Mailing list questions (DMARC, ARC, more?)
Matus UHLAR - fantomas
uhlar at fantomas.sk
Fri Sep 23 22:23:03 UTC 2022
another test done
>>>>>>>I see the list operates both From: munging and ARC
>>>>>>>sealing. While I'm clear about the former, I'm curious
>>>>>>>about how ARC works:
>>>>>>>
>>>>>>>Do any subscribers trust the seal by isc.org?
>>>>I guess most recipients use predefined configurations, e.g. no whitelisting.
>>>>
>>>>out of curiosity, I set my opendmarc.conf:
>>>>
>>>>DomainWhitelist lists.isc.org
>>>>
>>>>so we'll see next time mail comes.
>>>>On 25.08.22 18:10, Alessandro Vesely wrote:
>>>Please tell us.
>On Fri 02/Sep/2022 14:27:55 +0200 Matus UHLAR - fantomas wrote:
>>so far, not ex
>>
>>- opendmarc only uses header that's inserted by openarc milter
>>
>>- openarc milter for bind-users inserts arc.chain="isc.org:isc.org:isc.org"
On 04.09.22 12:56, Alessandro Vesely wrote:
>They produce an ARC set on each internal passage, all having
>d=isc.org. That's undoubtedly redundant, yet valid.
I haven't studied the ARC standard, but this looks correct.
However, I was repeatedly unable to make opendmarc accept the arc result:
Authentication-Results: fantomas.fantomas.sk; dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: fantomas.fantomas.sk;
dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=itqgpF3K;
dkim-atps=neutral
Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
authorized) smtp.mailfrom=lists.isc.org (client-ip=149.20.1.60;
helo=lists.isc.org;
envelope-from=bind-users-bounces+uhlar=fantomas.sk at lists.isc.org;
receiver=<UNKNOWN>)
Authentication-Results: fantomas.fantomas.sk; arc=pass smtp.remote-ip=149.20.1.60 arc.chain="isc.org:isc.org:isc.org"
From: frank picabia <fpicabia at gmail.com>
>>- opendmarc seems to ignore "DomainWhitelist isc.org" perhaps I need to put
>> isc.org:isc.org:isc.org (will try)
I have tried both, no result.
>When enabled, arc=pass should override dmarc=fail p=reject. We never
>get this, because bind-users rewrite From: if author's domain has
>p=reject.
This should not be a problem, since we should trust isc.org servers when
they provide a working ARC-Seal:
>Trusting isc.org should suffice. Logically, when multiple domains
>applied message modifications, a receiver has to trust all of them.
>Not necessarily any disposition of them.
do you mean I should trust all domains in the ARC-Seal listed in the Authentication-Results
header?
>>- openarc (I have installed beta from debian experimental) seems to
>>insert Authentication-Result: header when no ARC seal is present,
>>though not always.
>>
>>- arc for bind-users seems to fail when mailman rewrites From:
>>header (but DKIM is fine in this case)
>I tried the Perl ARC verifier included in Mail::DKIM. On your message it outputs:
>
>ale at pcale:~/tmp$ arc-verify.pl < arc1.eml
this is not in the debian distribution.
when I tried it, it shows correct:
uhlar at fantomas% perl ./scripts/arcverify.pl < /tmp/arc1.eml
RESULT: pass
uhlar at fantomas% perl ./scripts/arcverify.pl < /tmp/arctest
RESULT: pass
however, I was unable to make my dkim/dmarc PASS on a mail from this list
that was:
- arc-signed by ISC
- DKIM fail (not munged)
- not from ISC
>ARC-Seal: v=3 pass
>ARC-Message-Signature: v=3 pass
>ARC-Seal: v=2 pass
>ARC-Message-Signature: v=2 fail (body has been altered)
>ARC-Seal: v=1 pass
>ARC-Message-Signature: v=1 fail (body has been altered)
>
>(arc-verify.pl is a copy of the module's synopsis[*].)
>
>Then I tried it on Ged's message, earlier in this thread, and got:
>
>ale at pcale:~/tmp$ arc-verify.pl < arc2.eml
>ARC-Seal: v=3 pass
>ARC-Message-Signature: v=3 pass
>ARC-Seal: v=2 pass
>ARC-Message-Signature: v=2 fail (message has been altered)
>ARC-Seal: v=1 pass
>ARC-Message-Signature: v=1 fail (message has been altered)
>
>So both messages seem to be valid, if you trust isc.org. The failure
>in the signature reflects that only the body was altered in your
>message, while also the header was altered in Ged's one. As ARC
>allows mediators to modify messages, only the last signature is
>significant.
>
>
>>>Mailman should know about your setting in order to skip From:
>>>munging in the copies sent to you. Currently, the copies sent to
>>>pipermail for archiving seem to be non-munged, so this
>>>functionality exists.
>>
>>do you mean I can turn off From: munging in mail sent to me?
>
>
>Mailman options[†] don't include something like
>
> *From munging*:
>
> Set this option to /Disabled/ to receive messages with the original From:
> line intact. Keep in mind that disabling this option will fail DMARC, so
> keep it enabled unless your MTA either doesn't check DMARC or accepts ARC
> overrides.
>
>It doesn't seem difficult to implement. It requires trusting the
>users, though. I'm going to ask Mailman developers.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
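As an added illustration of the decision discussed in this thread (an arc=pass result overriding dmarc=fail only when every sealer in arc.chain is trusted), here is a small Python model that parses the Authentication-Results headers quoted above. This is example code written for this page, not part of the original message and not code from opendmarc, openarc or Mail::DKIM. The sample headers are copied from the message (line folds joined, the archive's " at " restored to "@"); the trusted-sealer set, the exact-match whitelist rule and the accept/quarantine/reject mapping are assumptions of the model, not a description of how opendmarc implements DomainWhitelist.

```python
"""Toy model of an ARC override decision over Authentication-Results headers.

Added example: not code from the list message, from opendmarc or from
Mail::DKIM. The headers below are copied from the message (line folds
joined); the trusted-sealer set and the decision rules are assumptions.
"""
import re
from typing import Any, Dict, List, Optional, Set, Tuple

OUR_AUTHSERV_ID = "fantomas.fantomas.sk"  # authserv-id used on the page

# Constructed sample: the four Authentication-Results headers quoted above.
SAMPLE_HEADERS: List[str] = [
    'fantomas.fantomas.sk; dmarc=fail (p=none dis=none) header.from=gmail.com',
    'fantomas.fantomas.sk; dkim=fail reason="signature verification failed" '
    '(2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com '
    'header.a=rsa-sha256 header.s=20210112 header.b=itqgpF3K; dkim-atps=neutral',
    'fantomas.fantomas.sk; spf=pass (sender SPF authorized) '
    'smtp.mailfrom=lists.isc.org (client-ip=149.20.1.60; helo=lists.isc.org; '
    'envelope-from=bind-users-bounces+uhlar=fantomas.sk@lists.isc.org; '
    'receiver=<UNKNOWN>)',
    'fantomas.fantomas.sk; arc=pass smtp.remote-ip=149.20.1.60 '
    'arc.chain="isc.org:isc.org:isc.org"',
]

# Constructed variant: same message, but the author domain publishes p=reject.
REJECT_VARIANT: List[str] = (
    [SAMPLE_HEADERS[0].replace("p=none", "p=reject")] + SAMPLE_HEADERS[1:]
)

_COMMENT = re.compile(r"\([^()]*\)")
_TOKEN = re.compile(r'([A-Za-z0-9._-]+)=("[^"]*"|[^\s;]+)')
# opendmarc puts the published policy in a comment, as seen on the page
_DMARC_POLICY = re.compile(r"dmarc=\w+\s*\(p=(\w+)")


def strip_comments(text: str) -> str:
    """Remove parenthesised comments (innermost first) so ';' inside them is ignored."""
    prev = None
    while prev != text:
        prev, text = text, _COMMENT.sub(" ", text)
    return text


def parse_auth_results(header: str) -> Dict[str, Any]:
    """Split one Authentication-Results value into authserv-id and per-method results."""
    parts = [p.strip() for p in strip_comments(header).split(";")]
    authserv_id = parts[0].split()[0]  # drop an optional version number
    results: List[Dict[str, Any]] = []
    for part in parts[1:]:
        tokens = _TOKEN.findall(part)
        if not tokens:
            continue
        method, result = tokens[0]  # e.g. ('arc', 'pass')
        props = {k: v.strip('"') for k, v in tokens[1:]}  # e.g. arc.chain=...
        results.append({"method": method, "result": result, "props": props})
    return {"authserv_id": authserv_id, "results": results}


def decide(headers: List[str], trusted_sealers: Set[str],
           our_authserv_id: str = OUR_AUTHSERV_ID) -> Tuple[str, str]:
    """Return (action, reason). arc=pass overrides dmarc=fail only when every
    domain in arc.chain is in trusted_sealers (exact, case-insensitive match)."""
    dmarc: Optional[str] = None
    arc: Optional[str] = None
    chain: List[str] = []
    policy: Optional[str] = None
    for header in headers:
        m = _DMARC_POLICY.search(header)
        if m:
            policy = m.group(1)
        parsed = parse_auth_results(header)
        if parsed["authserv_id"] != our_authserv_id:
            continue  # only act on results our own filter chain produced
        for r in parsed["results"]:
            if r["method"] == "dmarc":
                dmarc = r["result"]
            elif r["method"] == "arc":
                arc = r["result"]
                raw = r["props"].get("arc.chain", "")
                chain = [d.lower() for d in raw.split(":") if d]
    if dmarc == "pass":
        return "accept", "dmarc=pass"
    if arc == "pass" and chain and all(d in trusted_sealers for d in chain):
        return "accept", "arc override: chain %s all trusted" % ":".join(chain)
    if dmarc == "fail":
        action = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "accept")
        return action, "dmarc=fail p=%s" % (policy or "none")
    return "accept", "no dmarc result"


if __name__ == "__main__":
    for sealers in ({"isc.org"}, {"lists.isc.org"}):
        print(sorted(sealers), decide(SAMPLE_HEADERS, sealers), decide(REJECT_VARIANT, sealers))
```

Running it shows the two cases that matter in the thread: with "isc.org" trusted, arc=pass overrides dmarc=fail even for the p=reject variant; with only "lists.isc.org" trusted, none of the sealers in the chain matches, the override does not apply, and the outcome falls back to the DMARC policy (deliver for p=none, reject for p=reject). The model also ignores headers whose authserv-id is not ours, since a sender can add Authentication-Results headers of its own.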