[opendmarc-users] On opendmarc-users at trusteddomain.org

Lefteris Tsintjelis lefty at spes.gr
Sat Jun 15 07:44:41 PDT 2019


On 15/6/2019 15:45, Дилян Палаузов wrote:
> Hello,
> 
> it is ridiculous that a mailing list for discussing a DMARC product has problems with DMARC handling.
> 
> The MLM could have rejected the message, or rewritten From:, but doing nothing implies that the message will not reach the
> subscribers and this is foreseeable by the MLM.

I agree. All emails that have a reject DMARC policy will never reach any 
DMARC enabled servers. It is a joke actually.

> On Fri, 2019-06-14 at 13:31 +0200, Juri Haberland wrote:
>> On 14/06/2019 13:03, Дилян Палаузов wrote:
>>> Hello,
>>>
>>> this week I received answers from juri at sapienti-sat.org over opendmarc-users at trusteddomain.org, but the questions from
>>> lefty at spes.gr were rejected due to failed DMARC validations.
>>>
>>> As a matter of fact, all mails contain:
>>>
>>> DKIM-Filter: OpenDKIM Filter v2.10.2 medusa.blackops.org x5DLIawD066933
>>>
>>> and the develop branch of OpenDKIM is known to fix problems, that are still present in OpenDKIM 2.10.3 (e.g. wrong
>>> relaxed canonicalization of headers, that have new line immediately after the colon).
>>>
>>> As a matter of fact, the mailing list manager inserts the header:
>>>
>>> Authentication-Results: medusa.blackops.org;
>>>          dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=spes.gr header.i=@spes.gr
>>> header.b=JuP1fun8; dkim-atps=neutral
>>>
>>> and keeps the RFC5822.From: From: Lefteris Tsintjelis <lefty at spes.gr> header.  The DMARC policy for spes.gr is Reject.
>>> Once the email is sent over alternative IP address it is only logical that this email will not reach the subscribers of
>>> this mailing list, which have deployed OpenDMARC.
>>
>> The problem is not the version of OpenDKIM at medusa.blackops.org. It is
>> the list manager (Mailman) that rewrites the Subject header and adds a
>> footer to the body. This invalidates the DKIM signature.

A mailing list about DMARC that invalidates and defeats its own purpose 
of security and authenticity of emails by invalidating DKIM 
signatures... this does not sound good now, does it!!! Needless to say 
that this problem should have been addressed a long time ago by the 
mailing list and it really does not compliment the list owner(s).

Regards,

Lefteris

>> And yes, this is
>> exactly the problem that DMARC currently has and why the ARC protocol is
>> currently in development. Best action a list currently can do is either to
>> stop altering Subject and/or body or to rewrite the From to take ownership
>> of the message.
>> Another possibility is to add a patch
>> (https://sourceforge.net/p/opendmarc/tickets/180/) to OpenDMARC that gives
>> you the possibility to whitelist mails from list servers that are known to
>> invalidate the DKIM signature (that's what I do).
>>
>>
>> Cheers,
>>    Juri
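
The failure discussed in this thread, as an added illustration (not part of the original messages, and not OpenDKIM, OpenDMARC or Mailman code): the sketch below computes the DKIM `bh=` body hash with relaxed canonicalization, shows that an appended list footer changes it, and then applies a simplified DMARC check with and without From rewriting. The domains `author.example` and `list.example`, the footer text and the function names are constructed; Subject rewriting (which breaks the header hash) and relaxed domain alignment are not modelled.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of whitespace to one space, strip whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in lines]
    while lines and lines[-1] == b"":
        lines.pop()                          # ignore empty lines at end of body
    return b"".join(l + b"\r\n" for l in lines)

def body_hash(body: bytes) -> str:
    """Value a verifier compares with the signature's bh= tag (rsa-sha256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def dmarc_disposition(from_domain, policy, dkim_pass_domains, spf_pass_domain):
    """Simplified DMARC: pass if any passing identifier matches the From
    domain exactly, otherwise apply the From domain's published policy."""
    aligned = from_domain in dkim_pass_domains or from_domain == spf_pass_domain
    return "pass" if aligned else policy

def via_list(body, signed_bh, footer, rewrite_from,
             author="author.example", author_policy="reject",
             list_domain="list.example", list_policy="none"):
    """Model a subscriber's verdict on a message relayed by a list.
    The list sends from its own IP, so SPF passes only for list_domain."""
    delivered = body + footer
    dkim_pass = {author} if body_hash(delivered) == signed_bh else set()
    if rewrite_from:
        # Assumption: the list puts its own domain in From and signs for it.
        dkim_pass.add(list_domain)
        return dmarc_disposition(list_domain, list_policy, dkim_pass, list_domain)
    return dmarc_disposition(author, author_policy, dkim_pass, list_domain)

if __name__ == "__main__":
    body = b"Hello list,\r\n\r\nquestion about OpenDMARC  \r\n"   # constructed
    footer = b"_______________\r\nlist footer (constructed)\r\n"
    bh = body_hash(body)
    print("unmodified relay:     ", via_list(body, bh, b"", False))
    print("footer, From kept:    ", via_list(body, bh, footer, False))
    print("footer, From rewritten:", via_list(body, bh, footer, True))
```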
