That you've considered ARC implementation is great news! Interesting
points about DDoS and huge chains. I hadn't even thought of ASSP itself
doing ARC signing, but that probably makes sense too. Thank you.
On Thu, Apr 5, 2018 at 2:03 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:
> ARC-Authentication-Results is already in the development pipeline.
>
> ARC-Authentication-Results is still experimental (IETF Draft). It is used
> by Google and AOL (and a few others) in beta state.
> The concept looks nice and will (IMHO) work. But there are two problems
> with the ARC chains:
>
> 1. the MIME-header may become very long - possibly too long for some MTx
> 2. because there is no limit for the number of ARC instances in an ARC
> chain, ARC is subject to abuse by attackers to initiate a DDoS
>
> The implementation of the ARC-signature check and the ASSP-ARC-signing
> seems not to be very complex, because ARC is supported in production mode
> by Mail::DKIM version 0.50
> But, the still existing assp checks for DKIM, SPF and DMARC are not
> designed to have a valid result before they are called.
>
>
> Up to the end of this year, the ARC-Authentication-Results feature should
> be implemented in assp (check and signing) - if the global rulers keep
> working on this.
>
> Thomas
>
>
>
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 05.04.2018 03:29
> Subject: Re: [Assp-test] fixes in assp 2.6.2 *Fortress* build 18094
> ------------------------------
>
>
>
> Looks like this will be another great release. Thank you.
>
> Notes / thoughts:
>
> 1) I'm really happy to see the addition of trustedAuthForwarders too.
> With so many users getting mailing list email, this will be a big help for
> those lists that support this.
>
> Do you think you could do something similar for ARC? (
> http://arc-spec.org/)
>
>
> Example of Google's version of X-Original-Authentication-Results, using
> ARC instead. This is from a message that was sent from ourcharity.org to
> a gmail account that was then forwarded back to us.
> ARC-Authentication-Results: i=1; mx.google.com;
> dkim=pass header.i=@OurCharity.org header.s=assp-01
> header.b=u0J16ajA;
> spf=pass (google.com: domain of m...@ourcharity.org designates
> a.b.c.d as permitted sender) smtp.mailfrom=m...@ourcharity.org;
> dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=OurCharity.org
> There's an ARC-Seal and ARC-Message-Signature which looks a lot like
> DKIM. Google also has a plain Authentication-Results: line (without the
> ARC prefix), but they do NOT DKIM sign the forwarded message (though they
> do have their non-standard X-Google-DKIM-Signature line)
>
> So far I've only seen this with Google, but they're a major enough player
> that I think this justifies some consideration. I bet others will follow:
>
> From the ARC website:
> If you are a mailbox provider or intermediary (mailing list operator,
> message forwarder), you should be planning your ARC implementation now
> (first half of 2018). Google has added ARC verification and sealing to
> their email services (Gmail, G Suite, and Google Groups). Several other
> companies will incorporate ARC into their products and services in the
> first half 2018.
>
> 2) Nitpicky, at your convenience you might consider changing "privat" to
> "private" (with the e on the end for correct English spelling).
>
>
> Thanks for several major advancements in DKIM related functionality in the
> last couple of weeks. Every little bit makes it harder for spammers and
> fraudsters.
>
>
>
>
> On Wed, Apr 4, 2018 at 4:55 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> Hi all,
>
> fixed in assp 2.6.2 *Fortress* build 18094:
>
> - the scheduled blockreport design was still broken, if no blocked mail
> was found
>
> - if a very short time range (eg. less than 5 minutes) was defined for a
> statistic graph, a "modulus by 0" exception caused a mainthread crash
>
>
> added:
>
> 'trustedAuthForwarders','X-Original-Authentication-Results Trusted
> Forwarder*'
> If an email contains a valid DKIM signature and the signature protects
> the "X-Original-Authentication-Results" header line in its h= tag
> (RFC7601) and the host in this header line matches
> this regular expression, DMARC will fully trust the provided original
> authentication results for SPF and DKIM.
> For example: mx\d*\.domain\.com or ^2\.2\.2\.2$'
>
>
> changed:
>
> - images\svg.js (images.zip) is updated to version 1.04 - the click on a
> statistical graph now shows also the date (not only the time)
>
> - for whitelist modifications and reports using the email-interface, the
> 'WhitelistPrivacyLevel' states (global,domain,privat) are shown in addition
> to prevent confusion
>
> - if hash data are shown in the GUI-Edit dialog, a sort (up/down ward)
> option is available
>
>
> Thomas
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
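
The thread's concern that an unbounded number of ARC instances invites resource-exhaustion abuse can be met with a structural pre-check that runs before any DNS lookup or signature verification. The following Python is an added example, not ASSP or Mail::DKIM code; the function names, the cap value and the sample headers are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from email.parser import HeaderParser

ARC_HEADERS = ("arc-seal", "arc-message-signature", "arc-authentication-results")
MAX_ARC_SETS = 50  # assumed local policy cap; RFC 8617 later fixed i= at 1-50
_INSTANCE = re.compile(r"(?:^|;)\s*i\s*=\s*(\d{1,4})\s*(?:;|$)")


def arc_chain_precheck(raw_message, max_sets=MAX_ARC_SETS):
    """Structural check of an ARC chain before any DNS or signature work.

    Returns (ok, reason); ok=True only means the chain is worth verifying.
    """
    msg = HeaderParser().parsestr(raw_message)
    found = [(n.lower(), " ".join(v.split()))  # unfold continuation lines
             for n, v in msg.items() if n.lower() in ARC_HEADERS]
    if not found:
        return True, "no ARC headers"
    # Cheap bound first: refuse oversized chains without parsing them.
    if len(found) > 3 * max_sets:
        return False, f"{len(found)} ARC headers exceed {max_sets} sets"
    sets = defaultdict(list)
    for name, value in found:
        m = _INSTANCE.search(value)
        if not m:
            return False, f"{name} has no usable i= tag"
        sets[int(m.group(1))].append(name)
    # Instances must be exactly 1..N, one header of each kind per instance.
    for i in range(1, len(sets) + 1):
        if sorted(sets.get(i, [])) != sorted(ARC_HEADERS):
            return False, f"ARC set i={i} is missing or incomplete"
    return True, f"{len(sets)} well-formed ARC set(s)"


def sample_chain(n):
    """Constructed sample message with n ARC sets (placeholder signatures)."""
    lines = []
    for i in range(n, 0, -1):
        lines += [
            f"ARC-Seal: i={i}; a=rsa-sha256; cv={'none' if i == 1 else 'pass'};",
            " d=example.net; s=sel; b=PLACEHOLDER",
            f"ARC-Message-Signature: i={i}; a=rsa-sha256; d=example.net; s=sel;",
            " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
            f"ARC-Authentication-Results: i={i}; mx.example.net;",
            " dkim=pass header.i=@example.org; spf=pass; dmarc=pass",
        ]
    return "\n".join(lines) + "\nFrom: a@example.org\nSubject: t\n\nbody\n"
```

A message that passes this check still needs full ARC validation; the check only bounds how much work an incoming chain can demand.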