Re: [dmarc-ietf] Mandatory Sender Authentication
Hector Santos <hsantos@isdg.net> Mon, 03 June 2019 20:04 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39E9A12087D for <dmarc@ietfa.amsl.com>; Mon, 3 Jun 2019 13:04:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=Fd9JuUdP; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=b4kuIKTQ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wlMg9g1oN2SX for <dmarc@ietfa.amsl.com>; Mon, 3 Jun 2019 13:04:16 -0700 (PDT)
Received: from mail.winserver.com (pop3.winserver.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id D0BD412088D for <dmarc@ietf.org>; Mon, 3 Jun 2019 13:04:15 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4695; t=1559592251; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=YNHXzocfVEayZ1T81vbILjhPW08=; b=Fd9JuUdPv5B0r5/cKGnHpT91RFXEab1XXEtCMhNka6YPAMgoQIEC2fjPXzaCCL 5wqM2VmQNM9wgQGtRwvkW6ERRCqqvLthhSo2jYKhWnkIrJV6w3H+X+h6LRscu9tJ Y3DLA3V34mwluoNtHf8naJNL3CZrgS0JnghspO26DVypE=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Mon, 03 Jun 2019 16:04:11 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 384699137.94763.3200; Mon, 03 Jun 2019 16:04:11 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4695; t=1559592070; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=b2RkFzA NwbYA/mtllQQ9hO/p18ZRsOvdjU2aEGbPqRc=; b=b4kuIKTQLv/Yuu8cMpOBoj3 VWbJ0j2B37BZoTrnN0NhSTtgqQPjhQmsVOsdy+TDEG94ZfNgLTXNxCGiDfKQ0zS+ K0Fnbv0fhNadvxQF30gDbvPXAD/Zrw8rSZ2wQZotSGc0vovbX+4S/5wE6X44+1ym wFdL+YTBZouVbd/FJY8A=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Mon, 03 Jun 2019 16:01:10 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 1956926113.9.290564; Mon, 03 Jun 2019 16:01:10 -0400
Message-ID: <5CF57D3A.1090406@isdg.net>
Date: Mon, 03 Jun 2019 16:04:10 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <20190603142956.66B31120252@ietfa.amsl.com>
In-Reply-To: <20190603142956.66B31120252@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/fu8cHnokCY7ggDi7F6aAHQAfl2M>
Subject: Re: [dmarc-ietf] Mandatory Sender Authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jun 2019 20:04:24 -0000
On 6/3/2019 10:29 AM, Douglas E. Foster wrote: > So Sender Authentication needs to become mandatory: > > * Senders MUST implement SPF or DKIM, and SHOULD implement both. > Although the MX list becomes a default SPF list for those who do > not publiish a policy. > * MTAs MUST ensure that DKIM signatures remain verifiable. If they > are unwilling or uinable to do so, they should reject the message > with a PermError. > * Forwarders MUST either forward with breaking DKIM signatures, > rewrite messages under their own identity, refuse the message, or > discard the message as spam. > * IETF MUST provide a way for intermediate systems (both spam > filters and list fowarders) to insert content under their own > signature, without breaking original signatures. This will have > implications for MUAs.. > > Sure it will be hard, but has this not been what you have been trying > to achieve for 15 years? SPF and DKIM provided the enabling > technology, but they were deployed as sender options. Hi Douglas, It's ideal, but not the SMTP realities. - In certain areas, some things are already "mandatory" depending on the business, for example, a Bank may be required by their auditor to use SPF Hard Fail -ALL policy in the same way a bank must be PCI compliant via the web which basically means SSL, session management and other security-related requirements. - You can't enforce anything beyond legacy RFC821/5321 transactions under Port 25 SMTP operations. You can only raise the email bar with NON-PORT 25 operations like when using the Message Submission protocol (RFC6409) which is port 587. For example, the Extended SMTP (ESMTP) AUTH protocol is not required under Port 25. It is optional to implement and optional to use by the client. Under Port 587, ESMTP AUTH is a requirement among other things the receiver can enforce which are not required under port 25 operations. - We can not have a mandate for DKIM POLICY because there is no official IETF standard here and even if there was, it would not be enforcible under Port 25. That's not the same as a domain having a restrictive policy, it fails and the receiver honors and rejects the mail. The Receiver can not enforce the sender to have a DKIM or any sort of policy above and beyond legacy SMTP port 25 operations. It can not reject a message on the basis the sender does not have SPF or DKIM or DMARC. - Keep in mind, SPF Hard Failures are generally good enough and can be mutually exclusive of a restrictive DKIM Policy. For example, I just did some emailing with a bank which uses SPF -ALL (Hard Fail) but has no DKIM signature nor DMARC policy. For exclusive high value domains, an SPF -ALL is often good enough. Even if it had a DKIM/DMARC p=reject policy, how will that change a -ALL failure? Why would a bank override a SPF -ALL failure with with DMARC (or ARC) and raise the fussiness of the transaction? I am sure there is possible a scenario where a SPF -ALL defined IP is doing something different with the PAYLOAD and could fail a DKIM signature. But the reason you may see a domain with SPF -ALL and not DKIM is because it is good enough. - Without port 25 operations, we would no longer be able to receive unsolicited messages from anyone, good or bad which is the blessing and the curse of standard SMTP port 25 operations. The general rule of thumb for SMTP has been that for unsolicited mail from "unknown" addresses, authenticated and/or authorization is not required when targeting a local recipient or locally hosted domain. But for relaying mail (receiving a message to be routed, relayed to a remote target), some level of authentication is required and in the history of SMTP, that has been: - Having some form of an "Allow IP Relay" database/table. Your network provider saves the connection IP in a table allowing for relay. But as the roaming user problem began where the client's IP can change, an early method called POP B4 SMTP was common. - POP b4 SMTP worked on the basis a MUA will generally pop first before sending email and this allowed a small temporary "Allow IP" window for the SMTP client to send mail. So the POP3 client connected to a host, the IP was saved while any new mail was picked up. If the MUA had mail to send out, the client IP would be known by the SMTP receiver and allow the client to relay mail. This was a god-send for tech support before ESMTP AUTH came along and becamewide spread: - ESMTP AUTH allows a way to login with ID and Password from anywhere. No IP required. Since ESMTP AUTH is an extension for PORT 25, it is not requirement. -- HLS
- [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication Seth Blank
- Re: [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication John R. Levine
- Re: [dmarc-ietf] Mandatory Sender Authentication Hector Santos
- Re: [dmarc-ietf] Mandatory Sender Authentication Dave Crocker
- Re: [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication Dotzero
- Re: [dmarc-ietf] Mandatory Sender Authentication Dave Crocker
- [dmarc-ietf] Display address, was Mandatory Sende… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Dave Crocker
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Дилян Палаузов
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Dave Crocker
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Stan Kalisch
- Re: [dmarc-ietf] Display address, was Mandatory S… Dotzero
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Kurt Andersen (b)
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely