IETF Logo Mail Archive

Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?

Alessandro Vesely <vesely@tana.it> Wed, 20 March 2024 12:20 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D359C1516E0 for <dmarc@ietfa.amsl.com>; Wed, 20 Mar 2024 05:20:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UUsTh8e3nF7R for <dmarc@ietfa.amsl.com>; Wed, 20 Mar 2024 05:20:26 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C577CC15108F for <dmarc@ietf.org>; Wed, 20 Mar 2024 05:20:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1710937217; bh=+3JSzOAmb/4K3mQyQiLObStjsYV7GEqdmP3rcrJ8E4k=; h=Date:Subject:To:References:From:In-Reply-To; b=CWSQ6pMKlrmEv1FGRQRlkAyMtoKSgt+GH+9dieblE+0hPlA4iR7+uIwcBNxO+94Pl 8gdpgtPce8/sIHwTX41MWAyYjk/J8ZHszcfwfgQ3KpaL/tN4GS3diE6SGqLqtX2wpB xNkR/zPhTLUms9R2dIMyM9Xns/I5YhjmulJCHC38Nj7FOXUyBGw1Pmcm/H7cm
Original-Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.120] (pcale.tana [172.25.197.120]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC05A.0000000065FAD480.00000457; Wed, 20 Mar 2024 13:20:16 +0100
Message-ID: <c6051522-ed11-44ac-b805-ef8ceb6a050c@tana.it>
Date: Wed, 20 Mar 2024 13:20:16 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US, it-IT
To: dmarc@ietf.org
References: <2068150.yCtiIVWOOC@zini-1880> <97F2B58E-587D-4AC1-AC1B-F4A14EAFDC03@kitterman.com> <1ba8ef82-5c9a-412a-9586-4d84cf5ab416@tana.it> <2259410.iZASKD2KPV@localhost>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <2259410.iZASKD2KPV@localhost>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/fmzDuAtogTwE2pgxKT-OML_LT0w>
Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 12:20:32 -0000

