Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
Trojitá, a fast Qt IMAP e-mail client http://www.trojita.flaska.net/

I also use http://opendkim.org/ http://www.trusteddomain.org/opendmarc/ as milters on Postfix

Active development, I'm sure they could all use some help, or forks for alternatives, I don't know, I'm not involved in development per se, just a user, and I have to get off the property of any of these places with my code before anything happens. All that Finnish osalliyhdistys and by the time a Swede gets online all hell breaks loose.

On Friday, October 21, 2022 1:50:43 PM AKDT, hi@zakaria.website wrote:
> On 2022-10-11 14:05, Benny Pedersen wrote:
>> hi@zakaria.website wrote on 2022-10-11 13:42:
>> ...
>
> Indeed, it's because you set the following headers in dkim signing headers:-
>
> from : subject : date : to : message-id
>
> Although not sure why you've added some space, as per standards I think only colon separated list is the compliant format like the following:-
>
> from:subject:date:to:message-id
>
> Anyhow this is my final update, the previous headers set which I included wasn't perfect as cc header was causing a trouble, given it can fail at some point e.g. when replying more than one time to the same recipient through a mailing list, and mind me OX and iRedMail, I had to check your signing headers set, hopefully you are ok for me to present it here as the optimal one to avoid DKIM failures:-
>
> OX:-
> Date:From:To:In-Reply-To:References:Subject:From
>
> IRM:-
> x-mailer:message-id:in-reply-to:to:references:date:subject
> :mime-version:content-transfer-encoding:content-type:from
>
> iRedMail seems to be the best headers set given it includes X-Mailer header, which enhances signature validity, when client uses specific mail client app, although it can be faked yet one must know which client app the sender would use and if was able to have information to this length I guess signature validity would be an easy task to break it further.
>
> Also, I was advised by a friend to duplicate the signing headers in order to disallow spoofing signature further, while I couldn't see how nor populate a proof of concept, I removed it but if someone understands it, I would appreciate their elaboration, surely with thanks :)
>
> Good luck.
> Zakaria.
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-10-11 14:05, Benny Pedersen wrote:
> hi@zakaria.website wrote on 2022-10-11 13:42:
>> On 2022-09-13 13:10, Benny Pedersen wrote:
>>> hi@zakaria.website wrote on 2022-09-13 14:03:
>>
>> from:from:reply-to:date:date:message-id:message-id:to:to:cc:
>> mime-version:mime-version:content-type:content-type:
>> in-reply-to:in-reply-to:references:references
>>
>> Thanks to my friend who didn't need a credit, and helped me out in reaching this solution.
>
> i have no friends, but it might be related
>
> https://gitlab.com/fumail/fuglu/-/issues/262
>
> with my conservative list of signed headers it pass

Indeed, it's because you set the following headers in dkim signing headers:-

from : subject : date : to : message-id

Although not sure why you've added some space, as per standards I think only colon separated list is the compliant format like the following:-

from:subject:date:to:message-id

Anyhow this is my final update, the previous headers set which I included wasn't perfect as cc header was causing a trouble, given it can fail at some point e.g. when replying more than one time to the same recipient through a mailing list, and mind me OX and iRedMail, I had to check your signing headers set, hopefully you are ok for me to present it here as the optimal one to avoid DKIM failures:-

OX:-
Date:From:To:In-Reply-To:References:Subject:From

IRM:-
x-mailer:message-id:in-reply-to:to:references:date:subject
:mime-version:content-transfer-encoding:content-type:from

iRedMail seems to be the best headers set given it includes X-Mailer header, which enhances signature validity, when client uses specific mail client app, although it can be faked yet one must know which client app the sender would use and if was able to have information to this length I guess signature validity would be an easy task to break it further.

Also, I was advised by a friend to duplicate the signing headers in order to disallow spoofing signature further, while I couldn't see how nor populate a proof of concept, I removed it but if someone understands it, I would appreciate their elaboration, surely with thanks :)

Good luck.
Zakaria.
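How the h= list decides which header changes break a signature, as an added example that is not part of the thread or of any project mentioned in it: it follows the header selection rule of RFC 6376 section 5.4.2, uses a plain SHA-256 digest in place of the real signature, and the sample messages and function names are constructed here.

```python
import hashlib

# Constructed sample message (not taken from the thread); header order is top to bottom.
ORIGINAL = [
    ("From", "Alice <alice@example.org>"),
    ("To", "list@example.net"),
    ("Subject", "DKIM and mailing lists"),
    ("Date", "Tue, 11 Oct 2022 13:42:00 +0000"),
    ("Message-ID", "<1@example.org>"),
]
# Same message after a Cc header was added downstream of the signer.
WITH_CC = ORIGINAL + [("Cc", "bob@example.com")]
# Same message with a second From header placed above the signed one.
EXTRA_FROM = [("From", "Someone Else <other@example.com>")] + ORIGINAL

def relaxed(name, value):
    """Relaxed header canonicalization: lowercase name, collapse whitespace runs."""
    return f"{name.lower()}:{' '.join(value.split())}\r\n"

def signed_input(headers, h_tag):
    """Pick the header fields that h= covers, per RFC 6376 section 5.4.2.

    Each name in h= consumes the bottom-most instance not yet used; a name with
    no instance left contributes an empty string, i.e. it signs the absence.
    """
    remaining = list(headers)
    picked = []
    # Whitespace around ':' is stripped here, so both list styles parse alike.
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                picked.append(relaxed(*remaining.pop(i)))
                break
    return "".join(picked)

def survives(original, modified, h_tag):
    """True if the hashed header input is unchanged, so verification would still pass.
    SHA-256 stands in for the real signature; the body hash is not modelled."""
    digest = lambda h: hashlib.sha256(signed_input(h, h_tag).encode()).hexdigest()
    return digest(original) == digest(modified)

if __name__ == "__main__":
    for h in ("from : subject : date : to : message-id",
              "from:to:cc:subject:date:message-id",
              "from:from:subject:date:to:message-id"):
        print(f"{h!r:45} cc added: {survives(ORIGINAL, WITH_CC, h)!s:5} "
              f"extra From: {survives(ORIGINAL, EXTRA_FROM, h)}")
```

A name listed in h= once more than it occurs in the message makes any later addition of that header change the signed input, which is what the duplicated names buy and also why a signed but absent Cc fails once a Cc is added after signing.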
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 10/11/22 07:42, hi@zakaria.website wrote:
> Another update yet with a solution. I found the causing issue with DKIM and DMARC failure when a signed email pass through mailing list such as dovecot as I expected, it has nothing to do with the mailing list but it's to do with DKIM signing headers set. It's due to one of or several headers in the DKIM signing set, getting added or modified after signing at dovecot end.
>
> Anyhow, here is the DKIM signing headers set in this mailing list, that it should work and it will prevent the batch of DMARC emails and bad signature from happening again.
>
> from:from:reply-to:date:date:message-id:message-id:to:to:cc:
> mime-version:mime-version:content-type:content-type:
> in-reply-to:in-reply-to:references:references

Please forgive me for jumping in, but I just noticed this. I (like many others) have issues with mailing lists and the flurry of DMARC emails after posting. I'm using OpenDKIM. There's a lot of material out there about proper configuration of DKIM, but nothing really definitive, with lots of "it depends on your requirements" type of noncommittal crap. Email use cases don't differ THAT much.

So does what you said above mean that you've come up with a working configuration to address the issue of mailing lists causing DKIM to barf due to header modifications? If so, can you tell me more about specifically what you're doing, like which headers you're signing and how?

I've been at my wits' end with this for some time; DKIM (and SPF etc etc) seem to be really quite awful overall.

Thanks,
-Dave

--
Dave McGuire, AK4HZ
New Kensington, PA
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
hi@zakaria.website wrote on 2022-10-11 13:42:
> On 2022-09-13 13:10, Benny Pedersen wrote:
>> hi@zakaria.website wrote on 2022-09-13 14:03:
>
> from:from:reply-to:date:date:message-id:message-id:to:to:cc:
> mime-version:mime-version:content-type:content-type:
> in-reply-to:in-reply-to:references:references
>
> Thanks to my friend who didn't need a credit, and helped me out in reaching this solution.

i have no friends, but it might be related

https://gitlab.com/fumail/fuglu/-/issues/262

with my conservative list of signed headers it pass
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022 Feb 16, at 10:22, Chris Bennett wrote:
> On Sat, Feb 12, 2022 at 12:58:03PM +0100, Sebastian Nielsen wrote:
>> That's a TLD ban. Meaning *.ru is banned.
>>
>> same applies for my domain for example, I ban *.xyz, *.date and a few others.
> I don't understand at all why banning tld is reasonable.

For the same reason that banning roadrunner was reasonable, the vast majority of mail from these new TLDs is nothing but spam, and I mean at levels far higher than the 97% of general email spam percentage.

When I blacklisted .top I was getting hundreds of thousands of spam emails a day on a quite small mail server, so much mail that it was overwhelming my server.

I have seen very few new TLDs that are not major spam magnets, and when I do, I unblock them. But my default position is that every TLD is locked except for the ones I specifically allow.

> I'm not rich.

The vast majority of TLDs are quite cheap.

> I can't afford to buy domain names that cost $200 a year to purchase.
> .com .net .info , etc. have run out of the names I wish to use.

If you are paying $200/yr for a domain name you are doing something very wrong. I am paying about $12/year. Maybe as high as $15/yr? I'd have to check, it is such a low number I don't really know.

> I have never ever sent a single spam email, but you would block my emails?

Yep.

> Bluntly said, but without malice, that attitude favors the rich
> over the poor.

No, it's not an economic issue at all. You are confusing your DESIRE for a cheap domain 'you want' with having to get a domain in a skeezy TLD.

> I refuse to trust the BIG guys.

That is your choice. My choice is to not accept mail from .xyz or .rocks or .top or many hundreds of others.

Email, having been designed a long time ago, has no mechanism for stopping bad behavior, so it is up to each admin to do what they can to stop unwanted mail. The vast majority of email that is sent is dangerous, malicious, illegal, or unwanted. Not like 505, but in the high 90s.

The mail that a system accepts is based on a variety of trust characteristics that are pretty much unique to every server. My mail server checks the IP address for every connection against several RBLs, checks the connection for certain behaviors before it even allows the connection to start talking to the mail server. Once communication occurs, it checks a lot more things before accepting the message. Nearly every connection attempt is refused and nearly every message that is attempted to be sent is rejected. Even so, of the mail that is accepted, 80% is spam and ends up in the user's junk mail box.

> My dad uses yahoo and
> gets emails yanked away while he is reading it.

This has nothing to do with TLDs.

> There are many other methods to block spam.
> IMHO, blocking by tld is a bit harsh.

That is your opinion and that is fine. But your opinion has zero effect on admins who block TLDs. You have no idea how big an issue spam really is and how much time mail admins spend trying to control it to simply a deluge.

This also is probably not the best group for this discussion.

--
I loved you when our love was blessed
I love you now there's nothing left
But sorrow and a sense of overtime
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On Sat, Feb 12, 2022 at 12:58:03PM +0100, Sebastian Nielsen wrote:
> That's a TLD ban. Meaning *.ru is banned.
>
> same applies for my domain for example, I ban *.xyz, *.date and a few others.
>

I don't understand at all why banning tld is reasonable.

I'm not rich. I buy .rocks and .xyz
.rocks really works well with the domain name.
.xyz is short, memorable and easy to type.

I can't afford to buy domain names that cost $200 a year to purchase.
.com .net .info , etc. have run out of the names I wish to use.

I have never ever sent a single spam email, but you would block my emails?

Bluntly said, but without malice, that attitude favors the rich over the poor.

I refuse to trust the BIG guys. My dad uses yahoo and gets emails yanked away while he is reading it.

Also, I can't find a server company that has IP blocks that are clean enough. I truly wish I could.

There are many other methods to block spam.
IMHO, blocking by tld is a bit harsh.

But you have the right to do whatever method you wish. I will only point out my thoughts.

SPAM sucks! :-)

--
Chris Bennett
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On February 4, 2022 11:56:53 AM AKST, Lev Serebryakov wrote:
> After that I've got several DMARC reports about "spam" from my domain. All
> these reports are about my mailing list post.
>

Interesting. That's exactly how DMARC is supposed to work with reporting enabled. So you've got that set up correctly at any rate!

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.