Mailing list questions (DMARC, ARC, more?)

Alessandro Vesely vesely at tana.it
Sun Sep 4 10:56:24 UTC 2022


On Fri 02/Sep/2022 14:27:55 +0200 Matus UHLAR - fantomas wrote:
>>> On 25.08.22 18:10, Alessandro Vesely wrote:
>>>>>> I see the list operates both From: munging and ARC sealing. While I'm 
>>>>>> clear about the former, I'm curious about how ARC works:
>>>>>>
>>>>>> Do any subscribers trust the seal by isc.org?
>>>
>>> I guess most recipients use predefined configurations, e.g. no whitelisting.
>>>
>>> out of curiosity, I set my opendmarc.conf:
>>>
>>> DomainWhitelist lists.isc.org
>>>
>>> so we'll see next time mail comes.
>> 
>> Please tell us.
> 
> so far, not ex
> 
> - opendmarc only uses header that's inserted by openarc milter
> 
> - openarc milter for bind-users inserts arc.chain="isc.org:isc.org:isc.org"


They produce an ARC set on each internal passage, all having d=isc.org.  That's 
undoubtedly redundant, yet valid.


> - opendmarc seems to ignore "DomainWhitelist isc.org" perhaps I need to put
>    isc.org:isc.org:isc.org (will try)


When enabled, arc=pass should override dmarc=fail p=reject.  We never get this, 
because bind-users rewrites From: if the author's domain has p=reject.

Trusting isc.org should suffice.  Logically, when multiple domains applied 
message modifications, a receiver has to trust all of them.  Not necessarily 
any disposition of them.


> - openarc (I have installed the beta from Debian experimental) seems to insert
> Authentication-Result: header when no ARC seal is present, though not always.
> 
> - arc for bind-users seems to fail when mailman rewrites From: header (but 
> DKIM is fine in this case)


I tried the Perl ARC verifier included in Mail::DKIM.  On your message it outputs:

ale at pcale:~/tmp$ arc-verify.pl < arc1.eml
ARC-Seal: v=3 pass
ARC-Message-Signature: v=3 pass
ARC-Seal: v=2 pass
ARC-Message-Signature: v=2 fail (body has been altered)
ARC-Seal: v=1 pass
ARC-Message-Signature: v=1 fail (body has been altered)

(arc-verify.pl is a copy of the module's synopsis[*].)

Then I tried it on Ged's message, earlier in this thread, and got:

ale at pcale:~/tmp$ arc-verify.pl < arc2.eml
ARC-Seal: v=3 pass
ARC-Message-Signature: v=3 pass
ARC-Seal: v=2 pass
ARC-Message-Signature: v=2 fail (message has been altered)
ARC-Seal: v=1 pass
ARC-Message-Signature: v=1 fail (message has been altered)

So both messages seem to be valid, if you trust isc.org.  The failure in the 
signature reflects that only the body was altered in your message, while the 
header was also altered in Ged's.  As ARC allows mediators to modify 
messages, only the last signature is significant.


>> Mailman should know about your setting in order to skip From: munging in the 
>> copies sent to you.  Currently, the copies sent to pipermail for archiving 
>> seem to be non-munged, so this functionality exists.
> 
> do you mean I can turn off From: munging in mail sent to me?


Mailman options[†] don't include something like

    *From munging*:

    Set this option to /Disabled/ to receive messages with the original From:
    line intact.  Keep in mind that disabling this option will fail DMARC, so
    keep it enabled unless your MTA either doesn't check DMARC or accepts ARC
    overrides.

It doesn't seem difficult to implement.  It requires trusting the users, 
though.  I'm going to ask Mailman developers.


Best
Ale
-- 

[*] https://metacpan.org/pod/Mail::DKIM::ARC::Verifier
[†] https://lists.isc.org/mailman/options/bind-users
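The trust rule discussed in this message (a receiver has to trust every domain in the ARC chain, and only then should arc=pass override dmarc=fail with p=reject) is small enough to model directly. The following Python is an added example and is not code from any participant in this thread, nor from opendmarc, openarc or Mail::DKIM. It does no cryptographic verification of the seals (that is the job of the verifier tools mentioned above); it only parses the ARC-Seal tag lists and an Authentication-Results line, rebuilds the chain in the same form as opendmarc's arc.chain (`isc.org:isc.org:isc.org`), checks the instance numbering and cv= tags that RFC 8617 requires, and applies the override. The header block, selector and signature values are constructed placeholders, and `disposition()` is a simplified receiver policy, not opendmarc's actual DomainWhitelist behaviour.

```python
import re

# Constructed sample (not a real isc.org message): three ARC sets, all sealed by
# d=isc.org, matching the arc.chain="isc.org:isc.org:isc.org" seen in the thread.
# Selector and b=/bh= values are placeholders; nothing here is verifiable.
SAMPLE_HEADERS = (
    "ARC-Seal: i=3; a=rsa-sha256; cv=pass; d=isc.org; s=SELECTOR;\r\n"
    " b=PLACEHOLDER3\r\n"
    "ARC-Message-Signature: i=3; a=rsa-sha256; d=isc.org; s=SELECTOR;\r\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=isc.org; s=SELECTOR; b=PLACEHOLDER2\r\n"
    "ARC-Seal: i=1; a=rsa-sha256; cv=none; d=isc.org; s=SELECTOR; b=PLACEHOLDER1\r\n"
    "Authentication-Results: mx.example.net; dmarc=fail (p=reject)"
    " header.from=example.org; arc=pass\r\n"
    "From: Someone via bind-users <bind-users@lists.isc.org>\r\n"
)


def unfold_headers(raw):
    """Split a header block into (name, value) pairs, joining folded lines."""
    fields = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:  # continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_tags(value):
    """Parse 'tag=value; tag=value' (DKIM/ARC tag-list syntax) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            tags[key.strip()] = val.strip()
    return tags


def arc_chain(fields):
    """Return the sealing domains ordered i=1..n, like opendmarc's arc.chain.

    Raises ValueError when instance numbers are not contiguous or the cv= tags
    are inconsistent (RFC 8617: i=1 carries cv=none, every later set cv=pass).
    """
    seals = {}
    for name, value in fields:
        if name == "arc-seal":
            tags = parse_tags(value)
            seals[int(tags["i"])] = tags
    if not seals:
        return []
    n = max(seals)
    if sorted(seals) != list(range(1, n + 1)):
        raise ValueError("ARC instance numbers are not contiguous")
    for i, tags in seals.items():
        expected = "none" if i == 1 else "pass"
        if tags.get("cv") != expected:
            raise ValueError(f"ARC-Seal i={i} has cv={tags.get('cv')}, expected {expected}")
    return [seals[i]["d"] for i in range(1, n + 1)]


def chain_is_trusted(chain, trusted_domains):
    """Every domain that modified the message must be trusted, not just the last."""
    return bool(chain) and all(d in trusted_domains for d in chain)


def auth_results(fields):
    """Pull dmarc=, its p= policy and arc= out of the Authentication-Results field."""
    for name, value in fields:
        if name != "authentication-results":
            continue
        dmarc = re.search(r"\bdmarc=(\w+)", value)
        policy = re.search(r"\bp=(\w+)", value)
        arc = re.search(r"\barc=(\w+)", value)
        return (dmarc.group(1) if dmarc else "none",
                policy.group(1) if policy else "none",
                arc.group(1) if arc else "none")
    return ("none", "none", "none")


def disposition(raw_headers, trusted_domains):
    """Simplified receiver policy: a fully trusted ARC pass overrides a DMARC fail."""
    fields = unfold_headers(raw_headers)
    dmarc, policy, arc = auth_results(fields)
    if dmarc == "pass":
        return "accept"
    if arc == "pass" and chain_is_trusted(arc_chain(fields), trusted_domains):
        return "accept"  # the arc=pass override the thread expects
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "accept")


if __name__ == "__main__":
    print(":".join(arc_chain(unfold_headers(SAMPLE_HEADERS))))  # isc.org:isc.org:isc.org
    print(disposition(SAMPLE_HEADERS, {"isc.org"}))  # accept
    print(disposition(SAMPLE_HEADERS, set()))  # reject
```

With isc.org in the trusted set the sample is accepted despite dmarc=fail p=reject; with an empty trusted set the DMARC policy stands and the message is rejected. Because `chain_is_trusted` requires every sealer to be trusted, a chain such as `isc.org:other.example:isc.org` would not qualify for the override unless `other.example` were listed too, which is the point made above about trusting all domains that applied modifications.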