Re: [ietf-dkim] [dmarc-ietf] a slightly less kludge alternative to draft-kucherawy-dmarc-rcpts

Michael Storz <Michael.Storz@lrz.de> Tue, 22 November 2016 16:38 UTC

Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F278129606 for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Tue, 22 Nov 2016 08:38:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.791
X-Spam-Level:
X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=lrz.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DFqcPEu1YPA4 for <ietfarch-ietf-dkim-archive@ietfa.amsl.com>; Tue, 22 Nov 2016 08:38:54 -0800 (PST)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A06C5129509 for <ietf-dkim-archive@ietf.org>; Tue, 22 Nov 2016 08:38:54 -0800 (PST)
Received: from simon.songbird.com (simon.songbird.com [127.0.0.1]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id uAMGd7Lf016931; Tue, 22 Nov 2016 08:39:08 -0800
Authentication-Results: simon.songbird.com; dkim=fail reason="verification failed; unprotected key" header.d=lrz.de header.i=@lrz.de header.b=gAak8aBF; dkim-adsp=none (unprotected policy); dkim-atps=neutral
Received: from postout2.mail.lrz.de (postout2.mail.lrz.de [129.187.255.138]) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id uAMGd3LA016917 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <ietf-dkim@mipassoc.org>; Tue, 22 Nov 2016 08:39:05 -0800
Received: from lxmhs52.srv.lrz.de (localhost [127.0.0.1]) by postout2.mail.lrz.de (Postfix) with ESMTP id 3tNWNr3y43zyRb for <ietf-dkim@mipassoc.org>; Tue, 22 Nov 2016 17:38:04 +0100 (CET)
Authentication-Results: postout.lrz.de (amavisd-new); dkim=pass (2048-bit key) reason="pass (just generated, assumed good)" header.d=lrz.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lrz.de; h= user-agent:message-id:references:in-reply-to:subject:subject :from:from:date:date:content-transfer-encoding:content-type :content-type:mime-version:received:received:received; s= postout; t=1479832684; bh=2h1PpjFY2xVeC4IRDhZN16nkydmCBBT2fdP5Xd UzkpA=; b=gAak8aBFAcqog6JdQopaLx1uhvo8F8SQWXjPu5b7FSokbO7lQ1TTKL X5ssua8KsehL0xMByXnMs8e4ugbCiyXRYNSz4lo4Zq6XwveB5oUPK75GSMgsn6P0 Lu+DI9yQNJBF7X8LqbZME5hgUH5D9hu+cM5VLDdnX+3GsQkBgLnuUHGel8jN0EPx WoKsZrk7ih5IijYjxPNCuTo9h8AUNEk8bG9kadTQn2ck5jb3wTtshqu8b7wR6Brv OsmJRSTLxEObB2bMGLtv0to8U555/BW7xBLa3NF+TsyexulcCMfxFr0xQ0Qxy+wr cDfHKEZdTTvY7saDYEIyKzb5Iaa3Akvw==
X-Virus-Scanned: by amavisd-new at lrz.de in lxmhs52.srv.lrz.de
Received: from postout2.mail.lrz.de ([127.0.0.1]) by lxmhs52.srv.lrz.de (lxmhs52.srv.lrz.de [127.0.0.1]) (amavisd-new, port 20024) with LMTP id nkQ9mEM-7vJL for <ietf-dkim@mipassoc.org>; Tue, 22 Nov 2016 17:38:04 +0100 (CET)
Received: from roundcube.lrz.de (roundcube.lrz.de [IPv6:2001:4ca0:0:103::81bb:ff93]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by postout2.mail.lrz.de (Postfix) with ESMTPSA id 3tNWNr0V23zyRQ for <ietf-dkim@mipassoc.org>; Tue, 22 Nov 2016 17:38:04 +0100 (CET)
Received: from 2001:4ca0:0:f000:e18f:9aec:57b:6ef9 by roundcube.lrz.de with HTTP (HTTP/1.1 POST); Tue, 22 Nov 2016 17:38:03 +0100
MIME-Version: 1.0
Date: Tue, 22 Nov 2016 17:38:03 +0100
From: Michael Storz <Michael.Storz@lrz.de>
To: ietf-dkim <ietf-dkim@mipassoc.org>
In-Reply-To: <CABa8R6ut_+PNm3xhSu7wQF4bEv_fN3EZESZZYWLaj=A7RECruQ@mail.gmail.com>
References: <alpine.OSX.2.11.1611142158000.21738@ary.local> <01Q7ASDZFS6C011WUX@mauve.mrochek.com> <CAL0qLwazAg2UJvGAr+nx8R_xEbc4xV0ttPEWFKUD69u6xXaMhA@mail.gmail.com> <CAL0qLwaMzy=qeW5XYZ_txPaiYE27Oof+C5V1uRANvv-_cayOcQ@mail.gmail.com> <CY1PR00MB0107389F8FE73F140849A19996BE0@CY1PR00MB0107.namprd00.prod.outlook.com> <2736ea21-69e6-83b1-3b59-377c032290b5@dcrocker.net> <CY1PR00MB01072F4EB32969888104C45196BE0@CY1PR00MB0107.namprd00.prod.outlook.com> <CAL0qLwbdNVwT-xiCmxyhSqKcp4-hCA1COHKh0wdYrYEekzZ=XA@mail.gmail.com> <3009defcc6dc9043823618dbc338460d@xmail.mwn.de> <CAL0qLwbvqABZGsm2Hp20y8wgvQTKvPn+EBKiS37eMrp+9NemjA@mail.gmail.com> <da2e49df90980fe460d1effd7734ef42@xmail.mwn.de> <CAL0qLwbA6Vjqpi5hGOtbpLV9FwgDO3VVA=Q5GgAU9F0qOsQCNQ@mail.gmail.com> <63a2bfc52a81eb569a0af5e1699390d9@xmail.mwn.de> <CAL0qLwZ42=GFDRm7H0qQ_7bczY8CPQaEuSUfgFEbO_Y5+5YvqA@mail.gmail.com> <CABa8R6ut_+PNm3xhSu7wQF4bEv_fN3EZESZZYWLaj=A7RECruQ@mail.gmail.com>
Message-ID: <fb677c92a147acad60539f9301196aaf@xmail.mwn.de>
X-Sender: Michael.Storz@lrz.de
User-Agent: Roundcube Webmail/1.2.0
Subject: Re: [ietf-dkim] [dmarc-ietf] a slightly less kludge alternative to draft-kucherawy-dmarc-rcpts
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim/>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: ietf-dkim-bounces@mipassoc.org
Sender: ietf-dkim <ietf-dkim-bounces@mipassoc.org>

On 2016-11-22 03:15, Brandon Long wrote:
> Also realize that this isn't "Gmail shouldn't sign spam", it's
> everyone who normally has a good reputation needs to not sign spam,
> this is a way to steal reputation from any service allowing you to
> choose your own message, and can be used against any mail receiver.
> 
> That said, I think this proposal mostly duplicates spf with some small
> benefit, but one can combine the spf and dkim signals to try to combat
> this issue without introducing a new standard.  Forwarding will take
> the worst hit in false positives, but things like arc may help with
> that issue separately.
> 
> Brandon

The lesson I learned from discussing this draft is:

If you want to DKIM sign your messages you should either

- publish an SPF record (SPF becomes mandatory) or
- include the discussed extension (in this case it looks like SPF is not 
needed anymore; SPF is optional)

and if a message leaves your ADMD, you have to either

- DKIM sign it, if it originates from your ADMD or
- ARC sign it, if it is relayed through your ADMD (recipient has 
changed)

It is not enough to use ARC only in the case where the message content has 
changed. It looks like only then can a replay attack be detected or 
mitigated.

Regards,
Michael
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
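An added illustration of the replay problem the thread is about, and of the "combine the SPF and DKIM signals" receiver policy Brandon describes. This is example code written for this archive page, not code from the draft, from Gmail or from any list participant. To run offline it uses HMAC-SHA256 with a per-domain secret as a stand-in for the d= domain's RSA key pair, a constructed table of client IPs in place of a DNS SPF lookup, and a constructed boolean in place of real ARC chain validation; the domains, IPs and message are all made up. The draft's own recipient-binding extension is not implemented. What the code shows is that the DKIM signature covers signed headers and the body only, so the same bytes verify unchanged when re-injected with a different MAIL FROM, RCPT TO and client IP; SPF on the envelope, aligned with d=, is what separates the signer's own delivery from a replay, and an intact ARC chain is what keeps a legitimate forward from being treated as one.

```python
import base64
import hashlib
import hmac
import re

CRLF = "\r\n"

# Constructed stand-ins (not real DKIM/SPF data): an HMAC secret replaces the
# signing domain's RSA key pair, and a table of authorized client IPs replaces
# the DNS SPF record lookup. Real DKIM uses rsa-sha256 or ed25519-sha256.
SIGNING_SECRETS = {"example.com": b"constructed-example-secret"}
SPF_AUTHORIZED = {"example.com": {"192.0.2.10"}, "example.net": {"198.51.100.7"}}


def relaxed_header(name, value):
    """RFC 6376 'relaxed' header canonicalization: lowercase the name, unfold,
    collapse whitespace runs to one space, strip leading/trailing whitespace."""
    value = re.sub(r"\s+", " ", value.replace(CRLF, " ")).strip()
    return f"{name.lower()}:{value}{CRLF}"


def simple_body(body):
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines and
    make sure the body ends with exactly one CRLF."""
    while body.endswith(CRLF + CRLF):
        body = body[:-2]
    return body if body.endswith(CRLF) else body + CRLF


def _body_hash(body):
    return base64.b64encode(hashlib.sha256(simple_body(body).encode()).digest()).decode()


def _signed_data(headers, signed_fields, sig_without_b):
    """Bytes the signature covers: each h= field (bottom-most instance, as DKIM
    requires) plus the DKIM-Signature field itself with an empty b= tag.
    Nothing from the SMTP envelope (MAIL FROM, RCPT TO, client IP) is in here."""
    chunks = []
    for name in signed_fields:
        values = [v for n, v in headers if n.lower() == name.lower()]
        if values:
            chunks.append(relaxed_header(name, values[-1]))
    chunks.append(relaxed_header("DKIM-Signature", sig_without_b).rstrip(CRLF))
    return "".join(chunks).encode()


def sign(domain, headers, body, signed_fields=("from", "to", "subject", "date")):
    """Return a DKIM-Signature header value for the message (HMAC stand-in)."""
    tags = (f"v=1; a=hmac-sha256; c=relaxed/simple; d={domain}; s=sel; "
            f"h={':'.join(signed_fields)}; bh={_body_hash(body)}; b=")
    mac = hmac.new(SIGNING_SECRETS[domain], _signed_data(headers, signed_fields, tags), hashlib.sha256)
    return tags + base64.b64encode(mac.digest()).decode()


def verify(headers, body):
    """Verify the first DKIM-Signature header. Returns (ok, signing domain)."""
    sigs = [v for n, v in headers if n.lower() == "dkim-signature"]
    if not sigs:
        return False, None
    sig = sigs[0]
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    domain = tags.get("d")
    if domain not in SIGNING_SECRETS or tags.get("bh") != _body_hash(body):
        return False, domain
    sig_without_b = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig)  # blank only the b= tag, not bh=
    data = _signed_data(headers, tags.get("h", "").split(":"), sig_without_b)
    expected = hmac.new(SIGNING_SECRETS[domain], data, hashlib.sha256).digest()
    try:
        given = base64.b64decode(tags.get("b", ""))
    except ValueError:
        return False, domain
    return hmac.compare_digest(expected, given), domain


def receiver_policy(headers, body, envelope):
    """Combine DKIM and SPF so a signature replayed from a host the signing
    domain does not authorize is flagged. envelope is a constructed dict of
    SMTP-session facts: mail_from, client_ip, rcpt_to, optional arc_valid."""
    dkim_ok, d = verify(headers, body)
    if not dkim_ok:
        return "dkim-fail"
    mail_from_domain = envelope["mail_from"].rsplit("@", 1)[-1].lower()
    spf_pass = envelope["client_ip"] in SPF_AUTHORIZED.get(mail_from_domain, set())
    # A replayer can pass SPF for its own MAIL FROM domain, so SPF vouches for
    # the signature only when that domain is the signing domain d=.
    if spf_pass and mail_from_domain == d:
        return "pass"
    if envelope.get("arc_valid"):
        return "forwarded"       # an intact ARC chain explains the SPF mismatch
    return "replay-suspect"      # valid signature, unauthorized host, no ARC


# Constructed message: a user of example.com mails themselves to obtain a valid
# signature, then re-injects the identical bytes from another host to a new RCPT TO.
HEADERS = [("From", "someone@example.com"), ("To", "someone@example.com"),
           ("Subject", "Harmless looking"), ("Date", "Tue, 22 Nov 2016 17:38:03 +0100")]
BODY = "Buy now" + CRLF


def demo():
    signed = [("DKIM-Signature", sign("example.com", HEADERS, BODY))] + HEADERS
    first_hop = {"mail_from": "someone@example.com", "client_ip": "192.0.2.10", "rcpt_to": "someone@example.com"}
    replayed = {"mail_from": "x@example.net", "client_ip": "198.51.100.7", "rcpt_to": "victim@example.org"}
    forwarded = dict(replayed, arc_valid=True)
    return (verify(signed, BODY)[0],            # True: the replay leaves the signature intact
            receiver_policy(signed, BODY, first_hop),
            receiver_policy(signed, BODY, replayed),
            receiver_policy(signed, BODY, forwarded))
```

Note that the replayed session passes SPF for example.net, its own MAIL FROM domain, and is still flagged, because the pass is not aligned with d=example.com; that alignment is what makes the combination useful, and it is also why a plain forward (which fails SPF for the signing domain by construction) needs the ARC signal to avoid the false positive Brandon mentions.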