Re: [dmarc-ietf] Mandatory Sender Authentication
"Douglas E. Foster" <fosterd@bayviewphysicians.com> Thu, 06 June 2019 17:09 UTC
Return-Path: <btv1==060678adde5==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26E87120225 for <dmarc@ietfa.amsl.com>; Thu, 6 Jun 2019 10:09:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6I_JUIerNUoP for <dmarc@ietfa.amsl.com>; Thu, 6 Jun 2019 10:09:12 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10FA3120194 for <dmarc@ietf.org>; Thu, 6 Jun 2019 10:09:11 -0700 (PDT)
X-ASG-Debug-ID: 1559840950-11fa3116c834e170001-K2EkT1
Received: from webmail.bayviewphysicians.com (smartermail4.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id 5G9a7TpHesEsbbRE (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO); Thu, 06 Jun 2019 13:09:10 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-ASG-Whitelist: Client
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h=message-id:reply-to:subject:to:from; bh=jtYc/oqC8okdMHzbR7qzqPLB8xO67eUtvOBFWQAiKk8=; b=bMosBrhArXeMBxOdhZQ/Xf6I0YJyZgH6nNOqOGugP1nBF3p4dpVT/fVUW7qr/qUxk AEIoO/epphxI+SHpQRV9n/AJe8kQG2gjOFPtMzLjltnqbED9wQprvMQkFjKE7Biow 5/hOYufdd2VJXfJnQ+MBw0Ea2G8KF6UBAw+dtLSyU=
Received: by webmail.bayviewphysicians.com via HTTP; Thu, 6 Jun 2019 13:09:02 -0400
From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: dmarc@ietf.org, dcrocker@bbiw.net
Date: Thu, 06 Jun 2019 13:09:02 -0400
X-ASG-Orig-Subj: Re: [dmarc-ietf] Mandatory Sender Authentication
Reply-To: fosterd@bayviewphysicians.com
Message-ID: <941abdbf28684283b972f69f25876220@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="c2c04e162353462d9627c5b4fca71275"
X-Originating-IP: [192.168.1.239]
In-Reply-To: <45cdc0da-5243-3a62-b217-8d5e4ea9ea11@dcrocker.net>
References: <20190603142956.66B31120252@ietfa.amsl.com> <45cdc0da-5243-3a62-b217-8d5e4ea9ea11@dcrocker.net>
X-Exim-Id: 941abdbf28684283b972f69f25876220
X-Barracuda-Connect: smartermail4.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1559840950
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 14382
X-Barracuda-BRTS-Status: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ScHzlFZ5XZVLf6as6f3zIg3Tn5U>
Subject: Re: [dmarc-ietf] Mandatory Sender Authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2019 17:47:48 -0000
>> 1. By 'sender', which actor in the sequence do you mean? The term is highly ambiguous. By Sender Authentication, I mean message "From Address" authentication. This involves two rules: The sending IP address is known to be authorized to send for the SMTP Sender-Address because of MX or SPF, and the SMTP Sender-Address is known to be authorized to send for the message from Address because of either domain alignment or a verifiable DKIM signature for the domain of the message From-Address. The message From-Address is what the user sees, so it seems important to know that the user is not being deceived by an impersonator. >> 2. Your certitude presumes an empirical foundation, given how often good theory does not make good practice. People have been working in this space for a very long time and one might have expected the industry to have latched on such a simple requirement were it that clear it was /the/ essential requirement. Please document the basis for your certitude. What I actually intend is that "a recipient has a viable option to implement mandatory sender authentication." This i equivalent to enforcing basic DMARC rules whether the sender has a DMARC policy or not. This requires: An email filter that understands SPF, DKIM, and DMARC. An email filter that provides local policy options to detect, evaluate, and override false positives. A sufficiently low level of false positives that the recipient organization is willing to commit the administrative resources to investigating and correcting false positives. These conditions are sorely lacking, as explained in the next section. >> 3. What made you think that 'sender' authentication is not already happening at a sufficient level? What is the basis for believing it isn't already being used by filtering agents well enough? I have been doing a market survey, and it suggests that many vendors do not understand the problem or do not believe it needs to be solved. I began with these minimal screening requirements: Source filtering: Able to block based on both IP address and Reverse DNS. A surprising number of vendors only supported one of these filters. Sender authentication: Able to enforce sender DMARC policies. (No requirement to support feedback