On Tue 19/Mar/2024 12:33:07 +0100 Scott Kitterman wrote:
> On Tuesday, March 19, 2024 5:23:52 AM EDT Alessandro Vesely wrote:
>> On Mon 18/Mar/2024 21:37:02 +0100 Scott Kitterman wrote:
>> > On March 18, 2024 6:40:54 PM UTC, Alessandro Vesely <vesely@tana.it> wrote:
>>>>On Mon 18/Mar/2024 09:14:26 +0100 Dotzero wrote:
>>>>> On Mon, Mar 18, 2024 at 2:38 AM John R Levine <johnl@taugh.com> wrote:
>>>>>> On Sun, 17 Mar 2024, Dotzero wrote:
>>>>>>>> Whenever mail is sent, there is a risk that an overly permissive source
>>>>>>>> may send mail which will receive a DMARC pass result that was not, in
>>>>>>>> fact, authorized by the Domain Owner. These false positives may lead
>>>>>>>> to issues when systems interpret DMARC pass results to indicate
>>>>>>>> a message is in some way authentic. They also allow such unauthorized
>>>>>>>> senders to evade the Domain Owner's requested message handling for
>>>>>>>> authentication failures.
>>>>>>> 
>>>>>>> I have a problem with this 2nd paragraph and believe it is factually 
>>>>>>> incorrect. The Domain Owner has in fact authorized the message(s) as 
>>>>>>> a result of an overly permissive approach. I would suggest that in 
>>>>>>> fact any resulting DMARC pass is technically NOT a false positive 
>>>>>>> because it is authorized by the overly permissive approach.
>>>>>>
>>>>>> Seems to me we it depends on what you think "authorized" means.  My 
>>>>>> sense is I told you it's OK to send the message, yours seme to be that 
>>>>>> any host on an IP in the SPF record or anyone who steals your DKIM key 
>>>>>> is authorized by definition.
>>>>>>
>>>>>> Is there some other wording that can make the difference clear?
>>>>>
>>>>> Here's a quick stab at some modified wording for the second paragraph:
>>>>>
>>>>> Whenever mail is sent, there is a risk that an overly permissive source
>>>>> may send mail which will receive a DMARC pass result that was not, in
>>>>> fact, intended by the Domain Owner. These results may lead
>>>>> to issues when systems interpret DMARC pass results to indicate
>>>>> a message is in some way authentic. They also allow such unauthorized
>>>>> senders to evade the Domain Owner's intended message handling for
>>>>> authentication failures.
>>>>
>>>>That's better.  At least it's formally correct.  Still, it is rather 
>>>>obscure for an average reader.
>>>>
>>>>The attempt to make this issue general, in the sense that it is valid for 
>>>>SPF and DKIM alike, makes no sense.  Stealing a DKIM key is not 
>>>>comparable to an overly permissive SPF record.
>>>>
>>>>The text should be terser and clearer, possibly with an example.
>>>>
>>> No one said anything about stealing a DKIM key.
>>
>> "anyone who steals your DKIM key is authorized by definition"
>> https://mailarchive.ietf.org/arch/msg/dmarc/h_ytb51KHHkQTyCMfGMs9NPXmQo
>
> OK.  That's not what I described.  Here's a more detailed exposition.
>
> Let's take a case where a provider sends mail on behalf of multiple customers, 
> for whatever reason.  Customer A uses example.biz and customer B uses 
> example.com.
>
> When the provider receives an email for transmission on behalf of a customer 
> it has to determine if it should send it or not, so it has controls in place.
>
> First, it determines if the mail was submitted by a customer and in our 
> example it is, but it is Customer A sending the message, but the 5322.From in 
> the message is in example.com.  At this point a well managed provider would 
> exercise another control and determine that while Customer A is a customer and 
> example.com is a domain for which they send mail, Customer A is not authorized 
> to use example.com and decline to send the mail.
>
> In the cases people have described seeing, the provider does not have such a 
> control and sends the mail.  Since Customer B has listed the provider's MTAs 
> in their SPF record, if the provider sends the mail, it passes SPF (and 
> DMARC), which is bad.
>
> Let's take that a step further:
>
> Customer B, realizing that this provider is not so well ordered uses the "?" 
> qualifier in example.com's SPF record, so the mail doesn't pass SPF (and DMARC) 
> any more.  This is great, except:
>
> Let's look at the case where this provider also does DKIM signing for their 
> customer's mail and have arranged to have secret keys for signing mail for 
> both example.biz and example.com and both Customer A and Customer B have 
> published DKIM key records in DNS for their domains.


Is this a common pattern?


> So, again, Customer A is sending mail through the provider with 5322.From of 
> example.com.  We've already established that the provider does not have a 
> control in place to prevent this.  The provider has an appropriate secret key 
> available to sign the mail (no one stole anything).  If the provider signs the 
> mail and sends it, it has a valid signature and passes DKIM (and DMARC), which 
> is bad.


How does the provider sign?

* apply multiple signatures, one for each key it has,
* match the From: domain, or
* match the SMTP AUTH domain?

Does the provider generate their own keys and have clients put a CNAME?


> This is all about internal controls that appear to be missing on an 
> unfortunately common basis.  The SPF part of the above is pretty simple and is 
> a problem today for domains that haven't bothered with DKIM because it's "too 
> hard".  Once they do bother with DKIM, then I don't see any reason to believe 
> that you won't see the DKIM part of this as well.  It's a foreseeable result 
> of using providers without appropriate internal controls.


Again, if we want to cover DKIM, we should be clearer about the mechanism used, 
consider the risk, perhaps citing Section 8.3 of DKIM.  Folding both subject 
under a common frame forces the text to be overly general, and thus less 
comprehensible.


Best
Ale
--

v2.23.0 | Report a Bug | By Email