from list --]
[-- Type: message/rfc822, Size: 3225 bytes --]

[-- Attachment #3.1.1: Type: text/plain, Size: 350 bytes --]

On Sat, 22 Oct 2011 04:31:06 +0300, Alex Efros <powerman@powerman.name> wro=
te:
> Hi!
>=20
> Test signed message.

Thanks, Alex.  Your messages seems to have gone through fine.  Which
unfortunately means the problem is specific to me.

I'm going to try sending this message signed message but with a spoofed
user-agent and see what happens.

jamie.

[-- Attachment #3.1.2: Type: application/pgp-signature, Size: 835 bytes --]