Thread (12 messages) 12 messages, 4 authors, 2021-06-28

Re: linux-mm@kvack.org - limping on a backup

From: Jason Gunthorpe <jgg@ziepe.ca>
Date: 2021-06-28 16:20:36
Also in: lkml

On Mon, Jun 28, 2021 at 10:40:51AM -0400, Benjamin LaHaise wrote:
On Mon, Jun 28, 2021 at 11:26:59AM -0300, Jason Gunthorpe wrote:
quoted
Isn't a 7-bit conversion what I pointed at last time we talked about
this?
I changed several options in postfix last time this was raised, but as
nobody ever provided a test case, I had no way of knowing if it worked or
not.
I've been using a script like this against the lore public inbox git
repos to monitor my own domain's dkim cleanness and interaction with
list serves:

#!/usr/bin/python3
import subprocess
import collections

# Starting points
start = XXXXX # git commit id string

emails = collections.defaultdict(list)
commits = subprocess.check_output(["git","log","master","^" + start,'--pretty=format:%H %aN <%aE>']).decode()
for ln in commits.splitlines():
    commit,_,email = ln.partition(' ')
    if "nvidia.com" in email.lower():
        emails[email].append(commit)

fails = set()
not_empty = True;
while not_empty:
    not_empty = False;
    for email,commits in sorted(emails.items()):
        if email in fails or not commits:
            continue
        commit = commits[-1];
        del commits[-1]
        if commits:
            not_empty = True;
        msg = subprocess.check_output(["git","show",commit + ":m"]);
        try:
            subprocess.check_output(["dkimverify"], input=msg);
            #print(email)
        except:
            fails.add(email)
            print("Failed!", email, commit)

It has taken a lot of doing, but nvidia.com is now effectively DKIM
clean through vger.

You could run with with some known-good domains like nvidia.com,
facebook.com, google.com, to measure kvack's activity. Failures can
often be cross-correlated against a vger list and then you can do A/B
comparison to guess what is wrong.
spec that ignores decades of that philosophy at the IETF.  And even if a
DKIM signature passes, that's still not enough to trust the resulting
email.  All it does is ensure that a small subset of valid emails get
dropped on the floor.  This doesn't seem like an overall win.
I have no idea. It is here, people beyond us have made this decision,
we have to work within it. DMARC is ratcheting this up and is moving
to say if DKIM fails then emails should be discared.

Jason
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help