Re: [Ietf-dkim] DKIM-Signature: r=y and MLM

Дилян Палаузов <dilyan.palauzov@aegee.org> Wed, 24 October 2018 20:53 UTC

Return-Path: <dilyan.palauzov@aegee.org>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E48B8128D68 for <ietf-dkim@ietfa.amsl.com>; Wed, 24 Oct 2018 13:53:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=aegee.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GCxTMsF9ea2o for <ietf-dkim@ietfa.amsl.com>; Wed, 24 Oct 2018 13:53:07 -0700 (PDT)
Received: from mail.aegee.org (mail.aegee.org [144.76.142.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09D3C128B14 for <ietf-dkim@ietf.org>; Wed, 24 Oct 2018 13:53:06 -0700 (PDT)
Authentication-Results: mail.aegee.org/w9OKr36A029413; auth=pass (LOGIN) smtp.auth=didopalauzov@AEGEE.ORG
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aegee.org; s=k4096; t=1540414384; i=dkim+MSA-tls@aegee.org; r=y; bh=j5bqECAlyFn0I/Iavd+LKzDxy4irMv4/29M3k9jkuxQ=; h=Subject:From:To:Date:In-Reply-To:References; b=o1+aP6GCfpy4ct2jaiOKXda8KB1dxGkIgULWFpIYtzyLuXdvJv0pjZUdscmOyT8oX VSLmiLdjldWxS0uU2Mo1mooQEqbs1UhBpjpNN3r5z843r2AmcfJgEiXbQEy9xliNDL FMUj6l2i7Oo9bkfCPLapoUK6N2LHxyMd4utYkvcNBk2B/612cV5U++atS+ZWIbltZC AJEVFoscPQhRJajd6NuPujUb2cVsbdNcAO7/qtoo3k23if4khMK6jtC0s+AmGv82FI YpVedMIjIirnqIOSqMiVeuU3wHZHLP5lajdvYN2Mpr2sQ0bUTY+sieJwLu/Xkutpr+ tI7eSEw6syZ/9MrAj2L5SiJddDEscsoG9P/yTxITe2XvC+cgFgy2jQ1hsbB86t70XQ jEqvzx1v3lyhQ9x9mWoqybJ1kA/DqJWXiSiKVUhWzGBa2E3k2BDWRBp7/2lJt1mi7j F+RpD0J7tFsvEGj8/vBG0+rRrEfjTTl5+LVmnfjRbeAz5TIZPLMLCtSwCvMbwh8+ke OXZAGm/gubVUsxz+OhdaQFQdQpdI1nNQPkPvU8JBoL0VOTgFr6XEdT34GcNPehhZmH FpEH1FEDy8+TWam7m5Z9gfRplnjvEVQs5XXU1YNiom9RfG2hfLijnHURNdFPTO2LQn 15JIemQ3b1FTQMOCkk69/Itc=
Authentication-Results: mail.aegee.org/w9OKr36A029413; dkim=none
Received: from Tylan (ipbcc2def0.dynamic.kabel-deutschland.de [188.194.222.240]) (authenticated bits=0) by mail.aegee.org (8.15.2/8.15.2) with ESMTPSA id w9OKr36A029413 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 24 Oct 2018 20:53:04 GMT
Message-ID: <f5e6298e395aa89a20e57d077e0232f0136ad7a1.camel@aegee.org>
From: =?UTF-8?Q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD_?= =?UTF-8?Q?=D0=9F=D0=B0=D0=BB=D0=B0=D1=83=D0=B7=D0=BE=D0=B2?= <dilyan.palauzov@aegee.org>
To: Hector Santos <hsantos@isdg.net>, ietf-dkim@ietf.org
Date: Wed, 24 Oct 2018 20:53:03 +0000
In-Reply-To: <5BC4A48C.3080302@isdg.net>
References: <20180811033840.Horde.i6llD-AtvgzyNIjbhTs-nkS@webmail.aegee.org> <98aff90a-2198-854f-f1e6-85fd704cb7d1@tana.it> <20180817214834.Horde.DNYi60aPTo_sOKr7o3ilPra@webmail.aegee.org> <2c60b8bf-fec7-3a72-4bcc-3f2416e6f8b1@tana.it> <20180820193206.Horde.U24zQJh_TH-uC-4hxrcs2fw@webmail.aegee.org> <6e31890d3b63091a1d731fd70c2bfc217dc4f45b.camel@aegee.org> <5BC4A48C.3080302@isdg.net>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.31.2
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.100.2 at mail.aegee.org
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/sL_oYweervoFMiNt3lXaMF-Hx94>
Subject: Re: [Ietf-dkim] DKIM-Signature: r=y and MLM
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 20:53:09 -0000

PS:

> For example, the ietf.org mailing list has begun to rewrite and it 
> replaces the 5322.From with a dmarc.ietf.org domain, adds a new 
> X-Original-From header and resigns the message using an ietf.org 
> signer domain:
> 
>    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; 
> s=ietf1;
>       t=1537415189; bh=TJWGUVdPL8OTY+HJnUzpBRd52OaKfWjFqS68Cby0s/M=;
>       h=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:
>       List-Archive:List-Post:List-Help:List-Subscribe:From;
>       b=.....
>     X-Original-From: Hector Santos <hsantos@isdg.net>
>     From: Hector Santos <hsantos=40isdg.net@dmarc.ietf.org>
> 
> What it should do is:
> 
>    1) It should use a 1st party signature using d=dmarc.ietf.org to
>       match the new author domain dmarc.ietf.org.
> 
>    2) It should hash-bind the X-Original-From header to the
>       signature.  Since DKIM recommends not to bind "X-" headers,
>       a non "X-" header should be used, i.e. "Original-From:".  This
>       means adding the header to the "h=" field to avoid potential
>       mail resend exploits using different unprotected Original-from:
>       fields.
> 
>    3) and finally, the dmarc.ietf.org domain should have its own
>       DMARC p=reject policy to effectively replace the one it
>       circumvented with the submission.
> 

Please describe the handling of the above message by the MLM, if the
original message contained in addition
  DKIM-Signature: v=1; d=isdg.net; r=y; …

... or something other than r=y that permits finding faulty DKIM
implementations.


Apart from this, on the last email I sent “To: Hector Santos <hsantos@isdg.net>, ietf-dkim@ietf.org”, I got:

Date: Wed, 24 Oct 2018 20:32:15 GMT
From: Mail Delivery Subsystem <MAILER-DAEMON@aegee.org>
Message-Id: <201810242032.w9OKWFSc027376@mail.aegee.org>
Content-Type: multipart/report; report-type=delivery-status;
        boundary="w9OKWFSc027376.1540413135/mail.aegee.org"
Content-Transfer-Encoding: 8bit
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--w9OKWFSc027376.1540413135/mail.aegee.org

The original message was received at Wed, 24 Oct 2018 20:32:10 GMT
from ipbcc2def0.dynamic.kabel-deutschland.de [188.194.222.240]

   ----- The following addresses had permanent fatal errors -----
<hsantos@isdg.net>
    (reason: 554 REJECTED BY SYSTEM POLICY FILTER)

   ----- Transcript of session follows -----
... while talking to mail.isdg.net.:
<<< 554 REJECTED BY SYSTEM POLICY FILTER
554 5.0.0 Service unavailable

--w9OKWFSc027376.1540413135/mail.aegee.org
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.aegee.org
Received-From-MTA: DNS; ipbcc2def0.dynamic.kabel-deutschland.de
Arrival-Date: Wed, 24 Oct 2018 20:32:10 GMT

Final-Recipient: RFC822; hsantos@isdg.net
Action: failed
Status: 5.5.0
Diagnostic-Code: SMTP; 554 REJECTED BY SYSTEM POLICY FILTER
Last-Attempt-Date: Wed, 24 Oct 2018 20:32:15 GMT
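As an added illustration (not code from this thread, from the IETF list software or from any DKIM library), a small Python audit that checks a From-rewritten list message against the three points quoted above (d= matching the rewritten 5322.From domain, Original-From bound by h=, and an unsigned X-Original-From left behind) and also reports whether a signature carries the r=y failure-report request of RFC 6651. The SAMPLE message is constructed to mirror the quoted ietf.org example; SAMPLE, parse_dkim_tags and audit are my names, and the relaxed-alignment check is a simplified suffix match without a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample mirroring the quoted ietf.org list message: the MLM's own
# signature (d=ietf.org) on top, the author's original signature (carrying r=y)
# underneath, From rewritten, the original address parked in X-Original-From.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1;
 t=1537415189; bh=TJWGUVdPL8OTY+HJnUzpBRd52OaKfWjFqS68Cby0s/M=;
 h=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:
 List-Archive:List-Post:List-Help:List-Subscribe:From; b=placeholder
DKIM-Signature: v=1; a=rsa-sha256; d=isdg.net; s=sel; r=y; h=From:To:Subject;
 bh=placeholder; b=placeholder
X-Original-From: Hector Santos <hsantos@isdg.net>
From: Hector Santos <hsantos=40isdg.net@dmarc.ietf.org>
To: ietf-dkim@ietf.org
Subject: test

body
"""

def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list);
    folding whitespace inside values such as h= and b= is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            tag, val = item.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags

def audit(raw: str, index: int = 0) -> dict:
    """Check the index-th DKIM-Signature of a message against the thread's three points."""
    msg = message_from_string(raw)
    tags = parse_dkim_tags(msg.get_all("DKIM-Signature", [])[index])
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    d = tags.get("d", "").lower()
    author = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    present = {h.lower() for h in msg.keys()}
    return {
        "strict_aligned": d == author,                          # point 1: d= equals 5322.From domain
        "relaxed_aligned": bool(d) and (d == author or author.endswith("." + d)),  # no PSL lookup
        "original_from_signed": "original-from" in signed,      # point 2: header bound by h=
        "unsigned_original_from":                               # the resend risk point 2 warns about
            bool((present & {"original-from", "x-original-from"}) - signed),
        "report_requested": tags.get("r") == "y",               # RFC 6651 failure-report request
    }
```

Run against SAMPLE, signature 0 (the list's) is only relaxed-aligned and leaves X-Original-From unsigned, while signature 1 (the author's) no longer aligns with the rewritten From at all but still asks for a failure report.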