Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-02-01 Thread Juri Haberland via dmarc-discuss
SheridanJ West via dmarc-discuss wrote:
> I only have the mismatch problem with opendmarc-reports and that's using
> most of the command line options.
>
> Normal email (port 587) is matched with spf, dkim and dmarc. Please do
> not consider our email servers as mentally retarded in regard to that.
> Hence my posting on a dmarc list.
>
> report emails per the dmarc spec is the last thing left that i struggled
> with.

So your problem seems to be locally generated emails?
Without giving concrete examples of domain names, logfile excerpts and
possibly showing a generated report without any obfuscation it is not possible
to help you as I don't have a crystal ball :)

  Juri


___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)


Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-02-01 Thread SheridanJ West via dmarc-discuss
I only have the mismatch problem with opendmarc-reports and that's using
most of the command line options.

Normal email (port 587) is matched with spf, dkim and dmarc. Please do
not consider our email servers as mentally retarded in regard to that.
Hence my posting on a dmarc list.

report emails per the dmarc spec is the last thing left that i struggled
with.

As to ATPS1 that is something i am unwilling to test out unless atps01
packs up sooner rather than later this week.



On Wed, Feb 1, 2017 at 8:45 AM, Juri Haberland via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> SheridanJ West via dmarc-discuss wrote:
> > i appear to need atps records for google this is with atps dns text records
> > and probably others
> >
> > opendmarc-reports: sent report for gmail.com to mailauth-repo...@google.com
> > (2.0.0 Ok: queued as x1)
> >
> > without atps [results i got from last week]
> >
> > postfix/smtp[5820]:
> >  x0: to=,
> > relay=aspmx.l.google.com[74.125.71.26]:25, delay=1.1,
> >  delays=0.13/0.01/0.49/0.43, dsn=5.7.1, status=bounced
> > (host aspmx.l.google.com[74.125.71.26] said: 550-5.7.1
> > Unauthenticated email from example.eu  is not accepted
> > due to 550-5.7.1 domain's DMARC policy.
> > Please contact the administrator of 550-5.7.1 example.eu
> > domain if this was a legitimate mail.
>
> Ok, so without ATPS Google won't take your mail. I suggest to check your SPF
> settings - if ATPS (or DKIM) fails, it should at least authenticate via SPF.
>
> > I used (appears to work) dns records
> >  _adsp._domainkey.example.eu. "dkim=all atps=y; asl=example.com;"
> > ._atps.example.eu. "v=atps01; d=example.com;"
> > not work (or tried yet) the content made by openmarc-atpszone
> > v=ATPS1; d=example.net
>
> I don't know anything about ATPS, but I fail to see how OpenDMARC is the
> culprit for your problems. You seem to have at least two problems:
> - missing or wrong SPF RR for your sending host
> - some ATPS/DKIM problem (looking at RFC6541 yields that v=ATPS1 is right and
> v=atps01 is wrong)
>
>   Juri
>

Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-02-01 Thread Juri Haberland via dmarc-discuss
SheridanJ West via dmarc-discuss wrote:
> i appear to need atps records for google this is with atps dns text records
> and probably others
>
> opendmarc-reports: sent report for gmail.com to mailauth-repo...@google.com
> (2.0.0 Ok: queued as x1)
>
> without atps [results i got from last week]
>
> postfix/smtp[5820]:
>  x0: to=,
> relay=aspmx.l.google.com[74.125.71.26]:25, delay=1.1,
>  delays=0.13/0.01/0.49/0.43, dsn=5.7.1, status=bounced
> (host aspmx.l.google.com[74.125.71.26] said: 550-5.7.1
> Unauthenticated email from example.eu  is not accepted
> due to 550-5.7.1 domain's DMARC policy.
> Please contact the administrator of 550-5.7.1 example.eu
> domain if this was a legitimate mail.

Ok, so without ATPS Google won't take your mail. I suggest to check your SPF
settings - if ATPS (or DKIM) fails, it should at least authenticate via SPF.

> I used (appears to work) dns records
>  _adsp._domainkey.example.eu. "dkim=all atps=y; asl=example.com;"
> ._atps.example.eu. "v=atps01; d=example.com;"
> not work (or tried yet) the content made by openmarc-atpszone
> v=ATPS1; d=example.net

I don't know anything about ATPS, but I fail to see how OpenDMARC is the
culprit for your problems. You seem to have at least two problems:
- missing or wrong SPF RR for your sending host
- some ATPS/DKIM problem (looking at RFC6541 yields that v=ATPS1 is right and
v=atps01 is wrong)

  Juri
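
Added example, not part of the thread and not OpenDKIM's code: a Python check for the two ATPS TXT values quoted above, using the v=ATPS1 version Juri cites from RFC 6541, plus the hashed query label. The function names are hypothetical; lowercasing the delegate before hashing and comparing the version case-insensitively are assumptions of this sketch.

```python
import base64
import hashlib

ATPS_VERSION = "ATPS1"  # version value cited from RFC 6541 in the thread


def atps_label(delegate: str, alg: str = "sha1") -> str:
    """Left-most label of the ATPS query name for a delegated signer."""
    name = delegate.rstrip(".").lower()  # assumption: lowercase before hashing
    if alg == "none":
        return name
    if alg not in ("sha1", "sha256"):
        raise ValueError(f"unsupported ATPS hash: {alg}")
    digest = hashlib.new(alg, name.encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")


def atps_query_name(author: str, delegate: str, alg: str = "sha1") -> str:
    """<label>._atps.<author domain>, the name the TXT record lives at."""
    return f"{atps_label(delegate, alg)}._atps.{author.rstrip('.').lower()}"


def parse_tags(txt: str) -> dict:
    """Split a 'tag=value; tag=value' TXT payload into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_atps_txt(txt: str, delegate: str = "") -> list:
    """Return a list of problems found in an ATPS TXT payload."""
    problems = []
    tags = parse_tags(txt)
    version = tags.get("v")
    if version is None:
        problems.append("missing v= tag")
    elif version.upper() != ATPS_VERSION:  # "atps01" fails either way
        problems.append(f"v={version} is not v={ATPS_VERSION}")
    d = tags.get("d", "").rstrip(".").lower()
    if delegate and d and d != delegate.rstrip(".").lower():
        problems.append(f"d={d} does not match delegate {delegate}")
    return problems


if __name__ == "__main__":
    # Record payloads as quoted in the thread (domains are the posters' placeholders).
    for payload in ("v=atps01; d=example.com;", "v=ATPS1; d=example.net"):
        print(payload, "->", check_atps_txt(payload) or "ok")
    print(atps_query_name("example.com", "example.net"))
```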




Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-01-31 Thread Roland Turner via dmarc-discuss
I'd suggest that reliance upon ADSP is unwise as - having been reclassified as 
historic - it could stop working at any time without warning. A better option 
might be to sign your reports with the DKIM signature of the reporting domain 
(i.e. sign with example.eu instead of example.com in your obscured example).


- Roland


From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of SheridanJ 
West via dmarc-discuss <dmarc-discuss@dmarc.org>
Sent: Wednesday, 1 February 2017 00:53
Cc: dmarc-discuss@dmarc.org
Subject: Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples


i appear to need atps records for google this is with atps dns text records and 
probably others

opendmarc-reports: sent report for gmail.com to mailauth-repo...@google.com
(2.0.0 Ok: queued as x1)



postfix/smtp[28130]: x2: to=<mailauth-repo...@google.com>,
relay=aspmx.l.google.com[66.102.1.26]:25, delay=0.87,
delays=0.13/0.01/0.25/0.48, dsn=2.0.0,
status=sent (250 2.0.0 OK xx xx - gsmtp)

without atps [results i got from last week]

postfix/smtp[5820]:
 x0: to=<mailauth-repo...@google.com>,
relay=aspmx.l.google.com[74.125.71.26]:25, delay=1.1,
 delays=0.13/0.01/0.49/0.43, dsn=5.7.1, status=bounced
(host aspmx.l.google.com[74.125.71.26] said: 550-5.7.1
Unauthenticated email from example.eu  is not accepted
due to 550-5.7.1 domain's DMARC policy.
Please contact the administrator of 550-5.7.1 example.eu
domain if this was a legitimate mail.

I used (appears to work) dns records

 _adsp._domainkey.example.eu.  "dkim=all atps=y; asl=example.com;"
._atps.example.eu. "v=atps01; d=example.com;"

not work (or tried yet) the content made by openmarc-atpszone

v=ATPS1; d=example.net

The windows version appears to be the winner for syntax of atps.

although i can get sha1 domain name hashes from both with.

opendkim-atpszone -h sha1 -u example.com -A example.net


So most of opendkim-atpszone is best ignored it appears


On Tue, Jan 31, 2017 at 2:17 PM, Juri Haberland via dmarc-discuss 
<dmarc-discuss@dmarc.org> wrote:
SheridanJ West via dmarc-discuss wrote:
> I encountered a opendmarc bug that required adsp records as well to send
> dmarc reports and i had a fun time trying to reproduce the output for i do
> not know how long the url i mention will last.

> Is nearly the same but I am confused - is the web parser right and the
> opendkim-atpszone command wrong? with v=ATPS1

> I ask as this affects only dmarc reports (no i do not run example.com) our
> normal email is sent ok

Even though this is not an OpenDMARC specific mailing list but a generic DMARC
discussion list, can you be a bit more specific in which way OpenDMARC reports
are affected by the differing output of the webtool vs. opendkim-atpszone?

  Juri


Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-01-31 Thread Benny Pedersen via dmarc-discuss

A. Schulze via dmarc-discuss wrote on 2017-01-30 22:30:

> On 30.01.2017 at 21:40, SheridanJ West via dmarc-discuss wrote:
>
>> I encountered a opendmarc bug that required adsp records
>
> don't waste your time with ADSP, forget it.
> it's deprecated and in fact dead


and spamassassin does not care of that, where is the dmarc support for 
equant of adsp ?


on top of that dnssec is not very well tested, so most domains that have 
else working dkim key, is not caring of make dnssec working, sadly


i begin to hate dkim/dmarc/arc fucked brain dead solutions that is near 
killing mail systems that just like to have dkim pass and nothing more 
problems, sadly lowest commodity wins :(


i think its okay to say that here when i self do it right, no ?

time for me to take another beer :=)


Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-01-31 Thread Juri Haberland via dmarc-discuss
SheridanJ West via dmarc-discuss wrote:
> I encountered a opendmarc bug that required adsp records as well to send
> dmarc reports and i had a fun time trying to reproduce the output for i do
> not know how long the url i mention will last.

> Is nearly the same but I am confused - is the web parser right and the
> opendkim-atpszone command wrong? with v=ATPS1

> I ask as this affects only dmarc reports (no i do not run example.com) our
> normal email is sent ok

Even though this is not an OpenDMARC specific mailing list but a generic DMARC
discussion list, can you be a bit more specific in which way OpenDMARC reports
are affected by the differing output of the webtool vs. opendkim-atpszone?

  Juri



Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-01-31 Thread SheridanJ West via dmarc-discuss
I would rather not rebuild our mail server(s) and the bits hanging off it
just to keep opendmarc-report functionality since they do everything else
ok.

Thanks.


On Mon, Jan 30, 2017 at 9:30 PM, A. Schulze via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

>
>
> On 30.01.2017 at 21:40, SheridanJ West via dmarc-discuss wrote:
> > I encountered a opendmarc bug that required adsp records
> don't waste your time with ADSP, forget it.
> it's deprecated and in fact dead
>
> Andreas

Re: [dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-01-30 Thread A. Schulze via dmarc-discuss


On 30.01.2017 at 21:40, SheridanJ West via dmarc-discuss wrote:
> I encountered a opendmarc bug that required adsp records
don't waste your time with ADSP, forget it.
it's deprecated and in fact dead

Andreas


[dmarc-discuss] opendkim-atpszone reproducibility and examples

2017-01-30 Thread SheridanJ West via dmarc-discuss
I encountered a opendmarc bug that required adsp records as well to send
dmarc reports and i had a fun time trying to reproduce the output for i do
not know how long the url i mention will last.

a webparser at www.winserver.com/public/wcadsp/default.wct

which produces example.com main domain and example.net in asl

_adsp._domainkey.example.com IN TXT "dkim=all; atps=y; asl=example.net;"
YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps.example.com IN TXT "v=atps01; d=
example.net;"

Which i think is what i need

but

opendkim-atpszone -h sha1 -u example.com -A example.net -vvv
opendkim-atpszone: database opened
server xxx
zone example.com
update add YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps TXT 86400 "v=ATPS1; d=
example.net"
send
answer
opendkim-atpszone: 1 record written


Is nearly the same but I am confused - is the web parser right and the
opendkim-atpszone command wrong? with v=ATPS1

YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps.example.com IN TXT "v=atps01;

YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps TXT 86400 "v=ATPS1;


I ask as this affects only dmarc reports (no i do not run example.com) our
normal email is sent ok

It is close but who is right ?.

I ask as this is not terribly clear.  - as long as i have a sha1 hash of
whatever YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ translates and can work around
opendkim-atpszone i think i am good.