Re: [dmarc-ietf] Rethinking DMARC for PSDs
"Douglas E. Foster" <fosterd@bayviewphysicians.com> Mon, 08 April 2019 12:46 UTC
Return-Path: <btv1==0019ccb4d59==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D6091202E6 for <dmarc@ietfa.amsl.com>; Mon, 8 Apr 2019 05:46:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lueEdhYY3glF for <dmarc@ietfa.amsl.com>; Mon, 8 Apr 2019 05:46:32 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A29FD120086 for <dmarc@ietf.org>; Mon, 8 Apr 2019 05:46:32 -0700 (PDT)
X-ASG-Debug-ID: 1554727585-0990573e6341b90001-K2EkT1
Received: from webmail.bayviewphysicians.com (smartermail4.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id poDVxD2qMRQpgiSz (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO); Mon, 08 Apr 2019 08:46:25 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-ASG-Whitelist: Client
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h= content-type:mime-version:message-id:reply-to:date:subject:to:from; bh=ACEEM8ni3U62HGaA6GRgi40frJGWQKUsH5Mnu1y46uI=; b=fzbIGUlal7K6+aoBuLEQZvpBQljNC1H9kuyZ2+Q3NCl05CN2Mu71c+X/0qSzUb1t2 eCvUtog++lfTOVhxgkaH8OmE4vk0LDbjNf8+oDUuexPUk0mQpLunnTr7QawZUTp3b lSmDhlWEJfa/Mi/OM13Bi15ZdVnirh8rsZjSktIGg=
Received: by webmail.bayviewphysicians.com via HTTP; Mon, 8 Apr 2019 08:46:15 -0400
From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: dmarc@ietf.org, Jeremy Harris <jgh@wizmail.org>
Date: Mon, 08 Apr 2019 08:46:15 -0400
X-ASG-Orig-Subj: Re: [dmarc-ietf] Rethinking DMARC for PSDs
Reply-To: fosterd@bayviewphysicians.com
Message-ID: <caf60746797d46078aca66d28e65406f@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="980a5be64a08435a871caae28c83e9ef"
X-Originating-IP: [192.168.73.35]
In-Reply-To: <1d3e6511-b109-8540-af0f-e08d30649d45@wizmail.org>
References: <20190408005045.5EC462011B2BFE@ary.qy> <034c10b67aaf41a7809430c3c3b64c84@bayviewphysicians.com> <1d3e6511-b109-8540-af0f-e08d30649d45@wizmail.org>
X-Exim-Id: caf60746797d46078aca66d28e65406f
X-Barracuda-Connect: smartermail4.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1554727585
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Barracuda-BRTS-Status: 1
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 15259
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/XzrdcdN2I5J_w7rSE35oLFWoZf0>
Subject: Re: [dmarc-ietf] Rethinking DMARC for PSDs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2019 12:46:35 -0000
Your question confirms my core argument: We do not have consensus around email filter requirements because IETF has focused on sender behavior rather than recipient behavior. To the specifics: By "secure email relay", I am referring to Zixmail-type functioinality. It is complex code, generally involving a cloud server (although I would prefer keeping it on an appliance under my control). It is the least bad option for demonstrating regulatory compliance when transmitting sensitive information to an ad-hoc recipient. Most organizations need it. Further discussion on this point probably belongs in the MEDUP discussion. Use Cases I receive hositle mail from "server7.badexample.com". I want to block the IP address because I know it is a bad source. But I also want to blacklist the other servers at this organization, so I want hostname filtering to block *.badexample.com. I actually want to block anything from this organization, so I really want to block this entity anytime it appears in a HELO/EHLO name, a reply-to name, a list header name, a URL field, or a message-id field. But for simplicity in a low-end product that meets my budget, I will settle for IP and ReverseDNS filtering. DMARC has three components: detecting and enforcing sender DMARC policy, collecting feedback information and transmitting it to the sender, and interpreting feedback received for the sender domain. In a low-end product, I am only expecting policy enforcement, not the other two components. From a coding standpoint, it seems only slightly more complex than SPF enforcement or DKIM signature checking. From a regulatory standpoint, it is mandatory. If PayPal and Gmail have gone to the trouble to request DMARC enforcement, and I am devastated by malware because I did not check DMARC information,, then I am guilty of reckless negligence. So yes, DMARC enforcement is essential. Multi-factor whitelisting is needed because whitelisting (give this message high trust because the sender is trustworthy) is only safe if the sender is authenticated (the message really came from the trusted sender). Sender authenticator requires multiple attributes. Example: CompanyA.com uses HostingSevice.com. I want to ensure that messages from CompanyA.com are not blocked based on spam scoring heuristics. Siingle-factor whitelisting says that I can whitelist the sender (and expose myself to atacks from anyone spoofing their domain) or I can whitelist the source server (and expose myself to