Re: [Ietf-dkim] [dmarc-ietf] DKIM-Signature: r=y and MLM

Hector Santos <> Wed, 24 October 2018 23:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 889081294D7 for <>; Wed, 24 Oct 2018 16:20:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b=C7/vyf/h; dkim=pass (1024-bit key) header.b=J4Vlm3Sa
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pCNmRzAcCiIz for <>; Wed, 24 Oct 2018 16:19:58 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 2C170130DE9 for <>; Wed, 24 Oct 2018 16:19:58 -0700 (PDT)
DKIM-Signature: v=1;; s=tms1; a=rsa-sha1; c=simple/relaxed; l=2410; t=1540423193;; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=wCvnWUo4lNMs2PI2QRnf0zO4Ewo=; b=C7/vyf/hd7em6jHli8dKWq4xfJ7Q2ECBN15CiAC5YaoWkbnNDUaO4fXMUUFKt4 efkcTPDWwjvLcqyjhd/PhLLpNP0g2tqogvzVvfTtceE26DfyklwJyJq2Ok5Xko2r FZrfnp0ml2sYyg61I3XAqNIOts7WNwVoS+ChRGRgzE29E=
Received: by (Wildcat! SMTP Router v7.0.454.6) for; Wed, 24 Oct 2018 19:19:53 -0400
Authentication-Results:; dkim=pass header.s=tms1; adsp=none; dmarc=pass policy=reject (atps signer);
Received: from ([]) by (Wildcat! SMTP v7.0.454.6) with ESMTP id 226824577.155996.2252; Wed, 24 Oct 2018 19:19:52 -0400
DKIM-Signature: v=1;; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2410; t=1540423127; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=0HwgVC6 FUsLgSfM3LDkwMgmPbZNv2AIvesA6jbApuIs=; b=J4Vlm3Sak4gIDvNX+w0LH9j bNBFBrZfahA/7kXbRRyBe4X3KIWCNhWZTEl1O8kyGLc0kp2EZaDmDcgKVnqWZXU6 LoLRGyidFfE6cKmcSDg9M5ZgvOEXI1rZhFE9WSb6O22Pb4xgEYAWJmjLbppMO7bL Ui8bULxmmLsS74n7uAH4=
Received: by (Wildcat! SMTP Router v7.0.454.6) for; Wed, 24 Oct 2018 19:18:47 -0400
Received: from [] ([]) by (Wildcat! SMTP v7.0.454.6) with ESMTP id 4263139218.9.218972; Wed, 24 Oct 2018 19:18:46 -0400
Message-ID: <>
Date: Wed, 24 Oct 2018 19:19:51 -0400
From: Hector Santos <>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Kurt Andersen <>
CC:, "" <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [Ietf-dkim] [dmarc-ietf] DKIM-Signature: r=y and MLM
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DKIM List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Oct 2018 23:20:01 -0000

On 10/24/2018 5:18 PM, Kurt Andersen wrote:

> On Mon, Oct 15, 2018 at 7:30 AM Hector Santos
>     What it should do is:
>         1) It should use a 1st party signature using
>            to  match the new author domain
>         2) It should hash bind the X-Original-From header to the
>            signature.  Since DKIM recommends not to bind "X-" headers,
>            a non "X-" header should be used, i.e. "Original-From:".  This
>            means adding the header to the "h=" field to avoid potential
>            mail resend exploits using different unprotected Original-from:
>            fields.
>         3) and finally, the domain should have its own
>            DMARC p=reject policy to effectively replace the one it
>            circumvented with the submission.
> I don't understand why it is necessarily a bad thing to fall back to
> the org domain ( <>) as this example shows.

Because DKIM policy security was lost with the rewrite transaction.

Since the list agent took responsibility by performing a rewrite on a 
protected domain, it is reasonable to assume it could restore the 
protection using its own secured list agent domain.  Without it, it 
leaves a security hole with the unprotected "X-Original-From" which it 
does not hash bind to the new signature.

> I also don't understand how your suggestion would work to handle a
> mixture of restrictive policies (some quarantine, some reject) with a
> single <> record
> unless there is some trick DNS responder magic going on (and that
> won't work well for cached responses anyway).

If I follow your comment, the specific rewrite list agent domain can 
have its own strong p=reject or quarantine.  I don't see that as a 
problem.  It would not matter what the original author domain 
restrictive policy was. It doesn't have to match.

The original domain was protected with a strong policy. The MLM 
rather than reject the submission, ignored the policy and rewrote the 
5322.From. It does this only for p=reject policies. I have not checked 
if it does it for p=quarantine.  The rewrite should be done with a 
strong policy of its own to restore the original submission and author 
domain protection. There should also be a new first party signature 
(aligned).  At a minimum, the distributed message should bind the 
altered header so that replays can be avoided.
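The two properties argued for in this thread, a first-party (aligned) signature from the rewriting list domain and hash binding of the header that carries the original author, can be shown with a small model. The following is an added example, not code from the thread or from any MLM implementation: it implements RFC 6376 relaxed header canonicalization and h= selection, but substitutes an HMAC for the real RSA signature (a stated simplification), and assumes the header is named "Original-From" and that the domains involved are constructed placeholders ending in .example.

```python
"""Toy model of DKIM header binding and DMARC alignment after a From rewrite.

Added example. An HMAC stands in for the RSA signature (assumption: the
binding argument is the same whichever signature primitive is used).
"""
import hashlib
import hmac
import re

# Constructed key standing in for the list agent's private DKIM key.
LIST_KEY = b"constructed-list-agent-key"


def canon_header_relaxed(name, value):
    """RFC 6376 section 3.4.2 relaxed header canonicalization."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse and trim WSP
    return "%s:%s\r\n" % (name.lower(), value)


def signed_header_block(headers, h_tag):
    """Canonicalized header block in h= order.

    Each h= entry consumes the last not-yet-used instance of that header
    (RFC 6376 section 5.4.2).  A header named in h= but absent from the
    message contributes nothing; a header present but not named in h= is
    simply not covered, which is the hole discussed in the thread.
    """
    remaining = list(headers)
    out = []
    for want in h_tag:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == want.lower():
                out.append(canon_header_relaxed(*remaining.pop(i)))
                break
    return "".join(out).encode()


def sign(headers, h_tag, key=LIST_KEY):
    return hmac.new(key, signed_header_block(headers, h_tag), hashlib.sha256).hexdigest()


def verify(headers, h_tag, sig, key=LIST_KEY):
    return hmac.compare_digest(sign(headers, h_tag, key), sig)


def aligned(from_addr, d_tag):
    """DMARC strict alignment: signing domain (d=) equals the 5322.From domain,
    i.e. the rewritten From must be signed by the list domain itself."""
    return from_addr.rsplit("@", 1)[1].lower() == d_tag.lower()


# Constructed message as an MLM would redistribute it after rewriting From
# away from a p=reject author domain and parking the author in Original-From.
REWRITTEN = [
    ("From", "Author via List <list@list.example>"),
    ("Original-From", "Author <author@author-reject.example>"),
    ("To", "ietf-dkim@ietf.example"),
    ("Subject", "Re: r=y and MLM"),
]

H_WEAK = ["From", "To", "Subject"]                      # Original-From unbound
H_STRONG = ["From", "Original-From", "To", "Subject"]   # Original-From bound


def with_original_from(msg, new_value):
    """Return a copy of msg whose Original-From header was replaced in transit."""
    return [(n, new_value if n == "Original-From" else v) for n, v in msg]


def signature_survives_replacement(h_tag):
    """Does the list's signature over h_tag still verify after Original-From
    has been swapped for a different value?  True means the header is unbound."""
    sig = sign(REWRITTEN, h_tag)
    altered = with_original_from(REWRITTEN, "Other <other@someone.example>")
    return verify(altered, h_tag, sig)


if __name__ == "__main__":
    print("unbound Original-From survives replacement:", signature_survives_replacement(H_WEAK))
    print("bound Original-From survives replacement:  ", signature_survives_replacement(H_STRONG))
    print("list signature aligned with rewritten From:", aligned("list@list.example", "list.example"))
```

Run as a script it prints True for the weak h= list (the replaced header goes unnoticed), False once Original-From is in h=, and True for alignment of a d=list.example signature with the rewritten From; signing with d= set to the author's original domain would fail the alignment check, which is why the thread asks for a first-party signature from the rewriting domain rather than a fallback to the original organizational domain.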