>The way I read the specification ....
>Either SPF or DKIM has to align, then the test passes.

This is right. But IMHO it makes no sense. If either the SPF or the DKIM 
alignment fails - or either of the two ASSP SPF/DKIM checks fails - ASSP's 
DMARC check will fail. This is the current ASSP implementation.

>Final disposition of a message is always a matter of local policy.

Call it "the ASSP local policy" - both have to match/align.

Is there any good reason why a mail from a BAD sender (by the SPF record 
of the mail domain) should be considered to pass if DKIM is OK?
or
Is there any good reason why a mail from a BAD sender (by the DKIM records 
of the mail domain) should be considered to pass if SPF is OK?

The DMARC check in ASSP is an additional spam protection check based on 
the assumption that nobody who published an SPF record and DKIM records 
(_adsp) and a DMARC record will send mails which break these rules.
Even if our final blocking/pass rule is not 100% RFC-conformant - the 
DMARC reports are correct.

Let's see if this implementation will lead to false positives (blocked 
good mails). I think it will not, and currently I have not got a single 
related report from ~700 installations using the new code.

However - this issue is added to my watchlist.

Thomas


 




From:    fr...@web.de
To:      assp-test@lists.sourceforge.net
Date:    16.10.2018 13:28
Subject: Re: [Assp-test] DMARC Alignment



I think with the new version, DMARC alignment checks are still implemented 
wrongly:
Now I get a DMARC fail when there is an SPF entry that aligns and no DKIM 
signature.

The way I read the specification (and the way the dmarc module produces 
results) is: Either SPF or DKIM has to align, then the test passes.
The dmarc module even passes the check if, for example, SPF passes and 
aligns and DKIM fails. But I'm not 100% sure if that's the correct way.
 
From: https://tools.ietf.org/html/rfc7489#section-6.6.2
 
5.  Conduct Identifier Alignment checks.  With authentication checks
       and policy discovery performed, the Mail Receiver checks to see
       if Authenticated Identifiers fall into alignment as described in
       Section 3.  If one or more of the Authenticated Identifiers align
       with the RFC5322.From domain, the message is considered to pass
       the DMARC mechanism check...
...

DMARC evaluation can only yield a "pass" result after one of the
   underlying authentication mechanisms passes for an aligned
   identifier...
... 
Final disposition of a message is always a matter of local policy.
   An operator that wishes to favor DMARC policy over SPF policy, for
   example, will disregard the SPF policy, since enacting an
   SPF-determined rejection prevents evaluation of DKIM; DKIM might
   otherwise pass, satisfying the DMARC evaluation.
...
 
Sent: Wednesday, 03 October 2018 at 11:30
From: "Thomas Eckardt" <thomas.ecka...@thockar.com>
To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Subject: Re: [Assp-test] DMARC Alignment
>Does ASSP actually check alignment when using DMARC?

Currently only for 'adkim'. The 'aspf' alignment check will be implemented 
in a later release.

>There also exists a DMARC module for Perl. One could probably use that 
>(we're already using modules for DKIM and SPF, so why not).

DMARC is implemented in ASSP V2 since 2012, the first trial version of 
Mail::DMARC was published in 2013.
I don't have the time to rewrite the complete ASSP DMARC code only to use 
this module and maybe to have some small improvements (e.g. send reports 
using http).
At the end, using this module would be problematic because it is unable to 
adopt authentication results from ARC-signatures and other authentication 
headers.

Thomas





From:    fr...@web.de
To:      assp-test@lists.sourceforge.net
Date:    02.10.2018 12:34
Subject: [Assp-test] DMARC Alignment


Does ASSP actually check alignment when using DMARC?
 
I've sent a mail through ASSP with an obviously fake "From:" header. The 
(header) domain has a DMARC entry, ASSP reports "DMARC pass".
If this was checked like the specification asks us to, it should not pass.

I've briefly looked inside the code and did not find anything that points 
in the direction of alignment checking.
Is this a desired behaviour so we don't get too many false positives? If 
that's the case I think it would be nice to have an option for the user to 
enable alignment checks.
There also exists a DMARC module for Perl. One could probably use that 
(we're already using modules for DKIM and SPF, so why not).
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************
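
Added example, not part of the thread and not ASSP or Mail::DMARC code: the two verdicts discussed above, the RFC 7489 rule (one aligned, passing identifier is enough) and the stricter "both must pass and align" local policy, run side by side on constructed messages. The names, the sample domains and the two-label Organizational Domain shortcut are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers use a public suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: Optional[str], from_domain: str, mode: str = "r") -> bool:
    """'s' (strict) needs an exact match, 'r' (relaxed) the same Organizational Domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    from_domain: str            # RFC5322.From domain
    spf_result: str             # "pass", "fail", "none", ...
    spf_domain: Optional[str]   # domain SPF authenticated (RFC5321.MailFrom)
    dkim_result: str            # "pass", "fail", "none"
    dkim_domain: Optional[str]  # d= of the signature, None if unsigned

def aligned_passes(r: AuthResults, aspf: str = "r", adkim: str = "r"):
    spf = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    return spf, dkim

def dmarc_rfc7489(r: AuthResults, aspf: str = "r", adkim: str = "r") -> str:
    # RFC 7489 section 6.6.2: one aligned, passing identifier is enough.
    return "pass" if any(aligned_passes(r, aspf, adkim)) else "fail"

def dmarc_both_required(r: AuthResults, aspf: str = "r", adkim: str = "r") -> str:
    # Stricter local policy as described in the thread: both must pass and align.
    return "pass" if all(aligned_passes(r, aspf, adkim)) else "fail"

# Constructed sample messages (not taken from real traffic).
SAMPLES = {
    "spf_aligned_no_dkim": AuthResults("example.org", "pass", "mail.example.org", "none", None),
    "spf_aligned_dkim_fail": AuthResults("example.org", "pass", "example.org", "fail", "example.org"),
    "forged_from": AuthResults("example.org", "pass", "bulk.example.net", "none", None),
    "both_aligned": AuthResults("example.org", "pass", "example.org", "pass", "example.org"),
}

def compare():
    return {name: (dmarc_rfc7489(r), dmarc_both_required(r)) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (rfc, strict) in compare().items():
        print(f"{name:24} rfc7489={rfc:5} both_required={strict}")
```

The forged "From:" case fails under both rules because SPF passed for a domain that does not align; the two rules differ only when exactly one identifier passes and aligns.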
