Re: [Ietf-dkim] DKIM-Signature: r=y and MLM

2018-10-24 Thread Hector Santos

On 10/24/2018 4:53 PM, Дилян Палаузов wrote:

> PS:
> 
> Please describe the handling of the above message by the MLM if the
> original message contained, in addition,
>    DKIM-Signature: v=1; d=isdg.net; r=y; …
> 
> ... or something different than r=y that permits finding faulty DKIM
> implementations.


Our DKIM implementation does not support this "r=y" tag.  In general, 
per DKIM specification, all unknown DKIM-signature tags are ignored.



> <<< 554 REJECTED BY SYSTEM POLICY FILTER
> Last-Attempt-Date: Wed, 24 Oct 2018 20:32:15 GMT


Offhand, it appears your IP address was filtered by a Geo IP Location 
database.  This is done immediately at the connection level, so we have 
limited SMTP session logs to look at.


I'm contacting you off list.

--
HLS


___
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim


Re: [Ietf-dkim] [dmarc-ietf] DKIM-Signature: r=y and MLM

2018-10-24 Thread Hector Santos

On 10/24/2018 5:18 PM, Kurt Andersen wrote:


> On Mon, Oct 15, 2018 at 7:30 AM Hector Santos
> 
>> What it should do is:
>> 
>> 1) It should use a 1st party signature using d=dmarc.ietf.org
>>    to match the new author domain dmarc.ietf.org
>> 
>> 2) It should hash bind the X-Original-From header to the
>>    signature.  Since DKIM recommends not to bind "X-" headers,
>>    a non "X-" header should be used, i.e. "Original-From:".  This
>>    means adding the header to the "h=" field to avoid potential
>>    mail resend exploits using different unprotected Original-From:
>>    fields.
>> 
>> 3) and finally, the dmarc.ietf.org domain should have its own
>>    DMARC p=reject policy to effectively replace the one it
>>    circumvented with the submission.
> 
> I don't understand why it is necessarily a bad thing to fall back to
> the org domain (ietf.org) as this example shows.


Because DKIM policy security was lost with the rewrite transaction.

Since the list agent took responsibility by performing a rewrite on a 
protected domain, it is reasonable to assume it can restore the 
protection using its own secured list agent domain.  Without it, it 
leaves a security hole with the unprotected "X-Original-From" which it 
does not hash bind to the new signature.



> I also don't understand how your suggestion would work to handle a
> mixture of restrictive policies (some quarantine, some reject) with a
> single _dmarc.dmarc.ietf.org record
> unless there is some trick DNS responder magic going on (and that
> won't work well for cached responses anyway).


If I follow your comment, the specific rewrite list agent domain can 
have its own strong p=reject or quarantine.  I don't see that as a 
problem.  It would not matter what the original author domain 
restrictive policy was. It doesn't have to match.


The original domain was protected with a strong policy. The MLM, 
rather than reject the submission, ignored the policy and rewrote the 
5322.From. It does this only for p=reject policies. I have not checked 
if it does it for p=quarantine.  The rewrite should be done with a 
strong policy of its own to restore the original submission and author 
domain protection. There should also be a new first party signature 
(aligned).  At a minimum, the distributed message should bind the 
altered header so that replays can be avoided.


--
HLS
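As an added example (not code from the thread, the IETF list software or any DKIM implementation), the checks behind the argument in this message and the earlier point that unknown tags such as r=y are ignored: a small parser for the DKIM-Signature tag-list that reports unknown tags, whether Original-From is hash-bound via h=, and how d= aligns with the rewritten 5322.From domain. The signatures, selectors and b= values are constructed stand-ins, and the organizational-domain rule is a two-label approximation rather than a Public Suffix List lookup.

```python
import re

# DKIM-Signature tags defined by RFC 6376; anything else must be ignored by
# a conforming verifier, which is what the r=y question probes.
KNOWN_TAGS = {"v", "a", "b", "bh", "c", "d", "h", "i", "l", "q", "s", "t", "x", "z"}

def parse_tags(sig):
    """Return {tag: value} for one DKIM-Signature value (folding whitespace removed)."""
    tags = {}
    for part in sig.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:  # skips the empty element left by a trailing ';'
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def unknown_tags(tags):
    """Tags a verifier ignores per RFC 6376 section 3.2, e.g. the proposed r=y."""
    return sorted(set(tags) - KNOWN_TAGS)

def binds_header(tags, name):
    """True if header `name` is listed in h=, i.e. covered by the signature hash."""
    return name.lower() in (h.lower() for h in tags.get("h", "").split(":"))

def org_domain(domain):
    # Assumption: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().split(".")[-2:])

def alignment(tags, from_domain):
    """DMARC identifier alignment of d= with the 5322.From domain (RFC 7489 3.1.1)."""
    d = tags.get("d", "").lower()
    if d == from_domain.lower():
        return "strict"
    return "relaxed" if org_domain(d) == org_domain(from_domain) else None

# Constructed signatures modelled on the thread; b= values are placeholders.
# The author's original signature, carrying the hypothetical r=y tag:
ORIGINAL_SIG = "v=1; a=rsa-sha256; d=isdg.net; s=sel; r=y; h=From:To:Subject; b=XXXX"
# What the list emits after rewriting From to dmarc.ietf.org (Original-From unbound):
LIST_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; "
            "h=Date:To:Subject:List-Id:From; b=XXXX")
# What Hector proposes: strictly aligned d= and Original-From hash-bound via h=.
PROPOSED_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=dmarc.ietf.org; s=list; "
                "h=Date:To:Subject:List-Id:Original-From:From; b=XXXX")

if __name__ == "__main__":
    for label, sig in (("list", LIST_SIG), ("proposed", PROPOSED_SIG)):
        t = parse_tags(sig)
        print(label, alignment(t, "dmarc.ietf.org"), binds_header(t, "Original-From"))
    print("ignored:", unknown_tags(parse_tags(ORIGINAL_SIG)))
```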




Re: [Ietf-dkim] DKIM-Signature: r=y and MLM

2018-10-24 Thread Дилян Палаузов

PS:

> For example, the ietf.org mailing list has begun to rewrite and it 
> replaces the 5322.From with a dmarc.ietf.org domain, adds a new 
> X-Original-From header and resigns the message using an ietf.org 
> signer domain:
> 
>DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; 
> s=ietf1;
>   t=1537415189; bh=TJWGUVdPL8OTY+HJnUzpBRd52OaKfWjFqS68Cby0s/M=;
>   h=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:
>   List-Archive:List-Post:List-Help:List-Subscribe:From;
>   b=.
> X-Original-From: Hector Santos 
> From: Hector Santos 
> 
> What it should do is:
> 
>1) It should use a 1st party signature using d=dmarc.ietf.org to
>   match the new author domain dmarc.ietf.org.
> 
>2) It should hash bind the X-Original-From header to the
>   signature.  Since DKIM recommends not to bind "X-" headers,
>   a non "X-" header should be used, i.e. "Original-From:".  This
>   means adding the header to the "h=" field to avoid potential
>   mail resend exploits using different unprotected Original-From:
>   fields.
> 
>3) and finally, the dmarc.ietf.org domain should have its own
>   DMARC p=reject policy to effectively replace the one it
>   circumvented with the submission.
> 

Please describe the handling of the above message by the MLM if the
original message contained, in addition,
  DKIM-Signature: v=1; d=isdg.net; r=y; …

... or something different than r=y that permits finding faulty DKIM
implementations.


Apart from this, on the last email I sent “To: Hector Santos <hsan...@isdg.net>, ietf-dkim@ietf.org”, I got:

Date: Wed, 24 Oct 2018 20:32:15 GMT
From: Mail Delivery Subsystem 
Message-Id: <201810242032.w9okwfsc027...@mail.aegee.org>
Content-Type: multipart/report; report-type=delivery-status;
boundary="w9OKWFSc027376.1540413135/mail.aegee.org"
Content-Transfer-Encoding: 8bit
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--w9OKWFSc027376.1540413135/mail.aegee.org

The original message was received at Wed, 24 Oct 2018 20:32:10 GMT
from ipbcc2def0.dynamic.kabel-deutschland.de [188.194.222.240]

   - The following addresses had permanent fatal errors -

(reason: 554 REJECTED BY SYSTEM POLICY FILTER)

   - Transcript of session follows -
... while talking to mail.isdg.net.:
<<< 554 REJECTED BY SYSTEM POLICY FILTER
554 5.0.0 Service unavailable

--w9OKWFSc027376.1540413135/mail.aegee.org
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.aegee.org
Received-From-MTA: DNS; ipbcc2def0.dynamic.kabel-deutschland.de
Arrival-Date: Wed, 24 Oct 2018 20:32:10 GMT

Final-Recipient: RFC822; hsan...@isdg.net
Action: failed
Status: 5.5.0
Diagnostic-Code: SMTP; 554 REJECTED BY SYSTEM POLICY FILTER
Last-Attempt-Date: Wed, 24 Oct 2018 20:32:15 GMT
