[opendmarc-users] On opendmarc-users at trusteddomain.org

Дилян Палаузов dilyan.palauzov at aegee.org
Sat Jun 15 05:45:29 PDT 2019 

Hello,

it is ridiculous that a mailing list for discussing a DMARC product has problems with DMARC handling.

The MLM could have rejected the message, or rewrite From:, but doing nothing implies that the message will not reach the
subscribers and this is foreseenable by the MLM.

Regards
  Дилян

On Fri, 2019-06-14 at 13:31 +0200, Juri Haberland wrote:
> On 14/06/2019 13:03, Дилян Палаузов wrote:
> > Hello,
> > 
> > this week I received answers from juri at sapienti-sat.org over opendmarc-users at trusteddomain.org, but the questions from 
> > lefty at spes.gr were rejected due faild DMARC validations.
> > 
> > As a matter of fact, all mails contain:
> > 
> > DKIM-Filter: OpenDKIM Filter v2.10.2 medusa.blackops.org x5DLIawD066933
> > 
> > and the develop branch of OpenDKIM is known to fix problems, that are still present in OpenDKIM 2.10.3 (e.g. wrong
> > relaxed canonicalization of headers, that have new line immediately after the colon).
> > 
> > As a matter of fact, the mailing list manager inserts the header:
> > 
> > Authentication-Results: medusa.blackops.org;
> >         dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=spes.gr header.i=@spes.gr
> > header.b=JuP1fun8; dkim-atps=neutral
> > 
> > and keeps the RFC5822.From: From: Lefteris Tsintjelis <lefty at spes.gr> header.  The DMARC policy for spes.gr is Reject. 
> > Once the email is sent over alternative IP address it is only logical that this email will not reach the subscribers of
> > this mailing list, which have deployed OpenDMARC.
> 
> The Problem is not the version of OpenDKIM at medusa.blackops.org. It is
> the list manager (Mailman) that rewrites the Subject header and adds a
> footer to the body. This invalidates the DKIM signature. And yes, this is
> exactly the problem where DMARC currently has and why the ARC protocol is
> currently in development. Best action a list curently can do is either to
> stop altering Subject and/or body or to rewrite the From to take ownership
> of the message.
> 
> Another possibility is to add a patch
> (https://sourceforge.net/p/opendmarc/tickets/180/) to OpenDMARC that gives
> you the possibility to whitelist mails from list servers that are known to
> invalidate the DKIM signature (that's what I do).
> 
> 
> Cheers,
>   Juri
> _______________________________________________
> opendmarc-users mailing list
> opendmarc-users at trusteddomain.org
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users

More information about the opendmarc-users mailing list