Re: [Ietf-dkim] [dmarc-ietf] DKIM-Signature: r=y and MLM

Hector Santos <hsantos@isdg.net> Wed, 24 October 2018 23:20 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 889081294D7 for <ietf-dkim@ietfa.amsl.com>; Wed, 24 Oct 2018 16:20:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=C7/vyf/h; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=J4Vlm3Sa
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pCNmRzAcCiIz for <ietf-dkim@ietfa.amsl.com>; Wed, 24 Oct 2018 16:19:58 -0700 (PDT)
Received: from ntbbs.winserver.com (listserv.winserver.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 2C170130DE9 for <ietf-dkim@ietf.org>; Wed, 24 Oct 2018 16:19:58 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=2410; t=1540423193; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=wCvnWUo4lNMs2PI2QRnf0zO4Ewo=; b=C7/vyf/hd7em6jHli8dKWq4xfJ7Q2ECBN15CiAC5YaoWkbnNDUaO4fXMUUFKt4 efkcTPDWwjvLcqyjhd/PhLLpNP0g2tqogvzVvfTtceE26DfyklwJyJq2Ok5Xko2r FZrfnp0ml2sYyg61I3XAqNIOts7WNwVoS+ChRGRgzE29E=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.6) for ietf-dkim@ietf.org; Wed, 24 Oct 2018 19:19:53 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=none author.d=isdg.net signer.d=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 226824577.155996.2252; Wed, 24 Oct 2018 19:19:52 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2410; t=1540423127; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=0HwgVC6 FUsLgSfM3LDkwMgmPbZNv2AIvesA6jbApuIs=; b=J4Vlm3Sak4gIDvNX+w0LH9j bNBFBrZfahA/7kXbRRyBe4X3KIWCNhWZTEl1O8kyGLc0kp2EZaDmDcgKVnqWZXU6 LoLRGyidFfE6cKmcSDg9M5ZgvOEXI1rZhFE9WSb6O22Pb4xgEYAWJmjLbppMO7bL Ui8bULxmmLsS74n7uAH4=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.6) for ietf-dkim@ietf.org; Wed, 24 Oct 2018 19:18:47 -0400
Received: from [192.168.1.68] ([99.121.5.8]) by beta.winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 4263139218.9.218972; Wed, 24 Oct 2018 19:18:46 -0400
Message-ID: <5BD0FE17.5090300@isdg.net>
Date: Wed, 24 Oct 2018 19:19:51 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Kurt Andersen <kurta@drkurt.com>
CC: ietf-dkim@ietf.org, "dmarc@ietf.org" <dmarc@ietf.org>
References: <20180811033840.Horde.i6llD-AtvgzyNIjbhTs-nkS@webmail.aegee.org> <98aff90a-2198-854f-f1e6-85fd704cb7d1@tana.it> <20180817214834.Horde.DNYi60aPTo_sOKr7o3ilPra@webmail.aegee.org> <2c60b8bf-fec7-3a72-4bcc-3f2416e6f8b1@tana.it> <20180820193206.Horde.U24zQJh_TH-uC-4hxrcs2fw@webmail.aegee.org> <6e31890d3b63091a1d731fd70c2bfc217dc4f45b.camel@aegee.org> <5BC4A48C.3080302@isdg.net> <CABuGu1rq5pxfZKbJiHHufHwfBmB0a1Gwb0bjLNZwJkOGmdsHuw@mail.gmail.com>
In-Reply-To: <CABuGu1rq5pxfZKbJiHHufHwfBmB0a1Gwb0bjLNZwJkOGmdsHuw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/VnFGLLge7GKVJPjm2RbEWauR2wc>
Subject: Re: [Ietf-dkim] [dmarc-ietf] DKIM-Signature: r=y and MLM
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 23:20:01 -0000

On 10/24/2018 5:18 PM, Kurt Andersen wrote:

> On Mon, Oct 15, 2018 at 7:30 AM Hector Santos
>
>     What it should do is:
>
>         1) It should use a 1st party signature using d=dmarc.ietf.org
>            to  match the new author domain dmarc.ietf.org
>
>         2) It should has hash bind the X-Original-From header to the
>            signature.  Since DKIM recommends not to bind "X-" headers,
>            a non "X-" header should be used, i.e. "Original-From:".  This
>            means adding the header to the 'h=" field to avoid potential
>            mail resend exploits using different unprotected Original-from:
>            fields.
>
>         3) and finally, the dmarc.ietf.org domain should have its own
>            DMARC p=reject policy to effectively replace the one it
>            circumvented with the submission.
>
> I don't understand why it is necessarily a bad thing to fall back to
> the org domain (ietf.org <http://ietf.org>) as this example shows.

Because DKIM policy security was lost with the rewrite transaction.

Since the list agent took responsibility by performing a rewrite on a 
protected domain, it is reasonable to assume it would can restore the 
protection using its own secured list agent domain.  Without it, it 
leaves a security hole with the unprotected "X-Original-From" which it 
does not hash bind to the new signature.

> I also don't understand how your suggestion would work to handle a
> mixture of restrictive policies (some quarantine, some reject) with a
> single _dmarc.dmarc.ietf.org <http://dmarc.dmarc.ietf.org> record
> unless there is some trick DNS responder magic going on (and that
> won't work well for cached responses anyway).

If I follow your comment, the specific rewrite list agent domain can 
have its own strong p=reject or quarantine.  I don't see that as a 
problem.  It would not matter what the original author domain 
restrictive policy was. It doesn't have to match.

The original domain was protected with a strong  policy. The MLM 
rather than reject the submission, ignored the policy and rewrote the 
5322.From. It does this only for p=reject policies. I have not check 
if it does it for p=quarantine.   The rewrite should be done with a 
strong policy of its own to restore the original submission and author 
domain protection. The should also be a new first party signature 
(aligned).  At a minimum, the distributed message should bind the the 
altered header so that replays can be avoided.

-- 
HLS