attacks from any other client domain at HostingService.com). When ReverseDNS is not an option, i have no feasible way to whitelist HostingService.com, because I have no way to know all of their servers and keep the list maintained over time. A related problem is that I should be able to do granular whitelisting, for example to ignore only spam scoring while retaining other tests. Many of the examined products provide all-or-nothing whitelist mechanisms. SPF corrections are a related issue, and multi-factor whitelisting would be a tolerable but inferior tool for handling the problem. What is really needed is a local override mechanism that can be expressed in SPF terms. SPF omissions can include (a) primary domain omitted a server from its list, (b) included domain omitted a server from its list, or (c) an entire domain is omitted from the list. Email filters should provide constructs to handle all three; None of the corrections require whitelisting. I do not necessarily want to guarantee delivery, I just want the SPF sender authentication function to be peerformed on accurate source data. On EXIM in particular: My secondary spam filter is based on EXIM, with a vendor-supplied wrapper and user interface. Because it is secondary, I am protected from some of the products weaknesses. Other system administrators routinely complain that when the message From-Address is there own domain, the message is not blocked. The product does not fitler on message From -Address, and my research into Exim capabilities indicated that the Exim filtering process could not even extract the message From-Address to reference in filtering. The product based on Exim cannot do ReverseDNS filtering. It looked like I might be able to simulate the capability with Exim filter syntax, but I gave up because I could not decipher how the vendor implemented its wrapper. The logging is a summary of all of the chatter between sending and receiving systems. The logs entries need to be assembled to present a single data record about what happened to this message. The vendor's GUI provides a crude approximation of this process,, but the GUI information cannot be exported. I finally wrote a bunch of complex code to turn the log detail into a message data record. The product based on Exim has only two SPF options: Off or Block. When it is off, it does not check or log SPF results. When it is on, it blocks the message so there is no data on which to evaluate false positives. If a false positive is detected despite the difficulties, the product only supports single-factor whitelisting, although it does provide granularity by feature. Since email filtering is a heuristic process,, the message review features are as important as the message filtering features. It should be possible to enable any filtering rule in two modes: without enforcement (learn mode) so that effectiveness and false positives can be evaluated and corrected prospectively, before the policy is enforced. with enforcement (policy mode) with sufficient data collected so that false positives can be detected and corrected retrospectively, after the policy is enforced. Consequently, I stand by the assertion that my feature list is the bare minimum for anything that claims to be a spam filter. It is not a complete list. For example RBL checking is also mandatory, but I have not seen that as an omitted feature, so it was omitted. Nothing in this list requires proprietary databases that only the richest vendors can offer. Doug Foster ---------------------------------------- From: "Jeremy Harris" <jgh@wizmail.org> Sent: Monday, April 8, 2019 7:21 AM To: dmarc@ietf.org Subject: Re: [dmarc-ietf] Rethinking DMARC for PSDs On 08/04/2019 12:02, Douglas E. Foster wrote: > I had only these rudimentary requirements: > [...] A secure-email method for outbound messages with sensitive > content Rudimentary? How secure; what's your threat model? Those two things often don't go together. (I should declare an interest: Exim developer.) -- Jeremy _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Scott Kitterman
- [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs John Levine
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Jeremy Harris
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs John R Levine
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Ken O'Driscoll
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Dotzero
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Kurt Andersen (b)
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Scott Kitterman
- Re: [dmarc-ietf] Rethinking DMARC for PSDs John Levine
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Scott Kitterman
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Murray S. Kucherawy
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Tim Wicinski
- [dmarc-ietf] More rethinking on DMARC for PSDs Alessandro Vesely