Re: [dmarc-ietf] IETF Mailing Lists and DMARC

Hector Santos <hsantos@isdg.net> Wed, 02 November 2016 20:05 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA37912989F for <ietf@ietfa.amsl.com>; Wed, 2 Nov 2016 13:05:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.002
X-Spam-Level:
X-Spam-Status: No, score=-102.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=U6FXnjIV; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=gD4hCEoV
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LDyWxAihXhtY for <ietf@ietfa.amsl.com>; Wed, 2 Nov 2016 13:05:22 -0700 (PDT)
Received: from news.winserver.com (groups.winserver.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id C7F4F1298A6 for <ietf@ietf.org>; Wed, 2 Nov 2016 13:05:21 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4544; t=1478117116; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=JXoLz/0xu0NsWppzZKJiMXi3/hU=; b=U6FXnjIV7aYZA5iXVb6CeJUHaNlLVm+M0QqN8e8qTS6KOcuFPmx0QJPLx+xKnZ CpOP70jvLHx2K/4TZMEiK35SyTCpzfLo88IhwJ7au+hy/DPkQ1GrlxNGKRTaYWBR l1+bWmOq0iKCl/gxNYbplRo0Frx20GY+9OwRFl3APUXtA=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.5) for ietf@ietf.org; Wed, 02 Nov 2016 15:05:16 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.5) with ESMTP id 605626432.1.2900; Wed, 02 Nov 2016 15:05:14 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4544; t=1478117106; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=dZ8Y/ii 8f+pxOyQEvKXtGP000Xe6mUijDmH6wG80J6I=; b=gD4hCEoVMGRwKeii1KtmoSh SFmXA4wh6Ym4tdbQZNQ3iaTuIbOz7ZqgsoZWN+vu1xCPWaoLig6yGPqB+sHB7lyk 6Vep8bEd4G1QggCwn+W0J/3kmH2uwFknwwuMzhHZOclnjV3d9qHxLOvn2PvY5G/N XCYRQIBuTVurdVJW6VjI=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.5) for ietf@ietf.org; Wed, 02 Nov 2016 16:05:06 -0400
Received: from [192.168.1.68] ([99.121.5.8]) by beta.winserver.com (Wildcat! SMTP v7.0.454.5) with ESMTP id 61185937.9.16276; Wed, 02 Nov 2016 16:05:05 -0400
Message-ID: <581A46FA.6040001@isdg.net>
Date: Wed, 02 Nov 2016 16:05:14 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Cullen Jennings <fluffy@iii.ca>, ietf@ietf.org, dmarc@ietf.org
Subject: Re: [dmarc-ietf] IETF Mailing Lists and DMARC
References: <678C2FBA-A661-4556-A300-5C08562B5F8A@iii.ca>
In-Reply-To: <678C2FBA-A661-4556-A300-5C08562B5F8A@iii.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/iPQld85aewe6gWW_Daefkv0iFyg>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2016 20:05:25 -0000

Since its inception, this has been the "Achilles' heel" of DKIM 
without a Signature Policy Authorization framework, i.e. authorizing 
3rd party mail processors, such as a list manager/server, which could 
break the integrity and/or resign the mail as a 3rd party.

The IETF abandoned the proposed standard ADSP RFC (and hence any 
add-on extension work like ATPS) and replaced it with an informative 
DMARC RFC described as a "Super ADSP" without resolving the 3rd party 
authorization problem.

ATPS was the original proposed standard to authorize the first party 
signature and combined with ADSP extension ATPS, it covered the Third 
Party Signature authorization.

ADSP/ATPS actually works very well. It's been in production for a 
number of years. I have "ietf.org" as a 3rd party signer assigned to 
my ATPS records in DNS.  Supportive receivers can then see that I 
authorize ietf.org to sign my IETF submissions, as my receivers do when 
I get a copy.   My ADSP record for isdg.net is:

dkim=all; atps=y; 
asl=ietf.org,beta.winserver.com,santronics.com,isdg.net,winserver.com,megabytecoffee.com,mapurdy.com.au,mipassoc.org,gmail.com,googlegroups.com;

The asl list contains my small list of authorized list servers plus 
other 3rd party associates.  For the larger "registered" list, the 
"atps=" says to look up the ATPS record of the signer domain in the 
author's zone.  It works very well.  This wizard helps illustrate 
how records are created and updated for the DMARC record:

     http://www.winserver.com/public/wcdmarc/default.wct

However, this solution requires a "Registration Of 3rd party Domains" 
solution, i.e. you have to learn/teach your personal network of email 
domains and register them somehow for others to look up and query, and 
many feel this won't scale.  It won't for some, it will for others.

Now there is the ARC effort that could help resolve the problem, iff 
everyone supports it. IMO, it appears complex (doc is very verbose). I 
believe it has RFC5222 overhead related code changes.  If you have an 
API ready for it, it should help.  While receivers still need to 
support it, not all receivers use the same API base code.

I was not happy when a big investment was lost when the IETF abandoned 
(incorrect in my opinion) the ADSP work in particular when DMARC 
effectively replaced ADSP, literally described as a "Super ADSP" and 
it didn't offer any 3rd party policy support whatsoever.  So I am not 
too eager to jump on more IETF DKIM, including ARC, related work. 
DMARC is not complete. It's not even a proposed standard. Lots of work 
still needs to be done, but I'm sure that RFC status can change when 
desired by the key cogs.  All I would like to see is for DMARC to 
begin offering 3rd party policy models with known solutions that 
include simple DNS lookup like ADSP/ATPS offered.  It shouldn't be 
limited to just ARC.

That said, the only other current way to resolve this with DMARC is to 
relax your policy to "p=none".

By making it "p=reject", all DMARC compatible receivers are designed to 
reject it when it's signed by 3rd party signers and/or the original 
mail integrity, hence the 1st party signature, is broken.

-- 
HLS


On 11/2/2016 12:00 PM, Cullen Jennings wrote:
>
> So if someone sends an email with a bad signature to an IETF list from a domain that has a reject policy, and the IETF server forwards it to my email provider, my email provider rejects it. Now the IETF email server counts that as a bounce. Too many bounces in a row and the IETF server unsubscribes me from the list.
>
> This does not seem OK that anyone can trivially send some SPAM and get me unsubscribed.
>
> What's the right advice on how the IETF server should be run?
>
> Now to a more detailed problem - Jana sends lots of email to the quic list. I don't get any of them. It appears that my email server (run by rackspace) rejects them with an
>
> Diagnostic-Code: smtp; 550 5.7.1 Email rejected per DMARC policy for google.com (G15)
>
> If Jana sends the email directly to me, it works. This seems to point at the IETF server doing something that breaks the signature in Jana's email.
>
> I realize this is not the "debug your email" list, but I have no idea where the right place to ask about this is, so I sent it here. Sorry.
>
> Can anyone tell me how their DMARC system views the emails from Jana to the quic@ietf.org list ?
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>
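As an added worked example (not code from the message above, nor from the author's mail software), here is how a receiver could carry out the asl= and atps=y checks Hector describes, using the RFC 6541 hashed-label scheme for the ATPS lookup. The ADSP record is the one quoted in the message; the `lists.example` and `stale.example` zone entries, the `MOCK_ZONE` resolver and the assumption that a bare `atps=y` in the ADSP record means "fall back to ATPS" are constructed for this illustration.

```python
import base64
import hashlib

# ADSP record quoted in the message above (wrapped domain joined, trailing quote dropped).
ISDG_ADSP = ("dkim=all; atps=y; asl=ietf.org,beta.winserver.com,santronics.com,isdg.net,"
             "winserver.com,megabytecoffee.com,mapurdy.com.au,mipassoc.org,gmail.com,"
             "googlegroups.com;")

def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (ADSP or ATPS TXT record) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def atps_label(signer_domain, hash_alg="sha1"):
    """ATPS query label (RFC 6541 sec. 4.2): base32 of the hash of the lowercased
    signer domain; with hash_alg 'none' the domain itself is the label."""
    if hash_alg == "none":
        return signer_domain.lower()
    digest = hashlib.new(hash_alg, signer_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").lower()

def atps_query_name(author_domain, signer_domain, hash_alg="sha1"):
    return f"{atps_label(signer_domain, hash_alg)}._atps.{author_domain.lower()}"

def third_party_authorized(author_domain, signer_domain, adsp_record, resolve_txt,
                           hash_alg="sha1"):
    """True if signer_domain may sign for author_domain: first the asl= list in the
    author's ADSP record, then (only if atps=y) an ATPS record in the author's zone.
    resolve_txt(name) returns the TXT string or None."""
    tags = parse_tags(adsp_record)
    signer = signer_domain.lower()
    asl = {d.strip().lower() for d in tags.get("asl", "").split(",") if d.strip()}
    if signer in asl:
        return True
    if tags.get("atps", "").lower() != "y":
        return False
    txt = resolve_txt(atps_query_name(author_domain, signer, hash_alg))
    if txt is None:
        return False
    atps = parse_tags(txt)
    # The record must name the very domain we hashed; otherwise a stale or
    # colliding label would grant authorization to the wrong signer.
    return atps.get("v") == "ATPS1" and atps.get("d", "").lower() == signer

# Constructed zone: isdg.net authorizes lists.example via ATPS; stale.example's
# record names a different domain and must be rejected.
MOCK_ZONE = {
    atps_query_name("isdg.net", "lists.example"): "v=ATPS1; d=lists.example",
    atps_query_name("isdg.net", "stale.example"): "v=ATPS1; d=other.example",
}

def mock_resolve_txt(name):
    return MOCK_ZONE.get(name.lower())
```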