Re: [mailop] Should mailing list messages be DKIM signed? (ARC / DKIM)

2023-02-21 Thread Alessandro Vesely via mailop

On Mon 20/Feb/2023 09:13:30 +0100 Benny Pedersen wrote:

Alessandro Vesely via mailop wrote on 2023-02-20 08:47:


The point of ARC is to report authentication results.  A post having
only spf=pass becomes unauthenticated after the first hop.


incorrect, nexthop can use SPF as well, or not



Both RFC 7208 Section 2.5 and RFC 7001 Appendix D recommend that authentication 
be carried out at border MTAs.  But then, I didn't delve into how Mailman 3 
implements ARC.  I just referred to the considerations that prof. Stephen J. 
Turnbull explained to me.




Right.  Ditto for DMARC rejects/ quarantine, which I don't think many
ML receivers honor.


DMARC is greedy if DKIM is broken.  To avoid DKIM problems when needing to post 
to a ML, one could configure DKIM to be in test mode, ensuring mails are not 
rejected based just on DKIM fails; Mailman could apply a policy of not accepting 
non-testing-mode DKIM.  Its design fails: DKIM should be used as a reject 
factor :(



In theory, failed DKIM signatures should be just ignored.  Ditto for testing 
mode signatures, whether failed or not.  In practice, receivers treat 
authentication as just a factor to compute the overall worthiness of a message.



back to DMARC, it should IMHO use ARC results to know if the original sender did 
have dkim=pass and spf=pass, and make results based on it; then it doesn't matter 
if mailman breaks DKIM or not, since it would not matter for DMARC testing 
downstream.  We can all raise the flag when the developers of mailman know this :=)



The risk of accepting ARC results is that anyone can produce a fake ARC 
chain, saying that a message was received from whomever they like with good SPF 
and DKIM authentication.


DMARC doesn't say that a verified ARC chain is a valid authentication.  Some 
receivers trust it.  To check, create a subdomain with p=reject, compose a 
message, DKIM sign it, modify it so as to break the signature, ARC seal it and 
send it from an IP not authorized by the subdomain.  If it passes, the target 
domain accepts your ARC seals.  Otherwise, you need to munge From:.



Best
Ale
--






___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Should mailing list messages be DKIM signed? (ARC / DKIM)

2023-02-20 Thread Benny Pedersen via mailop

Alessandro Vesely via mailop wrote on 2023-02-20 08:47:


The point of ARC is to report authentication results.  A post having
only spf=pass becomes unauthenticated after the first hop.


incorrect, nexthop can use SPF as well, or not


Right.  Ditto for DMARC rejects/ quarantine, which I don't think many
ML receivers honor.


DMARC is greedy if DKIM is broken.  To avoid DKIM problems when needing to 
post to a ML, one could configure DKIM to be in test mode, ensuring 
mails are not rejected based just on DKIM fails; Mailman could apply a 
policy of not accepting non-testing-mode DKIM.  Its design fails: DKIM 
should be used as a reject factor :(


back to DMARC, it should IMHO use ARC results to know if the original sender 
did have dkim=pass and spf=pass, and make results based on it; then it 
doesn't matter if mailman breaks DKIM or not, since it would not matter for 
DMARC testing downstream.  We can all raise the flag when the developers of 
mailman know this :=)


I use DMARC policy none to protect mailing list receivers from rejecting 
mailing list senders; more or less this is what bad software tries to solve, 
hmmp



Re: [mailop] Should mailing list messages be DKIM signed? (ARC / DKIM)

2023-02-19 Thread Alessandro Vesely via mailop

On Sat 18/Feb/2023 21:38:55 +0100 Benny Pedersen wrote:

Alessandro Vesely via mailop wrote on 2023-02-18 13:49:



Mailman cannot verify SPF.


envelope sender changes on nexthop, no?

so why is it important?



The point of ARC is to report authentication results.  A post having only 
spf=pass becomes unauthenticated after the first hop.



if you meant not to accept SPF-fail posters, this is still to be enforced at the 
MTA stage, if one wants not to accept them



Right.  Ditto for DMARC rejects/ quarantine, which I don't think many ML 
receivers honor.



Best
Ale
--






Re: [mailop] Should mailing list messages be DKIM signed? (ARC / DKIM)

2023-02-18 Thread Benny Pedersen via mailop

Alessandro Vesely via mailop wrote on 2023-02-18 13:49:

Mailman cannot verify SPF.


envelope sender changes on nexthop, no?

so why is it important?

if you meant not to accept SPF-fail posters, this is still to be enforced at 
the MTA stage, if one wants not to accept them



Re: [mailop] Should mailing list messages be DKIM signed? (ARC / DKIM)

2023-02-18 Thread Alessandro Vesely via mailop

On Fri 17/Feb/2023 17:07:33 +0100 Patrick Ben Koetter wrote:

Greetings,

I'm about to setup a new mailing list server. It will use Mailman 3, which is
able to add ARC signatures to incoming messages. The lists will also rewrite
the From:-header and to match the lists name and domain. I'm unsure if
outbound messages should also be DKIM signed or does it suffice to add ARC
signatures?



The reason ARC was proposed is to avoid rewriting the From: header.  If you're 
willing to experiment on this, you can create two sibling lists[*], one of 
which rewrites From: while the other does not.  Subscribers choose which list 
they prefer, based on their MTA's capability of redeeming a broken DKIM after ARC 
reports it was good on arrival.  You're better off testing MTA capabilities 
before allowing subscriptions on the non-munging list.


Only the non-munging list requires ARC.  Anyway, beware of Mailman's ARC 
implementation.  It was coded as a proof of concept, but is not to be used in 
production.  Indeed, you need an ARC-signer which trusts the 
Authentication-Results obtained by the bastion host and, after list 
transformations, turns them into ARC-Authentication-Results.  Mailman cannot 
verify SPF.


ARC is experimental.  If you don't want to experiment, there's no reason to use 
it.  DKIM is enough.


Best
Ale
--

[*] The suggested method to manage two sibling lists is to put them as 
sub-lists under an umbrella list.  The latter has the former two as its only 
subscribers, and won't accept more.  Both sibling lists accept subscribers 
under the site and list policy.  The umbrella list accepts posts.  The sibling 
lists don't, and advertise the umbrella list as the destination for posts.  (It 
would be simpler if mailman had a subscriber option about From: munging, but 
they won't develop it if nobody tries it, a chicken and egg problem.)






Re: [mailop] Should mailing list messages be DKIM signed? (ARC / DKIM)

2023-02-18 Thread Ralph Seichter via mailop
* Patrick Ben Koetter via mailop:

> I'm about to setup a new mailing list server. It will use Mailman 3,
> which is able to add ARC signatures to incoming messages. The lists
> will also rewrite the From:-header and to match the lists name and
> domain. I'm unsure if outbound messages should also be DKIM signed or
> does it suffice to add ARC signatures?

DKIM signature tests appear to be more common than ARC support on the
receiving end of things. If Mailman 3 is rewriting the message headers
correctly, which I don't doubt, I see no reason not to add both ARC and
DKIM signatures, especially when the ML continues to prepend "[mailop]"
to message subject lines and thereby invalidates existing DKIM
signatures.

-Ralph
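Ralph's remark that prepending "[mailop]" to the Subject invalidates existing DKIM signatures (and Benny's earlier plea that Mailman should seal before breaking DKIM) can be made concrete without any signing key: DKIM verification fails as soon as either the body hash (bh=) or the hash over the signed headers changes. The following Python is an added example, not code from the thread, from Mailman or from any DKIM library. It implements RFC 6376 relaxed header and body canonicalization and then applies typical list edits (Subject prefix, appended footer, From: munging) to a constructed message, checking which hash each edit disturbs. The message text, the domain `example.net`, the selector `sel` and the function names are all assumptions for illustration.

```python
"""Added example (not from the mailop thread, Mailman or any DKIM library):
RFC 6376 relaxed canonicalization and the hashes a DKIM verifier compares,
used to show which mailing-list edits break a signature.  Message constructed."""
import base64
import hashlib
import re

SIGNED = ["from", "to", "subject", "date", "message-id"]   # h= tag contents

HEADERS = [  # constructed message, not a real post
    ("From", "Alice <alice@example.net>"),
    ("To", "mailop@mailop.org"),
    ("Subject", "Should mailing list messages be DKIM signed?"),
    ("Date", "Fri, 17 Feb 2023 17:07:33 +0100"),
    ("Message-ID", "<constructed-id@example.net>"),
]
BODY = b"I'm about to set up a new mailing list server.\r\n\r\n  Regards,  \r\np@rick\r\n"


def canon_body_relaxed(body):
    """RFC 6376 sec. 3.4.4: collapse WSP runs to one SP, drop trailing WSP
    per line, drop trailing empty lines, terminate every line with CRLF."""
    out = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        out.append(re.sub(rb"[ \t]+", b" ", line).rstrip(b" "))
    while out and out[-1] == b"":
        out.pop()
    return b"".join(line + b"\r\n" for line in out)


def body_hash(body, length=None):
    """bh= value: base64(SHA-256(canonicalized body, truncated to l= if set))."""
    canon = canon_body_relaxed(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def canon_headers_relaxed(headers, signed):
    """RFC 6376 sec. 3.4.2 and 5.4: lowercase the name, unfold, collapse
    WSP, strip, one header per h= entry, taking the last instance first."""
    out, remaining = b"", list(headers)
    for name in signed:
        for idx in range(len(remaining) - 1, -1, -1):
            if remaining[idx][0].lower() == name.lower():
                _, value = remaining.pop(idx)
                value = re.sub(r"\r?\n[ \t]+", " ", value)       # unfold
                value = re.sub(r"[ \t]+", " ", value).strip()
                out += f"{name.lower()}:{value}\r\n".encode()
                break
    return out


def dkim_hashes(headers, body, length=None):
    """(bh, header hash) as signer and verifier compute them.  The header
    hash also covers the DKIM-Signature field itself with b= empty
    (sec. 3.7); the RSA step over that hash is omitted here."""
    bh = body_hash(body, length)
    tags = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=sel; "
            f"h={':'.join(SIGNED)}; bh={bh}; ")
    if length is not None:
        tags += f"l={length}; "
    tags += "b="
    data = canon_headers_relaxed(headers, SIGNED)
    data += canon_headers_relaxed([("DKIM-Signature", tags)], ["dkim-signature"]).rstrip(b"\r\n")
    return bh, hashlib.sha256(data).hexdigest()


def after_list(headers, body, prefix=None, footer=None, munge_from=None):
    """Typical list edits, applied to a copy of the message."""
    new = []
    for name, value in headers:
        if prefix and name.lower() == "subject" and not value.startswith(prefix):
            value = prefix + value
        if munge_from and name.lower() == "from":
            value = munge_from
        new.append((name, value))
    return new, body + (footer or b"")


def scenarios():
    """Which hash does each list transformation disturb?  Returns {name: bool}."""
    bh0, hh0 = dkim_hashes(HEADERS, BODY)
    h1, b1 = after_list(HEADERS, BODY, prefix="[mailop] ")
    h2, b2 = after_list(HEADERS, BODY, footer=b"___\r\nmailop mailing list\r\n")
    h3, b3 = after_list(HEADERS, BODY, munge_from="Alice via mailop <mailop@mailop.org>")
    l0 = len(canon_body_relaxed(BODY))   # l= covering only the original body
    return {
        "subject_prefix_keeps_bh": dkim_hashes(h1, b1)[0] == bh0,
        "subject_prefix_breaks_header_hash": dkim_hashes(h1, b1)[1] != hh0,
        "footer_breaks_bh": dkim_hashes(h2, b2)[0] != bh0,
        "footer_survives_with_l": dkim_hashes(h2, b2, l0)[0] == dkim_hashes(HEADERS, BODY, l0)[0],
        "from_munging_breaks_header_hash": dkim_hashes(h3, b3)[1] != hh0,
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:34s} {outcome}")
```

The body hash survives the Subject prefix but the header hash does not, so a Subject tag alone is enough to turn dkim=pass into dkim=fail. A footer breaks bh= unless the author signed with an l= body length, which RFC 6376 itself discourages because everything after the covered length is unsigned. ARC-Message-Signature uses the same canonicalization, which is why a sealer must record the original result in ARC-Authentication-Results before it edits the message.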


Re: [mailop] Should mailing list messages be DKIM signed? (ARC / DKIM)

2023-02-17 Thread Benny Pedersen via mailop

Tobias Herkula via mailop wrote on 2023-02-17 17:56:


Only adding ARC without your own DKIM will make it harder for a lot of
people, that are not yet ready to process ARC signatures.


in ARC terms it always ORIGINATES on nexthop, but this rule is not for 
nexthop with DKIM


sadly so many mailing lists still break DKIM :/


Re: [mailop] Should mailing list messages be DKIM signed? (ARC / DKIM)

2023-02-17 Thread Benny Pedersen via mailop

Patrick Ben Koetter via mailop wrote on 2023-02-17 17:07:

Greetings,

I'm about to setup a new mailing list server. It will use Mailman 3, which is 
able to add ARC signatures to incoming messages. The lists will also rewrite 
the From:-header and to match the lists name and domain. I'm unsure if 
outbound messages should also be DKIM signed or does it suffice to add ARC 
signatures?


why not add ARC to amavisd-new first?

like DKIM already is; I ask since this can help not rejecting mailing lists, 
where the mailing lists break DKIM before the ARC sign :/


mailman should only ARC-seal and ARC-sign before breaking DKIM, but 
avoid breaking DKIM please


the workaround for breaking DKIM is simply silly

note I talk about spamassassin now? :)

outbound should not be DKIM signed in mailman, don't do this


Re: [mailop] Should mailing list messages be DKIM signed? (ARC / DKIM)

2023-02-17 Thread Tobias Herkula via mailop
You don't need ARC if you are munging the 5322.From, but if you are munging the 
5322.From add a strictly aligned DKIM signature; this makes it easy to filter and 
trust your lists' traffic.

If you run multiple lists on the same domain, please do strict alignment 
between the 5322.From AddrSpec and the 6376.Identifier (DKIM "i").

Only adding ARC without your own DKIM will make it harder for a lot of people 
that are not yet ready to process ARC signatures.

/ Tobias

-----Original Message-----
From: mailop  On behalf of Patrick Ben Koetter via 
mailop
Sent: Friday, 17 February 2023 17:08
To: mailop 
Subject: [mailop] Should mailing list messages be DKIM signed? (ARC / DKIM)

Greetings,

I'm about to setup a new mailing list server. It will use Mailman 3, which is 
able to add ARC signatures to incoming messages. The lists will also rewrite 
the From:-header and to match the lists name and domain. I'm unsure if outbound 
messages should also be DKIM signed or does it suffice to add ARC signatures?

Regards,

p@rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein

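Two points in this thread come down to how a receiver's DMARC evaluator treats identifiers: Tobias's advice to sign with strict alignment between the 5322.From address and the DKIM identifier, and Ale's probe (a p=reject subdomain, a deliberately broken DKIM signature, a valid ARC seal, sent from an unauthorized IP) for finding out whether a receiver lets a verified ARC chain stand in for authentication. The Python below is an added example, not code from the thread or from any MTA or DMARC library. It models RFC 7489 identifier alignment from Authentication-Results values and keeps the ARC step as an explicit local-policy override (RFC 8617 section 7.2) that is off unless the sealer is listed as trusted. The organizational-domain function is a deliberate simplification (last two labels, no Public Suffix List), and every domain, address and result in it is constructed.

```python
"""Added example (not from the mailop thread or from any MTA): RFC 7489
identifier alignment, plus the local-policy ARC override some receivers
apply.  All domains, addresses and results are constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class AuthResults:
    """Subset of an RFC 8601 Authentication-Results header."""
    spf_result: str = "none"                     # pass / fail / none / ...
    spf_domain: str = ""                         # RFC5321.MailFrom domain
    dkim: list = field(default_factory=list)     # [(result, d=, i=), ...]
    arc_cv: str = "none"                         # ARC chain validation status
    arc_sealer: str = ""                         # d= of the outermost ARC-Seal
    arc_aar: list = field(default_factory=list)  # AAR: [(method, result, domain), ...]


def org_domain(name):
    """Organizational domain.  ASSUMPTION: last two labels; real code must
    consult the Public Suffix List (co.uk and friends break this)."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier, from_dom, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return identifier.lower() == from_dom.lower()
    return org_domain(identifier) == org_domain(from_dom)


def from_domain(header_from):
    """Domain of the single RFC5322.From address."""
    m = re.search(r"<([^>]+)>", header_from) or re.search(r"([^\s<>]+@[^\s<>]+)", header_from)
    if not m:
        raise ValueError("no address in From:")
    return m.group(1).rsplit("@", 1)[1]


def dmarc_evaluate(header_from, ar, policy, trusted_arc_sealers=frozenset()):
    """Return (disposition, reason).  policy mirrors the _dmarc TXT record,
    e.g. {"p": "reject", "adkim": "r", "aspf": "r"}."""
    fd = from_domain(header_from)
    adkim, aspf = policy.get("adkim", "r"), policy.get("aspf", "r")
    # RFC 7489: pass if ANY passing DKIM signature's d= aligns with From.
    # The i= AUID only has to be at or below d=, so a per-list i= such as
    # @lists.example.org under d=example.org is fine; i= is not compared here.
    for result, d, _i in ar.dkim:
        if result == "pass" and aligned(d, fd, adkim):
            return "pass", f"dkim d={d} aligned with From {fd}"
    if ar.spf_result == "pass" and aligned(ar.spf_domain, fd, aspf):
        return "pass", f"spf {ar.spf_domain} aligned with From {fd}"
    # DMARC itself stops here: a verified ARC chain is not authentication.
    # Below is the LOCAL-POLICY override of RFC 8617 sec. 7.2: only if cv=pass,
    # the sealer is one we trust, and the results it recorded in
    # ARC-Authentication-Results would themselves have aligned with From.
    if ar.arc_cv == "pass" and ar.arc_sealer.lower() in trusted_arc_sealers:
        for method, result, dom in ar.arc_aar:
            mode = adkim if method == "dkim" else aspf
            if result == "pass" and aligned(dom, fd, mode):
                return "pass", f"local override: {ar.arc_sealer} attested {method}={dom}"
    p = policy.get("p", "none")
    return p, f"no aligned identifier for {fd}; applying p={p}"


def scenarios():
    """Ale's probe (p=reject subdomain, broken DKIM, unauthorized IP, valid
    ARC seal from the list host) and Tobias's strict-alignment case.
    Returns {name: disposition}."""
    probe = AuthResults(
        spf_result="fail", spf_domain="test.example.net",
        dkim=[("fail", "test.example.net", "@test.example.net")],
        arc_cv="pass", arc_sealer="lists.example.org",
        arc_aar=[("dkim", "pass", "test.example.net"),
                 ("spf", "pass", "test.example.net")])
    reject = {"p": "reject", "adkim": "r", "aspf": "r"}
    # From: munged to the list address; the list signs with d=example.org
    munged = AuthResults(dkim=[("pass", "example.org", "@lists.example.org")])
    munged_from = "Alice via list <list@lists.example.org>"
    return {
        "arc_not_trusted": dmarc_evaluate("Alice <alice@test.example.net>", probe, reject)[0],
        "arc_trusted": dmarc_evaluate("Alice <alice@test.example.net>", probe, reject,
                                      trusted_arc_sealers={"lists.example.org"})[0],
        "munged_relaxed": dmarc_evaluate(munged_from, munged, {"p": "reject", "adkim": "r"})[0],
        "munged_strict": dmarc_evaluate(munged_from, munged, {"p": "reject", "adkim": "s"})[0],
    }


if __name__ == "__main__":
    for name, disposition in scenarios().items():
        print(f"{name:16s} -> {disposition}")
```

Read against the thread: `arc_not_trusted` is what Ale means by "otherwise, you need to munge From:", `arc_trusted` is the receiver that accepts your ARC seals, and the two `munged_*` cases show why Tobias asks for the list's own signature to be strictly aligned: with adkim=s in the list domain's policy, a signature from the parent domain no longer satisfies DMARC for the munged From:.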