Re: [dmarc-ietf] Add MLS/MLM subscription/submissions controls to DMARCbis

Hector Santos <hsantos@isdg.net> Mon, 01 May 2023 14:18 UTC

Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=6869; t=1682950684; atps=ietf.org; atpsh=sha1; h=Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=XKqbnGjFLaADXLIbCI/yNvTo/gnjGU2wmreNT+b2UT4=; b=QD03 di1dQBKA7mf5htVZ9M/bxsilUwTZPi2REydpYG8CICwomddKhJx5pP/eG2DBRgLQ I2wgqqaYqov2dPdbWW5CcVZxnxzmxyXYaJG77NtojCRcp+wRMCsaPldVWTp1q3Mt kyd1/C2lKvsGDZcdsIms+E9YEp1T1LkMe3+AZYY=
Message-ID: <644FCA1A.3030706@isdg.net>
Date: Mon, 01 May 2023 10:18:02 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
To: dmarc@ietf.org
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <29216533.CRhL9lMF2B@localhost> <3141092.K83ThNGNZP@zini-1880> <CAH48ZfzS+MCC4-Dk3mZhF_bwc9hzWowApgPG3am14bjB9ZDz3Q@mail.gmail.com> <630A8A65-E04D-4C48-AE80-516F610EB93A@isdg.net> <CAH48ZfzmQJBb3xNSvVn84wpwf5SK2F0RSNQnSNObtxKfdHaY1w@mail.gmail.com> <B4E79EF6-E5F5-4969-824A-329576ECF20C@isdg.net> <CAH48ZfxaW5qO01HO-ESj4Sgy9gHM2rx8h_zA2-vHdS0s=yCcBg@mail.gmail.com> <CAFcYR_VBXmqT++8bS94Q1v9MPoHLXYn-0yCWy5U4FMj4gY6=XQ@mail.gmail.com> <8d9eda3e-6d72-ccbc-41ee-148a75698682@tana.it> <644FBDF6.3000207@isdg.net> <MN2PR11MB435152293B779BD3B6DAA904F76E9@MN2PR11MB4351.namprd11.prod.outlook.com>
In-Reply-To: <MN2PR11MB435152293B779BD3B6DAA904F76E9@MN2PR11MB4351.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/B2AIX-3T-DBqcC33ZT3j8lSbjTY>
Subject: Re: [dmarc-ietf] Add MLS/MLM subscription/submissions controls to DMARCbis

Alex,

I agree with the suggestion to have a separate document; a great 
starting point is to update the ATPS RFC document.  However, DMARCbis 
MUST open up the door for it and address the potential new security 
issues with From Rewrite.

1) Address the MUST NOT p=reject with a new small section, a few 
paragraphs citing the basic non-compliance issues with legacy MLS/MLM 
verifiers of not following DMARC policy and instead creating a new 
potential security threat, which may require a security threat section 
or be added to the current "Display Attack" security section.  I don't 
believe we can get by this by saying it will "never happen."

2) Update section 4.4.3 Extended Tag Extensions to open the door up 
to 3rd party authorization, ATPS and possibly others.

Thanks

--
HLS



On 5/1/2023 9:49 AM, Brotman, Alex wrote:
> This sounds like a separate document to me. (yes, I see Ale's draft below) And IMO, I don't think we should hold up DMARCbis for that work.
>
> --
> Alex Brotman
> Sr. Engineer, Anti-Abuse & Messaging Policy
> Comcast
>
>> -----Original Message-----
>> From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Hector Santos
>> Sent: Monday, May 1, 2023 9:26 AM
>> To: dmarc@ietf.org
>> Subject: Re: [dmarc-ietf] Add MLS/MLM subscription/submissions controls to
>> DMARCbis
>>
>> On 5/1/2023 6:51 AM, Alessandro Vesely wrote:
>>> Been there, done that.  For the message I'm replying to, I have:
>>>
>>> Authentication-Results: wmail.tana.it;
>>>    spf=pass smtp.mailfrom=ietf.org;
>>>    dkim=pass reason="Original-From: transformed" header.d=google.com;
>>>    dkim=pass (whitelisted) header.d=ietf.org
>>>      header.b=jAsjjtsp (ietf1);
>>>    dkim=fail (signature verification failed, whitelisted)
>>> header.d=ietf.org
>>>      header.b=QuwLQGvz (ietf1)
>>>
>>> However, not all signatures can be verified.  Mailman tries to
>>> preserve most header fields, but not all.  For example, they rewrite
>>> MIME-Version: from scratch and don't save the old one.  So if a poster
>>> signs that field and writes it differently (e.g. with a
>>> comment) MLM transformation cannot be undone.
>>> https://datatracker.ietf.org/doc/html/draft-vesely-dmarc-mlm-transform
>>>
>> And this was my result for your message, separating lines for easier
>> reading:
>>
>> Authentication-Results: dkim.winserver.com;
>>    dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org;
>>    adsp=none author.d=tana.it signer.d=ietf.org;
>>    dmarc=fail policy=none author.d=tana.it signer.d=ietf.org (unauthorized
>> signer);
>>
>>    dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org;
>>    adsp=none author.d=tana.it signer.d=ietf.org;
>>    dmarc=fail policy=none author.d=tana.it signer.d=ietf.org (unauthorized
>> signer);
>>
>>    dkim=fail (DKIM_BAD_SYNTAX) header.d=none header.s=none header.i=none;
>>    adsp=dkim-fail author.d=tana.it signer.d=;
>>    dmarc=dkim-fail policy=none author.d=tana.it signer.d= (unauthorized signer);
>>
>>    dkim=fail (DKIM_BODY_HASH_MISMATCH) header.d=tana.it header.s=delta
>> header.i=tana.it;
>> 	 adsp=dkim-fail author.d=tana.it signer.d=tana.it;
>> 	 dmarc=dkim-fail policy=none author.d=tana.it signer.d=tana.it
>> (originating signer);
>>
>> Four signatures were added to your submission and the only one that counts is
>> the top one, the last one added.
>>
>> It failed DMARC because tana.it did not authorize ietf.org.   You can
>> easily resolve this by adding atps=y to your DMARC record:
>>
>>       v=DMARC1; p=none; atps=y; rua=mailto:dmarcaggr@tana.it;
>> ruf=mailto:dmarcfail@tana.it;
>>
>> and add an ATPS sub-domain record authorizing ietf.org in your tana.it
>> zone:
>>
>>       pq6xadozsi47rluiq5yohg2hy3mvjyoo._atps  TXT ("v=atps01; d=ietf.org;")
>>
>> Do that and all ATPS compliant verifiers should show a DMARC=pass:
>>
>> Authentication-Results: dkim.winserver.com;
>>    dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org;
>>    adsp=none author.d=tana.it signer.d=ietf.org;
>>    dmarc=pass policy=none author.d=tana.it signer.d=ietf.org (ATPS signer);
>>
>>
>> For a short list of signers, I updated my DMARC evaluator to also support ASL
>> "Authorized Signer List" to avoid the extra ATPS record.
>> So doing this will work across my evaluator for smaller scale mail senders:
>>
>>       v=DMARC1; p=none; atps=y; asl=ietf.org; rua=mailto:dmarcaggr@tana.it;
>> ruf=mailto:dmarcfail@tana.it;
>>
>>
>> This will skip atps=y because asl=ietf.org was satisfied. It will show
>> how it was authorized:
>>
>>    dmarc=pass policy=none author.d=tana.it signer.d=ietf.org (ASL signer);
>>
>>
>> Any ATPS or ASL idea will give us the author-defined trust of ietf.org
>> as a 3rd party signer.
>>
>> That said,  keeping with the suggestion DMARCBis should add MLS/MLM
>> semantics, I believe when the Receiver is receiving mail for a
>> MLS/MLM,  it should have the following updated modern consideration
>> for a MLS/MLM:
>>
>> 1) It should honor policy first, by checking for restrictive domains
>>
>> 2) It should honor the domain restrictive policy to avoid creating new
>> security problems and avoid delivery problems.  This means to
>> implement subscription and submission controls.  DMARCbis should pass
>> the buck back to the restrictive domain who must deal with user's
>> needs or not.
>>
>> 3) It should check if the submission's author domain authorizes the
>> MLM signing domain by finding an ATPS record; if so....
>>
>> 3.1) it can continue as the 3rd party signer and also keep the From as
>> is, unchanged, or
>>
>> 3.2) it can also consider rewriting.  If a rewrite is performed, the
>> signing domain should have a security control that does not allow any Display
>> Attack Replays with the now altered 5322.From identity.
>>
>>
>> --
>> Hector Santos,
>> https://santronics.com
>> https://winserver.com
>>
>>
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc


-- 
Hector Santos,
https://santronics.com
https://winserver.com
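The quoted exchange above walks through an Authentication-Results trace in which ietf.org signs a message whose author domain is tana.it, and shows how an atps=y tag plus an ATPS sub-domain record (or, in Hector's evaluator, an asl= list) turns that "unauthorized signer" into a pass. The following is an added example, written for this page; it is not code from the thread, from RFC 6541, or from any poster's product. It builds the ATPS query name the way RFC 6541 describes (SHA-1 of the signer domain, base32, padding stripped, then "._atps." plus the author domain), parses the DMARC and ATPS TXT records shown in the message, and evaluates a signer in the order Hector describes: originating signer, then ASL, then ATPS. The asl tag is an assumption taken from his message (it is not a DMARC tag), DNS is replaced by an in-memory dict so the example runs offline, and the ATPS record version string is copied from the record he posted.

```python
"""Toy DMARC third-party-signer evaluator (added example, not the thread's code).

Assumptions (labelled):
  * ATPS label = base32(SHA-1(signer domain)), padding stripped, per RFC 6541.
  * "asl" is a non-standard tag used by Hector's evaluator: a comma-separated
    list of authorized signer domains.
  * DNS is an in-memory dict of TXT records (constructed, offline).
"""
import base64
import hashlib


def atps_label(signer_domain: str) -> str:
    """Return the DNS label RFC 6541 derives from a signer domain.

    SHA-1 yields 20 bytes, so the base32 text is exactly 32 characters
    with no '=' padding; we lowercase it because DNS labels are case-insensitive.
    """
    digest = hashlib.sha1(signer_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def atps_query_name(author_domain: str, signer_domain: str) -> str:
    """Full owner name of the ATPS TXT record for (author, signer)."""
    return f"{atps_label(signer_domain)}._atps.{author_domain.lower()}"


def parse_tags(record: str) -> dict:
    """Parse 'k=v; k=v;' tag lists as used by both DMARC and ATPS TXT records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def build_zone(author_domain: str, authorized_signers) -> dict:
    """Constructed zone fragment: one ATPS TXT record per authorized signer,
    in the format shown in the message ('v=atps01; d=<signer>;')."""
    return {atps_query_name(author_domain, s): f"v=atps01; d={s};"
            for s in authorized_signers}


def evaluate_signer(author_domain: str, signer_domain: str,
                    dmarc_record: str, dns: dict) -> tuple:
    """Decide whether signer_domain is authorized to sign for author_domain.

    Returns (verdict, policy, reason), mirroring the 'dmarc=... (reason)'
    comments in the quoted Authentication-Results lines.
    """
    tags = parse_tags(dmarc_record)
    policy = tags.get("p", "none")
    author = author_domain.lower()
    signer = signer_domain.lower()

    # First-party signature: no third-party authorization needed.
    if signer == author:
        return "pass", policy, "originating signer"

    # ASL (assumed non-standard tag) is consulted before ATPS, so a match
    # here skips the DNS lookup, as the message says.
    asl = [d.strip().lower() for d in tags.get("asl", "").split(",") if d.strip()]
    if signer in asl:
        return "pass", policy, "ASL signer"

    # ATPS: only consulted when the DMARC record opts in with atps=y.
    if tags.get("atps", "").lower() == "y":
        txt = dns.get(atps_query_name(author, signer))
        if txt:
            atags = parse_tags(txt)
            if atags.get("v", "").lower() == "atps01" and atags.get("d", "").lower() == signer:
                return "pass", policy, "ATPS signer"

    return "fail", policy, "unauthorized signer"


def format_result(author_domain: str, signer_domain: str, result: tuple) -> str:
    """Render the result in the style of the quoted Authentication-Results lines."""
    verdict, policy, reason = result
    return (f"dmarc={verdict} policy={policy} author.d={author_domain} "
            f"signer.d={signer_domain} ({reason})")


if __name__ == "__main__":
    # Compare this label with the one quoted in the message for ietf.org.
    print(atps_query_name("tana.it", "ietf.org"))
    zone = build_zone("tana.it", ["ietf.org"])
    before = "v=DMARC1; p=none; rua=mailto:dmarcaggr@tana.it;"
    after = "v=DMARC1; p=none; atps=y; rua=mailto:dmarcaggr@tana.it;"
    with_asl = "v=DMARC1; p=none; atps=y; asl=ietf.org; rua=mailto:dmarcaggr@tana.it;"
    for rec in (before, after, with_asl):
        print(format_result("tana.it", "ietf.org", evaluate_signer("tana.it", "ietf.org", rec, zone)))
```

Running the block prints the computed `_atps` owner name for ietf.org under tana.it, which can be compared with the label quoted in the message, followed by the three outcomes: unauthorized signer without atps=y, ATPS signer once the record and zone entry exist, and ASL signer when the asl tag short-circuits the lookup.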