From: Jameson Graef Rollins
To: Laurent Bercot, supervision@list.skarnet.org
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: problem with mailing list and multipart/mime?
Date: Sat, 22 Oct 2011 12:43:31 -0700
Message-ID: <87ehy46cd8.fsf@servo.finestructure.net>
In-Reply-To: <20111022114747.GA10042@skarnet.org>
References: <87aa8vblyz.fsf@servo.finestructure.net>
 <87vcrja2xj.fsf@servo.finestructure.net>
 <87y5we8fcd.fsf@servo.finestructure.net>
 <20111022013106.GC27171@home.power>
 <87pqhp6ayz.fsf@servo.finestructure.net>
 <20111022104356.GD27171@home.power>
 <20111022114747.GA10042@skarnet.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="==-=-="

Hi, Laurent.  Thanks for the response.  Comments below.

On Sat, 22 Oct 2011 13:47:47 +0200, Laurent Bercot wrote:
> The mailing-list software *modifies* the message - namely, it adds a
> few headers (such as List-Unsubscribe) and removes other headers (such
> as Return-Path - for obvious reasons). So, it's normal that you cannot
> verify the signature of a message after it goes through the list.

PGP/MIME signatures are made over the body (and possibly any attachments) of the message, and specifically *not* the headers [0].  Signatures in fact can't be made over headers, since obviously the headers change frequently during the delivery of a message, and if signatures were made over the headers as well the signatures would always break.

But in fact it has become clear that the problem is not with the signatures.  Alex sent a PGP/MIME signed message to the list that appeared to come through with no problems at all (that I can tell).  See below for more information.

> The adding and removal of headers should be perfectly safe and I don't
> think there's a bug in there. On the other hand, there *might* be a
> problem with the handling of MIME types, because it's something
> complex. The set of MIME types that are forbidden (i.e. if such a MIME
> type is encountered in a multipart message, the corresponding part of
> the message will be deleted) is the default set for the version of
> ezmlm-idx I am using. It includes text/html; it does not include
> text/plain, of course; and it does not include
> application/pgp-signature.

The removal of MIME parts could definitely break signatures if the signature was made over the removed part.

> Since messages are modified when going through the list, it makes no
> sense to sign them, so I might as well add application/pgp-signature
> to the list of removed MIME parts, and end this bit of confusion.

I disagree.  One of the main reasons one signs messages is to verify that they were not modified in transit.

But that said, I can understand that a mailing list would want to scrub messages of potentially dangerous parts.  However, OpenPGP signatures are not damaging, and as long as the signatures cover only other benign parts, such as text/plain (as were my messages), then there's no reason for the mailing list to mangle them.

I am subscribed to literally dozens of mailing lists, and I sign my messages to all of them.  This is the only list I've ever encountered where this is an issue.

> If you think you have exhibited a real bug, such as a text/plain part
> of a MIME message being removed, please send proof to me: a message
> sent 1. to the list and 2. directly to me (using the address in the
> "From:" header of this message, and replying to the confirmation
> request), so I can compare the two and use it to investigate. But
> ezmlm-idx has worked flawlessly for years, and the MIME filter has
> been treating us pretty well, so I don't think there's a bug involved
> - at most, a misconfiguration on my part is possible.

I actually think this is a real bug.  Even a misconfiguration should not produce the effect that we're seeing.

I've attached two messages below: the original of a message I sent to the list, and what I received back from the list.  The only problem is that a single MIME content boundary has been removed, without removing anything else in the message.  This of course breaks the MIME structure, making the message unrenderable.

What's strange is that Alex's signed message sent to the list was *not* mangled in the same way.  The only thing I can think of is that for some reason the list software doesn't like the string used as the content boundary in my message ("--=-=-="), but doesn't mind the one that Alex used ("V88s5gaDVPzZ0KCq").

Anyway, thanks for looking into this, Laurent.  I hope you can find the bug.  Let me know if there's anything else I can do to help.

jamie.

[0] http://tools.ietf.org/html/rfc3156

--==-=-=
Content-Type: message/rfc822
Content-Disposition: attachment;
 filename*0*=us-ascii''1319310984.19900_680703_68.servo.finestructure.net;
 filename*1*=%3a2%2cS
Content-Description: original message

From: Jameson Graef Rollins
To: Alex Efros, supervision@list.skarnet.org
Subject: Re: problem with mailing list and multipart/mime?
In-Reply-To: <87pqhp6ayz.fsf@servo.finestructure.net>
References: <87aa8vblyz.fsf@servo.finestructure.net>
 <87vcrja2xj.fsf@servo.finestructure.net>
 <87y5we8fcd.fsf@servo.finestructure.net>
 <20111022013106.GC27171@home.power>
 <87pqhp6ayz.fsf@servo.finestructure.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Content-Disposition: inline
Date: Sat, 22 Oct 2011 12:16:24 -0700
Message-ID: <87fwik6dmf.fsf@servo.finestructure.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"

--=-=-=

This is another test signed message.  This message explicitly has a
"Content-Disposition: inline" header.

jamie.

--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----
--=-=-=--

--==-=-=
Content-Type: message/rfc822
Content-Disposition: attachment; filename=1319248905.Vfd03I46a10M390327.snapper
Content-Description: message received from list

Return-Path:
X-Original-To: jrollins-mail@localhost
Delivered-To: jrollins-mail@localhost
Received: by snapper (Postfix, from userid 110)
 id 55597EE83; Fri, 21 Oct 2011 22:01:45 -0400 (EDT)
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on snapper
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_MIME_NO_TEXT
 autolearn=ham version=3.3.2
Received: from antah.skarnet.org (antah.skarnet.org [212.85.147.14])
 by snapper (Postfix) with SMTP id D7E1EEE80
 for ; Fri, 21 Oct 2011 22:01:37 -0400 (EDT)
Received: (qmail 7025 invoked by uid 76); 22 Oct 2011 02:04:40 -0000
Mailing-List: contact supervision-help@list.skarnet.org; run by ezmlm
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Archive:
Delivered-To: mailing list supervision@list.skarnet.org
Received: (qmail 7017 invoked from network); 22 Oct 2011 02:04:40 -0000
From: Jameson Graef Rollins
To: Alex Efros, supervision@list.skarnet.org
Subject: Re: problem with mailing list and multipart/mime?
In-Reply-To: <20111022013106.GC27171@home.power>
References: <87aa8vblyz.fsf@servo.finestructure.net>
 <87vcrja2xj.fsf@servo.finestructure.net>
 <87y5we8fcd.fsf@servo.finestructure.net>
 <20111022013106.GC27171@home.power>
User-Agent: Mutt/1.5.21 (2010-09-15)
Date: Fri, 21 Oct 2011 19:01:24 -0700
Message-ID: <87pqhp6ayz.fsf@servo.finestructure.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"

On Sat, 22 Oct 2011 04:31:06 +0300, Alex Efros wro=
te:
> Hi!
>=20
> Test signed message.

Thanks, Alex.  Your messages seems to have gone through fine.  Which
unfortunately means the problem is specific to me.  I'm going to try
sending this message signed message but with a spoofed user-agent and
see what happens.

jamie.

--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----
--=-=-=--

--==-=-=--
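
The structural difference between the two attached messages can be checked mechanically. The following is an added example, not part of the original post and not code from ezmlm-idx: it parses a multipart/signed message with Python's standard email package and reports what a lost opening delimiter does to the structure. ORIGINAL and MANGLED are constructed samples modelled on the two attachments above, with a placeholder in place of a real signature, and the function name is hypothetical.

```python
from email import message_from_string

def signed_structure_problems(raw: str) -> list[str]:
    """List structural defects that stop a PGP/MIME message from being verified."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        return ["not a multipart/signed message"]
    problems = []
    # RFC 3156: exactly two parts, the signed content and then the signature.
    parts = msg.get_payload() if msg.is_multipart() else []
    if len(parts) != 2:
        problems.append(f"expected 2 parts, found {len(parts)}")
    # The last part must carry the type named by the protocol parameter.
    protocol = msg.get_param("protocol")
    if parts and parts[-1].get_content_type() != protocol:
        problems.append(f"last part is not {protocol}")
    # Text ahead of the first delimiter is preamble: clients do not render it
    # and the signature no longer has a first part to be checked against.
    if (msg.preamble or "").strip():
        problems.append("content found before the first boundary delimiter")
    return problems

# Constructed samples (not the real messages); the signature is a placeholder.
HEADERS = ('MIME-Version: 1.0\n'
           'Content-Type: multipart/signed; boundary="=-=-=";\n'
           ' micalg=pgp-sha256; protocol="application/pgp-signature"\n\n')
BODY = 'Content-Type: text/plain\n\nThis is a test signed message.\n'
SIG = ('--=-=-=\nContent-Type: application/pgp-signature\n\n'
       'PLACEHOLDER-SIGNATURE\n--=-=-=--\n')
ORIGINAL = HEADERS + '--=-=-=\n' + BODY + SIG
# As received from the list: the first delimiter line is gone, nothing else.
MANGLED = HEADERS + BODY + SIG

if __name__ == "__main__":
    for name, raw in (("original", ORIGINAL), ("from list", MANGLED)):
        print(name, signed_structure_problems(raw) or "structure OK")
```

Run on a message as sent and as received back, a check like this separates header rewriting, which PGP/MIME tolerates, from body or boundary changes, which it does not.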