Mailing list questions (DMARC, ARC, more?)
Alessandro Vesely
vesely at tana.it
Mon Sep 26 18:24:51 UTC 2022
On Sat 24/Sep/2022 00:23:03 +0200 Matus UHLAR - fantomas wrote:
> another test done
Thanks for reporting.
This is slightly OT, as it concerns the list functioning rather than DNS. I hope it doesn't afflict...
>>>>>>>> I see the list operates both From: munging and ARC sealing. While I'm
>>>>>>>> clear about the former, I'm curious about how ARC works:
>>>>>>>>
>>>>>>>> Do any subscribers trust the seal by isc.org?
>>>>>
>>>>> I guess most of recipients use predefined configurations, e.g. no
>>>>> whitelisting.
>>>>>
>>>>> out of curiousity, I set my opendmarc.conf:
>>>>>
>>>>> DomainWhitelist lists.isc.org
>>>>>
>>>>> so we'll see next time mail comes.
>>>>>
>>>>> On 25.08.22 18:10, Alessandro Vesely wrote:
>>>> Please tell us.
>>
>> On Fri 02/Sep/2022 14:27:55 +0200 Matus UHLAR - fantomas wrote:
>>> so far, not ex
>>>
>>> - opendmarc only uses header that's inserted by openarc milter
>>>
>>> - openarc milter for bind-users inserts arc.chain="isc.org:isc.org:isc.org"
>
> On 04.09.22 12:56, Alessandro Vesely wrote:
>> They produce an ARC set on each internal passage, all having d=isc.org.
>> That's undoubtedly redundant, yet valid.
>
> I haven't studied the ARC standard, but this looks correct.
> However, I was repeatedly unable to make opendmarc to accept arc result:
>
> Authentication-Results: fantomas.fantomas.sk; dmarc=fail (p=none dis=none) header.from=gmail.com
> Authentication-Results: fantomas.fantomas.sk;
> dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=itqgpF3K;
> dkim-atps=neutral
IMHO, it is correct to say dkim=fail, but DMARC should have been redeemed by ARC if trusted.
> Authentication-Results: [...]
> Authentication-Results: fantomas.fantomas.sk; arc=pass smtp.remote-ip=149.20.1.60 arc.chain="isc.org:isc.org:isc.org"
That arc=pass doesn't say if it was trusted or not. As you say, trust doesn't seem to make any difference. Paradoxical.
> From: frank picabia <fpicabia at gmail.com>
Gmail has p=none. However, I tried to send to this list an unauthenticated message from a domain with p=reject and spf-all. It was rejected by:
550 5.7.1 Blocked by SpamAssassin
That looks like accumulating a score, not a formal rejection after policy requirements.
>>> - opendmarc seems to ignore "DomainWhitelist isc.org" perhaps I need to put
>>> isc.org:isc.org:isc.org (will try)
>
> I have tried both, no result.
There is a school of thought according to which receivers should blindly trust ARC headers, except spam or known bad actors.
>> When enabled, arc=pass should override dmarc=fail p=reject. We never get
>> this, because bind-users rewrite From: if author's domain has p=reject.
>
> This should not be a problem, since we should trust isc.org servers when they
> provide wortking ARC-Seal:
Yes, but we still receive munged From:'s. The idea was that with ARC they could be avoided. The way to do it is the 1st method in my draft[*], but I cannot find a list willing to experiment.
>> Trusting isc.org should suffice. Logically, when multiple domains applied
>> message modifications, a receiver has to trust all of them. Not necessarily
>> any disposition of them.
>
> do you mean, I should trust all domains in ARC-Seal, listed in
> Authentication-Results header?
RFC8617 talks about "sealing domain" of a given ARC set, surmising that the d= tag should have the same value in ARC-Seal and ARC-Message-Signature.
>>> - openarc (I have installed beta from debian experimental) seems to insert
>>> Authentication-Result: header when no ARC seal is present, though not always.
>>>
>>> - arc for bind-users seems to fail when mailman rewrites From: header (but
>>> DKIM is fine in this case)
>
>> I tried the Perl ARC verifier included in Mail::DKIM. On your message it
>> outputs:
>>
>> ale at pcale:~/tmp$ arc-verify.pl < arc1.eml
>
> this is not in debian distribution.
> when tried it, it shows correct:
>
> uhlar at fantomas% perl ./scripts/arcverify.pl < /tmp/arc1.eml
> RESULT: pass
> uhlar at fantomas% perl ./scripts/arcverify.pl < /tmp/arctest
> RESULT: pass
>
>
> however, I was unable to make my dkim/dmarc PASS on a mail from this list that
> was:
>
> - arc-signed by ISC
> - DKIM fail (not munged)
The header is ok, but the body has an added footer. Using zdkimfilter (3rd method in that draft[*]) I get the following on your message:
INFO: zfilter: zdkimfilter[13097]:ip=NULL: domain isc.org whitelisted by list.dnswl.org
DEBUG: zfilter: zdkimfilter[13097]:ip=NULL: retrieved fantomas.sk->fantomas: rsa-sha256, 2048 bits
INFO: zfilter: zdkimfilter[13097]:ip=NULL: enabling body parse (sigs pass: 1, could pass: 0)
INFO: zfilter: zdkimfilter[13097]:ip=NULL: enabling retry (badsig, bh ok: 0; badsig, bh bad: 0; pass, bh bad: 1)
INFO: zfilter: zdkimfilter[13097]:ip=NULL: transformation enabled for "Matus UHLAR - fantomas <uhlar at fantomas.sk>" retry body only
INFO: zfilter: zdkimfilter[13097]:ip=NULL: transform message from base64 back to identity with footer.
INFO: zfilter: zdkimfilter[13097]:ip=NULL: sig failure d=fantomas.sk, s=fantomas: body hash mismatch
INFO: zfilter: zdkimfilter[13097]:ip=NULL: sig success (trans) d=fantomas.sk, s=fantomas
INFO: zfilter: zdkimfilter[13097]:ip=NULL: signature by fantomas.sk, s=fantomas recovered by transformation
INFO: zfilter: zdkimfilter[13097]:DMARC disabled (0), policy not found for fantomas.sk
INFO: zfilter: zdkimfilter[13097]:ADSP disabled (0), policy not found for fantomas.sk
Authentication-Results: wmail.tana.it;
spf=pass smtp.mailfrom=lists.isc.org;
dkim=pass reason="transformed" header.d=fantomas.sk
250 Ok.
Best
Ale
--
[*] https://datatracker.ietf.org/doc/html/draft-vesely-dmarc-mlm-transform
More information about the bind-users
mailing list