On 26 Mar 2019, at 13:39, Ralph Seichter wrote:
* Bill Cole:
Hence I wrote "break existing DKIM signatures".
Which is not a bad thing, in this context.
The OP made no mention of implementing DMARC himself, just modifying
headers.
It's not about whether the list operator implements DMARC or DKIM.
Consider list members Alice and Bob:
Alice's domain has a p=reject DMARC policy.
Bob's mail provider honors p=reject DMARC policies.
Without From munging:
Alice sends a message to the list which gets signed by her domain on
the way out and passed to the list operator.
The list operator does something to the message that breaks the DKIM
signature.
The list server tries to deliver the message to Bob, whose provider
rejects the message due to Alice's domain in the From header.
With From munging:
Alice sends a message to the list which gets signed by her domain on
the way out and passed to the list operator.
The list operator does something to the message that breaks the DKIM
signature.
The list operator replaces the address in the From header with the
list submission address.
The list server tries to deliver the message to Bob, whose provider
accepts the message.
One solution would be to not break DKIM signatures. However, this is
harder than it seems. For example, I see 24 recent DKIM-signed messages
from you to 3 different mailing lists that we both use. 6 have broken
signatures, all of those on 2 lists where not all of your messages have
broken signatures. I have no idea why the signatures broke.
In that scenario, I consider breaking existing signatures a bad
thing. I am aware of alignment mechanics, but I see that tools like
SpamAssassin or Rspamd score signature (mis)matches individually, not
only in the context of DMARC policies.
True. The convenience of having content scanners validate an aligned
signature has value. Unfortunately, the cost of NOT munging From for
list operators is either a large number of rejections at the outbound
border OR a constant battle with the DKIM-breaking edge and corner cases
of their particular mail-handling stack and its various configurations.
As far as I can tell, modifying headers alone does not resolve the
OP's
issues. By the way, I have recently started evaluating Mailman 3,
which
comes with some interesting features re DMARC:
https://mailman.readthedocs.io/en/latest/src/mailman/rules/docs/dmarc-mitigation.html
Mailman 2.1.x has similar features. You'll note that the mitigations
available are: discard, reject, munge the From header, or embed the
signed message with its pristine headers in a new message using a munged
From header on the wrapper. None of these preserve an existing DKIM
signature in a generally useful form on a delivered message.
It would have been nice if the DKIM spec had defined the 'relaxed'
canonicalizations for headers and bodies more robustly but that can't be
fixed now.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