processing) Able to override an incorrect SPF policy using a multi-factor rule (source server + sender domain). A surprising number of devices that supported DMARC filtering could not do ReverseDNS filtering. More recently, I realized that the only effective way to correct an SPF policy is to use SPF syntax. I have not yet seen any product that does so, but I have more products to review. For the first pass, I had no filtering criteria related to content filtering. Results ---------- These vendors could not meet all four criteria: Barracuda (appliance, hybrid, and cloud products) Sophos (3 appliance products, 2 cloud products) Edgewave Forcepoint Fortinet Trend Micro Dell SonicWall Symantec SpamExperts / SonicWall Mail Some of these were evaluated based on reviews of the administrative manuals, others based on a sales process. On the higher-end solutions: I discounted Cisco Talos and Proofpoint because their secure email solutions do domain spoofing. BAE Solutions was dropped because their sales process required me to sign a non-disclosure agreement. Based on what we did discuss, it did not appear that they could meet the four requirements. Kaspersky was ignored because of mistrust of the Russian government. The following products appeared to meet the minimum requirements, but for most of them I do not have access to the administrator manual until I commit to a product trial. Cloudswift Mimecast Fortinet FireEye I am in early discussions with AT&T / MessageLabs, but have no asssessment yet. >> 4. Consider the limitations to 'sender' authentication. I am spending a lot of time thinking about the limitations of sender authentication. For a spammer domain, SPF / DKIM / DMARC are easy. For impersonation, Friendly Name and embedded logo images can be pretty effective without violating SPF / DKIM / DMARC. This means that Sender Authentication may produce more false positives than true positives. Given the labor cost of addressing the mistakes, it is an open question whether the effort is worthwhile. For the moment, I am hoping so. I manage two very different mail streams, and the one that has higher spam levels appears to benefit from enforcing SPF and DMARC. Neither environment has products with adequate tools for implementing SPF exceptions, so I do not know how long I can leave the features enabled. Since you are involved in the Sender Authentication standards process, I assume you agree that Sender Authentication has potential to add value. To minimize false positives, I would like to see: Pressure on list forwarders to either not break signatures, or follow the IETF example of replacing the original from with the list domain and signing the new message with the list domain. Advice to senders to reduce signature complexity. In the general mail stream, the purpose of the DKIM signature is to authenticate the sender, and the protected data serves the purpose of a unique key for the signature process, to prevent replay attacks. Uniqueness should be achievable using three headers: To, From, and Date. Subject and Message-ID should not be used as they are two fields that are likely to be altered in transit. (Using DKIM signatures for content validation is only viable if the sender is known with confidence and an exception management process is in place. These conditions may exist for specific sender-receiver pairs, but they will not exist as a default condition.) But I have already been told that IETF is not interested in Recipient product problems, and is not concerned with security, which has left me very disappointed. Doug Foster
- [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication Seth Blank
- Re: [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication John R. Levine
- Re: [dmarc-ietf] Mandatory Sender Authentication Hector Santos
- Re: [dmarc-ietf] Mandatory Sender Authentication Dave Crocker
- Re: [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication Dotzero
- Re: [dmarc-ietf] Mandatory Sender Authentication Dave Crocker
- [dmarc-ietf] Display address, was Mandatory Sende… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Dave Crocker
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Дилян Палаузов
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Dave Crocker
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Stan Kalisch
- Re: [dmarc-ietf] Display address, was Mandatory S… Dotzero
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Kurt Andersen (b)
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely