Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Noel Butler via dovecot
On 11/02/2019 09:48, Michael A. Peters via dovecot wrote:

> On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote:
>
>> On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
>>
>>> On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
>>>
>>>> fixing mailman will be the fail, solve it by letting opendkim and opendmarc
>>>> not reject detected maillist will be solution,
>>>
>>> A general broad mailing list whitelist will be problematic, do work it needs
>>> to look for specific list type hidden headers,  spammers and nasties will
>>> incorporate those headers into their trash that impersonates mailing lists
>>> and voila, they pass.
>>
>> However the majority of spammers do not spam with a properly configured
>> Reverse DNS - so detect the list header and skip DMARC if list headers
>> are present AND Reverse DNS matched the HELO/EHLO
>
> Also, DMARC isn't really anti-spam technology, it's anti-spoof
> technology.
>
> Rather than fake mail list headers, spammers will just use domains w/o a
> DMARC policy. Much easier.

I know you're just nitpicking, but what the hell, I've got a few minutes
before my meeting.

Anti-spoofing is also anti-spam: most legit emailers don't spoof, bad
guys love to, so anything that reduces noise in email can be considered
"anti spam".

Postfix ACLs, DNSBLs, milters, antivirus, spamassassin, SPF, DKIM,
whatever ... they all work to reduce noise and that's all the end users
care about.

-- 
Kind Regards, 

Noel Butler 

This Email, including any attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the authors express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents

 

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument

Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Noel Butler via dovecot

On 11/02/2019 09:46, Michael A. Peters via dovecot wrote:

> However the majority of spammers do not spam with a properly configured
> Reverse DNS - so detect the list header and skip DMARC if list headers
> are present AND Reverse DNS matched the HELO/EHLO

A hell of a lot do, though (this is pretty average percentages here)

  Accepted                         70.07%
  Rejected                         29.93%
  ---------------------------------------
  Total                           100.00%

  5xx Reject relay denied           4.27%
  5xx Reject unknown user           7.93%
  5xx Reject sender address         7.32%
  5xx Reject unknown client host   52.44%
  5xx Reject RBL                    3.66%
  5xx Reject milter                24.39%
  ---------------------------------------
  Total 5xx Rejects               100.00%

unknown client host was as high as 95% up till about 10 years ago, so they
are slowly learning.

--
Kind Regards,

Noel Butler



Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Michael A. Peters via dovecot

On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote:

> On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
>
>> On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
>>
>>> fixing mailman will be the fail, solve it by letting opendkim and
>>> opendmarc not reject detected maillist will be solution,
>>
>> A general broad mailing list whitelist will be problematic, do work it
>> needs to look for specific list type hidden headers,  spammers and
>> nasties will incorporate those headers into their trash that
>> impersonates mailing lists and voila, they pass.
>
> However the majority of spammers do not spam with a properly configured
> Reverse DNS - so detect the list header and skip DMARC if list headers
> are present AND Reverse DNS matched the HELO/EHLO

Also, DMARC isn't really anti-spam technology, it's anti-spoof technology.

Rather than fake mail list headers, spammers will just use domains w/o a 
DMARC policy. Much easier.


Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Michael A. Peters via dovecot

On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:

> On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
>
>> fixing mailman will be the fail, solve it by letting opendkim and
>> opendmarc not reject detected maillist will be solution,
>
> A general broad mailing list whitelist will be problematic, do work it
> needs to look for specific list type hidden headers,  spammers and
> nasties will incorporate those headers into their trash that
> impersonates mailing lists and voila, they pass.


However the majority of spammers do not spam with a properly configured 
Reverse DNS - so detect the list header and skip DMARC if list headers 
are present AND Reverse DNS matched the HELO/EHLO




Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Noel Butler via dovecot
On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:

> fixing mailman will be the fail, solve it by letting opendkim and opendmarc 
> not reject detected maillist will be solution,

A general broad mailing list whitelist will be problematic; to work it
needs to look for specific list type hidden headers, spammers and
nasties will incorporate those headers into their trash that
impersonates mailing lists and voila, they pass. There is no quick and
easy fix to the dmarc mess other than p=none aspf=s (DKIM is another one
that gets narky at lists, and despite all the spf haters' dreams, I've
never had a problem with spf and lists, and we were an early beta
adopter of spf)

-- 
Kind Regards, 

Noel Butler 


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-10 Thread Aki Tuomi via dovecot


> On 10 February 2019 at 00:28 "A. Schulze via dovecot"  
> wrote:
> 
> 
> 
> 
> Am 09.02.19 um 19:56 schrieb Aki Tuomi via dovecot:
> > I'll review the settings when we manage to upgrade to mailman3
> 
> Hello Aki,
> 
> before updating to mailman3 consider an simpler update to latest mailman2.
> 
> you're using 2.1.15, current mailman2 is 2.1.29
> Your missing an /significant amount/ of DMARC fixes!
> 
> and: more off-topic:
> while my messages *to* the dovecot list are sent using STARTTLS,
> messages *from*  wursti.dovecot.fi are sent without encryption.
> any reason to stay on unencrypted SMTP?
> 
> Andreas
>

Received: from talvi.dovecot.org (talvi.dovecot.org [94.237.25.159])
by mail.dovecot.fi (Postfix) with ESMTPS id 7EE3B2B3C9C;
Sun, 10 Feb 2019 00:29:15 +0200 (EET)

ESMTPS indicates that TLS was used. Also I took the trouble to check the 
maillogs from talvi to verify that your mail was delivered using TLS.

Aki


Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-09 Thread Benny Pedersen via dovecot

Noel Butler via dovecot wrote on 2019-02-10 01:51:

> ... and surely he does not expect those with a million plus users sit
> here and whitelist the million plus mailing lists that exist around
> the world, heh, like that's going to happen :)

fixing mailman will be the fail, solve it by letting opendkim and
opendmarc not reject detected maillist will be solution, even if openarc
comes or not, in cpan Mail::Milter::Authenticated it's solved, but who
uses it other than fastmail.fm ? :=)


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Benny Pedersen via dovecot

A. Schulze via dovecot wrote on 2019-02-09 23:28:

> On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
>
>> I'll review the settings when we manage to upgrade to mailman3
>
> before updating to mailman3 consider a simpler update to latest
> mailman2.

will any of this implement openarc sealing ? :=)

> you're using 2.1.15, current mailman2 is 2.1.29
> You're missing a /significant amount/ of DMARC fixes!

we're all missing the point of missing opendmarc that can test for openarc
sealing and be done with all the mess :(

or add a wiki to opendkim to make it autodetect maillists just like cpan
Mail::Milter::Authenticated does it

if it can't be done in opendkim lua we lose all

> and: more off-topic:
> while my messages *to* the dovecot list are sent using STARTTLS,
> messages *from*  wursti.dovecot.fi are sent without encryption.
> any reason to stay on unencrypted SMTP?

maybe same reason dovecot has an mx record ? :=)

but good catch if in ip is same as out ip


Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-09 Thread Noel Butler via dovecot
On 10/02/2019 07:38, Ralph Seichter via dovecot wrote:

> * Juri Haberland via dovecot:
> 
>> Blindly enabling DMARC checks without thinking about the consequences
>> for themselves should not be the problem of other well behaving
>> participants.
> 
> Can you judge if DMARC is enabled "blindly"? No, I thought not. Also,
> the issue was not on the receiving end, but the reject policy for the
> originating domain.
> 
> Personally, I choose to treat "reject" as if it was "quarantine",
> i.e. affected mail is rerouted to a specific folder.
> 
>> And Aki, please go back to "munge only if needed" - munging all
>> messages leads to a really bad "user experience".
> 
> Only speak for yourself please.
> 
> -Ralph

+1 (for entire post)

... and surely he does not expect those with a million plus users sit
here and whitelist the million plus mailing lists that exist around the
world, heh, like that's going to happen :)

-- 
Kind Regards, 

Noel Butler 


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread A. Schulze via dovecot



On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
> I'll review the settings when we manage to upgrade to mailman3

Hello Aki,

before updating to mailman3 consider a simpler update to latest mailman2.

you're using 2.1.15, current mailman2 is 2.1.29
You're missing a /significant amount/ of DMARC fixes!

and: more off-topic:
while my messages *to* the dovecot list are sent using STARTTLS,
messages *from*  wursti.dovecot.fi are sent without encryption.
any reason to stay on unencrypted SMTP?

Andreas



Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-09 Thread Ralph Seichter via dovecot
* Juri Haberland via dovecot:

> Blindly enabling DMARC checks without thinking about the consequences
> for themselves should not be the problem of other well behaving
> participants.

Can you judge if DMARC is enabled "blindly"? No, I thought not. Also,
the issue was not on the receiving end, but the reject policy for the
originating domain.

Personally, I choose to treat "reject" as if it was "quarantine",
i.e. affected mail is rerouted to a specific folder.

> And Aki, please go back to "munge only if needed" - munging all
> messages leads to a really bad "user experience".

Only speak for yourself please.

-Ralph


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Juri Haberland via dovecot
On 09/02/2019 20:13, Michael A. Peters via dovecot wrote:
> On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:

>> Most people use OpenDMARC and there are patches to mark certain hosts as
>> mailing lists senders, so it is possible.
> 
> can you please let me know where to find those patches?

https://sourceforge.net/p/opendmarc/tickets/180/

Also have a look at http://batleth.sapienti-sat.org/projects/opendmarc/.

I have an Ubuntu-PPA where you can get a package with all of the above
patches (https://launchpad.net/~haberland/+archive/ubuntu/opendmarc).


Cheers,
  Juri


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Michael A. Peters via dovecot

On 2/9/19 11:13 AM, Michael A. Peters via dovecot wrote:

> On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:
>
> *snip*
>
> Honestly I was sort of tempted to try and create my own DMARC validator
> (I was thinking one daemon that does both DKIM and DMARC - for postfix,
> Exim has DKIM native but I only use Exim for submission) that tried to
> sniff Mailman and not enforce it but it looks like it would be very time
> consuming.


What I wanted to do was sniff Mailman in headers and, if it was sent by
mail, reject if reverse DNS didn't match HELO/EHLO and whitelist from
OpenDMARC enforcement if it did. That would prevent most spoofed mail that
tried to look like Mailman, since spoofed mail rarely has reverse DNS
properly set up but Mailman admins tend to.
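The decision rule described in the post above, written out as an added example (not code from this thread or from OpenDMARC): a message is exempted from DMARC enforcement only when it carries mailing-list headers and the connecting host's reverse DNS matches its HELO/EHLO name; list headers without a matching PTR are treated as a forgery. The header names, the PTR table and the sample messages are constructed assumptions so the example runs offline.

```python
from email import message_from_string
from email.message import Message

# Headers that list managers such as Mailman add to every relayed post.
# Assumption: any one of these marks the message as "looks like a list".
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "X-Mailman-Version")

# Constructed PTR table standing in for a real reverse-DNS lookup.
# 198.51.100.7 deliberately has no PTR record.
PTR_TABLE = {"192.0.2.10": ["lists.example.org."]}


def fake_ptr_lookup(ip):
    """Offline stand-in for a PTR query; returns a list of names."""
    return PTR_TABLE.get(ip, [])


def has_list_headers(msg: Message) -> bool:
    """True if the message carries at least one mailing-list header."""
    return any(msg.get(h) is not None for h in LIST_HEADERS)


def rdns_matches_helo(client_ip: str, helo: str, ptr_lookup) -> bool:
    """True when a PTR name of the connecting IP equals the HELO/EHLO name
    (case-insensitive, trailing dot ignored)."""
    want = helo.rstrip(".").lower()
    return any(n.rstrip(".").lower() == want for n in ptr_lookup(client_ip))


def dmarc_disposition(raw: str, client_ip: str, helo: str,
                      ptr_lookup=fake_ptr_lookup) -> str:
    """Decide how DMARC enforcement applies to one inbound message:
    'enforce' - no list headers: apply the sender domain's policy as usual
    'skip'    - list headers and rDNS matches HELO: exempt from enforcement
    'reject'  - list headers but rDNS does not match HELO: treat as forged
    """
    msg = message_from_string(raw)
    if not has_list_headers(msg):
        return "enforce"
    if rdns_matches_helo(client_ip, helo, ptr_lookup):
        return "skip"
    return "reject"


# Constructed sample: a post relayed by a Mailman list (only headers matter).
LIST_MAIL = """\
From: alice@example.net
To: users@lists.example.org
Subject: [users] test
List-Id: users <users.lists.example.org>
List-Post: <mailto:users@lists.example.org>
X-Mailman-Version: 2.1.29

hello
"""

# Constructed sample: ordinary direct mail with no list headers.
PLAIN_MAIL = """\
From: alice@example.net
To: bob@example.com
Subject: test

hello
"""

if __name__ == "__main__":
    print(dmarc_disposition(LIST_MAIL, "192.0.2.10", "lists.example.org"))    # skip
    print(dmarc_disposition(LIST_MAIL, "198.51.100.7", "lists.example.org"))  # reject
    print(dmarc_disposition(PLAIN_MAIL, "198.51.100.7", "mail.example.net"))  # enforce
```

As the thread notes further on, the exemption only ever matters for sender domains that publish a DMARC policy; mail from domains without one is not subject to enforcement in the first place.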


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Michael A. Peters via dovecot

On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:

> On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
>
>> For some reason mailman failed to "munge from" for senders with dmarc policy ;(
>>
>> It's now configured to always munge to avoid this again.
>
> I'd say, let Mailman throw all people off the list that have enabled DMARC
> checking without using exceptions for the lists they are on. It's a known
> fact that DMARC does not cope well with mailing lists. Blindly enabling
> DMARC checks without thinking about the consequences for themselves should
> not be the problem of other well behaving participants.
>
> Most people use OpenDMARC and there are patches to mark certain hosts as
> mailing lists senders, so it is possible.

can you please let me know where to find those patches?

I ran DMARC in testing on one domain and had to disable it because over 
95% of the reports were false positives from mailing lists, and the few 
that were genuine spoofed would have easily been caught by spam/malware 
filters anyway.


However a project I am working on, DMARC is highly desired. Designing a 
white-list for known mailing lists is something I want to do.


Honestly I was sort of tempted to try and create my own DMARC validator 
(I was thinking one daemon that does both DKIM and DMARC - for postfix, 
Exim has DKIM native but I only use Exim for submission) that tried to 
sniff Mailman and not enforce it but it looks like it would be very time 
consuming.




Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Juri Haberland via dovecot
On 09/02/2019 19:56, Aki Tuomi via dovecot wrote:
> On 09 February 2019 at 20:48 Juri Haberland via dovecot <dovecot@dovecot.org> wrote:

>> Most people use OpenDMARC and there are patches to mark certain hosts as
>> mailing lists senders, so it is possible.

> Wonder how many would do this though?

Yeah, unfortunately not enough...

>> And everyone using p=reject should think about it as well - as I said,
>> DMARC does not play well with mailing lists, so setting p=reject on a
>> domain used to participate on mailing lists is not wise, to say the least.
>> You should not follow Yahoo and AOL - you know, why they did it, don't you?

> Unfortunately this is usually required by many common providers such as 
> microsoft and google, otherwise they refuse your mail.

That is definitely not true. They might require you to have DKIM and/or SPF
and maybe even a DMARC policy, but they definitely don't require p=reject!
Most of my domains have p=none and our mails are accepted by all major
providers...

> Hope you understand .

Understood. Had to write that mail anyway ;-)

  Juri



Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Aki Tuomi via dovecot

> On 09 February 2019 at 20:48 Juri Haberland via dovecot <dovecot@dovecot.org> wrote:
>
> On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
>
>> For some reason mailman failed to "munge from" for senders with dmarc policy ;(
>>
>> It's now configured to always munge to avoid this again.
>
> I'd say, let Mailman throw all people off the list that have enabled DMARC
> checking without using exceptions for the lists they are on. It's a known
> fact that DMARC does not cope well with mailing lists. Blindly enabling
> DMARC checks without thinking about the consequences for themselves should
> not be the problem of other well behaving participants.

The problem is that it would drop all gmail users for a start, which there are plenty of. Also judging from the amount of bounces we got it seemed like half the subscribers would drop out.

> Most people use OpenDMARC and there are patches to mark certain hosts as
> mailing lists senders, so it is possible.

Wonder how many would do this though?

> And everyone using p=reject should think about it as well - as I said,
> DMARC does not play well with mailing lists, so setting p=reject on a
> domain used to participate on mailing lists is not wise, to say the least.
> You should not follow Yahoo and AOL - you know, why they did it, don't you?

Unfortunately this is usually required by many common providers such as microsoft and google, otherwise they refuse your mail.

> And Aki, please go back to "munge only if needed" - munging all messages
> leads to a really bad "user experience".

It does not seem to work correctly. I'll review the settings when we manage to upgrade to mailman3

> Thanks.

Hope you understand.

Aki

> Back to lurking,
> Juri

---
Aki Tuomi




offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Juri Haberland via dovecot
On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
> For some reason mailman failed to "munge from" for senders with dmarc policy 
> ;(
> 
> It's now configured to always munge to avoid this again.

I'd say, let Mailman throw all people off the list that have enabled DMARC
checking without using exceptions for the lists they are on. It's a known
fact that DMARC does not cope well with mailing lists. Blindly enabling
DMARC checks without thinking about the consequences for themselves should
not be the problem of other well behaving participants.

Most people use OpenDMARC and there are patches to mark certain hosts as
mailing lists senders, so it is possible.

And everyone using p=reject should think about it as well - as I said,
DMARC does not play well with mailing lists, so setting p=reject on a
domain used to participate on mailing lists is not wise, to say the least.
You should not follow Yahoo and AOL - you know, why they did it, don't you?

And Aki, please go back to "munge only if needed" - munging all messages
leads to a really bad "user experience".

Thanks.


Back to lurking,
  Juri