IETF Logo Mail Archive

Re: [dmarc-ietf] Mandatory Sender Authentication

"Douglas E. Foster" <fosterd@bayviewphysicians.com> Thu, 06 June 2019 17:09 UTC

Return-Path: <btv1==060678adde5==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26E87120225 for <dmarc@ietfa.amsl.com>; Thu, 6 Jun 2019 10:09:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6I_JUIerNUoP for <dmarc@ietfa.amsl.com>; Thu, 6 Jun 2019 10:09:12 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10FA3120194 for <dmarc@ietf.org>; Thu, 6 Jun 2019 10:09:11 -0700 (PDT)
X-ASG-Debug-ID: 1559840950-11fa3116c834e170001-K2EkT1
Received: from webmail.bayviewphysicians.com (smartermail4.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id 5G9a7TpHesEsbbRE (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO); Thu, 06 Jun 2019 13:09:10 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-ASG-Whitelist: Client
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h=message-id:reply-to:subject:to:from; bh=jtYc/oqC8okdMHzbR7qzqPLB8xO67eUtvOBFWQAiKk8=; b=bMosBrhArXeMBxOdhZQ/Xf6I0YJyZgH6nNOqOGugP1nBF3p4dpVT/fVUW7qr/qUxk AEIoO/epphxI+SHpQRV9n/AJe8kQG2gjOFPtMzLjltnqbED9wQprvMQkFjKE7Biow 5/hOYufdd2VJXfJnQ+MBw0Ea2G8KF6UBAw+dtLSyU=
Received: by webmail.bayviewphysicians.com via HTTP; Thu, 6 Jun 2019 13:09:02 -0400
From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: dmarc@ietf.org, dcrocker@bbiw.net
Date: Thu, 06 Jun 2019 13:09:02 -0400
X-ASG-Orig-Subj: Re: [dmarc-ietf] Mandatory Sender Authentication
Reply-To: fosterd@bayviewphysicians.com
Message-ID: <941abdbf28684283b972f69f25876220@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="c2c04e162353462d9627c5b4fca71275"
X-Originating-IP: [192.168.1.239]
In-Reply-To: <45cdc0da-5243-3a62-b217-8d5e4ea9ea11@dcrocker.net>
References: <20190603142956.66B31120252@ietfa.amsl.com> <45cdc0da-5243-3a62-b217-8d5e4ea9ea11@dcrocker.net>
X-Exim-Id: 941abdbf28684283b972f69f25876220
X-Barracuda-Connect: smartermail4.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1559840950
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 14382
X-Barracuda-BRTS-Status: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ScHzlFZ5XZVLf6as6f3zIg3Tn5U>
Subject: Re: [dmarc-ietf] Mandatory Sender Authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2019 17:47:48 -0000

>> 1. By 'sender', which actor in the sequence do you mean? The term is
highly ambiguous.
  
 By Sender Authentication, I mean message "From Address" authentication.   
This involves two rules:
  	The sending IP address is known to be authorized to send for the SMTP 
Sender-Address because of MX or SPF, and  	the SMTP Sender-Address is known 
to be authorized to send for the message from Address because of either  	 
		domain alignment or  		a verifiable DKIM signature for the domain of the 
message From-Address.   	

 The message From-Address is what the user sees, so it seems important to 
know that the user is not being deceived by an impersonator.

>> 2. Your certitude presumes an empirical foundation, given how often 
good
theory does not make good practice. People have been working in this
space for a very long time and one might have expected the industry to
have latched on such a simple requirement were it that clear it was
/the/ essential requirement. Please document the basis for your certitude.
  
 What I actually intend is that "a recipient has a viable option to 
implement mandatory sender authentication."
 This i equivalent to enforcing basic DMARC rules whether the sender has a 
DMARC policy or not.   This requires:
  	An email filter that understands SPF, DKIM, and DMARC. 	An email filter 
that provides local policy options to detect, evaluate, and override false 
positives. 	A sufficiently low level of false positives that the recipient 
organization is willing to commit the administrative resources to 
investigating and correcting false positives. 
 These conditions are sorely lacking, as explained in the next section.

