On Tue, Aug 30, 2022 at 07:26:11PM +0200, Martijn van Duren wrote:
> On Tue, 2022-08-30 at 17:13 +0200, Alexandre Ratchov wrote:
> > Hi,
> >
> > For my $DAYJOB I had to please big mail corporations and configured
> > smtpd(8) to send DKIM-signed emails (also added SPF and DMARC
> > records). This was easy using instruction in the
> > opensmtpd-filter-dksim port and works fine to send messages to
> > bigmailcorp accounts.
> >
> > The mail server is used to manage few mailing lists using mlmmj. At
> > first glance, things appear to work:
> >
> > - The envelope address (aka smtp "mail from:" address or retrun-path)
> > matches the mailing list server domain (not sender address domain),
> > which has the proper SPF record.
>
> This should be fine, although for DMARC to be correct the "MAIL FROM:"
> and From-header should be in line, or else DMARC fails. So mailing
> lists will fail, unless you rewrite the from-header as well.
This is the part I'm unsure, I've found contradictory claims on the
internet.
I've found no such requirement in the RFC (see refs below) and the two
major bigmailcorps I've tested just work (say "dmarc=pass" in header
and/or user interface).
But I found many claims that the "MAIL FROM:" domain is required to
match the From-header domain. Maybe this requirement is only for list
servers that modify the original mail (to add a footer, drop
attachments, tweak headers, etc), which invalidates the orinal sender
DKIM signature. In turn a new DKIM signature is needed but as the list
server can only sign with its own domain, a new From-header with the
list server domain is needed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
refs & reasoning:
The rfc7489, sec. 6.6.2 [*] says the receiver does 3 things: (1) DKIM
signatures checks, (2) SPF checks and (3) "Identifier Alignement"
checks. The later is defined as:
"If one or more of the Authenticated Identifiers align with the
RFC5322.From domain, the message is considered to pass the
DMARC mechanism check. All other conditions (authentication
failures, identifier mismatches) are considered to be DMARC
mechanism check failures."
where "Identifier Alignment" is defined in sec. 3 as:
Identifier Alignment: When the domain in the RFC5322.From
address matches a domain validated by SPF or DKIM (or both),
it has Identifier Alignment.
In other words:
- sender IP must belong to HELO & MAIL FROM (to pass SPF)
- DKIM signatures must be valid (to pass DKIM)
- From-header must match the signature or the envelope (to pass DMARC)
Consequently, a "bounced" email should pass DMARC provided that the
mail body and signed headers are preserved. Indeed:
- IP of the relay would match the new envelope domain SPF record
- body & header are preserved, so original DKIM signature is valid
- From-header still matches the DKIM sign. so DMARC passes.
[*] https://www.rfc-editor.org/rfc/rfc7489.html#section-6.6
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> >
> > - Is there a way to make smtpd(8) add the DKIM signature only if the
> > sender domain is the local domain? (this would avoid the extra
> > irrelevant DKIM signature).
>
> filter-dkimsign is complex enough as it is. I don't really want to add
> too much more complexity. But if you make a strong enough case I'll
> certainly consider it.
please don't, simpler is better ;-)
