On Mon 20/Feb/2023 09:13:30 +0100 Benny Pedersen wrote:
> Alessandro Vesely via mailop wrote on 2023-02-20 08:47:
>> The point of ARC is to report authentication results. A post having
>> only spf=pass becomes unauthenticated after the first hop.
>
> incorrect, next hop can use spf as well, or not

Both RFC 7208 Section 2.5 and RFC 7001 Appendix D recommend that authentication
be carried out at border MTAs. But then, I didn't delve into how Mailman 3
implements ARC. I just referred to the considerations that Prof. Stephen J.
Turnbull explained to me.

>> Right. Ditto for DMARC rejects/quarantine, which I don't think many
>> ML receivers honor.
>
> DMARC is greedy, if DKIM is broken, to avoid DKIM problems if needed to post
> to ml could be to configure dkim to be in test mode, ensuring mails are not
> rejected based just on dkim fails, mailman can do this policy to not accept non
> testing mode in dkim, its design fails that dkim should be used as a reject
> factor :(

In theory, failed DKIM signatures should be just ignored. Ditto for testing
mode signatures, whether failed or not. In practice, receivers treat
authentication as just a factor to compute the overall worthiness of a message.

> back to DMARC, it should imho use ARC results to know if original sender did
> have dkim pass and spf pass, and make results based on it, then it's no matter
> if mailman breaks dkim or not, since it would not matter for dmarc testing
> downstream, we can all raise the flag when developers of mailman know this :=)

The risk of accepting ARC results is that anyone can produce a fake ARC
chain, saying that a message was received from whomever they like with good SPF
and DKIM authentication.

DMARC doesn't say that a verified ARC chain is a valid authentication. Some
receivers trust it. To check, create a subdomain with p=reject, compose a
message, DKIM sign it, modify it so as to break the signature, ARC seal it and
send it from an IP not authorized by the subdomain. If it passes, the target
domain accepts your ARC seals. Otherwise, you need to munge From:.
Best
Ale
--
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
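Added example (Python; not code from the thread, from Mailman or from any ARC library): the trust-policy step a receiver needs before it lets ARC results override a DMARC failure, which is the gap the exchange above turns on. It assumes an ARC verifier has already validated the seals cryptographically; the ARC headers, domains and trusted-sealer set are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample: set i=1 sealed by a list host, i=2 by a forwarder; domains and b= values are placeholders.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=forwarder.example; s=s1; b=BBBB
ARC-Authentication-Results: i=2; forwarder.example; dkim=fail header.d=sender.example; spf=pass smtp.mailfrom=list.example
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=list.example; s=s1; b=AAAA
ARC-Authentication-Results: i=1; list.example; dkim=pass header.d=sender.example; spf=pass smtp.mailfrom=sender.example
From: user@sender.example

body
"""

def arc_sets(raw):
    """Map ARC instance number i -> {'seal': tag dict, 'aar': raw AAR value}."""
    msg = message_from_string(raw)
    sets = {}
    for v in msg.get_all("ARC-Seal", []):
        tags = dict(t.strip().split("=", 1) for t in v.split(";") if "=" in t)
        sets.setdefault(int(tags["i"]), {})["seal"] = tags
    for v in msg.get_all("ARC-Authentication-Results", []):
        sets.setdefault(int(re.match(r"\s*i=(\d+)", v).group(1)), {})["aar"] = v
    return sets

def original_auth_results(raw, trusted_sealers):
    """Return the first hop's results {'dkim', 'dkim_d', 'spf'} only when the chain
    is complete, marked cv=none at i=1 and cv=pass afterwards, and every sealer is
    on the trusted list; otherwise None.  Assumes seal signatures were verified already."""
    sets = arc_sets(raw)
    if not sets or sorted(sets) != list(range(1, len(sets) + 1)):
        return None
    for i in range(1, len(sets) + 1):
        seal, aar = sets[i].get("seal"), sets[i].get("aar")
        if (seal is None or aar is None
                or seal.get("d", "").lower() not in trusted_sealers  # anyone can forge a chain
                or seal.get("cv") != ("none" if i == 1 else "pass")):
            return None
    aar = sets[1]["aar"]
    dkim = re.search(r"dkim=(\w+)(?:\s+header\.d=([\w.-]+))?", aar)
    spf = re.search(r"spf=(\w+)", aar)
    return {"dkim": dkim.group(1) if dkim else "none",
            "dkim_d": (dkim.group(2) or "").lower() if dkim else "",
            "spf": spf.group(1) if spf else "none"}

def dmarc_override(raw, trusted_sealers, from_domain):
    """True if a local DMARC failure (e.g. DKIM broken by the list) may be overridden
    because a trusted first hop recorded a DKIM pass aligned with the From: domain."""
    res = original_auth_results(raw, trusted_sealers)
    return res is not None and res["dkim"] == "pass" and res["dkim_d"] == from_domain.lower()
```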