>> 3. What made you think that 'sender' authentication is not already
happening at a sufficient level? What is the basis for believing it
 isn't already being used by filtering agents well enough?
  
 I have been doing a market survey, and it suggests that many vendors do 
not understand the problem or do not believe it needs to be solved.  I 
began with these minimal screening requirements:
  
 Source filtering:
    Able to block based on both IP address and Reverse DNS. 
  
 A surprising number of vendors only supported one of these filters.
  
 Sender authentication:
    Able to enforce sender DMARC policies.   (No requirement to support 
feedback processing)
    Able to override an incorrect SPF policy using a multi-factor rule 
(source server + sender domain).
  
 A surprising number of devices that supported DMARC filtering could not do 
ReverseDNS filtering.
  
 More recently, I realized that the only effective way to correct an SPF 
policy is to use SPF syntax.   I have not yet seen any product that does 
so, but I have more products to review.
  
 For the first pass, I had no filtering criteria related to content 
filtering.
  
 Results
 ----------
 These vendors could not meet all four criteria:
  	Barracuda (appliance, hybrid, and cloud products) 	Sophos (3 appliance 
products, 2 cloud products) 	Edgewave 	Forcepoint 	Fortinet 	Trend Micro 
	Dell SonicWall 	Symantec 	SpamExperts / SonicWall Mail 
 Some of these were evaluated based on reviews of the administrative 
manuals, others based on a sales process.
  
 On the higher-end solutions:
  
 I discounted Cisco Talos and Proofpoint because their secure email 
solutions do domain spoofing.
  
 BAE Solutions was dropped because their sales process required me to sign 
a non-disclosure agreement.   Based on what we did discuss, it did not 
appear that they could meet the four requirements.
  
 Kaspersky was ignored because of mistrust of the Russian government.
  
 The following products appeared to meet the minimum requirements, but for 
most of them I do not have access to the administrator manual until I 
commit to a product trial.
  	Cloudswift 	Mimecast 	Fortinet 	FireEye 
 I am in early discussions with AT&T / MessageLabs, but have no asssessment 
yet.
  
  
 >> 4. Consider the limitations to 'sender' authentication.

I am spending a lot of time thinking about the limitations of sender 
authentication.   For a spammer domain, SPF / DKIM / DMARC are easy.   For 
impersonation, Friendly Name and embedded logo images can be pretty 
effective without violating SPF / DKIM / DMARC.
  
 This means that Sender Authentication may produce more false positives 
than true positives.   Given the labor cost of addressing the mistakes, it 
is an open question whether the effort is worthwhile.   For the moment, I 
am hoping so.  I manage two very different mail streams, and the one that 
has higher spam levels appears to benefit from enforcing SPF and DMARC.  
Neither environment has products with adequate tools for implementing SPF 
exceptions, so I do not know how long I can leave the features enabled.   
Since you are involved in the Sender Authentication standards process, I 
assume you agree that Sender Authentication has potential to add value.
 
 To minimize false positives, I would like to see:
  	Pressure on list forwarders to either not break signatures, or follow 
the IETF example of replacing the original from with the list domain and 
signing the new message with the list domain.
	  	Advice to senders to reduce signature complexity.   In the general mail 
stream, the purpose of the DKIM signature is to authenticate the sender, 
and the protected data serves the purpose of a unique key for the signature 
process, to prevent replay attacks.   Uniqueness should be achievable using 
three headers:  To, From, and Date.   Subject and Message-ID should not be 
used as they are two fields that are likely to be altered in transit.    
(Using DKIM signatures for content validation is only viable if the sender 
is known with confidence and an exception management process is in place.  
These conditions may exist for specific sender-receiver pairs, but they 
will not exist as a default condition.) 
 But I have already been told that IETF is not interested in Recipient 
product problems, and is not concerned with security, which has left me 
very disappointed.
  
  
 Doug Foster

v2.23.0 | Report a Bug | By Email