Re: DMARC setting change

2024-04-05 Thread peter--- via dovecot
>>>>> "dovecot---" == dovecot--- via dovecot  writes:

>> We've changed the list dmarc mitigation to happen unconditionally
>> now.
dovecot---> What does "mitigation to happen unconditionally" mean?
dovecot---> What was changed?  Are you talking about changing the
dovecot---> policy action?


You'll notice a different 'From:' address in the emails from the list.
The original author will be in the 'Reply-To:' header. Also
Mailman3 strips the original DKIM signature and inserts a new one.

This used to happen only for senders to the list with a dmarc policy
that would prevent emails getting through; now it's for all senders.

Unless you're filtering based on From: you probably won't notice.

Peter C
___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org


Re: DMARC setting change

2024-04-05 Thread dovecot--- via dovecot

We've changed the list dmarc mitigation to happen unconditionally now.



What does "mitigation to happen unconditionally" mean? What was changed?
Are you talking about changing the policy action?


DMARC setting change

2024-04-05 Thread Aki Tuomi via dovecot
We've changed the list dmarc mitigation to happen unconditionally now. This
will likely have an impact on people's mails, so this is a heads-up for everyone
so they know.

Please let me know if this causes too much bother, but keep in mind that right
now a lot of emails are being bounced and rejected.

Aki


Re: DMARC Failures for Mailing List

2023-11-17 Thread dovecot
On 11/17/23 10:38, Nick Lockheart wrote:
> The DKIM check is also failing. I think the list software may be re-writing
> the message bodies.
I believe one of the reasons for the DKIM failure is this addition/
configuration by mailman in the footer of every message (the unsubscribe
stuff):

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org

--x9p


Re: DMARC Failures for Mailing List

2023-11-17 Thread misc
On 11/17/23 10:38, Nick Lockheart wrote:
> The DKIM check is also failing. I think the list software may be re-writing
> the message bodies.
I believe one of the reasons for the DKIM failure is this addition/
configuration by mailman in the footer of every message (the unsubscribe
stuff):

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org

--x9p


Re: DMARC Failures for Mailing List

2023-11-17 Thread Kenneth Irving via dovecot


On Fri, 17 Nov 2023, Nick Lockheart wrote:

> Now that we've got our new mail server going and the DMARC reports are coming
> in, I'm finding a lot of DMARC failures for messages that I'm sending to this
> list.

[...]

> 2. Is there any way to mitigate DMARC issues for mailing lists? It seems like
> the mailing list software should be sending out the emails as itself, not as
> the user that submitted the message.


I believe Mailman can be (and should be) configured to do exactly this.

Best regards

Kenneth


Re: DMARC Failures for Mailing List

2023-11-17 Thread Aki Tuomi via dovecot


> On 17/11/2023 12:38 EET Nick Lockheart  wrote:
> 
>  
> Now that we've got our new mail server going and the DMARC reports are
> coming in, I'm finding a lot of DMARC failures for messages that I'm
> sending to this list.
> 
> It seems that when I send a message to this list, the list software
> forwards it to other people on my behalf, but uses my email address in
> the header_from.
> 
> This results in an SPF failure, because SPF only allows our MX to send
> mail for our domain.
> 
> The DKIM check is also failing. I think the list software may be re-
> writing the message bodies.
> 
> Another user that I replied to on this list a day ago said my list mail
> went to spam on his gmail.
> 
> 1. Will our domain reputation be harmed by having a lot of copies of
> the same messages going to a bunch of different people on different
> ISPs and all of them failing DMARC?
> 
> It seems that some places are using databases that look for duplicate
> content sent to multiple recipients to identify bulk mail and spam.
> 
> 2. Is there any way to mitigate DMARC issues for mailing lists? It
> seems like the mailing list software should be sending out the emails
> as itself, not as the user that submitted the message.
> 

There is an ARC signature, and you need to somehow whitelist the key used to
sign it. Then hopefully it will fail less.

Aki


DMARC Failures for Mailing List

2023-11-17 Thread Nick Lockheart
Now that we've got our new mail server going and the DMARC reports are coming
in, I'm finding a lot of DMARC failures for messages that I'm sending to this
list.

It seems that when I send a message to this list, the list software forwards it
to other people on my behalf, but uses my email address in the header_from.

This results in an SPF failure, because SPF only allows our MX to send mail for
our domain.

The DKIM check is also failing. I think the list software may be re-writing the
message bodies.

Another user that I replied to on this list a day ago said my list mail went to
spam on his gmail.

1. Will our domain reputation be harmed by having a lot of copies of the same
messages going to a bunch of different people on different ISPs and all of them
failing DMARC?

It seems that some places are using databases that look for duplicate content
sent to multiple recipients to identify bulk mail and spam.

2. Is there any way to mitigate DMARC issues for mailing lists? It seems like
the mailing list software should be sending out the emails as itself, not as
the user that submitted the message.
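
The failure described in this message, and the list-side mitigation described in the 2024-04-05 reply (rewritten 'From:', original author in 'Reply-To:', original DKIM signature replaced by the list's own), as an added example that is not part of the thread. Assumptions: the domains `sender.example` and `lists.example`, the footer text and the helper names are constructed; the RSA signature is not modeled (a signature counts as intact when its `bh=` body hash still matches); the organizational domain is approximated as the last two labels; SPF is assumed to pass for whichever envelope domain the sending server uses.

```python
import base64
import copy
import hashlib
from email import message_from_string
from email.utils import formataddr, parseaddr

# Everything below is constructed sample data, not taken from the thread.
LIST_ADDR = "list@lists.example"
FOOTER = "___\nexample mailing list -- list@lists.example\n"
BODY = "The DKIM check is also failing.\n"


def body_hash(body):
    """bh= value under 'simple' body canonicalization (RFC 6376 section 3.4.3)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()  # trailing empty lines are ignored by the canonicalization
    canon = "".join(line + "\r\n" for line in lines) or "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def make_sig(domain, body):
    """DKIM-Signature value; b= is a placeholder because RSA signing is not modeled."""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s=sel; "
            f"bh={body_hash(body)}; b=PLACEHOLDER")


def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            tags[name] = "".join(val.split())
    return tags


def org_domain(domain):
    # Assumption: last two labels. A real evaluator uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def evaluate(msg, spf_pass_domain):
    """DMARC verdict for the header From, given the domain that passed SPF."""
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    bh_now = body_hash(msg.get_payload())
    # Signatures whose body hash no longer matches are treated as failed.
    intact = [t.get("d", "") for t in map(dkim_tags, msg.get_all("DKIM-Signature", []))
              if t.get("bh") == bh_now]
    spf = org_domain(spf_pass_domain) == org_domain(from_domain)
    dkim = any(org_domain(d) == org_domain(from_domain) for d in intact)
    return {"from_domain": from_domain, "spf_aligned": spf,
            "dkim_aligned": dkim, "dmarc": "pass" if spf or dkim else "fail"}


def list_deliver(msg, munge_from):
    """What the list sends out: footer appended, optionally with From rewriting."""
    out = copy.deepcopy(msg)
    out.set_payload(msg.get_payload() + FOOTER)  # this alone breaks the author's bh=
    if munge_from:
        name, addr = parseaddr(msg["From"])
        del out["From"], out["Reply-To"], out["DKIM-Signature"]
        out["From"] = formataddr((f"{name or addr} via list", LIST_ADDR))
        out["Reply-To"] = addr
        out["DKIM-Signature"] = make_sig("lists.example", out.get_payload())
    return out


def author_message():
    return message_from_string(
        "From: Author <author@sender.example>\n"
        "To: list@lists.example\n"
        "Subject: DMARC Failures for Mailing List\n"
        f"DKIM-Signature: {make_sig('sender.example', BODY)}\n"
        "\n" + BODY)


def scenarios():
    msg = author_message()
    return {
        # Sent straight from the author's own server.
        "direct": evaluate(msg, "sender.example"),
        # Relayed by the list with the author's address left in From.
        "list_unmodified_from": evaluate(list_deliver(msg, False), "lists.example"),
        # Relayed by the list with the mitigation applied.
        "list_rewritten_from": evaluate(list_deliver(msg, True), "lists.example"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} {result}")
```
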






Re: Re: dmarc user can't receive email because of encrypted storage

2023-05-09 Thread Aki Tuomi via dovecot


> On 05/05/2023 14:57 EEST efeizbu...@disroot.org wrote:
> 
>  
> On 2023-05-05 14:29, efeizbudak--- via dovecot wrote:
> > On 2023-05-05 09:09, Aki Tuomi via dovecot wrote:
> >>> On 05/05/2023 05:49 EEST efeizbudak--- via dovecot 
> >>>  wrote:
> >>> 
> >>> 
> >> 
> >> 
> >>> > try
> >>> >
> >>> > doveadm -o plugin/mail_crypt_require_encrypted_user_key=no mailbox
> >>> > cryptokey generate -U -u dmarc
> >>> >
> >>> > maybe it works?
> >>> >
> >>> > Aki
> >>> This gives the same error as the above that starts with
> >>> 
> >>> doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) 
> >>> failed:
> >>> mail_crypt_require_encrypted_user_key set, cannot generate user 
> >>> keypair
> >>> without password or key
> >> 
> >> Ok, since this is getting too annoying I tested out that
> >> 
> >> doveadm -o plugin/mail_crypt_private_password=foo mailbox cryptokey 
> >> generate -u dmarc -U
> >> 
> >> at least works for me with that setting.
> >> 
> >> I've made an issue of this, because it's not supposed to work like 
> >> this. Although it can end up as documentation task.
> >> 
> >> Aki
> > That worked! Thank you!!
> Sorry, I've missed one important part. After running this command and 
> creating the keys, the emails are now received fine on the account but 
> how can I actually read them? I've tried to log into the account using 
> something like
> 
> mutt -f imap://dm...@domain.com/Inbox
> 
> but the login fails I guess because the user has keys but no password to 
> login. How can I decrypt the mail on this account using the generated 
> keys? I've also tried
> 
> doveadm fetch -u dmarc "text" MAILBOX INBOX UNSEEN
> 
> which gives me an error about password not being available.

Well yes. There have been so many threads on this on the mailing list so I'll 
just summarize it here:

If you are going to use per-user-passwords, you need to hash them. In config, 
you need to export this in passdb. Otherwise it will never end up in plugin 
environment. Hash them to avoid certain characters making a mess and also to 
make it more secure.

You **must** either make your users log in to Dovecot before receiving
email, **or** include cryptokey management in your provisioning workflow.
Remember to hash the password when providing it over -o 
plugin/mail_crypt_private_password.

Dovecot has no facility to ask the password over IMAP when you try to read the 
mail.

Doing per-user-password encryption is difficult to get right.

Aki


Re: dmarc user can't receive email because of encrypted storage

2023-05-05 Thread efeizbudak--- via dovecot

On 2023-05-05 14:29, efeizbudak--- via dovecot wrote:
> On 2023-05-05 09:09, Aki Tuomi via dovecot wrote:
>>> On 05/05/2023 05:49 EEST efeizbudak--- via dovecot wrote:
>>>> try
>>>>
>>>> doveadm -o plugin/mail_crypt_require_encrypted_user_key=no mailbox cryptokey generate -U -u dmarc
>>>>
>>>> maybe it works?
>>>>
>>>> Aki
>>> This gives the same error as the above that starts with
>>>
>>> doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key
>>
>> Ok, since this is getting too annoying I tested out that
>>
>> doveadm -o plugin/mail_crypt_private_password=foo mailbox cryptokey generate -u dmarc -U
>>
>> at least works for me with that setting.
>>
>> I've made an issue of this, because it's not supposed to work like this. Although it can end up as documentation task.
>>
>> Aki
> That worked! Thank you!!

Sorry, I've missed one important part. After running this command and 
creating the keys, the emails are now received fine on the account but 
how can I actually read them? I've tried to log into the account using 
something like


mutt -f imap://dm...@domain.com/Inbox

but the login fails I guess because the user has keys but no password to 
login. How can I decrypt the mail on this account using the generated 
keys? I've also tried


doveadm fetch -u dmarc "text" MAILBOX INBOX UNSEEN

which gives me an error about password not being available.


Re: dmarc user can't receive email because of encrypted storage

2023-05-05 Thread efeizbudak--- via dovecot

On 2023-05-05 09:09, Aki Tuomi via dovecot wrote:
>> On 05/05/2023 05:49 EEST efeizbudak--- via dovecot wrote:
>>> try
>>>
>>> doveadm -o plugin/mail_crypt_require_encrypted_user_key=no mailbox cryptokey generate -U -u dmarc
>>>
>>> maybe it works?
>>>
>>> Aki
>> This gives the same error as the above that starts with
>>
>> doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: mail_crypt_require_encrypted_user_key set, cannot generate user keypair without password or key
>
> Ok, since this is getting too annoying I tested out that
>
> doveadm -o plugin/mail_crypt_private_password=foo mailbox cryptokey generate -u dmarc -U
>
> at least works for me with that setting.
>
> I've made an issue of this, because it's not supposed to work like this. Although it can end up as documentation task.
>
> Aki

That worked! Thank you!!


Re: dmarc user can't receive email because of encrypted storage

2023-05-05 Thread Aki Tuomi via dovecot


> On 05/05/2023 05:49 EEST efeizbudak--- via dovecot  
> wrote:
> 
>  


> > try
> > 
> > doveadm -o plugin/mail_crypt_require_encrypted_user_key=no mailbox 
> > cryptokey generate -U -u dmarc
> > 
> > maybe it works?
> > 
> > Aki
> This gives the same error as the above that starts with
> 
> doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: 
> mail_crypt_require_encrypted_user_key set, cannot generate user keypair 
> without password or key

Ok, since this is getting too annoying I tested out that

doveadm -o plugin/mail_crypt_private_password=foo mailbox cryptokey generate -u dmarc -U

at least works for me with that setting.

I've made an issue of this, because it's not supposed to work like this. 
Although it can end up as documentation task.

Aki


Re: dmarc user can't receive email because of encrypted storage

2023-05-04 Thread efeizbudak--- via dovecot

On 2023-05-04 21:31, Aki Tuomi via dovecot wrote:

On 04/05/2023 21:28 EEST efeizbu...@disroot.org wrote:


On 2023-05-04 21:25, Aki Tuomi wrote:
>> On 04/05/2023 21:20 EEST efeizbu...@disroot.org wrote:
>>
>>
>> On 2023-05-04 21:16, Aki Tuomi wrote:
>> >> On 04/05/2023 21:09 EEST Aki Tuomi via dovecot 
>> >> wrote:
>> >>
>> >>
>> >> > On 04/05/2023 21:08 EEST efeizbu...@disroot.org wrote:
>> >> >
>> >> >
>> >> > On 2023-05-04 20:53, Aki Tuomi via dovecot wrote:
>> >> > >> On 04/05/2023 20:11 EEST efeizbudak--- via dovecot
>> >> > >>  wrote:
>> >> > >>
>> >> > >>
>> >> > >> Hi all,
>> >> > >>
>> >> > >> So recently google has been trying to send email to dm...@domain.com
>> >> > >> on
>> >> > >> my server but I'm using encrypted storage and since the dmarc user 
has
>> >> > >> no password the email is being rejected with the error:
>> >> > >>
>> >> > >> May  4 16:51:50 domain dovecot:
>> >> > >> lda(dmarc)<3326>: Error: sieve:
>> >> > >> msgid=<10341808348719730...@google.com>: failed to store into mailbox
>> >> > >> 'INBOX': generate_keypair(INBOX) failed:
>> >> > >> mail_crypt_require_encrypted_user_key set, cannot generate user
>> >> > >> keypair
>> >> > >> without password or key
>> >> > >>
>> >> > >> How can I fix this, or at least read what the mail says? Would it be
>> >> > >> safe to just give dmarc user a strong password?
>> >> > >
>> >> > > You can run
>> >> > >
>> >> > > doveadm mailbox cryptokey generate -U dmarc -N
>> >> > >
>> >> > > so the user will have a keypair generated. Then it should work.
>> >> > >
>> >> > > Aki
>> >> >
>> >> > I'm getting
>> >> >
>> >> > generate: invalid option -- 'N'
>> >> >
>> >> > should I just run it without -N ?
>> >> >
>> >> > Thank you!
>> >>
>> >> Please keep responses on the list.
>> >>
>> >> Try -n password? I have a faint recall of a buggy version like this.
>> >>
>> >> Aki
>> >
>> >> Sorry for replying twice, I'm getting
>> >> doveadm(root): Error: Couldn't drop privileges: User is missing UID
>> >> (see
>> > mail_uid setting)
>> >> when I try to run it without the -N op
>> >
>> > Sorry, my bad.
>> >
>> > doveadm mailbox cryptokey generate -U -u dmarc -n password
>> >
>> > Aki
>> This too gives me
>>
>> generate: invalid option -- 'n'
>
> So it seems. Have to investigate this.
>
> In the mean time, can you try just
>
> doveadm mailbox cryptokey generate -U -u dmarc
>
> If you want, you can do
>
> doveadm mailbox cryptokey password -u user -U -N
>
> which hopefully should work.
>
> Aki
First one gives,

doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed:
mail_crypt_require_encrypted_user_key set, cannot generate user 
keypair

without password or key
doveadm(dmarc): Warning: mailbox cryptokey generate: Nothing was
matched. Use -U or specify mask?
doveadm(dmarc): Panic: file mail-user.c: line 229 (mail_user_deinit):
assertion failed: ((*user)->refcount == 1)
doveadm(dmarc): Error: Raw backtrace:
/usr/lib/dovecot/libdovecot.so.0(backtrace_append+0x42) 
[0x7fe3f93e04e2]
-> /usr/lib/dovecot/libdovecot.so.0(backtrace_get+0x1e) 
[0x7fe3f93e05fe]

-> /usr/lib/dovecot/libdovecot.so.0(+0xfc49b) [0x7fe3f93ec49b] ->
/usr/lib/dovecot/libdovecot.so.0(+0xfc4d1) [0x7fe3f93ec4d1] ->
/usr/lib/dovecot/libdovecot.so.0(+0x53aee) [0x7fe3f9343aee] ->
/usr/lib/dovecot/libdovecot-storage.so.0(+0x407c9) [0x7fe3f94f47c9] ->
doveadm(+0x31bcd) [0x55c2ab3d7bcd] -> doveadm(+0x32632) 
[0x55c2ab3d8632]
-> doveadm(doveadm_cmd_ver2_to_mail_cmd_wrapper+0x22d) 
[0x55c2ab3d94ad]

-> doveadm(doveadm_cmd_run_ver2+0x4c8) [0x55c2ab3e9b88] ->
doveadm(doveadm_cmd_try_run_ver2+0x3a) [0x55c2ab3e9bda] ->
doveadm(main+0x1d0) [0x55c2ab3c8450] ->
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xea) 
[0x7fe3f8f9fd0a]

-> doveadm(_start+0x2a) [0x55c2ab3c892a]
Aborted

And the second one gives,

password: invalid option -- 'U'

Thank you for looking into it!


Sorry, this is bit annoying issue. Seems there was a slight oversight 
when this option was added.. anyways...


try

doveadm -o plugin/mail_crypt_require_encrypted_user_key=no mailbox 
cryptokey generate -U -u dmarc


maybe it works?

Aki

This gives the same error as the above that starts with

doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: 
mail_crypt_require_encrypted_user_key set, cannot generate user keypair 
without password or key



Re: dmarc user can't receive email because of encrypted storage

2023-05-04 Thread Aki Tuomi via dovecot

> On 04/05/2023 21:28 EEST efeizbu...@disroot.org wrote:
> 
>  
> On 2023-05-04 21:25, Aki Tuomi wrote:
> >> On 04/05/2023 21:20 EEST efeizbu...@disroot.org wrote:
> >> 
> >> 
> >> On 2023-05-04 21:16, Aki Tuomi wrote:
> >> >> On 04/05/2023 21:09 EEST Aki Tuomi via dovecot 
> >> >> wrote:
> >> >>
> >> >>
> >> >> > On 04/05/2023 21:08 EEST efeizbu...@disroot.org wrote:
> >> >> >
> >> >> >
> >> >> > On 2023-05-04 20:53, Aki Tuomi via dovecot wrote:
> >> >> > >> On 04/05/2023 20:11 EEST efeizbudak--- via dovecot
> >> >> > >>  wrote:
> >> >> > >>
> >> >> > >>
> >> >> > >> Hi all,
> >> >> > >>
> >> >> > >> So recently google has been trying to send email to 
> >> >> > >> dm...@domain.com
> >> >> > >> on
> >> >> > >> my server but I'm using encrypted storage and since the dmarc user 
> >> >> > >> has
> >> >> > >> no password the email is being rejected with the error:
> >> >> > >>
> >> >> > >> May  4 16:51:50 domain dovecot:
> >> >> > >> lda(dmarc)<3326>: Error: sieve:
> >> >> > >> msgid=<10341808348719730...@google.com>: failed to store into 
> >> >> > >> mailbox
> >> >> > >> 'INBOX': generate_keypair(INBOX) failed:
> >> >> > >> mail_crypt_require_encrypted_user_key set, cannot generate user
> >> >> > >> keypair
> >> >> > >> without password or key
> >> >> > >>
> >> >> > >> How can I fix this, or at least read what the mail says? Would it 
> >> >> > >> be
> >> >> > >> safe to just give dmarc user a strong password?
> >> >> > >
> >> >> > > You can run
> >> >> > >
> >> >> > > doveadm mailbox cryptokey generate -U dmarc -N
> >> >> > >
> >> >> > > so the user will have a keypair generated. Then it should work.
> >> >> > >
> >> >> > > Aki
> >> >> >
> >> >> > I'm getting
> >> >> >
> >> >> > generate: invalid option -- 'N'
> >> >> >
> >> >> > should I just run it without -N ?
> >> >> >
> >> >> > Thank you!
> >> >>
> >> >> Please keep responses on the list.
> >> >>
> >> >> Try -n password? I have a faint recall of a buggy version like this.
> >> >>
> >> >> Aki
> >> >
> >> >> Sorry for replying twice, I'm getting
> >> >> doveadm(root): Error: Couldn't drop privileges: User is missing UID
> >> >> (see
> >> > mail_uid setting)
> >> >> when I try to run it without the -N op
> >> >
> >> > Sorry, my bad.
> >> >
> >> > doveadm mailbox cryptokey generate -U -u dmarc -n password
> >> >
> >> > Aki
> >> This too gives me
> >> 
> >> generate: invalid option -- 'n'
> > 
> > So it seems. Have to investigate this.
> > 
> > In the mean time, can you try just
> > 
> > doveadm mailbox cryptokey generate -U -u dmarc
> > 
> > If you want, you can do
> > 
> > doveadm mailbox cryptokey password -u user -U -N
> > 
> > which hopefully should work.
> > 
> > Aki
> First one gives,
> 
> doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: 
> mail_crypt_require_encrypted_user_key set, cannot generate user keypair 
> without password or key
> doveadm(dmarc): Warning: mailbox cryptokey generate: Nothing was 
> matched. Use -U or specify mask?
> doveadm(dmarc): Panic: file mail-user.c: line 229 (mail_user_deinit): 
> assertion failed: ((*user)->refcount == 1)
> doveadm(dmarc): Error: Raw backtrace: 
> /usr/lib/dovecot/libdovecot.so.0(backtrace_append+0x42) [0x7fe3f93e04e2] 
> -> /usr/lib/dovecot/libdovecot.so.0(backtrace_get+0x1e) [0x7fe3f93e05fe] 
> -> /usr/lib/dovecot/libdovecot.so.0(+0xfc49b) [0x7fe3f93ec49b] -> 
> /usr/lib/dovecot/libdovecot.so.0(+0xfc4d1) [0x7fe3f93ec4d1] -> 
> /usr/lib/dovecot/libdovecot.so.0(+0x53aee) [0x7fe3f9343aee] -> 
> /usr/lib/dovecot/libdovecot-storage.so.0(+0x407c9) [0x7fe3f94f47c9] -> 
> doveadm(+0x31bcd) [0x55c2ab3d7bcd] -> doveadm(+0x32632) [0x55c2ab3d8632] 
> -> doveadm(doveadm_cmd_ver2_to_mail_cmd_wrapper+0x22d) [0x55c2ab3d94ad] 
> -> doveadm(doveadm_cmd_run_ver2+0x4c8) [0x55c2ab3e9b88] -> 
> doveadm(doveadm_cmd_try_run_ver2+0x3a) [0x55c2ab3e9bda] -> 
> doveadm(main+0x1d0) [0x55c2ab3c8450] -> 
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xea) [0x7fe3f8f9fd0a] 
> -> doveadm(_start+0x2a) [0x55c2ab3c892a]
> Aborted
> 
> And the second one gives,
> 
> password: invalid option -- 'U'
> 
> Thank you for looking into it!

Sorry, this is a bit of an annoying issue. Seems there was a slight oversight when this
option was added.. anyways...

try

doveadm -o plugin/mail_crypt_require_encrypted_user_key=no mailbox cryptokey generate -U -u dmarc

maybe it works?

Aki


Re: dmarc user can't receive email because of encrypted storage

2023-05-04 Thread efeizbudak--- via dovecot

On 2023-05-04 21:25, Aki Tuomi wrote:

On 04/05/2023 21:20 EEST efeizbu...@disroot.org wrote:


On 2023-05-04 21:16, Aki Tuomi wrote:
>> On 04/05/2023 21:09 EEST Aki Tuomi via dovecot 
>> wrote:
>>
>>
>> > On 04/05/2023 21:08 EEST efeizbu...@disroot.org wrote:
>> >
>> >
>> > On 2023-05-04 20:53, Aki Tuomi via dovecot wrote:
>> > >> On 04/05/2023 20:11 EEST efeizbudak--- via dovecot
>> > >>  wrote:
>> > >>
>> > >>
>> > >> Hi all,
>> > >>
>> > >> So recently google has been trying to send email to dm...@domain.com
>> > >> on
>> > >> my server but I'm using encrypted storage and since the dmarc user has
>> > >> no password the email is being rejected with the error:
>> > >>
>> > >> May  4 16:51:50 domain dovecot:
>> > >> lda(dmarc)<3326>: Error: sieve:
>> > >> msgid=<10341808348719730...@google.com>: failed to store into mailbox
>> > >> 'INBOX': generate_keypair(INBOX) failed:
>> > >> mail_crypt_require_encrypted_user_key set, cannot generate user
>> > >> keypair
>> > >> without password or key
>> > >>
>> > >> How can I fix this, or at least read what the mail says? Would it be
>> > >> safe to just give dmarc user a strong password?
>> > >
>> > > You can run
>> > >
>> > > doveadm mailbox cryptokey generate -U dmarc -N
>> > >
>> > > so the user will have a keypair generated. Then it should work.
>> > >
>> > > Aki
>> >
>> > I'm getting
>> >
>> > generate: invalid option -- 'N'
>> >
>> > should I just run it without -N ?
>> >
>> > Thank you!
>>
>> Please keep responses on the list.
>>
>> Try -n password? I have a faint recall of a buggy version like this.
>>
>> Aki
>
>> Sorry for replying twice, I'm getting
>> doveadm(root): Error: Couldn't drop privileges: User is missing UID
>> (see
> mail_uid setting)
>> when I try to run it without the -N op
>
> Sorry, my bad.
>
> doveadm mailbox cryptokey generate -U -u dmarc -n password
>
> Aki
This too gives me

generate: invalid option -- 'n'


So it seems. Have to investigate this.

In the mean time, can you try just

doveadm mailbox cryptokey generate -U -u dmarc

If you want, you can do

doveadm mailbox cryptokey password -u user -U -N

which hopefully should work.

Aki

First one gives,

doveadm(dmarc): Error: mail_crypt_user_generate_keypair(dmarc) failed: 
mail_crypt_require_encrypted_user_key set, cannot generate user keypair 
without password or key
doveadm(dmarc): Warning: mailbox cryptokey generate: Nothing was 
matched. Use -U or specify mask?
doveadm(dmarc): Panic: file mail-user.c: line 229 (mail_user_deinit): 
assertion failed: ((*user)->refcount == 1)
doveadm(dmarc): Error: Raw backtrace: 
/usr/lib/dovecot/libdovecot.so.0(backtrace_append+0x42) [0x7fe3f93e04e2] 
-> /usr/lib/dovecot/libdovecot.so.0(backtrace_get+0x1e) [0x7fe3f93e05fe] 
-> /usr/lib/dovecot/libdovecot.so.0(+0xfc49b) [0x7fe3f93ec49b] -> 
/usr/lib/dovecot/libdovecot.so.0(+0xfc4d1) [0x7fe3f93ec4d1] -> 
/usr/lib/dovecot/libdovecot.so.0(+0x53aee) [0x7fe3f9343aee] -> 
/usr/lib/dovecot/libdovecot-storage.so.0(+0x407c9) [0x7fe3f94f47c9] -> 
doveadm(+0x31bcd) [0x55c2ab3d7bcd] -> doveadm(+0x32632) [0x55c2ab3d8632] 
-> doveadm(doveadm_cmd_ver2_to_mail_cmd_wrapper+0x22d) [0x55c2ab3d94ad] 
-> doveadm(doveadm_cmd_run_ver2+0x4c8) [0x55c2ab3e9b88] -> 
doveadm(doveadm_cmd_try_run_ver2+0x3a) [0x55c2ab3e9bda] -> 
doveadm(main+0x1d0) [0x55c2ab3c8450] -> 
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xea) [0x7fe3f8f9fd0a] 
-> doveadm(_start+0x2a) [0x55c2ab3c892a]

Aborted

And the second one gives,

password: invalid option -- 'U'

Thank you for looking into it!


Re: dmarc user can't receive email because of encrypted storage

2023-05-04 Thread Aki Tuomi via dovecot

> On 04/05/2023 21:20 EEST efeizbu...@disroot.org wrote:
> 
>  
> On 2023-05-04 21:16, Aki Tuomi wrote:
> >> On 04/05/2023 21:09 EEST Aki Tuomi via dovecot  
> >> wrote:
> >> 
> >> 
> >> > On 04/05/2023 21:08 EEST efeizbu...@disroot.org wrote:
> >> >
> >> >
> >> > On 2023-05-04 20:53, Aki Tuomi via dovecot wrote:
> >> > >> On 04/05/2023 20:11 EEST efeizbudak--- via dovecot
> >> > >>  wrote:
> >> > >>
> >> > >>
> >> > >> Hi all,
> >> > >>
> >> > >> So recently google has been trying to send email to dm...@domain.com
> >> > >> on
> >> > >> my server but I'm using encrypted storage and since the dmarc user has
> >> > >> no password the email is being rejected with the error:
> >> > >>
> >> > >> May  4 16:51:50 domain dovecot:
> >> > >> lda(dmarc)<3326>: Error: sieve:
> >> > >> msgid=<10341808348719730...@google.com>: failed to store into mailbox
> >> > >> 'INBOX': generate_keypair(INBOX) failed:
> >> > >> mail_crypt_require_encrypted_user_key set, cannot generate user
> >> > >> keypair
> >> > >> without password or key
> >> > >>
> >> > >> How can I fix this, or at least read what the mail says? Would it be
> >> > >> safe to just give dmarc user a strong password?
> >> > >
> >> > > You can run
> >> > >
> >> > > doveadm mailbox cryptokey generate -U dmarc -N
> >> > >
> >> > > so the user will have a keypair generated. Then it should work.
> >> > >
> >> > > Aki
> >> >
> >> > I'm getting
> >> >
> >> > generate: invalid option -- 'N'
> >> >
> >> > should I just run it without -N ?
> >> >
> >> > Thank you!
> >> 
> >> Please keep responses on the list.
> >> 
> >> Try -n password? I have a faint recall of a buggy version like this.
> >> 
> >> Aki
> > 
> >> Sorry for replying twice, I'm getting
> >> doveadm(root): Error: Couldn't drop privileges: User is missing UID 
> >> (see
> > mail_uid setting)
> >> when I try to run it without the -N op
> > 
> > Sorry, my bad.
> > 
> > doveadm mailbox cryptokey generate -U -u dmarc -n password
> > 
> > Aki
> This too gives me
> 
> generate: invalid option -- 'n'

So it seems. Have to investigate this.

In the mean time, can you try just

doveadm mailbox cryptokey generate -U -u dmarc

If you want, you can do 

doveadm mailbox cryptokey password -u user -U -N

which hopefully should work.

Aki


Re: dmarc user can't receive email because of encrypted storage

2023-05-04 Thread efeizbudak--- via dovecot

On 2023-05-04 21:16, Aki Tuomi wrote:
On 04/05/2023 21:09 EEST Aki Tuomi via dovecot  
wrote:



> On 04/05/2023 21:08 EEST efeizbu...@disroot.org wrote:
>
>
> On 2023-05-04 20:53, Aki Tuomi via dovecot wrote:
> >> On 04/05/2023 20:11 EEST efeizbudak--- via dovecot
> >>  wrote:
> >>
> >>
> >> Hi all,
> >>
> >> So recently google has been trying to send email to dm...@domain.com
> >> on
> >> my server but I'm using encrypted storage and since the dmarc user has
> >> no password the email is being rejected with the error:
> >>
> >> May  4 16:51:50 domain dovecot:
> >> lda(dmarc)<3326>: Error: sieve:
> >> msgid=<10341808348719730...@google.com>: failed to store into mailbox
> >> 'INBOX': generate_keypair(INBOX) failed:
> >> mail_crypt_require_encrypted_user_key set, cannot generate user
> >> keypair
> >> without password or key
> >>
> >> How can I fix this, or at least read what the mail says? Would it be
> >> safe to just give dmarc user a strong password?
> >
> > You can run
> >
> > doveadm mailbox cryptokey generate -U dmarc -N
> >
> > so the user will have a keypair generated. Then it should work.
> >
> > Aki
>
> I'm getting
>
> generate: invalid option -- 'N'
>
> should I just run it without -N ?
>
> Thank you!

Please keep responses on the list.

Try -n password? I have a faint recall of a buggy version like this.

Aki



Sorry for replying twice, I'm getting
doveadm(root): Error: Couldn't drop privileges: User is missing UID 
(see

mail_uid setting)

when I try to run it without the -N op


Sorry, my bad.

doveadm mailbox cryptokey generate -U -u dmarc -n password

Aki

This too gives me

generate: invalid option -- 'n'


Re: dmarc user can't receive email because of encrypted storage

2023-05-04 Thread efeizbudak--- via dovecot

On 2023-05-04 21:09, Aki Tuomi wrote:

On 04/05/2023 21:08 EEST efeizbu...@disroot.org wrote:


On 2023-05-04 20:53, Aki Tuomi via dovecot wrote:
>> On 04/05/2023 20:11 EEST efeizbudak--- via dovecot
>>  wrote:
>>
>>
>> Hi all,
>>
>> So recently google has been trying to send email to dm...@domain.com
>> on
>> my server but I'm using encrypted storage and since the dmarc user has
>> no password the email is being rejected with the error:
>>
>> May  4 16:51:50 domain dovecot:
>> lda(dmarc)<3326>: Error: sieve:
>> msgid=<10341808348719730...@google.com>: failed to store into mailbox
>> 'INBOX': generate_keypair(INBOX) failed:
>> mail_crypt_require_encrypted_user_key set, cannot generate user
>> keypair
>> without password or key
>>
>> How can I fix this, or at least read what the mail says? Would it be
>> safe to just give dmarc user a strong password?
>
> You can run
>
> doveadm mailbox cryptokey generate -U dmarc -N
>
> so the user will have a keypair generated. Then it should work.
>
> Aki

I'm getting

generate: invalid option -- 'N'

should I just run it without -N ?

Thank you!


Please keep responses on the list.

Try -n password? I have a faint recall of a buggy version like this.

Aki

Unfortunately doesn't work. I've also tried

doveadm mailbox cryptokey password -N -U dmarc

doveadm mailbox cryptokey generate -N -U dmarc

doveadm mailbox cryptokey generate -U dmarc -n password


Re: dmarc user can't receive email because of encrypted storage

2023-05-04 Thread Aki Tuomi via dovecot

> On 04/05/2023 21:09 EEST Aki Tuomi via dovecot  wrote:
> 
>  
> > On 04/05/2023 21:08 EEST efeizbu...@disroot.org wrote:
> > 
> >  
> > On 2023-05-04 20:53, Aki Tuomi via dovecot wrote:
> > >> On 04/05/2023 20:11 EEST efeizbudak--- via dovecot 
> > >>  wrote:
> > >> 
> > >> 
> > >> Hi all,
> > >> 
> > >> So recently google has been trying to send email to dm...@domain.com 
> > >> on
> > >> my server but I'm using encrypted storage and since the dmarc user has
> > >> no password the email is being rejected with the error:
> > >> 
> > >> May  4 16:51:50 domain dovecot:
> > >> lda(dmarc)<3326>: Error: sieve:
> > >> msgid=<10341808348719730...@google.com>: failed to store into mailbox
> > >> 'INBOX': generate_keypair(INBOX) failed:
> > >> mail_crypt_require_encrypted_user_key set, cannot generate user 
> > >> keypair
> > >> without password or key
> > >> 
> > >> How can I fix this, or at least read what the mail says? Would it be
> > >> safe to just give dmarc user a strong password?
> > > 
> > > You can run
> > > 
> > > doveadm mailbox cryptokey generate -U dmarc -N
> > > 
> > > so the user will have a keypair generated. Then it should work.
> > > 
> > > Aki
> > 
> > I'm getting
> > 
> > generate: invalid option -- 'N'
> > 
> > should I just run it without -N ?
> > 
> > Thank you!
> 
> Please keep responses on the list.
> 
> Try -n password? I have a faint recall of a buggy version like this.
> 
> Aki

> Sorry for replying twice, I'm getting
> doveadm(root): Error: Couldn't drop privileges: User is missing UID (see mail_uid setting)
> when I try to run it without the -N op

Sorry, my bad. 

doveadm mailbox cryptokey generate -U -u dmarc -n password

Aki


Re: dmarc user can't receive email because of encrypted storage

2023-05-04 Thread Aki Tuomi via dovecot

> On 04/05/2023 21:08 EEST efeizbu...@disroot.org wrote:
> 
>  
> On 2023-05-04 20:53, Aki Tuomi via dovecot wrote:
> >> On 04/05/2023 20:11 EEST efeizbudak--- via dovecot 
> >>  wrote:
> >> 
> >> 
> >> Hi all,
> >> 
> >> So recently google has been trying to send email to dm...@domain.com 
> >> on
> >> my server but I'm using encrypted storage and since the dmarc user has
> >> no password the email is being rejected with the error:
> >> 
> >> May  4 16:51:50 domain dovecot:
> >> lda(dmarc)<3326>: Error: sieve:
> >> msgid=<10341808348719730...@google.com>: failed to store into mailbox
> >> 'INBOX': generate_keypair(INBOX) failed:
> >> mail_crypt_require_encrypted_user_key set, cannot generate user 
> >> keypair
> >> without password or key
> >> 
> >> How can I fix this, or at least read what the mail says? Would it be
> >> safe to just give dmarc user a strong password?
> > 
> > You can run
> > 
> > doveadm mailbox cryptokey generate -U dmarc -N
> > 
> > so the user will have a keypair generated. Then it should work.
> > 
> > Aki
> 
> I'm getting
> 
> generate: invalid option -- 'N'
> 
> should I just run it without -N ?
> 
> Thank you!

Please keep responses on the list.

Try -n password? I have a faint recall of a buggy version like this.

Aki


Re: dmarc user can't receive email because of encrypted storage

2023-05-04 Thread Aki Tuomi via dovecot

> On 04/05/2023 20:11 EEST efeizbudak--- via dovecot  
> wrote:
> 
>  
> Hi all,
> 
> So recently google has been trying to send email to dm...@domain.com on 
> my server but I'm using encrypted storage and since the dmarc user has 
> no password the email is being rejected with the error:
> 
> May  4 16:51:50 domain dovecot: 
> lda(dmarc)<3326>: Error: sieve: 
> msgid=<10341808348719730...@google.com>: failed to store into mailbox 
> 'INBOX': generate_keypair(INBOX) failed: 
> mail_crypt_require_encrypted_user_key set, cannot generate user keypair 
> without password or key
> 
> How can I fix this, or at least read what the mail says? Would it be 
> safe to just give dmarc user a strong password?

You can run

doveadm mailbox cryptokey generate -U dmarc -N

so the user will have a keypair generated. Then it should work.

Aki


dmarc user can't receive email because of encrypted storage

2023-05-04 Thread efeizbudak--- via dovecot

Hi all,

So recently google has been trying to send email to dm...@domain.com on 
my server but I'm using encrypted storage and since the dmarc user has 
no password the email is being rejected with the error:


May  4 16:51:50 domain dovecot: 
lda(dmarc)<3326>: Error: sieve: 
msgid=<10341808348719730...@google.com>: failed to store into mailbox 
'INBOX': generate_keypair(INBOX) failed: 
mail_crypt_require_encrypted_user_key set, cannot generate user keypair 
without password or key


How can I fix this, or at least read what the mail says? Would it be 
safe to just give dmarc user a strong password?



Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-10-21 Thread justina colmena ~biz

Trojitá, a fast Qt IMAP e-mail client
http://www.trojita.flaska.net/

I also use

http://opendkim.org/ 
http://www.trusteddomain.org/opendmarc/


as milters on Postfix

Active development, I'm sure they could all use some help, or forks for 
alternatives, I don't know, I'm not involved in development per se, just a 
user, and I have to get off the property of any of these places with my 
code before anything happens. All that Finnish osalliyhdistys and by the 
time a Swede gets online all hell breaks loose./


On Friday, October 21, 2022 1:50:43 PM AKDT, hi@zakaria.website wrote:

On 2022-10-11 14:05, Benny Pedersen wrote:

hi@zakaria.website wrote on 2022-10-11 13:42: ...


Indeed, it's because you set the following headers in dkim signing headers:-

from : subject :
date : to : message-id

Although not sure why you've added some space, as per standards 
I think only colon separated list its the compliant format like 
the following:-


from:subject:date:to:message-id

Anyhow this is my final update, the previous headers set which 
I included wasn't perfect as cc header was causing a trouble, 
given it can fail at some point e.g. when replying more than one 
time to the same recipient through a mailing list, and mind me 
OX and iRedMail, I had to check your signing headers set, 
hopefully you are ok for me to present it here as the optimal 
one to avoid DKIM failures:-


OX:-
Date:From:To:In-Reply-To:References:Subject:From

IRM:-
x-mailer:message-id:in-reply-to:to:references:date:subject
:mime-version:content-transfer-encoding:content-type:from

iRedMail seems to be the best headers set given it includes 
X-Mailer header, which enhances signature validity, when client 
uses specific mail client app, although it can be faked yet one 
must know which client app the sender would use and if was able 
to have information to this length I guess signature validity 
would be an easy task to break it further.


Also, I was advised by a friend to duplicate the signing 
headers in order to disallow spoofing signature further, while I 
couldn't see how nor populate a proof of concept, I removed it 
but if someone understands it, I would appreciate their 
elaboration, surely with thanks :)


Good luck.

Zakaria.






Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-10-21 Thread hi

On 2022-10-11 14:05, Benny Pedersen wrote:

hi@zakaria.website wrote on 2022-10-11 13:42:

On 2022-09-13 13:10, Benny Pedersen wrote:

hi@zakaria.website wrote on 2022-09-13 14:03:



from:from:reply-to:date:date:message-id:message-id:to:to:cc:
 mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references

Thanks to my friend who didn't need a credit, and helped me out in
reaching this solution.


i have no friends, but it might be related 
https://gitlab.com/fumail/fuglu/-/issues/262


with my conservative list of signed headers it pass


Indeed, it's because you set the following headers in dkim signing 
headers:-


from : subject :
date : to : message-id

Although not sure why you've added some space, as per standards I think 
only colon separated list its the compliant format like the following:-


from:subject:date:to:message-id

Anyhow this is my final update, the previous headers set which I 
included wasn't perfect as cc header was causing a trouble, given it can 
fail at some point e.g. when replying more than one time to the same 
recipient through a mailing list, and mind me OX and iRedMail, I had to 
check your signing headers set, hopefully you are ok for me to present 
it here as the optimal one to avoid DKIM failures:-


OX:-
Date:From:To:In-Reply-To:References:Subject:From

IRM:-
x-mailer:message-id:in-reply-to:to:references:date:subject
:mime-version:content-transfer-encoding:content-type:from

iRedMail seems to be the best headers set given it includes X-Mailer 
header, which enhances signature validity, when client uses specific 
mail client app, although it can be faked yet one must know which client 
app the sender would use and if was able to have information to this 
length I guess signature validity would be an easy task to break it 
further.


Also, I was advised by a friend to duplicate the signing headers in 
order to disallow spoofing signature further, while I couldn't see how 
nor populate a proof of concept, I removed it but if someone understands 
it, I would appreciate their elaboration, surely with thanks :)


Good luck.

Zakaria.
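
The posts above turn on which header names go into the DKIM h= list and why some are listed twice. The following added example (not code from the thread or from any mail software; the three received messages are constructed, and a SHA-256 digest of the selected headers stands in for the real signature) models RFC 6376 header selection to show both effects, and goes one step beyond the thread by including an extra From: header added in transit.

```python
import hashlib
import re


def parse_headers(raw):
    """Return [(name, value)] from top to bottom, keeping folded lines with their header."""
    headers = []
    for line in raw.strip("\n").split("\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers


def relaxed(name, value):
    """'relaxed' header canonicalization (RFC 6376, section 3.4.2)."""
    return name.strip().lower() + ":" + re.sub(r"[ \t]+", " ", value).strip() + "\r\n"


def select_signed(headers, h_tag):
    """Pick the header instances that an h= list covers (RFC 6376, section 5.4.2)."""
    remaining = list(headers)
    picked = []
    # h= may carry whitespace around its colons, so each name is stripped.
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        # Each mention of a name takes the bottom-most instance not used yet.
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == wanted:
                picked.append(relaxed(*remaining.pop(i)))
                break
        # A name with no instance left adds nothing: it is signed as "absent",
        # so a header of that name added later changes the digest.
    return picked


def header_digest(raw, h_tag):
    # Assumption: this digest stands in for the signature input. Real DKIM also
    # covers the DKIM-Signature header itself and the body hash (bh=).
    data = "".join(select_signed(parse_headers(raw), h_tag))
    return hashlib.sha256(data.encode()).hexdigest()


def survives(signed_msg, received_msg, h_tag):
    """True if the signed header data is unchanged between signing and receipt."""
    return header_digest(signed_msg, h_tag) == header_digest(received_msg, h_tag)


# The two h= lists quoted in the thread.
CONSERVATIVE = "from : subject : date : to : message-id"
OVERSIGNED = ("from:from:reply-to:date:date:message-id:message-id:to:to:cc:"
              " mime-version:mime-version:content-type:content-type:"
              " in-reply-to:in-reply-to:references:references")

# Constructed sample message as it left the signer.
ORIGINAL = (
    "From: Alice <alice@example.org>\n"
    "To: list@example.net\n"
    "Subject: DKIM question\n"
    "Date: Tue, 11 Oct 2022 13:42:00 +0000\n"
    "Message-ID: <1@example.org>\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
)

# Constructed variants of what a recipient might see.
RECEIVED = {
    "reply-to added": ORIGINAL + "Reply-To: Alice <alice@example.org>\n",
    "subject tagged": ORIGINAL.replace("Subject: DKIM", "Subject: [list] DKIM"),
    "extra from added": "From: Someone Else <other@example.com>\n" + ORIGINAL,
}


def report():
    """Map each variant to (survives with CONSERVATIVE, survives with OVERSIGNED)."""
    return {name: (survives(ORIGINAL, msg, CONSERVATIVE),
                   survives(ORIGINAL, msg, OVERSIGNED))
            for name, msg in RECEIVED.items()}


if __name__ == "__main__":
    for name, (conservative, oversigned) in report().items():
        print(f"{name:18} conservative={conservative!s:5} oversigned={oversigned}")
```

Listing a name once more than it occurs is what makes a later-added header of that name break the signature; a name left out of h= altogether (subject in the second list) can be rewritten without any effect on it.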


Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-10-12 Thread Dave McGuire

On 10/11/22 07:42, hi@zakaria.website wrote:

Another update yet with a solution.

I found the causing issue with DKIM and DMARC failure when a signed 
email pass through mailing list such as dovecot as I expected, it has 
nothing to do with the mailing list but it's to do with DKIM signing 
headers set. It's due to one of or several headers in the DKIM signing 
set, getting added or modified after signing at dovecot end.


Anyhow, here is the DKIM signing headers set in this mailing list, that 
it should work and it will prevent the batch of DMARC emails and bad 
signature from happening again.


from:from:reply-to:date:date:message-id:message-id:to:to:cc:
  mime-version:mime-version:content-type:content-type:
  in-reply-to:in-reply-to:references:references

  Please forgive me for jumping in, but I just noticed this.  I (like 
many others) have issues with mailing lists and the flurry of DMARC 
emails after posting.  I'm using OpenDKIM.  There's a lot of material 
out there about proper configuration of DKIM, but nothing really 
definitive, with lots of "it depends on your requirements" type of 
noncommittal crap.  Email use cases don't differ THAT much.


  So does what you said above mean that you've come up with a working 
configuration to address the issue of mailing lists causing DKIM to barf 
due to header modifications?  If so, can you tell me more about 
specifically what you're doing, like which headers you're signing and 
how?  I've been at my wits' end with this for some time; DKIM (and SPF 
etc etc) seem to be really quite awful overall.


Thanks,
-Dave

--
Dave McGuire, AK4HZ
New Kensington, PA



Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-10-11 Thread Benny Pedersen

hi@zakaria.website wrote on 2022-10-11 13:42:

On 2022-09-13 13:10, Benny Pedersen wrote:

hi@zakaria.website wrote on 2022-09-13 14:03:



from:from:reply-to:date:date:message-id:message-id:to:to:cc:
 mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references

Thanks to my friend who didn't need a credit, and helped me out in
reaching this solution.


i have no friends, but it might be related 
https://gitlab.com/fumail/fuglu/-/issues/262


with my conservative list of signed headers it pass


dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-10-11 Thread hi

On 2022-09-13 13:10, Benny Pedersen wrote:

hi@zakaria.website wrote on 2022-09-13 14:03:


least to must pass Signature Verification. Have anyone managed to
configure EXIM to verify more than one DKIM Signature header?


postfix smtpd_milter_maps with a list of ips that is known maillists 
ips is best for software that are broken, use DISABLE as results pr ip 
that is maillist ips, that will disable opendmarc and other milters 
when client ip is a maillist, postfix be happy until trusted domain 
have updated and stable milters


use rspamd if possible, with is imho the only stable milters with solve 
it all, i hate to write that but it might be right for time being, 
while spamassassin v4 is on the way


Another update yet with a solution.

I found the causing issue with DKIM and DMARC failure when a signed 
email pass through mailing list such as dovecot as I expected, it has 
nothing to do with the mailing list but it's to do with DKIM signing 
headers set. It's due to one of or several headers in the DKIM signing 
set, getting added or modified after signing at dovecot end.


Anyhow, here is the DKIM signing headers set in this mailing list, that 
it should work and it will prevent the batch of DMARC emails and bad 
signature from happening again.


from:from:reply-to:date:date:message-id:message-id:to:to:cc:
 mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references

Thanks to my friend who didn't need a credit, and helped me out in 
reaching this solution.


Zakaria.


Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-09-13 Thread Benny Pedersen

hi@zakaria.website wrote on 2022-09-13 14:03:


least to must pass Signature Verification. Have anyone managed to
configure EXIM to verify more than one DKIM Signature header?


postfix smtpd_milter_maps with a list of ips that is known maillists ips 
is best for software that are broken, use DISABLE as results pr ip that 
is maillist ips, that will disable opendmarc and other milters when 
client ip is a maillist, postfix be happy until trusted domain have 
updated and stable milters


use rspamd if possible, with is imho the only stable milters with solve 
it all, i hate to write that but it might be right for time being, while 
spamassassin v4 is on the way


Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-16 Thread @lbutlr
On 2022 Feb 16, at 10:22, Chris Bennett  
wrote:
> On Sat, Feb 12, 2022 at 12:58:03PM +0100, Sebastian Nielsen wrote:
>> That's a TLD ban. Meaning *.ru is banned.
>> 
>> same applies for my domain for example, I ban *.xyz, *.date and a few others.

> I don't understand at all why banning tld is reasonable.

For the same reason that banning roadrunner was reasonable, the vast majority 
of mail from these new TLDs is nothing but spam, and I mean at levels far 
higher than the 97% of general email spam percentage.

When I blacklisted .top I was getting hundreds of thousands of spam emails a 
day on a quite small mail server, so much mail that it was overwhelming my 
server.

I have seen very few new TLDs that are not major spam magnets, and when I do, I 
unblock them.

But my default position is that every TLD is locked except for the ones I 
specifically allow.

> I'm not rich.

The vast majority of TLDs are quite cheap.

> I can't afford to buy domain names that cost $200 a year to purchase.
> .com .net .info , etc. have run out of the names I wish to use.

If you are paying $200/yr for a domain name you are doing something very wrong. 
I am saying about $12/year. Maybe as high as $15/yr? I'd have to check, it is 
such a low number I don't really know.

> I have never ever sent a single spam email, but you would block my emails?

Yep.

> Bluntly said, but without malice, that attitude favors the rich
> over the poor.

No, it's not an economic issue at all. You are confusing your DESIRE for a 
cheap domain 'you want' with having to get a domain in a skeezy TLD.

> I refuse to trust the BIG guys.

That is your choice. My choice is to not accept mail from .xyz or .rocks or 
.top or many hundreds of others.

Email, having been designed a long time ago, has no mechanism for stopping bad 
behavior, so it is up to each admin to do what they can to stop unwanted mail. 
The vast majority of email that is sent is dangerous, malicious, illegal, or 
unwanted. Not like 50%, but in the high 90s.

The mail that a system accepts is based on a variety of trust characteristics 
that are pretty much unique to every server.

My mail server checks the IP address for every connection against several RBLs, 
checks the connection for certain behaviors before it even allows the 
connection to start talking to the mail server. Once communication occurs, it 
checks a lot more things before accepting the message. Nearly every connection 
attempt is refused and nearly every message that is attempted to be sent is 
rejected. Even so, of the mail that is accepted, 80% is spam and ends up in the 
user's junk mail box.

> My dad uses yahoo and
> gets emails yanked away while he is reading it.

This has nothing to do with TLDs.

> There are many other methods to block spam.
> IMHO, blocking by tld is a bit harsh.

That is your opinion and that is fine. But your opinion has zero effect on 
admins who block TLDs. You have no idea how big an issue spam really is and how 
much time mail admins spend trying to control it to simply a deluge.

This also is probably not the best group for this discussion.

-- 
I loved you when our love was blessed I love you now there's nothing
left But sorrow and a sense of overtime



Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-16 Thread Chris Bennett
On Sat, Feb 12, 2022 at 12:58:03PM +0100, Sebastian Nielsen wrote:
> That's a TLD ban. Meaning *.ru is banned.
> 
> same applies for my domain for example, I ban *.xyz, *.date and a few others.
> 

I don't understand at all why banning tld is reasonable.
I'm not rich. I buy .rocks and .xyz
.rocks really works well with the domain name.
.xyz is short, memorable and easy to type.

I can't afford to buy domain names that cost $200 a year to purchase.
.com .net .info , etc. have run out of the names I wish to use.

I have never ever sent a single spam email, but you would block my
emails? Bluntly said, but without malice, that attitude favors the rich
over the poor. I refuse to trust the BIG guys. My dad uses yahoo and
gets emails yanked away while he is reading it.

Also, I can't find a server company that has IP blocks that are clean
enough. I truly wish I could.

There are many other methods to block spam.
IMHO, blocking by tld is a bit harsh.

But you have the right to do whatever method you wish.
I will only point out my thoughts. SPAM sucks! :-)

-- 
Chris Bennett



RE: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread Marc
> 
> Google's corporate web page, Alphabet, Inc., is on the ".xyz" top level
> domain.
> 
> * https://abc.xyz/
> 

Google is probably the most fined company of all mentioned on this list, 
breaking countless laws over decades. That is the company you have as 
reference? 


Re: Sv: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread lists
If this isn't too far off topic, is it useful to register with https://www.dnswl.org/?p=209

The only servers that reject my email do so because I use DigitalOcean. Spectrum for example. Oddly enough Linode which has a fair number of hackers doesn't get the same treatment.

The only odd TLDs that have become popular are "aero" and "info."  I will probably add some on your list though lately all my spam comes is Google related.

I met one person who used a "life" TLD. He was starting a consulting business for fire resistant home designs (hence life) and thought he would be clever with the TLD. I stopped a woman from using "design."

From: sebast...@sebbe.eu
Sent: February 12, 2022 5:25 AM
To: dovecot@dovecot.org
Subject: Sv: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

Yep. It's a lot of TLDs that is banned at me, but I haven’t had any problems with .ru so .ru isn’t yet banned.

Here is my TLD banlist:

  deny
    message = 5.7.1 Banned TLD where sending IP is not listed on DNSWL ( https://www.dnswl.org/selfservice/?action=register )
    condition = ${if eq {$acl_m4}{dnswl_whitelisted}{no}{yes}}
    sender_domains = ^(?i).*\\.(accountant|accountants|asia|auto|berlin|bid|buzz|camera|car|cam|cars|christmas|click|club|college|computer|country|cricket|date|design|download|exposed|email|fail|faith|fit|fun|gdn|global|guru|help|host|jetzt|kim|icu|life|live|link|loan|london|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|rest|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|surf|tech|technology|theatre|today|top|trade|university|uno|us|viajes|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip|xn--.*)\$

This crap that ICANN started with “custom” TLDs is of more harm than useful. So much spam TLDs in the registry.

From: dovecot-boun...@dovecot.org <dovecot-boun...@dovecot.org> On behalf of justina colmena ~biz
Sent: 12 February 2022 14:06
To: dovecot@dovecot.org
Subject: Re: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

The ".top" TLD is popular among Russian spammers, ".ru" is a little too obvious and honest for what it is, unless that's part of Biden's sanctions, the others you mention look like vice domains, but looking at GitHub:

* https://github.com/dovecot

There's an "Oy" which is a Finnish "osalliyhdistys" and a ".fi" -- I have not heard of recent hostility between Finland and Russia, notwithstanding the Ukraine situation. Your mail client is all configured in Swedish, but Sweden & Finland are not officially part of NATO, AFAIK, and Sweden has its own currency whereas Finland did give up the markka in exchange for the Euro some 20-odd years ago I don't recall.

On February 12, 2022 2:58:03 AM AKST, Sebastian Nielsen <sebast...@sebbe.eu> wrote:

That's a TLD ban. Meaning *.ru is banned.

same applies for my domain for example, I ban *.xyz, *.date and a few others.

-Original message-
From: dovecot-boun...@dovecot.org <dovecot-boun...@dovecot.org> On behalf of Lev Serebryakov
Sent: 12 February 2022 12:08
To: dovecot@dovecot.org
Subject: Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

On 11.02.2022 16:31, Marc wrote:

  (sorry for posting to list this, but I don't have any ways to contact Marc off-list now)

Problem is, I need to unpack each of them to be sure, that these are false positives and I'm afraid, that it could lower reputation of my mail server IP address with major providers (like Google Mail).

How can you get a lower reputation? Afaik dmarc is just signing your outgoing messages.

  Marc, my domain already has problems sending mail to you, for example:

<m...@f1-outsourcing.eu>: host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0
 550We have blocked this toplevel because of spam. Use another toplevel
 until the maintainer has resolved these issues (in reply to MAIL FROM
 command)

--
// Black Lion AKA Lev Serebryakov

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

RE: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread justina colmena ~biz
Google's corporate web page, Alphabet, Inc., is on the ".xyz" top level domain.

* https://abc.xyz/

I suppose Sergey Brin is Russian as well, so what have you there?

Perhaps you have inadvertently confused ".xyz" with the ".xxx" TLD. The popular 
grade school acronym for "eXamine Your Zipper" is obviously not commercially 
desirable for the same purposes, although I cannot vouch for particular 
instances.


On February 12, 2022 5:51:12 AM AKST, Marc  wrote:
>
>
>> 
>>   (sorry for posting to list this, but I don't have any ways to contact
>> Marc off-list now)
>> 
>> >>
>> >>Problem is, I need to unpack each of them to be sure, that these are
>> >> false positives and I'm afraid, that it could lower reputation of my
>> mail
>> >> server IP address with major providers (like Google Mail).
>> >>
>> >
>> > How can you get a lower reputation? Afaik dmarc is just signing your
>> outgoing messages.
>>   Marc, my domain already has problems sending mail to you, for example:
>> 
>> : host spam1.roosit.eu[212.26.193.45] said: 553
>> 5.3.0
>>  550We have blocked this toplevel because of spam. Use another
>> toplevel
>>  until the maintainer has resolved these issues (in reply to MAIL FROM
>>  command)
>> 
>> --
>
>.ru is not blocked. The connect is originating from a .xyz host.
>
>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread Benny Pedersen

On 2022-02-12 12:58, Sebastian Nielsen wrote:

That's a TLD ban. Meaning *.ru is banned.


ru tld is not this time

same applies for my domain for example, I ban *.xyz, *.date and a few 
others.


why ban tld ?

: host spam1.roosit.eu[212.26.193.45] said: 553 
5.3.0


lets see


RE: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread Marc


> 
>   (sorry for posting to list this, but I don't have any ways to contact
> Marc off-list now)
> 
> >>
> >>Problem is, I need to unpack each of them to be sure, that these are
> >> false positives and I'm afraid, that it could lower reputation of my
> mail
> >> server IP address with major providers (like Google Mail).
> >>
> >
> > How can you get a lower reputation? Afaik dmarc is just signing your
> outgoing messages.
>   Marc, my domain already has problems sending mail to you, for example:
> 
> : host spam1.roosit.eu[212.26.193.45] said: 553
> 5.3.0
>  550We have blocked this toplevel because of spam. Use another
> toplevel
>  until the maintainer has resolved these issues (in reply to MAIL FROM
>  command)
> 
> --

.ru is not blocked. The connect is originating from a .xyz host.





Sv: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread Sebastian Nielsen
Yep. It's a lot of TLDs that is banned at me, but I haven’t had any problems 
with .ru so .ru isn’t yet banned.

 

Here is my TLD banlist:

 

  deny
    message = 5.7.1 Banned TLD where sending IP is not listed on DNSWL ( https://www.dnswl.org/selfservice/?action=register )
    condition = ${if eq {$acl_m4}{dnswl_whitelisted}{no}{yes}}
    sender_domains = ^(?i).*\\.(accountant|accountants|asia|auto|berlin|bid|buzz|camera|car|cam|cars|christmas|click|club|college|computer|country|cricket|date|design|download|exposed|email|fail|faith|fit|fun|gdn|global|guru|help|host|jetzt|kim|icu|life|live|link|loan|london|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|rest|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|surf|tech|technology|theatre|today|top|trade|university|uno|us|viajes|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip|xn--.*)\$

 

This crap that ICANN started with “custom” TLDs is of more harm than useful. So 
much spam TLDs in the registry.

 

From: dovecot-boun...@dovecot.org  On behalf of justina colmena ~biz
Sent: 12 February 2022 14:06
To: dovecot@dovecot.org
Subject: Re: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

 

The ".top" TLD is popular among Russian spammers, ".ru" is a little too obvious 
and honest for what it is, unless that's part of Biden's sanctions, the others 
you mention look like vice domains, but looking at GitHub:

* https://github.com/dovecot

There's an "Oy" which is a Finnish "osalliyhdistys" and a ".fi" -- I have not 
heard of recent hostility between Finland and Russia, notwithstanding the 
Ukraine situation. Your mail client is all configured in Swedish, but Sweden & 
Finland are not officially part of NATO, AFAIK, and Sweden has its own currency 
whereas Finland did give up the markka in exchange for the Euro some 20-odd 
years ago I don't recall.



On February 12, 2022 2:58:03 AM AKST, Sebastian Nielsen <sebast...@sebbe.eu> wrote:

That's a TLD ban. Meaning *.ru is banned.

same applies for my domain for example, I ban *.xyz, *.date and a few others.

-Original message-
From: dovecot-boun...@dovecot.org <dovecot-boun...@dovecot.org> On behalf of Lev Serebryakov
Sent: 12 February 2022 12:08
To: dovecot@dovecot.org
Subject: Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

On 11.02.2022 16:31, Marc wrote:

  (sorry for posting to list this, but I don't have any ways to contact Marc 
off-list now)


Problem is, I need to unpack each of them to be sure, that these 
 are false positives and I'm afraid, that it could lower reputation of 
 my mail server IP address with major providers (like Google Mail).


How can you get a lower reputation? Afaik dmarc is just signing your outgoing 
messages.

  Marc, my domain already has problems sending mail to you, for example:

<m...@f1-outsourcing.eu>: host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0
 550We have blocked this toplevel because of spam. Use another toplevel
 until the maintainer has resolved these issues (in reply to MAIL FROM
 command)

--
// Black Lion AKA Lev Serebryakov

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread justina colmena ~biz
The ".top" TLD is popular among Russian spammers, ".ru" is a little too obvious 
and honest for what it is, unless that's part of Biden's sanctions, the others 
you mention look like vice domains, but looking at GitHub:

* https://github.com/dovecot

There's an "Oy" which is a Finnish "osalliyhdistys" and a ".fi" -- I have not 
heard of recent hostility between Finland and Russia, notwithstanding the 
Ukraine situation. Your mail client is all configured in Swedish, but Sweden & 
Finland are not officially part of NATO, AFAIK, and Sweden has its own currency 
whereas Finland did give up the markka in exchange for the Euro some 20-odd 
years ago I don't recall.


On February 12, 2022 2:58:03 AM AKST, Sebastian Nielsen  
wrote:
>That's a TLD ban. Meaning *.ru is banned.
>
>same applies for my domain for example, I ban *.xyz, *.date and a few others.
>
>-Original message-
>From: dovecot-boun...@dovecot.org  On behalf of Lev Serebryakov
>Sent: 12 February 2022 12:08
>To: dovecot@dovecot.org
>Subject: Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
>
>On 11.02.2022 16:31, Marc wrote:
>
>  (sorry for posting to list this, but I don't have any ways to contact Marc 
> off-list now)
>
>>>
>>>Problem is, I need to unpack each of them to be sure, that these 
>>> are false positives and I'm afraid, that it could lower reputation of 
>>> my mail server IP address with major providers (like Google Mail).
>>>
>> 
>> How can you get a lower reputation? Afaik dmarc is just signing your 
>> outgoing messages.
>  Marc, my domain already has problems sending mail to you, for example:
>
>: host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0
> 550We have blocked this toplevel because of spam. Use another toplevel
> until the maintainer has resolved these issues (in reply to MAIL FROM
> command)
>
>--
>// Black Lion AKA Lev Serebryakov
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread Sebastian Nielsen
That's a TLD ban. Meaning *.ru is banned.

same applies for my domain for example, I ban *.xyz, *.date and a few others.

-Original message-
From: dovecot-boun...@dovecot.org  On behalf of Lev 
Serebryakov
Sent: 12 February 2022 12:08
To: dovecot@dovecot.org
Subject: Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

On 11.02.2022 16:31, Marc wrote:

  (sorry for posting to list this, but I don't have any ways to contact Marc 
off-list now)

>>
>>Problem is, I need to unpack each of them to be sure, that these 
>> are false positives and I'm afraid, that it could lower reputation of 
>> my mail server IP address with major providers (like Google Mail).
>>
> 
> How can you get a lower reputation? Afaik dmarc is just signing your outgoing 
> messages.
  Marc, my domain already has problems sending mail to you, for example:

: host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0
 550We have blocked this toplevel because of spam. Use another toplevel
 until the maintainer has resolved these issues (in reply to MAIL FROM
 command)

--
// Black Lion AKA Lev Serebryakov



Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread Lev Serebryakov

On 11.02.2022 16:31, Marc wrote:

 (sorry for posting to list this, but I don't have any ways to contact Marc 
off-list now)



   Problem is, I need to unpack each of them to be sure, that these are
false positives and I'm afraid, that it could lower reputation of my mail
server IP address with major providers (like Google Mail).



How can you get a lower reputation? Afaik dmarc is just signing your outgoing 
messages.

 Marc, my domain already has problems sending mail to you, for example:

: host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0
550We have blocked this toplevel because of spam. Use another toplevel
until the maintainer has resolved these issues (in reply to MAIL FROM
command)

--
// Black Lion AKA Lev Serebryakov


Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-12 Thread Lev Serebryakov

On 11.02.2022 16:31, Marc wrote:


   Problem is, I need to unpack each of them to be sure, that these are
false positives and I'm afraid, that it could lower reputation of my mail
server IP address with major providers (like Google Mail).



How can you get a lower reputation? Afaik dmarc is just signing your outgoing 
messages.

 DKIM is signing of headers. DMARC is policy (like "This domain must sign all messages with 
DKIM, no exceptions, and has strict SPF") and reporting mechanism for other hosts ("We 
get mail from you and this message violates declared policy of your domain").

 As I get these reports, it means that messages from "my domain" (really, 
forwarded by mailing list software) violate policies set by my domain. It means, my 
domain is compromised somehow.


--
// Black Lion AKA Lev Serebryakov


Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-11 Thread Benny Pedersen

On 2022-02-11 16:27, Marc wrote:

wait for spamassassin 4, gmail does not let users change their missing
problems with no dnssec domains, how can google be serious there ?


google is only to be taken serious with acquiring new clients, if they
would take email serious they would eg spend money on filtering their
outgoing spam and use -all in their spf.


ARC-Authentication-Results: i=1; talvi.dovecot.org; dkim=none; 
dmarc=none;
 spf=pass (talvi.dovecot.org: domain of m...@f1-outsourcing.eu 
designates

 212.26.193.44 as permitted sender) smtp.mailfrom=m...@f1-outsourcing.eu

+1


Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-11 Thread Benny Pedersen

On 2022-02-11 14:31, Marc wrote:


How can you get a lower reputation? Afaik dmarc is just signing your
outgoing messages.


there is no reputation in dmarc, it either pass or fail, if all fails, it 
proves nothing, if all pass it proves just a little that is not forged 
content


maillist should always be trusted, in the AR header, but not from 
untrusted AR header domains, dmarc check must not be used from untrusted 
AR signers, so make maillists ARC domains trusted, noise will then be 
lower on reports


i say still opendkim/openarc/openspf/opendmarc is still unstable, and no 
one should really trust it in current state






RE: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-11 Thread Marc
> wait for spamassassin 4, gmail does not let users change their missing
> problems with no dnssec domains, how can google be serious there ?

google is only to be taken serious with acquiring new clients, if they would 
take email serious they would eg spend money on filtering their outgoing spam 
and use -all in their spf.



Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-11 Thread Benny Pedersen

On 2022-02-11 12:29, Lev Serebryakov wrote:

On 09.02.2022 16:33, Aki Tuomi wrote:

 I'm participating in ~20 mailing lists and only this one gives a
storm of DMARC reports on each my posting.


+1


 Problem is, I need to unpack each of them to be sure, that these are
false positives and I'm afraid, that it could lower reputation of my
mail server IP address with major providers (like Google Mail).


your problem is that ARC seal, ARC sign, is not used or even trusted at 
the dmarc reporting host


this will make noise and false reporting :/

until this is solved turn off reporting in dmarc policy



We did that replacement for a while, but people complained. We have 
ARC signing there, unfortunately it only works if you trust it.


i can make that strong, people should learn on ARC, and use rspamd or 
wait for spamassassin 4, gmail does not let users change their missing 
problems with no dnssec domains, how can google be serious there ?


RE: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-11 Thread Marc
> 
>   Problem is, I need to unpack each of them to be sure, that these are
> false positives and I'm afraid, that it could lower reputation of my mail
> server IP address with major providers (like Google Mail).
> 

How can you get a lower reputation? Afaik dmarc is just signing your outgoing 
messages.


Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-11 Thread Lev Serebryakov

On 09.02.2022 16:33, Aki Tuomi wrote:

 I'm participating in ~20 mailing lists and only this one gives a storm of 
DMARC reports on each my posting.

 Problem is, I need to unpack each of them to be sure, that these are false 
positives and I'm afraid, that it could lower reputation of my mail server IP 
address with major providers (like Google Mail).


We did that replacement for a while, but people complained. We have ARC signing 
there, unfortunately it only works if you trust it.

Aki


On 04/02/2022 23:10 Sebastian Nielsen  wrote:

  
I get it too. These appear because they don't replace either MAIL FROM: or Mime From: with the list address. This causes validations to fail since the mailing list is trying to spoof mail in your name, and of course, anti-spoofing security is going to react. DKIM can be troublesome since mailing lists sometimes change or reencode content so DKIM signature fails.


-Original message-
From: dovecot-boun...@dovecot.org  On behalf of Lev 
Serebryakov
Sent: 4 February 2022 21:58
To: dovecot@dovecot.org
Subject: dovecot mailing list (this mailing list), DKIM, SPF and DMARC


   My domain (serebrtyajov.spb.ru) has all these "new" e-mail technologies 
configured. It works fine till I write to this mailing list.

   After that I've got several DMARC reports about "spam" from my domain. All 
these reports are about my mailing list post.

   I don't have such problems with other mailing lists (FreeBSD ones, OpenJDK 
ones, and others).

   Looks like mailing list software for this mailing list is misconfigured.

   I'm sure, I'll get new after this message.

--
// Black Lion AKA Lev Serebryakov



--
// Black Lion AKA Lev Serebryakov


Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-10 Thread Stuart Henderson
On 2022-02-10, dove...@ptld.com  wrote:
> It is possible for a mailing list to pass DMARC verification, but
> there doesn't seem to be a lot of motivation to put in the extra effort
> to make it work.

It is possible, but it breaks how many people expect mailing lists to work.




Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-09 Thread dovecot
> when dkim pass there is no breakage, but dkim fail can lead to in some setups 
> to make reject, even for maillists
> that is a design fail on dkim


I disagree. DKIM is doing its job. It is a design fail on the part of most 
mailing list and/or lack of user's DKIM signatures.

Look at it logically, DKIM is reporting that the email has been manipulated and 
isn't being delivered by the authorized server. Isn't that what you want out of 
DKIM? Detecting forged, phishing and spam email?

If you want to get emails that have been captured by a man in the middle, 
manipulated, then sent to you from a hackers server then why bother setting up 
DKIM at all? To us humans, we don't conceptually view a mailing list as doing 
that, but on the technical level that is what is happening when DMARC breaks.

It is possible for a mailing list to pass DMARC verification, but there doesn't 
seem to be a lot of motivation to put in the extra effort to make it work.



Regarding ARC;
I don't get it, I don't see it as useful. The only thing ARC does is tell you 
that the server sending you email promises the email is legit. How does that 
prevent spam/phishing when the attack server can ARC something saying trust me 
it's legit? And the big 3 using ARC, so what, what does it even mean? Gmail is 
telling you yep they got that email from someone else and are relaying it to 
you. What does that solve? Spammers send through gmail accounts and use private 
domains relayed through gmail servers for delivery. Great, ARC confirms it 
really was someone who sent that spam through gmail and gmail really did 
deliver it. How is that useful in fighting spam?

If I'm way off on that, feel free to set me straight.


Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-09 Thread Benny Pedersen

On 2022-02-09 17:25, Julien Salort wrote:

On 09/02/2022 at 16:55, Benny Pedersen wrote:

hope maillist users turn their dkim signers into sign only, not verify 
as well, verify must only happen in dmarc


I am a little bit confused.

- why not verify dkim ? It seems fine for your message. I get:


when dkim pass there is no breakage, but dkim fail can lead to in some 
setups to make reject, even for maillists :/


that is a design fail on dkim

hence why i say sign only in dkim


Received-SPF: Pass (mailfrom) identity=mailfrom;
client-ip=94.237.105.223; helo=talvi.dovecot.org;
envelope-from=dovecot-boun...@dovecot.org; receiver=
Authentication-Results: OpenDMARC; dmarc=pass (p=none dis=none)
header.from=junc.eu
Authentication-Results: vps2.salort.eu;
dkim=pass (2048-bit key; secure) header.d=junc.eu header.i=@junc.eu
header.a=rsa-sha256 header.s=default header.b=CC9G/2tV;
dkim-atps=neutral


perfectly good no problem


- Is it useful to install something besides OpenDMARC (OpenARC ?), or
some dedicated OpenDMARC configurations, for the ARC-Seal to be useful
?


we are all waiting for spamassassin 4, and maybe ietf stable rfc on 
openspf, opendkim, openarc, opendmarc, currently none of it is 
production stable



I suppose SPF works because the Envelope is correctly set to
dovecot.org address, so I don't understand the problem the OP was
mentioning.


postfix maillist have no spf helo pass, no spf pass, i think it's to 
force pass only on dkim in dmarc :=)


i don't control dovecot.org spf, so if it received in arc test pass i am 
happy, note arc miss spf helo fail/pass


it's not production stable


Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-09 Thread Julien Salort

On 09/02/2022 at 16:55, Benny Pedersen wrote:

hope maillist users turn their dkim signers into sign only, not verify 
as well, verify must only happen in dmarc 


I am a little bit confused.

- why not verify dkim ? It seems fine for your message. I get:

Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=94.237.105.223; 
helo=talvi.dovecot.org; envelope-from=dovecot-boun...@dovecot.org; 
receiver=
Authentication-Results: OpenDMARC; dmarc=pass (p=none dis=none) 
header.from=junc.eu
Authentication-Results: vps2.salort.eu;
dkim=pass (2048-bit key; secure) header.d=junc.eu header.i=@junc.eu 
header.a=rsa-sha256 header.s=default header.b=CC9G/2tV;
dkim-atps=neutral

- Is it useful to install something besides OpenDMARC (OpenARC ?), or some 
dedicated OpenDMARC configurations, for the ARC-Seal to be useful ?

I suppose SPF works because the Envelope is correctly set to dovecot.org 
address, so I don't understand the problem the OP was mentioning.

Cheers,

Julien



Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-09 Thread justina colmena ~biz
Google, Yahoo and Microsoft, the big providers all use ARC, and have used it 
for years. But Wikipedia doesn't have much nice to say about it.

--> allows a receiving service to validate an email when the email's SPF and 
DKIM records are rendered invalid by an intermediate server's processing. ARC 
is defined in RFC 8617, published in July 2019, as "Experimental".

It sounds like a Microsoft/Google/corporate standard, not IETF. I do seem to 
have trouble communicating with insurance companies' email systems in 
particular when I'm not using ARC on my email system, but outside the insurance 
industry -- and I'm making an educated guess that they are the main sticklers 
-- it doesn't seem to be a problem if SPF, DKIM, and DMARC are all working.


On February 9, 2022 6:16:19 AM AKST, Benny Pedersen  wrote:
>On 2022-02-09 14:33, Aki Tuomi wrote:
>> We did that replacement for a while, but people complained. We have
>> ARC signing there, unfortunately it only works if you trust it.
>
>ARC-Authentication-Results: i=1; talvi.dovecot.org;
>  dkim=pass header.d=open-xchange.com header.s=201705 header.b=kWkbHwXq;
>  dmarc=pass (policy=reject) header.from=open-xchange.com;
>  spf=pass (talvi.dovecot.org: domain of aki.tu...@open-xchange.com 
>designates
>  87.191.57.183 as permitted sender) 
>smtp.mailfrom=aki.tu...@open-xchange.com
>
>X-Spam-Status: No, score=-6.4 required=5.0 
>tests=AWL,DKIM_INVALID,DKIM_SIGNED,
>   HEADER_FROM_DIFFERENT_DOMAINS,KAM_DMARC_STATUS,LOCAL_HASHWL_ALL,
>   MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_HOSTKARMA_W,
>   RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,
>   T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
>
>seems it breaks :/

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-09 Thread Benny Pedersen

On 2022-02-09 16:16, Benny Pedersen wrote:

On 2022-02-09 14:33, Aki Tuomi wrote:

We did that replacement for a while, but people complained. We have
ARC signing there, unfortunately it only works if you trust it.


ARC-Authentication-Results: i=1; talvi.dovecot.org;
 dkim=pass header.d=open-xchange.com header.s=201705 header.b=kWkbHwXq;
 dmarc=pass (policy=reject) header.from=open-xchange.com;
 spf=pass (talvi.dovecot.org: domain of aki.tu...@open-xchange.com 
designates
 87.191.57.183 as permitted sender) 
smtp.mailfrom=aki.tu...@open-xchange.com


X-Spam-Status: No, score=-6.4 required=5.0 
tests=AWL,DKIM_INVALID,DKIM_SIGNED,

HEADER_FROM_DIFFERENT_DOMAINS,KAM_DMARC_STATUS,LOCAL_HASHWL_ALL,
MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_HOSTKARMA_W,
RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,
T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no

seems it breaks :/


my own in return

X-Spam-Status: No, score=-6.2 required=5.0 
tests=AWL,DKIM_SIGNED,DKIM_VALID,

DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,LOCAL_HASHWL_ALL,
MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_HOSTKARMA_W,
RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,
T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no

so it seems fuglu works

hope maillist users turn their dkim signers into sign only, not verify 
as well, verify must only happen in dmarc




Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-09 Thread Benny Pedersen

On 2022-02-09 14:33, Aki Tuomi wrote:

We did that replacement for a while, but people complained. We have
ARC signing there, unfortunately it only works if you trust it.


ARC-Authentication-Results: i=1; talvi.dovecot.org;
 dkim=pass header.d=open-xchange.com header.s=201705 header.b=kWkbHwXq;
 dmarc=pass (policy=reject) header.from=open-xchange.com;
 spf=pass (talvi.dovecot.org: domain of aki.tu...@open-xchange.com 
designates
 87.191.57.183 as permitted sender) 
smtp.mailfrom=aki.tu...@open-xchange.com


X-Spam-Status: No, score=-6.4 required=5.0 
tests=AWL,DKIM_INVALID,DKIM_SIGNED,

HEADER_FROM_DIFFERENT_DOMAINS,KAM_DMARC_STATUS,LOCAL_HASHWL_ALL,
MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_HOSTKARMA_W,
RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,
T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no

seems it breaks :/


Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-09 Thread justina colmena ~biz



On February 4, 2022 11:56:53 AM AKST, Lev Serebryakov  
wrote:
>  After that I've got several DMARC reports about "spam" from my domain. All 
> these reports are about my mailing list post.
>
Interesting. That's exactly how DMARC is supposed to work with reporting 
enabled. So you've got that set up correctly at any rate!

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-09 Thread Aki Tuomi
We did that replacement for a while, but people complained. We have ARC signing 
there, unfortunately it only works if you trust it.

Aki

> On 04/02/2022 23:10 Sebastian Nielsen  wrote:
> 
>  
> I get it too. These appear because they don't replace either MAIL FROM: or 
> Mime From: with the list address. This causes validations to fail since the 
> mailing list is trying to spoof mail in your name, and of course, 
> anti-spoofing security is going to react. DKIM can be troublesome since 
> mailing lists sometimes change or reencode content so DKIM signature fails.
> 
> -Original message-
> From: dovecot-boun...@dovecot.org  On behalf of Lev 
> Serebryakov
> Sent: 4 February 2022 21:58
> To: dovecot@dovecot.org
> Subject: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
> 
> 
>   My domain (serebrtyajov.spb.ru) has all these "new" e-mail technologies 
> configured. It works fine till I write to this mailing list.
> 
>   After that I've got several DMARC reports about "spam" from my domain. All 
> these reports are about my mailing list post.
> 
>   I don't have such problems with other mailing lists (FreeBSD ones, OpenJDK 
> ones, and others).
> 
>   Looks like mailing list software for this mailing list is misconfigured.
> 
>   I'm sure, I'll get new after this message.
> 
> -- 
> // Black Lion AKA Lev Serebryakov


Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-04 Thread Sebastian Nielsen
I get it too. These appear because they don't replace either MAIL FROM: or Mime 
From: with the list address. This causes validations to fail since the mailing 
list is trying to spoof mail in your name, and of course, anti-spoofing 
security is going to react. DKIM can be troublesome since mailing lists 
sometimes change or reencode content so DKIM signature fails.

-Original message-
From: dovecot-boun...@dovecot.org  On behalf of Lev 
Serebryakov
Sent: 4 February 2022 21:58
To: dovecot@dovecot.org
Subject: dovecot mailing list (this mailing list), DKIM, SPF and DMARC


  My domain (serebrtyajov.spb.ru) has all these "new" e-mail technologies 
configured. It works fine till I write to this mailing list.

  After that I've got several DMARC reports about "spam" from my domain. All 
these reports are about my mailing list post.

  I don't have such problems with other mailing lists (FreeBSD ones, OpenJDK 
ones, and others).

  Looks like mailing list software for this mailing list is misconfigured.

  I'm sure, I'll get new after this message.

-- 
// Black Lion AKA Lev Serebryakov
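
The alignment failure described in the message above, worked through as an added example (not code from the list software or from any poster): DMARC passes only when SPF or DKIM passes for a domain aligned with the From: header domain. The `org_domain` helper is an assumption that takes the last two labels instead of consulting the Public Suffix List, and the sample deliveries are constructed to mirror the results quoted in this thread, with made-up local parts.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    # ASSUMPTION: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Identifier alignment: exact match (strict) or same organizational domain."""
    if not auth_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Delivery:
    header_from: str                 # From: header as the final receiver sees it
    spf_result: str                  # SPF result for the envelope sender
    spf_domain: str                  # domain of the envelope sender (MAIL FROM)
    dkim: list = field(default_factory=list)   # [(result, d= domain), ...]


def dmarc_eval(msg: Delivery) -> dict:
    """Return the DMARC outcome and which mechanism, if any, carried it."""
    from_domain = parseaddr(msg.header_from)[1].rpartition("@")[2]
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, from_domain)
    dkim_ok = any(res == "pass" and aligned(d, from_domain) for res, d in msg.dkim)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


# Constructed samples. Domains are the ones quoted in the thread.
SCENARIOS = {
    # List keeps the author's From: but the body changed, so the author's
    # DKIM signature breaks; SPF passes, but only for the list's own domain.
    "author_from_body_modified": Delivery(
        header_from="Author <author@protonmail.ch>",
        spf_result="pass", spf_domain="dovecot.org",
        dkim=[("fail", "protonmail.ch")],
    ),
    # List keeps the author's From: and relays the message byte for byte,
    # so the author's DKIM signature still verifies and is aligned.
    "author_from_untouched": Delivery(
        header_from="Author <author@protonmail.ch>",
        spf_result="pass", spf_domain="dovecot.org",
        dkim=[("pass", "protonmail.ch")],
    ),
    # List rewrites From: to its own address and signs with its own key.
    "from_rewritten_resigned": Delivery(
        header_from="Author via dovecot <dovecot@dovecot.org>",
        spf_result="pass", spf_domain="dovecot.org",
        dkim=[("pass", "dovecot.org")],
    ),
}


def evaluate_all() -> dict:
    return {name: dmarc_eval(msg)["dmarc"] for name, msg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, msg in SCENARIOS.items():
        print(name, dmarc_eval(msg))
```
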



dovecot mailing list (this mailing list), DKIM, SPF and DMARC

2022-02-04 Thread Lev Serebryakov



 My domain (serebrtyajov.spb.ru) has all these "new" e-mail technologies 
configured. It works fine till I write to this mailing list.

 After that I've got several DMARC reports about "spam" from my domain. All 
these reports are about my mailing list post.

 I don't have such problems with other mailing lists (FreeBSD ones, OpenJDK 
ones, and others).

 Looks like mailing list software for this mailing list is misconfigured.

 I'm sure, I'll get new after this message.

--
// Black Lion AKA Lev Serebryakov


Re: Why do so many dovecot list mails fail dmarc?

2021-08-16 Thread Jochen Bern
On 14.08.21 20:37, @lbutlr wrote:
> On 2021 Aug 13, at 11:11, dove...@ptld.com wrote:
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch;
>>  s=protonmail; t=1628873196;
>>  bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=;
>>  h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;
> 
> [...] I do not know why Reply-to and From are both listed twice.

(That's Reply-To: (the address(es) to which to send replies) and
*In-*Reply-To: (the Message-ID of the mail that *this* e-mail replies
to), FWIW.)

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH





Sv: Why do so many dovecot list mails fail dmarc?

2021-08-14 Thread Sebastian
>>Reply-to and From are both listed twice

This is called "oversigning" and means that a null variant of Reply-To: and 
From: are signed too, preventing adding additional headers of Reply-To: and 
From:.

This is particularly important for headers that are permitted to be in an email 
multiple times, as an attacker could add headers into a signed mail without 
failing signature, if the headers are not "oversigned".

With oversigning (twice header listing):

Signed:
Reply-To: m...@somebody.com

In email:
Reply-To: m...@somebody.com
Reply-To: attac...@suspicious.com

Would fail signature.

Without oversigning (header only listed once):

Signed:
Reply-To: m...@somebody.com

In email:
Reply-To: m...@somebody.com
Reply-To: attac...@suspicious.com

Would pass signature.
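
The oversigning behaviour described above, as an added example (not code from any DKIM implementation or from the poster): it models only the header selection of RFC 6376 section 5.4.2, where each name in `h=` consumes the bottom-most unused instance of that header and an extra listing with no instance left contributes an empty string. The SHA-256 digest stands in for the signed header hash, the canonicalization is simplified, and the messages and addresses are constructed.

```python
import hashlib
from collections import Counter


def relaxed(name: str, value: str) -> str:
    # Simplified "relaxed" header canonicalization: lowercase the name,
    # collapse runs of whitespace in the value.
    return f"{name.lower()}:{' '.join(value.split())}\r\n"


def select_headers(headers, h_tag: str):
    """headers: [(name, value), ...] in top-to-bottom order.

    For each name in h=, take the bottom-most instance not yet used.
    When none is left, the entry contributes the null string; that extra
    entry is what "oversigning" adds.
    """
    unused = {}
    for idx, (name, _) in enumerate(headers):
        unused.setdefault(name.lower(), []).append(idx)
    picked = []
    for name in h_tag.split(":"):
        stack = unused.get(name.strip().lower(), [])
        picked.append(relaxed(*headers[stack.pop()]) if stack else "")
    return picked


def header_digest(headers, h_tag: str) -> str:
    # Stand-in for the header hash a real signer would sign.
    return hashlib.sha256("".join(select_headers(headers, h_tag)).encode()).hexdigest()


def listing_counts(h_tag: str) -> Counter:
    """How often each header name is listed in h= (audit helper)."""
    return Counter(n.strip().lower() for n in h_tag.split(":") if n.strip())


# Constructed message as signed by the sender.
ORIGINAL = [
    ("From", "Alice <alice@example.org>"),
    ("Reply-To", "alice@example.org"),
    ("Subject", "Hello list"),
]
# Same message with one more Reply-To: placed above the signed one in transit.
ALTERED = [("Reply-To", "someone-else@example.net")] + ORIGINAL

H_PLAIN = "from:reply-to:subject"
H_OVERSIGNED = "from:from:reply-to:reply-to:subject"


def survives_added_header(h_tag: str) -> bool:
    """True if the signed header hash still matches after the extra header."""
    return header_digest(ORIGINAL, h_tag) == header_digest(ALTERED, h_tag)


# h= value quoted in this thread: From is listed twice, Reply-To once
# (In-Reply-To is a different header).
PAGE_H = "Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From"

if __name__ == "__main__":
    print("plain h=      verifies after change:", survives_added_header(H_PLAIN))
    print("oversigned h= verifies after change:", survives_added_header(H_OVERSIGNED))
    print("listed more than once:",
          [n for n, c in listing_counts(PAGE_H).items() if c > 1])
```
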





Re: Why do so many dovecot list mails fail dmarc?

2021-08-14 Thread @lbutlr
On 2021 Aug 13, at 11:11, dove...@ptld.com wrote:
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch;
>  s=protonmail; t=1628873196;
>  bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=;
>  h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;

This seems overly restrictive for a mailing list, I think, and I do not know 
why Reply-to and From are both listed twice. However, it is not where the 
failure is.

Authentication-Results: smtp.ptld.com;
 dkim=fail reason="signature verification failed" (1024-bit key; secure) 
header.d=protonmail.ch
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch;
 s=protonmail; t=1628873196;
 bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=;
 h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;
 b=ivRoCAz3tXqh7Rk7Orxq6sdNGdIZ8eir4AX6OGxorOOza+XFOLQfBBIp4LfFEFV0y
 hV6b8z8gLmkZaEquwTyh+/Hx3lfpxts6Jvh1zpdL7YvahS2kOjSt0XikXulVgwvvxk
 BNmFxlLWwyVETRpgm5qsQHsNDjYb8HuYID4r1AXM=

That signature is from smtp.ptld.com and it is that signature that is failing, 
I believe.


-- 
Hi, I'm Gary Cooper, but not the Gary Cooper that's dead.



Why do so many dovecot list mails fail dmarc?

2021-08-13 Thread dovecot
I'm trying to get my head around this problem that too many valid emails 
from the mailing list fail dmarc. Why when other mailing lists don't seem 
to have the same problem? I see today it says "signature verification 
failed", but why? Is there a problem with protonmail's dkim key? Is the 
dovecot list altering the message body? Is something wrong on my 
server's end?



The example today was an email from @protonmail.ch, and the headers 
were:


  Return-Path: 
  Delivered-To: dove...@ptld.com
  Received: from smtp.ptld.com
  by host.ptld.com with LMTP
  id +SjBLQqiFmFSbgIAjbxwTg
  (envelope-from )
  for ; Fri, 13 Aug 2021 12:47:06 -0400
  Received: from talvi.dovecot.org (talvi.dovecot.org [94.237.25.159])
  by smtp.ptld.com (Postfix) with ESMTPS id 4GmTx61z3fz4l3g2
  for ; Fri, 13 Aug 2021 12:47:06 -0400 (EDT)
  Authentication-Results: smtp.ptld.com; dmarc=fail (p=quarantine 
dis=none) header.from=protonmail.ch
  Authentication-Results: smtp.ptld.com; spf=pass 
smtp.mailfrom=dovecot.org

  Authentication-Results: smtp.ptld.com;
  dkim=fail reason="signature verification failed" (1024-bit key; 
secure) header.d=protonmail.ch header.i=@protonmail.ch 
header.a=rsa-sha256 header.s=protonmail header.b=ivRoCAz3

  Received: from talvi.dovecot.org (localhost.localdomain [127.0.0.1])
  by talvi.dovecot.org (Postfix) with ESMTP id 3862D32297F;
  Fri, 13 Aug 2021 19:46:41 +0300 (EEST)
  X-Original-To: dovecot@dovecot.org
  Delivered-To: dovecot@dovecot.org
  Received: from mail-41113.protonmail.ch (mail-41113.protonmail.ch
  [185.70.41.113])
  by talvi.dovecot.org (Postfix) with ESMTPS id 07C532E9ADB
  for ; Fri, 13 Aug 2021 19:46:37 +0300 (EEST)
  Date: Fri, 13 Aug 2021 16:46:34 +
  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch;
  s=protonmail; t=1628873196;
  bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=;
  h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;
  
b=ivRoCAz3tXqh7Rk7Orxq6sdNGdIZ8eir4AX6OGxorOOza+XFOLQfBBIp4LfFEFV0y

  hV6b8z8gLmkZaEquwTyh+/Hx3lfpxts6Jvh1zpdL7YvahS2kOjSt0XikXulVgwvvxk
  BNmFxlLWwyVETRpgm5qsQHsNDjYb8HuYID4r1AXM=
  To: Aki Tuomi 
  From: Laura Smith 
  Subject: Re: Undefined symbols (macOS Big Sur Intel) during compiling, 
update
  Message-ID: 

  In-Reply-To: 
<180775367.20741.1628870488...@appsuite-dev-gw1.open-xchange.com>
  References: 

  


  <180775367.20741.1628870488...@appsuite-dev-gw1.open-xchange.com>
  MIME-Version: 1.0
  Content-Type: text/plain; charset=utf-8
  Content-Transfer-Encoding: quoted-printable
  X-Spam-Status: No, score=-1.2 required=10.0 
tests=ALL_TRUSTED,DKIM_SIGNED,
  DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM 
shortcircuit=no

  autolearn=disabled version=3.4.4
  X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
  mailout.protonmail.ch
  ARC-Seal: i=1; s=arc; d=dovecot.org; t=1628873197; a=rsa-sha256; 
cv=none;
  
b=nuVCke6mta+nYIMyYvb2qRkTUyHSfKXEpp2vTds/ioq0kV4fyIL9oEON09yOoYcrQwci6D
  
/EBrkZQI6nBjz592m7oslCjeNTcprIJr5QqLY6mJwW7mu+tp4rSEppIyD+r+9dbICExfFO
  
p3j43c/m0J2acYc5pzZyJM7gLx/RBj2GURAUrP0JaX+y7moB/XQNPIJir2rE/jjNwojKCX
  
keLRjlzOn7N4dLZxnKHgevDu6tH6gb0OzLPJO7W2IloMxdLZ/ab0PPZOj/M+BaYqnfa1Hs

  T4EvKhSwDjLyhjUQh7QTkmYm/FryVnIxEawEM+huOW9djJe7pIijuNFTqOR4Xg==
  ARC-Authentication-Results: i=1; talvi.dovecot.org;
  dkim=pass header.d=protonmail.ch header.s=protonmail 
header.b=ivRoCAz3;
  spf=pass (talvi.dovecot.org: domain of 
n5d9xq3ti233xiyif...@protonmail.ch

  designates 185.70.41.113 as permitted sender)
  smtp.mailfrom=n5d9xq3ti233xiyif...@protonmail.ch
  ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; 
d=dovecot.org;
  s=arc; t=1628873197; 
h=from:from:reply-to:reply-to:subject:subject:date:date:

  message-id:message-id:to:to:cc:cc:mime-version:mime-version:
  content-type:content-type:
  content-transfer-encoding:content-transfer-encoding:
  in-reply-to:in-reply-to:references:references:dkim-signature;
  bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=;
  
b=EYR3Jyq5jrpho8glpLHD60ehlmLaGqrfdZepsfTTJtkjb0AkScBiUB0JX5hGbeyQCdeFvF
  
zr0g/tfST7KEANMdZ0GK+rmwwSZC7LuKzszXWP+Pi5kBxsDPPU4BUivUkP3abCnGIixXfq
  
LrEe+/bDrbMkM01wO8sJ0mZccYwURDMTJc7gFjcdSye+3FfKPZAvT9OG2aD2yQhtIVwpbv
  
+Hg7P5v5Et/muT1E8NHZRBGOPhv4OZ/A2TcOLpafXejddNj2pRtVo8NlFzzT2PBn+KV49M

  nhI4ZDGk43l66nud7wMGDNdUcqYQl6CBQww+kC4ewfNbTy5D27wQwFzpVWGfFQ==
  Cc: "dovecot@dovecot.org" , Beosdoc 


  X-BeenThere: dovecot@dovecot.org
  X-Mailman-Version: 2.1.15
  Precedence: list
  List-Id: Dovecot Mailing List 
  List-Unsubscribe: <https://dovecot.org/mailman/options/dovecot>,
  <mailto:dovecot-requ...@dovecot.org?subject=unsubscribe>
  List-Archive: <https://dovecot.org/pipermail/dovecot/>
  List-Post: <mailto:dovecot@dovecot.org>
  List-Help: <mailto:dovecot-req

Re: DMARC problems with some emails from the list

2021-03-09 Thread Juri Haberland
On 09.03.21 17:00, Benny Pedersen wrote:

> ARC test can be skipped if ORIGINATING dkim signed DKIM signature gives 
> PASS
> 
> your mail here gives DKIM PASS in perl Mail::DKIM
> 
> but
> 
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; 
> d=dovecot.org;
>   s=arc; t=1615272934;
>   h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
>   to:to:cc:mime-version:mime-version:content-type:content-type:
>   content-transfer-encoding:content-transfer-encoding:
>   in-reply-to:in-reply-to:references:references:dkim-signature;
> 
> is with double headers sign in ARC :(
> 
> is owners listen here ?

Again, there is and should be no problem with double header signing. And
even if there would be a problem with it, the ARC-Message-Signature will be
ignored by 99% of mail handling applications...

I really don't get your point and it seems to me you didn't understand the
OP's problem.


Cheers,
  Juri



Re: DMARC problems with some emails from the list

2021-03-09 Thread Benny Pedersen

On 2021-03-09 07:55, Ángel L. Mateo wrote:


I don't know the exact details of the antispam configuration. But I
have asked and the administrator told me that we are not doing ARC
tests. He told me that the emails are marked as spam because of dkim
failures.


ARC test can be skipped if ORIGINATING dkim signed DKIM signature gives 
PASS


your mail here gives DKIM PASS in perl Mail::DKIM

but

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; 
d=dovecot.org;

 s=arc; t=1615272934;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references:dkim-signature;

is with double headers sign in ARC :(

is owners listen here ?


Re: DMARC problems with some emails from the list

2021-03-09 Thread Benny Pedersen

On 2021-03-08 13:21, Juri Haberland wrote:

On 08.03.21 11:38, Benny Pedersen wrote:

On 2021-03-08 10:34, Juri Haberland wrote:



checked your dkim signing, it have signed 2 Date headers, 2 From, 2
Subject, solve this :=)


Benny, it's not about *my* DKIM signature. And it is perfectly legal 
and

has a special purpose to double sign some headers, called oversigning.


h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references:dkim-signature;

double header signing

on top of that C= with simple

it could be a bug in perl Mail::DKIM, but so far spamassassin give dkim 
invalid


eof my help with it


Re: DMARC problems with some emails from the list

2021-03-08 Thread Ángel L . Mateo

On 8/3/21 at 11:20, Benny Pedersen wrote:
> On 2021-03-08 07:43, Ángel L. Mateo wrote:
>
>> I'm having problems with some emails from the list, been classified
>> as SPAM in my system because of DMARC failures. I'm not sure but this
>> may be a problem with the list configuration.
>
> what state of dkim is c= tag ?, if it contains simple, its not that
> simple since its more strong than relaxed
>
> if thats the case, it could be that 8bitmime is not being disabled
> before dkim signing :(
>
> reference from amavisd dkim howto
>
> is your dmarc test doing ARC test ?

I don't know the exact details of the antispam configuration. But I
have asked and the administrator told me that we are not doing ARC
tests. He told me that the emails are marked as spam because of dkim
failures.


--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337


Re: DMARC problems with some emails from the list

2021-03-08 Thread Juri Haberland
On 08.03.21 11:38, Benny Pedersen wrote:
> On 2021-03-08 10:34, Juri Haberland wrote:

> checked your dkim signing, it have signed 2 Date headers, 2 From, 2 
> Subject, solve this :=)

Benny, it's not about *my* DKIM signature. And it is perfectly legal and
has a special purpose to double sign some headers, called oversigning.

> and you have simple in C= tag, please check double signed headers
> 
> it does not dkim pass in perl Mail::DKIM test in spamassassin

If my signature didn't verify at your end, then it might be a problem at
your end as my DKIM signature verified at the mailing list host (as you can
see from the ARC-Authentication-Results header) and it still verified
at my host when it came back from the list (both Spamassassin and
OpenDKIM). OTOH if more people have problems with my DKIM signature then
I'd like to hear that.

>> The problem of these specific mails is the fact, that they sign one or 
>> more
>> of the following headers:
>> - Reply-To
>> - Sender
>> - List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
>> List-Owner, List-Archive
> 
> this comes from dkim signing ALL mails not just ORIGINATED emails, 
> maillist should really stop sign emails, and only do the ARC sealing and 
> ARC sign it

This has nothing to do with it! The problem arises at the OP's end...

> if maillist send ORIGINATING emails it should be signed as dkim and not 
> ARC sealed
> 
> its common sense imho
> 
> too many headers signed makes dkim break

Yes, that is the problem here, but that cannot be fixed by the people
running the ML, only by the original authors, as it concerns the DKIM
signatures of the original authors.

>> Of course these headers *will* be altered by most list software out 
>> there,
>> so the senders have to change the way they sign their mails.
> 
> altering will happen hopefully AFTER ARC sealing, so it still can be 
> verify from ARC that the originated email did pass or fail in someway, 
> in that case it works as designed

IMHO altering/adding those headers will happen *before* ARC signing or else
the ARC signature will break immediately and will be useless...

>> Your only option is to either trust the ARC-headers or to whitelist all
>> mail from this mailing list.
> 
> tell dmarc to not test maillists, but it should pass so no need

???

Regards,
  Juri


Re: DMARC problems with some emails from the list

2021-03-08 Thread Benny Pedersen

On 2021-03-08 10:34, Juri Haberland wrote:

> I have looked at some of the mails that you flagged as problematic and yes,
> those mails failed the DKIM check, even though this list seems to work
> without invalidating DKIM signatures.

checked your dkim signing, it have signed 2 Date headers, 2 From, 2
Subject, solve this :=)

and you have simple in C= tag, please check double signed headers

it does not dkim pass in perl Mail::DKIM test in spamassassin

> The problem of these specific mails is the fact, that they sign one or more
> of the following headers:
> - Reply-To
> - Sender
> - List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
> List-Owner, List-Archive

this comes from dkim signing ALL mails not just ORIGINATED emails,
maillist should really stop sign emails, and only do the ARC sealing and
ARC sign it

if maillist send ORIGINATING emails it should be signed as dkim and not
ARC sealed

its common sense imho

too many headers signed makes dkim break

> Of course these headers *will* be altered by most list software out there,
> so the senders have to change the way they sign their mails.

altering will happen hopefully AFTER ARC sealing, so it still can be
verify from ARC that the originated email did pass or fail in someway,
in that case it works as designed

> Your only option is to either trust the ARC-headers or to whitelist all
> mail from this mailing list.

tell dmarc to not test maillists, but it should pass so no need


Re: DMARC problems with some emails from the list

2021-03-08 Thread Benny Pedersen

On 2021-03-08 07:43, Ángel L. Mateo wrote:

> I'm having problems with some emails from the list, been classified
> as SPAM in my system because of DMARC failures. I'm not sure but this
> may be a problem with the list configuration.

what state of dkim is c= tag ?, if it contains simple, its not that
simple since its more strong than relaxed

if thats the case, it could be that 8bitmime is not being disabled
before dkim signing :(

reference from amavisd dkim howto

is your dmarc test doing ARC test ?

> I attach the log for the failures in the last week.

does not help me helping you


Re: DMARC problems with some emails from the list

2021-03-08 Thread Juri Haberland
On 08.03.21 07:43, Ángel L. Mateo wrote:
> Hello,
> 
>   I'm having problems with some emails from the list, been classified as 
> SPAM in my system because of DMARC failures. I'm not sure but this may 
> be a problem with the list configuration.
> 
> 
>   I attach the log for the failures in the last week.

I have looked at some of the mails that you flagged as problematic and yes,
those mails failed the DKIM check, even though this list seems to work
without invalidating DKIM signatures.

The problem of these specific mails is the fact, that they sign one or more
of the following headers:
- Reply-To
- Sender
- List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
List-Owner, List-Archive

Of course these headers *will* be altered by most list software out there,
so the senders have to change the way they sign their mails.

Your only option is to either trust the ARC-headers or to whitelist all
mail from this mailing list.


Cheers,
  Juri
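
An added example (not code from this thread or from any tool named in it) that models the header side of DKIM verification discussed in Juri's messages above: which signed `h=` fields a list relay invalidates, and why over-signed fields such as `from:from` are harmless until a field is added or rewritten. The messages, signatures and function names are constructed for illustration; the body hash (`bh=`) and the RSA check are not modelled.

```python
import hashlib
import re


def parse_tags(sig_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, section 3.2)."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", sig_value)
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags


def canon_header(line, mode):
    """Canonicalize one raw header line, "simple" or "relaxed" (section 3.4)."""
    if mode == "simple":
        return line + "\r\n"  # simple: the field must arrive byte for byte
    name, _, value = line.partition(":")
    value = re.sub(r"\r?\n", "", value)  # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse whitespace runs
    return name.strip().lower() + ":" + value + "\r\n"


def select_signed(sig_value, headers):
    """Return [(name, canonical text)] in h= order, picked the way a verifier does."""
    tags = parse_tags(sig_value)
    mode = tags.get("c", "simple/simple").split("/")[0].strip().lower()
    names = [n.strip().lower() for n in tags.get("h", "").split(":") if n.strip()]
    remaining = list(headers)
    picked = []
    for name in names:
        text = ""  # no instance left: hashed as empty, which over-signing relies on
        for i in range(len(remaining) - 1, -1, -1):  # bottom-most unused instance
            if remaining[i].partition(":")[0].strip().lower() == name:
                text = canon_header(remaining.pop(i), mode)
                break
        picked.append((name, text))
    return picked


def digest(picked):
    """SHA-256 over the selected, canonicalized header fields."""
    return hashlib.sha256("".join(text for _, text in picked).encode()).hexdigest()


def survives_relay(sig_value, as_signed, as_received):
    """Compare the signed header data before and after the list handled the message.

    Returns (survives, culprits). The DKIM-Signature field itself is also hashed
    by a real verifier, but the relay leaves it unchanged, so it is omitted here.
    """
    before = select_signed(sig_value, as_signed)
    after = select_signed(sig_value, as_received)
    culprits = sorted({name for (name, b), (_, a) in zip(before, after) if a != b})
    return digest(before) == digest(after), culprits


# Constructed sample data (not taken from the log attached to the thread).
ORIGINAL = [
    "From: Alice <alice@example.org>",
    "To: list@lists.example.net",
    "Subject: DMARC problems",
    "Date: Mon, 08 Mar 2021 07:43:00 +0100",
    "Message-ID: <1@example.org>",
]
# What a list typically adds when it does not munge From.
RELAYED = ORIGINAL + [
    "Sender: list-bounces@lists.example.net",
    "List-Id: <list.lists.example.net>",
    "List-Unsubscribe: <mailto:list-leave@lists.example.net>",
]
# The same relay with "munge from": From rewritten, author moved to Reply-To.
MUNGED = ["From: Alice via list <list@lists.example.net>",
          "Reply-To: Alice <alice@example.org>"] + RELAYED[1:]

# Signs list-managed fields that did not exist when the author sent the mail.
SIG_FRAGILE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;\r\n"
               " h=from:to:subject:date:message-id:reply-to:sender:list-id:\r\n"
               " list-unsubscribe; bh=CONSTRUCTED; b=CONSTRUCTED")
# Over-signs author fields only, like the h= lists quoted in the thread.
SIG_OVERSIGNED = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;\r\n"
                  " h=from:from:to:subject:subject:date:date:message-id:message-id;\r\n"
                  " bh=CONSTRUCTED; b=CONSTRUCTED")

if __name__ == "__main__":
    for label, sig in (("fragile", SIG_FRAGILE), ("oversigned", SIG_OVERSIGNED)):
        for relay_name, relay in (("relayed", RELAYED), ("munged", MUNGED)):
            print(label, relay_name, survives_relay(sig, ORIGINAL, relay))
```
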


DMARC problems with some emails from the list

2021-03-07 Thread Ángel L . Mateo

Hello,

	I'm having problems with some emails from the list, been classified as 
SPAM in my system because of DMARC failures. I'm not sure but this may 
be a problem with the list configuration.



I attach the log for the failures in the last week.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337


dovecot_dmarc.csv.log.gz
Description: application/gzip


Dmarc

2019-02-23 Thread Latin Bishop via dovecot
Trying to implement dmarc and looking at configuration file 
Wondering if one should change reject failures to true and how can I get this 
before I start rejecting emails 

AuthservID mail.example.com
PidFile /var/run/opendmarc.pid #Debian default
RejectFailures false
Syslog true
TrustedAuthservIDs mail.example.com,mail2.example.com
UMask 0002
UserID opendmarc:opendmarc
IgnoreHosts /etc/opendmarc/ignore.hosts
HistoryFile /var/run/opendmarc/opendmarc.dat
#for testing:
SoftwareHeader true

Sent from my iPad

Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Noel Butler via dovecot
On 11/02/2019 09:48, Michael A. Peters via dovecot wrote:

> On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote:
>> On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
>>> On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
>>>
>>>> fixing mailman will be the fail, solve it by letting opendkim and
>>>> opendmarc not reject detected maillist will be solution,
>>>
>>> A general broad mailing list whitelist will be problematic, do work it
>>> needs to look for specific list type hidden headers,  spammers and
>>> nasties will incorporate those headers into their trash that
>>> impersonates mailing lists and voila, they pass.
>>
>> However the majority of spammers do not spam with a properly configured
>> Reverse DNS - so detect the list header and skip DMARC if list headers
>> are present AND Reverse DNS matched the HELO/EHLO
>
> Also, DMARC isn't really anti-spam technology, it's anti-spoof
> technology.
>
> Rather than fake mail list headers, spammers will just use domains w/o a
> DMARC policy. Much easier.

I know you're just nit picking but what the hell, I've got a few minutes
before my meeting

anti spoofing is also anti spam, most legit emailers don't spoof, bad
guys love to, so anything that reduces noise in email can be considered
"anti spam"

postfix acl's dnsbl's milters, antivirus, spamassassin, spf, dkim,
whatever ... they all work to reduce noise and that's all the end users
care about.

-- 
Kind Regards, 

Noel Butler 

This Email, including any attachments, may contain legally 
privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the authors express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents 

 

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument

Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Noel Butler via dovecot

On 11/02/2019 09:46, Michael A. Peters via dovecot wrote:

> However the majority of spammers do not spam with a properly configured
> Reverse DNS - so detect the list header and skip DMARC if list headers
> are present AND Reverse DNS matched the HELO/EHLO

A hell of a lot do, though (this is pretty average percentages here)

Accepted                          70.07%
Rejected                          29.93%
----------------------------------------
Total                            100.00%
========================================

5xx Reject relay denied            4.27%
5xx Reject unknown user            7.93%
5xx Reject sender address          7.32%
5xx Reject unknown client host    52.44%
5xx Reject RBL                     3.66%
5xx Reject milter                 24.39%
========================================
Total 5xx Rejects                100.00%

unknown client host was high as 95% up till about 10 years ago, so they
are slowly learning.





--
Kind Regards,

Noel Butler



Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Michael A. Peters via dovecot

On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote:
> On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
>> On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
>>
>>> fixing mailman will be the fail, solve it by letting opendkim and
>>> opendmarc not reject detected maillist will be solution,
>>
>> A general broad mailing list whitelist will be problematic, do work it
>> needs to look for specific list type hidden headers,  spammers and
>> nasties will incorporate those headers into their trash that
>> impersonates mailing lists and voila, they pass.
>
> However the majority of spammers do not spam with a properly configured
> Reverse DNS - so detect the list header and skip DMARC if list headers
> are present AND Reverse DNS matched the HELO/EHLO

Also, DMARC isn't really anti-spam technology, it's anti-spoof technology.

Rather than fake mail list headers, spammers will just use domains w/o a
DMARC policy. Much easier.


Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Michael A. Peters via dovecot

On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
> On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
>
>> fixing mailman will be the fail, solve it by letting opendkim and
>> opendmarc not reject detected maillist will be solution,
>
> A general broad mailing list whitelist will be problematic, do work it
> needs to look for specific list type hidden headers,  spammers and
> nasties will incorporate those headers into their trash that
> impersonates mailing lists and voila, they pass.

However the majority of spammers do not spam with a properly configured
Reverse DNS - so detect the list header and skip DMARC if list headers
are present AND Reverse DNS matched the HELO/EHLO




Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Noel Butler via dovecot
On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:

> fixing mailman will be the fail, solve it by letting opendkim and opendmarc 
> not reject detected maillist will be solution,

A general broad mailing list whitelist will be problematic, do work it
needs to look for specific list type hidden headers,  spammers and
nasties will incorporate those headers into their trash that
impersonates mailing lists and voila, they pass. there is no quick and
easy fix to the dmarc mess other than p=none aspf=s (DKIM is another one
that gets narky at lists, and despite all the spf haters dreams, I've
never had a problem with spf and lists, and we were an early beta
adopter of spf) 

-- 
Kind Regards, 

Noel Butler 


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-10 Thread Aki Tuomi via dovecot


> On 10 February 2019 at 00:28 "A. Schulze via dovecot" wrote:
>
> On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
> > I'll review the settings when we manage to upgrade to mailman3
>
> Hello Aki,
>
> before updating to mailman3 consider a simpler update to latest mailman2.
>
> you're using 2.1.15, current mailman2 is 2.1.29
> You're missing a /significant amount/ of DMARC fixes!
>
> and: more off-topic:
> while my messages *to* the dovecot list are sent using STARTTLS,
> messages *from*  wursti.dovecot.fi are sent without encryption.
> any reason to stay on unencrypted SMTP?
>
> Andreas

Received: from talvi.dovecot.org (talvi.dovecot.org [94.237.25.159])
by mail.dovecot.fi (Postfix) with ESMTPS id 7EE3B2B3C9C;
Sun, 10 Feb 2019 00:29:15 +0200 (EET)

ESMTPS indicates that TLS was used. Also I took the trouble to check the 
maillogs from talvi to verify that your mail was delivered using TLS.

Aki


Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-09 Thread Benny Pedersen via dovecot

Noel Butler via dovecot wrote on 2019-02-10 01:51:

> ... and surely he does not expect those with a million plus users sit
> here and whitelist the million plus mailing lists that exist around
> the world, heh, like thats going to happen :)

fixing mailman will be the fail, solve it by letting opendkim and
opendmarc not reject detected maillist will be solution, even if openarc
comes or not, in cpan Mail::Milter::Authenticated its solved, but who
use it other than fastmail.fm ? :=)


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Benny Pedersen via dovecot

A. Schulze via dovecot wrote on 2019-02-09 23:28:
> On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
>> I'll review the settings when we manage to upgrade to mailman3
>
> before updating to mailman3 consider a simpler update to latest
> mailman2.

will any of this implement openarc sealing ? :=)

> you're using 2.1.15, current mailman2 is 2.1.29
> You're missing a /significant amount/ of DMARC fixes!

we all missing the point of missing opendmarc that can test for openarc
sealing and be done with all the mess :(

or add a wiki to opendkim to make it autodetect maillists just like cpan
Mail::Milter::Authenticated does it

if it cant be done in opendkim lua we lose all

> and: more off-topic:
> while my messages *to* the dovecot list are sent using STARTTLS,
> messages *from*  wursti.dovecot.fi are sent without encryption.
> any reason to stay on unencrypted SMTP?

maybe same reason dovecot have a mx record ? :=)

but good catch if in ip is same as out ip


Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-09 Thread Noel Butler via dovecot
On 10/02/2019 07:38, Ralph Seichter via dovecot wrote:

> * Juri Haberland via dovecot:
> 
>> Blindly enabling DMARC checks without thinking about the consequences
>> for themselves should not be the problem of other well behaving
>> participants.
> 
> Can you judge if DMARC is enabled "blindly"? No, I thought not. Also,
> the issue was not on the receiving end, but the reject policy for the
> originating domain.
> 
> Personally, I choose to treat "reject" as if it was "quarantine",
> i.e. affected mail is rerouted to a specific folder.
> 
>> And Aki, please go back to "munge only if needed" - munging all
>> messages leads to a really bad "user experience".
> 
> Only speak for yourself please.
> 
> -Ralph

+1 (for entire post) 

... and surely he does not expect those with a million plus users sit
here and whitelist the million plus mailing lists that exist around the
world, heh, like thats going to happen :) 

-- 
Kind Regards, 

Noel Butler 


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread A. Schulze via dovecot



On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
> I'll review the settings when we manage to upgrade to mailman3

Hello Aki,

before updating to mailman3 consider a simpler update to latest mailman2.

you're using 2.1.15, current mailman2 is 2.1.29
You're missing a /significant amount/ of DMARC fixes!

and: more off-topic:
while my messages *to* the dovecot list are sent using STARTTLS,
messages *from*  wursti.dovecot.fi are sent without encryption.
any reason to stay on unencrypted SMTP?

Andreas



Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-09 Thread Ralph Seichter via dovecot
* Juri Haberland via dovecot:

> Blindly enabling DMARC checks without thinking about the consequences
> for themselves should not be the problem of other well behaving
> participants.

Can you judge if DMARC is enabled "blindly"? No, I thought not. Also,
the issue was not on the receiving end, but the reject policy for the
originating domain.

Personally, I choose to treat "reject" as if it was "quarantine",
i.e. affected mail is rerouted to a specific folder.

> And Aki, please go back to "munge only if needed" - munging all
> messages leads to a really bad "user experience".

Only speak for yourself please.

-Ralph


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Juri Haberland via dovecot
On 09/02/2019 20:13, Michael A. Peters via dovecot wrote:
> On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:

>> Most people use OpenDMARC and there are patches to mark certain hosts as
>> mailing lists senders, so it is possible.
> 
> can you please let me know where to find those patches?

https://sourceforge.net/p/opendmarc/tickets/180/

Also have a look at http://batleth.sapienti-sat.org/projects/opendmarc/.

I have an Ubuntu-PPA where you can get a package with all of the above
patches (https://launchpad.net/~haberland/+archive/ubuntu/opendmarc).


Cheers,
  Juri


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Michael A. Peters via dovecot

On 2/9/19 11:13 AM, Michael A. Peters via dovecot wrote:
> On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:
>
> *snip*
>
> Honestly I was sort of tempted to try and create my own DMARC validator
> (I was thinking one daemon that does both DKIM and DMARC - for postfix,
> Exim has DKIM native but I only use Exim for submission) that tried to
> sniff Mailman and not enforce it but it looks like it would be very time
> consuming.

What I wanted to do, was sniff mailman in headers and if it was sent by
mail, reject if reverse DNS didn't match HELO/EHLO and white list from
OpenDMARC enforcement if it did. That would prevent most spoofed that
tried to look like Mailman since spoofed mail rarely has reverseDNS
properly set up but Mailman admins tend to.
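
The gate described in the message above, as an added sketch (not OpenDMARC behaviour and not code from anyone in this thread): list-looking mail is exempted from DMARC enforcement only when the client's PTR name equals its HELO name and resolves back to the connecting address, so copied list headers alone end in a reject. The marker header set, the function names, the three outcome strings and the DNS data are assumptions made for the example.

```python
import socket

# Assumption: which header names make a message "look like" list traffic.
LIST_MARKERS = ("list-id", "x-mailman-version")


def system_resolver(ip):
    """Return (ptr_name, forward_addresses) for ip using the system resolver."""
    try:
        name = socket.gethostbyaddr(ip)[0]
        forward = {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:  # covers socket.herror and socket.gaierror
        return None, set()
    return name, forward


def rdns_matches_helo(client_ip, helo, resolve=system_resolver):
    """True if the PTR name equals the HELO name and resolves back to client_ip."""
    ptr, forward = resolve(client_ip)
    if not ptr:
        return False
    same_name = ptr.rstrip(".").lower() == helo.rstrip(".").lower()
    return same_name and client_ip in forward


def list_gate(header_names, client_ip, helo, resolve=system_resolver):
    """Decide how the DMARC filter should treat one message.

    "enforce-dmarc": no list markers, the normal DMARC policy applies
    "skip-dmarc":    list markers present and reverse DNS matches HELO
    "reject":        list markers present but reverse DNS does not match
    """
    present = {h.lower() for h in header_names}
    if not present.intersection(LIST_MARKERS):
        return "enforce-dmarc"
    if rdns_matches_helo(client_ip, helo, resolve):
        return "skip-dmarc"
    return "reject"


# Constructed PTR/forward data standing in for DNS (documentation address ranges).
SAMPLE_DNS = {
    "192.0.2.25": ("lists.example.net", {"192.0.2.25"}),
    "198.51.100.7": ("host7.dynamic.example.com", {"198.51.100.7"}),
    "203.0.113.40": ("lists.example.net", {"192.0.2.25"}),  # PTR not forward-confirmed
}


def sample_resolver(ip):
    """Offline resolver over SAMPLE_DNS; unknown addresses have no PTR."""
    return SAMPLE_DNS.get(ip, (None, set()))


if __name__ == "__main__":
    list_headers = ["From", "Subject", "List-Id", "X-Mailman-Version"]
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.40", "203.0.113.9"):
        print(ip, list_gate(list_headers, ip, "lists.example.net", sample_resolver))
    print(list_gate(["From", "Subject"], "198.51.100.7", "mail.example.com", sample_resolver))
```
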


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Michael A. Peters via dovecot

On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:
> On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
>> For some reason mailman failed to "munge from" for senders with dmarc policy ;(
>>
>> It's now configured to always munge to avoid this again.
>
> I'd say, let Mailman throw all people off the list that have enabled DMARC
> checking without using exceptions for the lists they are on. It's a known
> fact that DMARC does not cope well with mailing lists. Blindly enabling
> DMARC checks without thinking about the consequences for themselves should
> not be the problem of other well behaving participants.
>
> Most people use OpenDMARC and there are patches to mark certain hosts as
> mailing lists senders, so it is possible.

can you please let me know where to find those patches?

I ran DMARC in testing on one domain and had to disable it because over
95% of the reports were false positives from mailing lists, and the few
that were genuine spoofed would have easily been caught by spam/malware
filters anyway.

However a project I am working on, DMARC is highly desired. Designing a
white-list for known mailing lists is something I want to do.

Honestly I was sort of tempted to try and create my own DMARC validator
(I was thinking one daemon that does both DKIM and DMARC - for postfix,
Exim has DKIM native but I only use Exim for submission) that tried to
sniff Mailman and not enforce it but it looks like it would be very time
consuming.




Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Juri Haberland via dovecot
On 09/02/2019 19:56, Aki Tuomi via dovecot wrote:
>> On 09 February 2019 at 20:48 Juri Haberland via dovecot <dovecot@dovecot.org> wrote:

>> Most people use OpenDMARC and there are patches to mark certain hosts as
>> mailing lists senders, so it is possible.

> Wonder how many would do this though?

Yeah, unfortunately not enough...

>> And everyone using p=reject should think about it as well - as I said,
>> DMARC does not play well with mailing lists, so setting p=reject on a
>> domain used to participate on mailing lists is not wise, to say the least.
>> You should not follow Yahoo and AOL - you know, why they did it, don't you?

> Unfortunately this is usually required by many common providers such as 
> microsoft and google, otherwise they refuse your mail.

That is definitely not true. They might require you to have DKIM and/or SPF
and maybe even a DMARC policy, but they definitely don't require p=reject!
Most of my domains have p=none and our mails are accepted by all major
providers...

> Hope you understand .

Understood. Had to write that mail anyway ;-)

  Juri



Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Aki Tuomi via dovecot


 
 
  
   
  
  
   
On 09 February 2019 at 20:48 Juri Haberland via dovecot <dovecot@dovecot.org> wrote:

> On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
>> For some reason mailman failed to "munge from" for senders with dmarc policy ;(
>>
>> It's now configured to always munge to avoid this again.
>
> I'd say, let Mailman throw all people off the list that have enabled DMARC
> checking without using exceptions for the lists they are on. It's a known
> fact that DMARC does not cope well with mailing lists. Blindly enabling
> DMARC checks without thinking about the consequences for themselves should
> not be the problem of other well behaving participants.

The problem is that it would drop all gmail users for a start, which there
are plenty of. Also judging from the amount of bounces we got it seemed like
half the subscribers would drop out.

> Most people use OpenDMARC and there are patches to mark certain hosts as
> mailing lists senders, so it is possible.

Wonder how many would do this though?

> And everyone using p=reject should think about it as well - as I said,
> DMARC does not play well with mailing lists, so setting p=reject on a
> domain used to participate on mailing lists is not wise, to say the least.
> You should not follow Yahoo and AOL - you know, why they did it, don't you?

Unfortunately this is usually required by many common providers such as
microsoft and google, otherwise they refuse your mail.

> And Aki, please go back to "munge only if needed" - munging all messages
> leads to a really bad "user experience".

It does not seem to work correctly. I'll review the settings when we manage
to upgrade to mailman3

> Thanks.

Hope you understand .

Aki

> Back to lurking,
> Juri

---
Aki Tuomi
   
 



offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Juri Haberland via dovecot
On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
> For some reason mailman failed to "munge from" for senders with dmarc policy ;(
> 
> It's now configured to always munge to avoid this again.

I'd say, let Mailman throw all people off the list that have enabled DMARC
checking without using exceptions for the lists they are on. It's a known
fact that DMARC does not cope well with mailing lists. Blindly enabling
DMARC checks without thinking about the consequences for themselves should
not be the problem of other well behaving participants.

Most people use OpenDMARC and there are patches to mark certain hosts as
mailing lists senders, so it is possible.

And everyone using p=reject should think about it as well - as I said,
DMARC does not play well with mailing lists, so setting p=reject on a
domain used to participate on mailing lists is not wise, to say the least.
You should not follow Yahoo and AOL - you know, why they did it, don't you?

And Aki, please go back to "munge only if needed" - munging all messages
leads to a really bad "user experience".

Thanks.


Back to lurking,
  Juri


Re: DMARC policies

2018-11-30 Thread Aki Tuomi


> On 30 November 2018 at 13:46 Keith Edmunds  wrote:
> 
> 
> At the risk of being AOLish, me too. Unsubbed from Mailman, but still
> receiving mails.
> 
> Where do I go to stop them (and why have they suddenly started arriving)?
> -- 
> "Never, never, never give up" - Winston Churchill

I am a bit uncertain if you have actually unsubscribed or just disabled
delivery (these are two different things).

If people are experiencing problems unsubscribing, you can also send mail to

dovecot-unsubscr...@dovecot.org

with 'UNSUBSCRIBE' as subject.

Just a note that we have not forcefully subscribed anyone to the list.

Aki


Re: DMARC policies

2018-11-30 Thread Stuart Henderson
On 2018/11/30 10:55, Frederick Thomssen wrote:
> Hi guys
> 
> Why do I get these e-mails?

You were subscribed to the dovecot mailing list but probably had it set
to 'mail delivery: disabled' (possibly you read messages via archive
and have subscribed so you can reply, but don't want to receive email
copies of the messages).

Unsubscribe by sending mail to dovecot-requ...@dovecot.org with subject
'unsubscribe'.

Unsubscribe or change back to 'delivery: disabled' by web by going to
https://dovecot.org/mailman/options/dovecot

> On 30. 11. 18 10:50, gli...@gmail.com wrote:
> > Same problem here.
> > 
> > https://dovecot.org/mailman/options/dovecot-news
> > 
> > Sadly the remind password button / unsubscribe email button click and claim
> > to send me a email but they don't.
> > 
> > Assume its due a high mailq with the amount of messages that need to go out?

Give it time. If all the email addresses which were disabled due to
delivery failures have now been re-enabled, there are likely to be
messages to a bunch of failing addresses in the queue, it will take a
while before these get auto disabled again and things get back to
normal.

Hopefully there aren't too many invalid addresses in this set, too
many failures will trigger large mail hosts to start blocking the list
sender..



Re: DMARC policies

2018-11-30 Thread Keith Edmunds
At the risk of being AOLish, me too. Unsubbed from Mailman, but still
receiving mails.

Where do I go to stop them (and why have they suddenly started arriving)?
-- 
"Never, never, never give up" - Winston Churchill


Re: DMARC policies

2018-11-30 Thread Giles Coochey

Maybe check that the "X-Original-To" header in the email is actually to you?


On 30/11/2018 10:01, Jan Vítek wrote:
Same problem here. I clicked the unsubscribed button, but didnt 
receive the email.



Regards
Jan


On 30. 11. 18 10:50, gli...@gmail.com wrote:

Same problem here.

https://dovecot.org/mailman/options/dovecot-news

Sadly the remind password button / unsubscribe email button click and claim
to send me an email but they don't.

Assume it's due to a high mailq with the amount of messages that need to go out?


Regards
Rory


-----Original Message-----
From: dovecot  On Behalf Of Michal Szymanski

Sent: Friday, 30 November 2018 11:47
To: Per Jessen 
Cc: Aki Tuomi ; dovecot@dovecot.org
Subject: Re: DMARC policies

Hi,

I have just started to get dovecot list messages which I had not been
receiving until today. How can I opt out (again)?

regards, Michal Szymanski

On Fri, Nov 30, 2018 at 10:42:22AM +0100, Per Jessen wrote:

Aki Tuomi wrote:

On 30.11.2018 10.03, Per Jessen wrote:


Hi AKi

I guess my address was re-subscribed then?  I was subscribed as
nomail before, do I need to update that myself?

thanks
Per



Yes. I had to do it with an automated script and mailman withlist
interface is crappy. Sorry about this.


No problem,  these things happen.


/Per


--
   Michal Szymanski (msz at astrouw dot edu dot pl)
   Warsaw University Observatory, Warszawa, POLAND





Re: DMARC policies

2018-11-30 Thread Jan Vítek
Same problem here. I clicked the unsubscribed button, but didn't receive
the email.



Regards
Jan


On 30. 11. 18 10:50, gli...@gmail.com wrote:

Same problem here.

https://dovecot.org/mailman/options/dovecot-news

Sadly the remind password button / unsubscribe email button click and claim
to send me an email but they don't.

Assume it's due to a high mailq with the amount of messages that need to go out?

Regards
Rory


-----Original Message-----
From: dovecot  On Behalf Of Michal Szymanski
Sent: Friday, 30 November 2018 11:47
To: Per Jessen 
Cc: Aki Tuomi ; dovecot@dovecot.org
Subject: Re: DMARC policies

Hi,

I have just started to get dovecot list messages which I had not been
receiving until today. How can I opt out (again)?

regards, Michal Szymanski

On Fri, Nov 30, 2018 at 10:42:22AM +0100, Per Jessen wrote:

Aki Tuomi wrote:

On 30.11.2018 10.03, Per Jessen wrote:


Hi AKi

I guess my address was re-subscribed then?  I was subscribed as
nomail before, do I need to update that myself?

thanks
Per



Yes. I had to do it with an automated script and mailman withlist
interface is crappy. Sorry about this.


No problem,  these things happen.


/Per


--
   Michal Szymanski (msz at astrouw dot edu dot pl)
   Warsaw University Observatory, Warszawa, POLAND



Re: DMARC policies

2018-11-30 Thread Victor
UNSUBSCRIBE


Re: DMARC policies

2018-11-30 Thread Frederick Thomssen
Hi guys

Why do I get these e-mails?

Cheers
Freddy

> Am 30.11.2018 um 10:42 schrieb Per Jessen :
> 
> Aki Tuomi wrote:
>>> On 30.11.2018 10.03, Per Jessen wrote:
>>> 
>>> Hi AKi
>>> 
>>> I guess my address was re-subscribed then?  I was subscribed as nomail
>>> before, do I need to update that myself? 
>>> thanks
>>> Per
>>> 
>>> 
>> Yes. I had to do it with an automated script and mailman withlist
>> interface is crappy. Sorry about this.
> 
> No problem,  these things happen.
> 
> 
> /Per


RE: DMARC policies

2018-11-30 Thread glide3
Same problem here.

https://dovecot.org/mailman/options/dovecot-news

Sadly the remind password button / unsubscribe email button click and claim
to send me an email but they don't.

Assume it's due to a high mailq with the amount of messages that need to go out?

Regards
Rory


-----Original Message-----
From: dovecot  On Behalf Of Michal Szymanski
Sent: Friday, 30 November 2018 11:47
To: Per Jessen 
Cc: Aki Tuomi ; dovecot@dovecot.org
Subject: Re: DMARC policies

Hi,

I have just started to get dovecot list messages which I had not been
receiving until today. How can I opt out (again)?

regards, Michal Szymanski

On Fri, Nov 30, 2018 at 10:42:22AM +0100, Per Jessen wrote:
> Aki Tuomi wrote:
> >On 30.11.2018 10.03, Per Jessen wrote:
> >
> >>Hi AKi
> >>
> >>I guess my address was re-subscribed then?  I was subscribed as 
> >>nomail before, do I need to update that myself?
> >>
> >>thanks
> >>Per
> >>
> >>
> >Yes. I had to do it with an automated script and mailman withlist 
> >interface is crappy. Sorry about this.
> 
> No problem,  these things happen.
> 
> 
> /Per

--
  Michal Szymanski (msz at astrouw dot edu dot pl)
  Warsaw University Observatory, Warszawa, POLAND



Re: DMARC policies

2018-11-30 Thread Hendy Irawan
You can visit https://dovecot.org/mailman/listinfo/dovecot

Hendy Irawan, MSc - Twitter  - LinkedIn
 - orcid.org/-0002-5231-2802


On Fri, Nov 30, 2018 at 4:47 PM Michal Szymanski  wrote:

> Hi,
>
> I have just started to get dovecot list messages which I had not been
> receiving until today. How can I opt out (again)?
>
> regards, Michal Szymanski
>
> On Fri, Nov 30, 2018 at 10:42:22AM +0100, Per Jessen wrote:
> > Aki Tuomi wrote:
> > >On 30.11.2018 10.03, Per Jessen wrote:
> > >
> > >>Hi AKi
> > >>
> > >>I guess my address was re-subscribed then?  I was subscribed as nomail
> > >>before, do I need to update that myself?
> > >>
> > >>thanks
> > >>Per
> > >>
> > >>
> > >Yes. I had to do it with an automated script and mailman withlist
> > >interface is crappy. Sorry about this.
> >
> > No problem,  these things happen.
> >
> >
> > /Per
>
> --
>   Michal Szymanski (msz at astrouw dot edu dot pl)
>   Warsaw University Observatory, Warszawa, POLAND
>


Re: DMARC policies

2018-11-30 Thread Michal Szymanski
Hi,

I have just started to get dovecot list messages which I had not been
receiving until today. How can I opt out (again)?

regards, Michal Szymanski

On Fri, Nov 30, 2018 at 10:42:22AM +0100, Per Jessen wrote:
> Aki Tuomi wrote:
> >On 30.11.2018 10.03, Per Jessen wrote:
> >
> >>Hi AKi
> >>
> >>I guess my address was re-subscribed then?  I was subscribed as nomail
> >>before, do I need to update that myself?
> >>
> >>thanks
> >>Per
> >>
> >>
> >Yes. I had to do it with an automated script and mailman withlist
> >interface is crappy. Sorry about this.
> 
> No problem,  these things happen.
> 
> 
> /Per

-- 
  Michal Szymanski (msz at astrouw dot edu dot pl)
  Warsaw University Observatory, Warszawa, POLAND


Re: DMARC policies

2018-11-30 Thread Per Jessen

Aki Tuomi wrote:

On 30.11.2018 10.03, Per Jessen wrote:


Hi AKi

I guess my address was re-subscribed then?  I was subscribed as nomail
before, do I need to update that myself? 


thanks
Per



Yes. I had to do it with an automated script and mailman withlist
interface is crappy. Sorry about this.


No problem,  these things happen.


/Per


Re: DMARC policies

2018-11-29 Thread Michael A. Peters

On 11/29/2018 11:13 PM, Aki Tuomi wrote:

Hi!

It seems we accidentally had a high amount of subscribers temporarily
disabled due to DMARC on some sender's host. We have now taken actions
to prevent this in the future and all temporarily disabled members have
been restored.

Aki




I've seen that happen on several lists.

I disabled DMARC on my mail servers. I really like the concept but way 
way way too many false positives.


Mostly lists, but also what sometimes happens - primary MX for 
whatever.com is down so mail goes to their backup which then relays it to 
their primary when the primary is back up, but their backup MX obviously isn't 
in my SPF record and they have things mis-configured causing a DMARC 
trigger.


I like the concept but it seems to have too many problems in implementation.
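
The DMARC decision behind the two failure modes mentioned in this thread (list traffic and relaying through a backup MX), as an added example that is not part of any poster's message. It assumes the RFC 7489 rule that a message passes when SPF or DKIM passes with a domain aligned to the From: header; the domains and scenarios are constructed, and the organizational-domain helper is a simplification.

```python
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    # Assumption: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(a: str, b: str) -> bool:
    # Relaxed alignment: organizational domains must match.
    return org_domain(a) == org_domain(b)


@dataclass
class Delivery:
    header_from: str            # domain in the From: header
    mail_from: str              # envelope sender domain that SPF checks
    spf_pass: bool              # connecting IP authorised by mail_from's SPF
    dkim_domain: Optional[str]  # d= of the DKIM signature, None if absent
    dkim_valid: bool            # signature still verifies at this hop


def dmarc_result(d: Delivery) -> str:
    spf_ok = d.spf_pass and aligned(d.mail_from, d.header_from)
    dkim_ok = (d.dkim_valid and d.dkim_domain is not None
               and aligned(d.dkim_domain, d.header_from))
    return "pass" if (spf_ok or dkim_ok) else "fail"


# Constructed scenarios; example.org is the author, lists.example.net the list.
SCENARIOS = {
    "direct": Delivery("example.org", "example.org", True, "example.org", True),
    # Primary evaluates SPF against the backup MX's IP, which is not in SPF.
    "backup_mx_dkim_intact": Delivery("example.org", "example.org", False,
                                      "example.org", True),
    "backup_mx_no_dkim": Delivery("example.org", "example.org", False,
                                  None, False),
    # List changes the body: author's DKIM breaks, SPF passes for list domain.
    "list_body_modified": Delivery("example.org", "lists.example.net", True,
                                   "example.org", False),
    # List rewrites From: to its own domain and signs the message itself.
    "list_from_rewritten": Delivery("lists.example.net", "lists.example.net",
                                    True, "lists.example.net", True),
}


def evaluate_all() -> dict:
    return {name: dmarc_result(d) for name, d in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:24} {result}")
```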

