On 16/11/2023 18:47, Matus UHLAR - fantomas wrote:

Keeping header From: and DKIM signatures is perfectly fine, if ML does not modify the mail, which afaik is the default setting.

This also depends on how you set DKIM's canonicalization

There is also a mailman setting to remove existing DKIM sigs, so when you get the post, you should not see the OP sigs, which should have been verified by the mailing list server upon receipt of that message. This makes sense if ML modifies body and then replaces original From: with its own. In such a case a new signature for ML domain has to be created.

I'd like to repeat that *this* list does the former and it's perfectly OK.

I repeat, it depends upon canonicalization, like only if you set c=relaxed/relaxed. The fact this list does not modify the body by adding a footer also helps those who use relaxed/simple.

Anyone using simple/simple should have a DKIM fail and plenty use that setting, prior to July this year - when I was using this address on file with Federal Law Enforcement agencies for receiving shall we say certain formal requests ;) I used fully strict with simple/simple - as earlier posts on this list would show

dkim=fail reason="signature verification failed" (2048-bit key) header.d=ausics.net

I believe the issue lies in bad formulation of condition for fo:

1: Generate a DMARC failure report if any underlying
authentication mechanism produced something other than an
aligned "pass" result.

I've never had an fo=1 SPF failure report, because DKIM would pass, even when used on lists, I don't get them, my weekly reports do say we get plenty of DKIM unaligned, but no forensic reports, I used to get them when I posted to dovecot users, but I think Aki's fixed the settings as last couple posts I never got any forensic reports.

...I understand this as SPF unaligned with header From: should be reported for domain in header From:.

SPF should only check and report on envelope-sender/return-path, if and only if that does not exist it should use the EHLO domain, it should not care about From, last time I looked - a decade or so ago - it never did, but let's try something...

telnet mail.ausics.net 25
Trying 120.88.115.158...
Connected to mail.ausics.net.
Escape character is '^]'.
220 mail.ausics.net ESMTP Postfix - Hello, is there anybody in there, just nod if you can hear me, is there anyone at home
ehlo roswell.ausics.net
250-mail.ausics.net
250-PIPELINING
250-SIZE 51200000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
mail from:r...@ns2.ausics.net
250 2.1.0 Ok
rcpt to: noel.but...@ausics.net
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
From: mickeymo...@mi6.gov
To: noel.but...@ausics.net
Subject: rattrap

test
.
250 2.0.0 Ok: queued as 20350200097

..... Message passed, of course it got a rather high spam score for missing Date and a few other impersonate gov rules SA rules lol

It makes sense to report missing/unaligned DKIM.

Then set fo=d  :)

--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged information, therefore at all times remains confidential and subject to copyright protected under international law. You may not disseminate this message without the author's express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.
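
The canonicalization point discussed in the message above, as an added example that is not part of the original post: it implements the simple and relaxed header and body canonicalization rules from RFC 6376 and checks which c= settings leave the signed input unchanged after a relay touches the message. It compares canonicalized input only and does no RSA verification; the header, body and relay changes are constructed samples, and `survives` is a hypothetical helper name.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization, RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if lines[-1] == b"":
        lines.pop()                      # artifact of the final CRLF
    if mode == "relaxed":                # collapse WSP runs, drop WSP at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                      # empty lines at the end are ignored
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def canon_header(raw: bytes, mode: str) -> bytes:
    """Header field canonicalization, RFC 6376 3.4.1 (simple) and 3.4.2 (relaxed)."""
    if mode == "simple":
        return raw                       # byte-for-byte, folding included
    name, value = raw.split(b":", 1)
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)            # unfold
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \r\n")  # collapse and trim WSP
    return name.strip().lower() + b":" + value + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    """The bh= value a signer or verifier computes (sha256)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

# Constructed sample: what the author signed.
SIGNED_HDR = b"Subject: DKIM  and mailing lists\r\n"
SIGNED_BODY = b"test \r\n\r\n"

def survives(seen_hdr: bytes, seen_body: bytes) -> dict:
    """For each c= setting, is the signed input unchanged after relay handling?"""
    out = {}
    for c in ("simple/simple", "relaxed/simple", "relaxed/relaxed"):
        h, b = c.split("/")
        out[c] = (canon_header(SIGNED_HDR, h) == canon_header(seen_hdr, h)
                  and body_hash(SIGNED_BODY, b) == body_hash(seen_body, b))
    return out

# Constructed relay behaviours.
REFOLDED_HDR = b"Subject: DKIM and\r\n mailing lists\r\n"
print("untouched       ", survives(SIGNED_HDR, SIGNED_BODY))
print("header refolded ", survives(REFOLDED_HDR, SIGNED_BODY))
print("body WSP trimmed", survives(REFOLDED_HDR, b"test\r\n"))
print("footer appended ", survives(SIGNED_HDR, SIGNED_BODY + b"-- \r\nlist footer\r\n"))
```

A False entry means a verifier would report dkim=fail for a signature made with that c= setting; an appended footer changes the body hash under both body algorithms.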
