[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20210628162027.GC4604@ziepe.ca>
Date: Mon, 28 Jun 2021 13:20:27 -0300
From: Jason Gunthorpe <jgg@...pe.ca>
To: Benjamin LaHaise <ben@...munityfibre.ca>
Cc: James Bottomley <James.Bottomley@...senPartnership.com>,
linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: linux-mm@...ck.org - limping on a backup
On Mon, Jun 28, 2021 at 10:40:51AM -0400, Benjamin LaHaise wrote:
> On Mon, Jun 28, 2021 at 11:26:59AM -0300, Jason Gunthorpe wrote:
> > Isn't a 7-bit conversion what I pointed at last time we talked about
> > this?
>
> I changed several options in postfix last time this was raised, but as
> nobody ever provided a test case, I had no way of knowing if it worked or
> not.
I've been using a script like this against the lore public inbox git
repos to monitor my own domain's dkim cleanness and interaction with
list serves:
#!/usr/bin/python3
import subprocess
import collections
# Starting points
start = XXXXX # git commit id string
emails = collections.defaultdict(list)
commits = subprocess.check_output(["git","log","master","^" + start,'--pretty=format:%H %aN <%aE>']).decode()
for ln in commits.splitlines():
commit,_,email = ln.partition(' ')
if "nvidia.com" in email.lower():
emails[email].append(commit)
fails = set()
not_empty = True;
while not_empty:
not_empty = False;
for email,commits in sorted(emails.items()):
if email in fails or not commits:
continue
commit = commits[-1];
del commits[-1]
if commits:
not_empty = True;
msg = subprocess.check_output(["git","show",commit + ":m"]);
try:
subprocess.check_output(["dkimverify"], input=msg);
#print(email)
except:
fails.add(email)
print("Failed!", email, commit)
It has taken a lot of doing, but nvidia.com is now effectively DKIM
clean through vger.
You could run with with some known-good domains like nvidia.com,
facebook.com, google.com, to measure kvack's activity. Failures can
often be cross-correlated against a vger list and then you can do A/B
comparison to guess what is wrong.
> spec that ignores decades of that philosophy at the IETF. And even if a
> DKIM signature passes, that's still not enough to trust the resulting
> email. All it does is ensure that a small subset of valid emails get
> dropped on the floor. This doesn't seem like an overall win.
I have no idea. It is here, people beyond us have made this decision,
we have to work within it. DMARC is ratcheting this up and is moving
to say if DKIM fails then emails should be discared.
Jason
Powered by blists - more mailing lists