Re: [dmarc-ietf] [Ietf-dkim] DKIM-Signature: r=y and MLM
Hector Santos <hsantos@isdg.net> Wed, 24 October 2018 23:20 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACEDD129BBF for <dmarc@ietfa.amsl.com>; Wed, 24 Oct 2018 16:20:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=F9cn04dj; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=R/xKHZZo
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xfw7PunzE7KE for <dmarc@ietfa.amsl.com>; Wed, 24 Oct 2018 16:19:58 -0700 (PDT)
Received: from ntbbs.winserver.com (ntbbs.santronics.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 2ABE912F1A5 for <dmarc@ietf.org>; Wed, 24 Oct 2018 16:19:58 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=2410; t=1540423193; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=wCvnWUo4lNMs2PI2QRnf0zO4Ewo=; b=F9cn04djceltOD4G7eqOq9Crh4GLZkRStAN+ckHNioqbihjUDZPv9bsBLawoCe vJ8FWON+/QMb5u4Smbu6oCVIMEmziAgrM2zUK5R3+xO37sdEz9W58rOROuI4ykQT Dw3d0bOmwYYhrwHz/vMrbcunX6j+U/RT0RkSiI9bzHn1o=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.6) for dmarc@ietf.org; Wed, 24 Oct 2018 19:19:53 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=none author.d=isdg.net signer.d=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 226824686.155996.5496; Wed, 24 Oct 2018 19:19:52 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2410; t=1540423127; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=0HwgVC6 FUsLgSfM3LDkwMgmPbZNv2AIvesA6jbApuIs=; b=R/xKHZZowFfdFh9W8/w/oFn BTsKzQjvUnx1JTI+fvS8pw/fdIz0pk56mKzwZL4pCTlWZHWrfrw1k41mO+DqHVzu yYEt0RwrlIMYvNZm/48pLhHRExeXGm5x+SZf4O6nDAGut2Fvn34C0MIZkh9M8/Y5 FnGmCjstXM4ocXDlaE14=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.6) for dmarc@ietf.org; Wed, 24 Oct 2018 19:18:47 -0400
Received: from [192.168.1.68] ([99.121.5.8]) by beta.winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 4263139218.9.218972; Wed, 24 Oct 2018 19:18:46 -0400
Message-ID: <5BD0FE17.5090300@isdg.net>
Date: Wed, 24 Oct 2018 19:19:51 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Kurt Andersen <kurta@drkurt.com>
CC: ietf-dkim@ietf.org, "dmarc@ietf.org" <dmarc@ietf.org>
References: <20180811033840.Horde.i6llD-AtvgzyNIjbhTs-nkS@webmail.aegee.org> <98aff90a-2198-854f-f1e6-85fd704cb7d1@tana.it> <20180817214834.Horde.DNYi60aPTo_sOKr7o3ilPra@webmail.aegee.org> <2c60b8bf-fec7-3a72-4bcc-3f2416e6f8b1@tana.it> <20180820193206.Horde.U24zQJh_TH-uC-4hxrcs2fw@webmail.aegee.org> <6e31890d3b63091a1d731fd70c2bfc217dc4f45b.camel@aegee.org> <5BC4A48C.3080302@isdg.net> <CABuGu1rq5pxfZKbJiHHufHwfBmB0a1Gwb0bjLNZwJkOGmdsHuw@mail.gmail.com>
In-Reply-To: <CABuGu1rq5pxfZKbJiHHufHwfBmB0a1Gwb0bjLNZwJkOGmdsHuw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/fEk4SCQnMPsnUAlbFcAuQN11TEI>
Subject: Re: [dmarc-ietf] [Ietf-dkim] DKIM-Signature: r=y and MLM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 23:20:01 -0000
On 10/24/2018 5:18 PM, Kurt Andersen wrote:
> On Mon, Oct 15, 2018 at 7:30 AM Hector Santos
>
> What it should do is:
>
> 1) It should use a 1st party signature using d=dmarc.ietf.org
> to match the new author domain dmarc.ietf.org
>
> 2) It should hash bind the X-Original-From header to the
> signature. Since DKIM recommends not to bind "X-" headers,
> a non "X-" header should be used, i.e. "Original-From:". This
> means adding the header to the 'h=' field to avoid potential
> mail resend exploits using different unprotected Original-From:
> fields.
>
> 3) and finally, the dmarc.ietf.org domain should have its own
> DMARC p=reject policy to effectively replace the one it
> circumvented with the submission.
>
> I don't understand why it is necessarily a bad thing to fall back to
> the org domain (ietf.org) as this example shows.

Because DKIM policy security was lost with the rewrite transaction. Since the list agent took responsibility by performing a rewrite on a protected domain, it is reasonable to assume it could restore the protection using its own secured list agent domain. Without it, it leaves a security hole with the unprotected "X-Original-From" which it does not hash bind to the new signature.

> I also don't understand how your suggestion would work to handle a
> mixture of restrictive policies (some quarantine, some reject) with a
> single _dmarc.dmarc.ietf.org record
> unless there is some trick DNS responder magic going on (and that
> won't work well for cached responses anyway).

If I follow your comment, the specific rewrite list agent domain can have its own strong p=reject or quarantine. I don't see that as a problem. It would not matter what the original author domain restrictive policy was. It doesn't have to match. The original domain was protected with a strong policy. The MLM, rather than reject the submission, ignored the policy and rewrote the 5322.From.

It does this only for p=reject policies. I have not checked if it does it for p=quarantine. The rewrite should be done with a strong policy of its own to restore the original submission and author domain protection. There should also be a new first party signature (aligned). At a minimum, the distributed message should bind the altered header so that replays can be avoided.

--
HLS
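The mechanism discussed in the message above, as an added example that is not part of this thread or of any list software: a compact model of a mailing list manager signing a message whose From: it has rewritten. It assumes the rewritten From domain dmarc.ietf.org, a constructed selector "mlm", the non-"X-" header name Original-From proposed in the thread, and stands in an HMAC for the RSA signature so it runs without a crypto library; header canonicalization follows the relaxed algorithm of RFC 6376 over the fields listed in h=. It shows that a signature whose d= matches the new From domain is aligned, that the intact message verifies, and that an altered Original-From is only detected when that header is listed in h=.

```python
import hashlib
import hmac
import re

# Constructed sample: a message as it leaves an MLM that rewrote From: and
# moved the original author into Original-From: (header name per the thread).
SAMPLE_HEADERS = [
    ("From", "Hector Santos via dmarc <dmarc@dmarc.ietf.org>"),
    ("Original-From", "Hector Santos <hsantos@isdg.net>"),
    ("To", "dmarc@ietf.org"),
    ("Subject", "Re: DKIM-Signature: r=y and MLM"),
    ("Date", "Wed, 24 Oct 2018 19:19:51 -0400"),
]
SAMPLE_BODY = "The MLM rewrote 5322.From and kept the author in Original-From.\r\n"

# Constructed stand-in key: real DKIM uses the RSA private key published for d=/s=.
SIGNING_KEY = b"constructed-demo-key"


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed header canonicalization."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"


def simple_body_hash(body):
    """RFC 6376 section 3.4.3 simple body canonicalization, hex digest for readability."""
    body = body.rstrip("\r\n") + "\r\n"
    return hashlib.sha256(body.encode()).hexdigest()


def select_headers(headers, h_list):
    """Pick header fields in h= order, taking the last instance of each name."""
    out, remaining = [], list(headers)
    for name in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                out.append(remaining.pop(i))
                break
    return out


def parse_tags(value):
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)


def signed_data(headers, sig_value_without_b, h_list):
    # The DKIM-Signature field itself is included with an empty b= value.
    data = "".join(relaxed_header(n, v) for n, v in select_headers(headers, h_list))
    return data + relaxed_header("DKIM-Signature", sig_value_without_b).rstrip("\r\n")


def sign(headers, body, domain, selector, h_list, key=SIGNING_KEY):
    """Produce a DKIM-Signature-like field; a=hmac-sha256 is a stand-in for rsa-sha256."""
    sig = (f"v=1; a=hmac-sha256; c=relaxed/simple; d={domain}; s={selector}; "
           f"h={':'.join(h_list)}; bh={simple_body_hash(body)}; b=")
    b = hmac.new(key, signed_data(headers, sig, h_list).encode(), hashlib.sha256).hexdigest()
    return ("DKIM-Signature", sig + b)


def verify(headers, body, sig, key=SIGNING_KEY):
    tags = parse_tags(sig[1])
    if simple_body_hash(body) != tags["bh"]:
        return False
    without_b = sig[1][: sig[1].rfind("b=") + 2]
    expected = hmac.new(key, signed_data(headers, without_b, tags["h"].split(":")).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tags["b"])


def from_domain(headers):
    for n, v in headers:
        if n.lower() == "from":
            m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", v)
            return m.group(1).lower() if m else None
    return None


def is_aligned(headers, sig):
    """Strict DMARC alignment: signature d= equals the 5322.From domain."""
    return parse_tags(sig[1])["d"].lower() == from_domain(headers)


def demo():
    """The scenario from the thread: sign with and without Original-From in h=,
    then check a copy whose Original-From was altered after signing."""
    h_unbound = ["From", "To", "Subject", "Date"]
    h_bound = h_unbound + ["Original-From"]
    sig_unbound = sign(SAMPLE_HEADERS, SAMPLE_BODY, "dmarc.ietf.org", "mlm", h_unbound)
    sig_bound = sign(SAMPLE_HEADERS, SAMPLE_BODY, "dmarc.ietf.org", "mlm", h_bound)
    altered = [(n, "Someone Else <other@example.com>") if n == "Original-From" else (n, v)
               for n, v in SAMPLE_HEADERS]
    return {
        "aligned": is_aligned(SAMPLE_HEADERS, sig_bound),
        "intact_verifies": verify(SAMPLE_HEADERS, SAMPLE_BODY, sig_bound),
        "altered_passes_when_unbound": verify(altered, SAMPLE_BODY, sig_unbound),
        "altered_fails_when_bound": not verify(altered, SAMPLE_BODY, sig_bound),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last two results are the point of the thread: with Original-From left out of h=, the list's signature still verifies on a copy whose Original-From was changed, so a receiver cannot trust that header; adding it to h= makes the same change a verification failure.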