Re: [dmarc-ietf] Signaling MLMs

Hector Santos <hsantos@isdg.net> Thu, 13 April 2023 12:19 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18BEDC15C296 for <dmarc@ietfa.amsl.com>; Thu, 13 Apr 2023 05:19:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YtOHG3OOP5vY for <dmarc@ietfa.amsl.com>; Thu, 13 Apr 2023 05:19:17 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [3.137.120.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 666DDC15C524 for <dmarc@ietf.org>; Thu, 13 Apr 2023 05:19:17 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=7031; t=1681388351; atps=ietf.org; atpsh=sha1; h=Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=3oZo2a3YRqaNCE+k5UmHAuvGYjWijstkcxuZHTCVaYw=; b=ExpB rNot2fCzf3+APBGTcx/7rinEvgFmzvxoYZYPn4Vv9eZQ+8b7biZUh6QPl3D5jcpy 8HG1XJYtDS7qhLEIDvbk+PQ5WUAwUBIWaGwXllX8IusTNHGnl5eo2RIwNWKluyHB CaUmJQBbi0acJSxSA9juDT5ckNWNIAtUplitiyw=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.13) for dmarc@ietf.org; Thu, 13 Apr 2023 08:19:11 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by winserver.com (Wildcat! SMTP v8.0.454.13) with ESMTP id 1781148707.1.6204; Thu, 13 Apr 2023 08:19:10 -0400
Message-ID: <6437F343.20705@isdg.net>
Date: Thu, 13 Apr 2023 08:19:15 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <CAL0qLwZc2X7tyP+_8vvL3Yb7uJk6td3XGbsXUB68BNUEMhV4yQ@mail.gmail.com> <8d970e6b-8fa7-da85-5c47-d485abbc43be@crash.com> <CAL0qLwZJjBq0T8kODJifTT10ttJJE2Bof5kJZACRTwyauzwQ6A@mail.gmail.com>
In-Reply-To: <CAL0qLwZJjBq0T8kODJifTT10ttJJE2Bof5kJZACRTwyauzwQ6A@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/TyilNhPnDvGmeAA1C2DCzHcSlMA>
Subject: Re: [dmarc-ietf] Signaling MLMs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2023 12:19:23 -0000

On 4/12/2023 11:38 PM, Murray S. Kucherawy wrote:
> On Wed, Apr 12, 2023 at 12:45 PM Steven M Jones <smj@crash.com 
> <mailto:smj@crash.com>> wrote:
>
>     ISTR there were some vocal and visible mailing list operators
>     that were rejecting messages from domains that published
>     "p=reject" policies, maybe around 2014-15? I also thought they
>     did this by checking the sending domain's published policy in
>     DNS, to your point about implementation.
>
> This would be great [anec-]data to have.  Do you remember where you 
> might have seen it?

This was initially outlined in 2006 DSAP guidelines for list servers.  
It has been mentioned numerous times in the DKIM and DMARC WGs 
throughout the many years.  The following is a 2011 Wildcat! SMTP List 
Server wcBASIC language p-code script called at DATA and it applies to 
ADSP/DMARC restrictive domain list submissions.  All of my Wildcat! 
customers/operators managing a list have the same stock code.

//***********************************************************************
// (c) Copyright 1998-2012 Santronics Software, Inc. All Rights Reserved.
//***********************************************************************
//
// File Name : smtpfilter-listchecker.wcc
// Subsystem : wcListServer
// Date      : 10/11/2011
// Author    : SSI
// About     : checks wcListServer list to accept delivery
//
//    data\smtpfilterhookloader.ini
//    config\wcmail.names
//
// Run this filter before smtpfitler-whitelist because you may have
// some auto-whitelisted users with restricted DMARC domains.  If
// WCLS is not ready for DMARC checking, a major distribution problem
// will occur with DMARC checking downlink receivers.
//
// Revision History:
//
// 2.0, 454.6, 11/09/18 11:28 pm
// 2.1, 454.6, 11/12/18 10:52 am
// 3.0, 454.12, 04/11/21 01:10 pm
//
// - Added ADSP/DMARC check.
//
//   ADSP/DMARC checks are not done on control messages.
//
// - Adding new support accepting extended list control messages:
//
//     tmailist.name + "-subscribe";
//     tmailist.name + "-unsubscribe"
//     tmailist.name + "-bounces"
//
// 2.2, 454.10, 05/03/20 11:18 am
//
// - fix DMARC bug of using just the local part and not the
//   domain to see if it's a valid list.  The fix is to
//   compare the ListDomain with the address.domain
//
//***********************************************************************

#include <smtpfilterhlp.wch>
#include <maillist.wch>
#include <msgutil.wch>
#include <wcdkimlib.wch>

//----------------------------------------------------------
// GLOBALS
//----------------------------------------------------------

const FILTER_VERSION = "3.0"
Const CONTROL_NAMES  = "wc:\cfg\wcmail.names"

//----------------------------------------------------------
// MAIN PROGRAM
//----------------------------------------------------------


   sfInitializeHook(paramstr(1))

   dim args  as string  = lcase(paramstr(1))
   dim msgfn as string  = GetParamStr(args,"psf")  // prespool
   dim from  as string  = GetParamStr(args,"from") // sender
   dim rcpt  as string  = GetParamStr(args,"rcpt") // recipient

   // strip angle brackets from addresses

   rcpt = lcase(sfStripBrackets(rcpt))
   from = lcase(sfStripBrackets(from))

   // Parse the rcpt address to get its parts.
   // We want the user id part (left hand side) of address.
   // This would be the "list name".

   dim eaTo    as TEmailAddress
   dim eaFrom  as TEmailAddress
   ParseEmailAddress(rcpt,eaTo)
   ParseEmailAddress(from,eaFrom)

   dim lname as string = eaTo.usrid

   // Get the WCLS control name and compare with the list name,
   // or search for a existing mailing list by list name.
   // If found, then accept this email, record it in log
   // and also in the session trace (meta log).

   dim cname as string = lcase(ReadListControlName())

   dim ml as TMailList

   //-----------------------------------------------------
   // 2.1
   // - Added control name and list control names check
   dim IsControlName as boolean
   if (cname = lname) then IsControlName = true
   if not IsControlName and right(lname,10) = "-subscribe"   then IsControlName = true
   if not IsControlName and right(lname,12) = "-unsubscribe" then IsControlName = true
   if not IsControlName and right(lname, 8) = "-bounces"     then IsControlName = true
   //-----------------------------------------------------

   // 2.2 05/03/20 04:58 pm
   // -- pass the domain to compare with listdomain
   dim ListDomainOK as Boolean = MailListRead(lname+".LIST",ml,eaTo.Domain)
   //
   if (IsControlName or ListDomainOk) then
      dim s as string = "Sender: "+from
      if from = "" then
          s = "Bounce message"
          from = "<>"
      end if
      //---------------------------------------------------
      // 2.1, added ADSP/DMARC check
      //---------------------------------------------------
      if (not IsControlName) and ml.CheckADSP then
         dim dmarc  as string
         dim adsp  as string
         dim policy as string
         if GetDMARC(eaFrom.Domain, "", dmarc) then
            policy = lcase(GetHeaderTag(dmarc,"p="))
            dim fv as integer
            if policy = "reject" or policy = "quarantine" then
               //
               // This domain can not post to the list, if the MLS is not
               // prepared to do a restrictive DMARC domain check.
               //
               sfAppendMetaLog(msgfn,"Rejected by smtpfilter-listchecker: "+From)
               sfAppendMetaLog(msgfn,"Restricted DMARC policy for domain: "+eaFrom.Domain)
               sflog(lchReject,"Rejecting mail for: "+rcpt+" from: "+from)
               sflog(lchReject,"Restricted DMARC policy for domain: "+eaFrom.Domain)
               sflog(lchReject,"File: "+msgfn+".policy-dmarc")
               // keep a copy of the rejected message under the name the log reports
               CopyFile(msgfn,msgfn+".policy-dmarc")
               sfSetGlobalResult(SF_DISCARD,SF_ENDRULES,554)
               // create response
               fv = open msgfn+".response" for output
               if fv > 0 then
                 print #fv,"554 Restricted DMARC policy for domain: "+eaFrom.Domain+". Can not post to list: "+lname
                 close #fv
               end if
               END
            end if
         end if
         if GetADSP(eaFrom.Domain, adsp) then
            policy = lcase(GetHeaderTag(adsp,"dkim="))
            if policy = "discardable" then
               //
               // This domain can not post to the list, if the MLS is not
               // prepared to do a restrictive ADSP domain check.
               //
               sfAppendMetaLog(msgfn,"Rejected by smtpfilter-listchecker: "+From)
               sfAppendMetaLog(msgfn,"Restricted ADSP policy for domain: "+eaFrom.Domain)
               sflog(lchReject,"Rejecting mail for: "+rcpt+" from: "+from)
               sflog(lchReject,"Restricted ADSP policy for domain: "+eaFrom.Domain)
               sflog(lchReject,"File: "+msgfn+".policy-adsp")
               // keep a copy of the rejected message under the name the log reports
               CopyFile(msgfn,msgfn+".policy-adsp")
               sfSetGlobalResult(SF_DISCARD,SF_ENDRULES,554)
               // create response
               fv = open msgfn+".response" for output
               if fv > 0 then
                 print #fv,"554 Restricted ADSP policy for domain: "+eaFrom.Domain+". Can not post to list: "+lname
                 close #fv
               end if
               END
            end if
         end if
      end if

      //-----------------------------
      s = s + " accepted for WCLS address: " + rcpt
      sflog(lchInfo,s)
      sfAppendMetaLog(msgfn,"Accepted by smtpfilter-listchecker: "+From)
      sfSetGlobalResult(SF_ACCEPT,SF_ENDRULES)
   end if

   END


-- 
Hector Santos,
https://santronics.com
https://winserver.com
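The gate the wcBASIC filter above implements, reworked as an added Python example that is not part of the post or of the Wildcat! product. It performs the same decision: list-control traffic (the control mailbox and the -subscribe/-unsubscribe/-bounces aliases) is never policy-checked; any other post is refused with a 554 when the author's domain publishes DMARC p=reject or p=quarantine, or ADSP dkim=discardable. Two points the example adds beyond the script: the policy that matters to downstream DMARC verifiers is the one for the RFC5322.From domain, so the function takes that domain; and the DMARC lookup follows RFC 7489 section 6.6.3 (the domain's own record, else the organizational domain's sp= falling back to p=), with the record tokenised into tags so that sp=reject can never be mistaken for p=reject by a substring match. DNS is replaced by an in-memory table of constructed records under .example names, the control mailbox name listserv is assumed, and the organizational-domain helper is a deliberate two-label simplification (production code needs the Public Suffix List).

```python
"""List-server submission gate keyed on the poster's DMARC / ADSP policy.

Added illustration, not the wcBASIC filter from the post. DNS is replaced
by an in-memory table of constructed TXT records so the script runs offline.
"""

# Constructed TXT records (stand-in for DNS; none of these are real domains).
FAKE_DNS = {
    "_dmarc.strict.example":           "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "_dmarc.soft.example":             "v=DMARC1; p=quarantine; pct=100",
    "_dmarc.open.example":             "v=DMARC1; p=none",
    "_dmarc.mixed.example":            "v=DMARC1; p=none; sp=reject",  # strict for subdomains only
    "_dmarc.override.mixed.example":   "v=DMARC1; p=none",             # subdomain with its own record
    "_adsp._domainkey.legacy.example": "dkim=discardable",             # RFC 5617 ADSP record
}

CONTROL_SUFFIXES = ("-subscribe", "-unsubscribe", "-bounces")
LIST_CONTROL_NAME = "listserv"  # assumed name of the list-control mailbox


def lookup_txt(name: str):
    """Simulated TXT lookup; a real deployment would query DNS here."""
    return FAKE_DNS.get(name.lower())


def parse_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict.

    Splitting on ';' and then on the first '=' stores 'sp=reject' under the
    key 'sp', so it can never be read as 'p=reject' the way a plain
    substring search for "p=" would.
    """
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Production code must use the Public Suffix List (RFC 7489 section 3.2)."""
    labels = domain.lower().split(".")
    return ".".join(labels[-2:])


def dmarc_policy(domain: str):
    """Effective DMARC policy for a From: domain (RFC 7489 section 6.6.3):
    the domain's own record wins; otherwise the organizational domain's sp=
    (falling back to its p=) applies. Returns None when no usable record exists."""
    domain = domain.lower()
    rec = lookup_txt("_dmarc." + domain)
    if rec:
        tags = parse_tags(rec)
        if tags.get("v") == "dmarc1" and "p" in tags:
            return tags["p"]
    od = org_domain(domain)
    if od == domain:
        return None
    rec = lookup_txt("_dmarc." + od)
    if not rec:
        return None
    tags = parse_tags(rec)
    if tags.get("v") != "dmarc1" or "p" not in tags:
        return None
    return tags.get("sp", tags["p"])


def adsp_policy(domain: str):
    """ADSP practice published at _adsp._domainkey.<domain>, if any."""
    rec = lookup_txt("_adsp._domainkey." + domain)
    return parse_tags(rec).get("dkim") if rec else None


def is_control_address(local_part: str) -> bool:
    """Control mailbox or one of the list-control aliases: never policy-checked."""
    lp = local_part.lower()
    return lp == LIST_CONTROL_NAME or lp.endswith(CONTROL_SUFFIXES)


def check_submission(rcpt_local: str, from_domain: str, check_policy: bool = True):
    """Decide whether a post to list <rcpt_local> from a message whose
    RFC5322.From domain is <from_domain> may be accepted by a list server that
    is not prepared to keep the author's DKIM signature valid or rewrite From:.

    Returns (accept, smtp_reply)."""
    if is_control_address(rcpt_local):
        return True, "250 control message accepted"
    if not check_policy:
        return True, "250 accepted (policy check disabled for this list)"
    if dmarc_policy(from_domain) in ("reject", "quarantine"):
        return False, (f"554 Restricted DMARC policy for domain: {from_domain}. "
                       f"Can not post to list: {rcpt_local}")
    if adsp_policy(from_domain) == "discardable":
        return False, (f"554 Restricted ADSP policy for domain: {from_domain}. "
                       f"Can not post to list: {rcpt_local}")
    return True, "250 accepted"


if __name__ == "__main__":
    for rcpt, dom in [("dmarc", "strict.example"), ("dmarc", "open.example"),
                      ("dmarc-subscribe", "strict.example"), ("dmarc", "sub.mixed.example"),
                      ("dmarc", "override.mixed.example"), ("dmarc", "legacy.example")]:
        print(f"{rcpt}@list <- From {dom}: {check_submission(rcpt, dom)}")
```

The sub.mixed.example and override.mixed.example cases are the ones a substring check or a single-label lookup gets wrong: the first has no record of its own and inherits sp=reject from mixed.example, the second publishes p=none itself and so is accepted even though its parent would refuse subdomains.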