Mailing list questions (DMARC, ARC, more?)
Matus UHLAR - fantomas
uhlar at fantomas.sk
Fri Sep 2 12:27:55 UTC 2022
>>On 25.08.22 18:10, Alessandro Vesely wrote:
>>>The lack of interest by others proves that From: munging is not so
>>>much of a nuisance as they say...
>On Mon 29/Aug/2022 12:09:10 +0200 Matus UHLAR - fantomas wrote:
>>This will come sooner or later, however:
>>
>>earlier this year I've done small dmarc research for our client:
>>
>>- microsoft software (on-premise exchange and 365) does not
>>DKIM-sign DSN e-mail (delivery and non-delivery notifications)
>>although those have sending domain in From: (I guess domain is
>>added after sig generated)

On 01.09.22 12:07, Alessandro Vesely wrote:
>So do I, relying on SPF for DSNs.

if DSN contains domain in From: address, they can be signed as well.
microsoft messed this up.

>>- only a few % of domains have other DMARC policy than none
>>- mailman 2 (used here) only munges From: when domain DMARC policy
>>for the sending domain is other than none.
>Which is insecure.

yes, but due to the above, since DSNs aren't DKIM-signed, they could be
easily dropped, I assume either nobody tried to set DMARC policy to other
than none or they had problems.

>While I keep p=none, anyone can post a spoof using
>my email address as From: and pretend to be me. It never happens, but
>some people believe it /cannot/ happen.

>>>>>I see the list operates both From: munging and ARC sealing.
>>>>>While I'm clear about the former, I'm curious about how ARC
>>>>>works:
>>>>>
>>>>>Do any subscribers trust the seal by isc.org?
>>
>>I guess most of recipients use predefined configurations, e.g. no whitelisting.
>>
>>out of curiosity, I set my opendmarc.conf:
>>
>>DomainWhitelist lists.isc.org
>>
>>so we'll see next time mail comes.
>Please tell us.

so far, not ex
- opendmarc only uses header that's inserted by openarc milter
- openarc milter for bind-users inserts arc.chain="isc.org:isc.org:isc.org"
- opendmarc seems to ignore "DomainWhitelist isc.org" perhaps I need to put
  isc.org:isc.org:isc.org (will try)
- openarc (I have installed beta from debian experimental) seems to insert
  Authentication-Result: header when no ARC seal is present, though not always.
- arc for bind-users seems to fail when mailman rewrites From: header
  (but DKIM is fine in this case)

>Mailman should know about your setting in order to skip From: munging
>in the copies sent to you. Currently, the copies sent to pipermail
>for archiving seem to be non-munged, so this functionality exists.

do you mean I can turn off From: munging in mail sent to me?

--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.
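
The thread describes a list that munges From: only when the author domain publishes a DMARC policy other than none. The sketch below is an added example, not part of the original message and not Mailman's code: it parses a DMARC TXT record and makes that decision, showing that posts from p=none domains pass through unmunged. The function names and sample records are constructed for illustration, and the DNS lookup of `_dmarc.<domain>` is assumed to have happened already.

```python
"""Decide From: munging from a DMARC TXT record (added example, constructed data)."""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # parts without '=' are ignored
            tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489 requires v=DMARC1 to be the first tag of the record.
    first = parts[0].replace(" ", "") if parts else ""
    return tags if first == "v=DMARC1" else None


def effective_policy(txt, from_is_subdomain=False):
    """Policy a receiver would apply: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "none"  # no usable record: nothing is enforced
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "none"  # missing or invalid p= is never enforced
    sp = tags.get("sp", "").lower()
    if from_is_subdomain and sp in VALID_POLICIES:
        policy = sp  # sp= overrides p= for subdomains of the record's domain
    return policy


def should_munge(txt, from_is_subdomain=False):
    """Behaviour described in the thread: munge only if policy is not none."""
    return effective_policy(txt, from_is_subdomain) != "none"


# Constructed sample records (not real published policies).
SAMPLES = [
    ("v=DMARC1; p=reject; rua=mailto:dmarc@example.org", False),
    ("v=DMARC1; p=none; rua=mailto:dmarc@example.org", False),
    ("v=DMARC1; p=none; sp=quarantine", True),
    (None, False),
]

if __name__ == "__main__":
    for record, is_sub in SAMPLES:
        print(repr(record), "->", effective_policy(record, is_sub),
              "munge" if should_munge(record, is_sub) else "pass unmunged")
```
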