Re: [mailop] [FEEDBACK REQUEST] Allowing Messages with Bcc to travel the internet.

2023-01-22 Thread John Levine via mailop
It appears that Bill Cole via mailop said:
>Usually a command-line MUA on a POSIX system will use the local 
>'sendmail' implementation, which may be the "real" Sendmail or may be an 
>alternative such as that provided by Postfix, which directly injects 
>messages into a local mail queue rather than speaking SMTP.

Well, sometimes. The Mac on which I am typing this is running postfix
set up to forward everything to the submission server on a smarthost.
It's always been common to have small POSIX systems set up as stubs
relaying through a bigger one. Going the other way, sometimes it's
an MUA that speaks POP or IMAP, sometimes it's fetchmail to a local
mailbox.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Branch: Fixing incorrect headers in emails

2023-01-22 Thread Sebastian Nielsen via mailop
>>second guess senders

Of course, you should never "guess" anything. For example, don't correct
spelling errors in subject lines.

I'm talking when a header is incorrect, invalid, or unparseable, or if header
is unusable for another reason **AND** the fault is easily fixable.

As I said, if there are characters in Subject which crash MUAs or cause backup
jobs to stall, just delete those characters.

Or when Date: header is off (which then causes email to land in the middle of
inbox - super irritating), just replace it with current date/time.

Or if a forward is set up and you don't want to break SPF or DMARC with strict
alignment.

For example:
If al...@yourdomain.com is forwarded to a...@example.org, do this:

From: sender@somedomain.com
To: alice@yourdomain.com

forward as:

From: alice@yourdomain.com
To: aa@example.org
Reply-To: sen...@somedomain.com
(strip any DKIM signatures and resign with key for yourdomain.com)

There are many modifications done by MTAs that are fully legit.


Re: [mailop] [FEEDBACK REQUEST] Allowing Messages with Bcc to travel the internet.

2023-01-22 Thread Ángel via mailop
On 2023-01-18 at 16:52 -0800, Brandon Long wrote:
> Note that Gmail implements 
> https://www.rfc-editor.org/rfc/rfc5322#section-3.6.3 option 2, notably:
>    In the second
>    case, recipients specified in the "To:" and "Cc:" lines each are sent
>    a copy of the message with the "Bcc:" line removed as above, but the
>    recipients on the "Bcc:" line get a separate copy of the message
>    containing a "Bcc:" line.  (When there are multiple recipient
>    addresses in the "Bcc:" field, some implementations actually send a
>    separate copy of the message to each recipient with a "Bcc:"
>    containing only the address of that particular recipient.
> 
> Gmail actually does the part in the parenthesis, each individual bcc 
> recipient will get a message with themselves in the bcc
> (or rather, the single email address that the message was sent to that 
> eventually reached them)

I should note that the user-is-in-bcc approach could be helpful wrt
dkim-replay attacks, since the attacker-controlled account they used to
receive the dkim-signed spam mail would be present in the bcc header
(and thus stand out). It would be less conspicuous to include
themselves in To: or Cc:

(This would obviously require the DKIM header to include bcc, which for
instance gmail is not doing)


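The check described in the message above, as an added example (not part of the original post and not any provider's code): a receiver-side classifier that reads the `h=` tag of `DKIM-Signature` to see whether `Bcc` is covered, then compares the signed `Bcc:` address with the envelope recipient. It assumes the signature has already been verified by the receiving MTA; the function names, verdict strings and sample addresses are constructed for illustration.

```python
import email
from email.utils import getaddresses

def signed_headers(dkim_value):
    """Lower-cased header names listed in the h= tag of one DKIM-Signature value."""
    tags = {}
    for part in dkim_value.split(";"):
        name, sep, value = part.partition("=")  # b=/bh= values may contain '='
        if sep:
            tags[name.strip()] = value
    return [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]

def bcc_replay_check(raw_message, envelope_rcpt):
    """Classify a message whose DKIM signature is assumed to be already verified."""
    msg = email.message_from_string(raw_message)
    sigs = msg.get_all("DKIM-Signature", [])
    if not sigs:
        return "no-dkim"
    if not any("bcc" in signed_headers(s) for s in sigs):
        return "bcc-not-signed"       # Bcc can be added or dropped after signing
    # Addresses are compared case-insensitively (a simplification).
    bcc = [addr.lower() for _, addr in getaddresses(msg.get_all("Bcc", []))]
    if not bcc:
        return "bcc-signed-absent"    # signed as absent: adding one breaks the signature
    if envelope_rcpt.lower() in bcc:
        return "bcc-signed-match"
    return "bcc-signed-mismatch"      # signed for another mailbox: replay indicator

def sample(h_tag, bcc_line=""):
    """Constructed message; domains, selector and bh=/b= values are placeholders."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=sel1;\n"
        f"\th={h_tag}; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
        "From: news@sender.example\n"
        "To: list@sender.example\n"
        f"{bcc_line}"
        "Subject: constructed sample\n"
        "\n"
        "body\n"
    )

if __name__ == "__main__":
    replayed = sample("from:to:subject:date:bcc", "Bcc: dropbox@freemail.example\n")
    print(bcc_replay_check(replayed, "someone@elsewhere.example"))
```

A `bcc-not-signed` verdict is the case the message notes for Gmail: the `Bcc:` line is outside the signature, so it carries no evidence either way.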


Re: [mailop] [FEEDBACK REQUEST] Allowing Messages with Bcc to travel the internet.

2023-01-22 Thread Slavko via mailop
On 22 January 2023 13:11:44 UTC, Alessandro Vesely via mailop wrote:

>Are classic command line tools à la mailx considered MUAs? 

Are you asking me?

Both RFC 5068 and RFC 6409 define MUA in a similar way (with slightly
different words):

+ RFC 5068:

Mail User Agent (MUA) -- works on behalf of end users to create a message
and perform initial "submission" into the transmission infrastructure...

+ RFC 6409:

Message User Agent (MUA) -- A process that acts (often on behalf
of a user and with a user interface) to compose and submit new
messages...

(I omit the receiving parts)

Thus IMO mailx is MUA:

+ it composes (new) message on behalf of (some) user
+ it submits (new) message to email transmission
+ it has UI (actually CLI)

IMO key here is "initial submission" and "new message", the UI is
not important and if some (computer) account is user or not is
hard to distinguish, at least in general.

Have you another opinion?

> They typically send to local port 25, which accepts relaying from all local 
> users.

Receiving message from users (as not from other MTA) is submission
and RFC is clear in that it must be authenticated. But one of the mentioned
methods is authentication by IP, which IMO is this localhost case. In other
words, it doesn't matter if it is over port 25, 587 or 465, the MTA acts
as MSA in this case, because it receives **new** message.

I don't know how other MTA/MSA, but in exim that "relaying" from
localhost must be explicitly configured (AFAIK it is in default/example
config, at least on Debian). But I require real auth even on local
connections, e.g. on webserver (with some exceptions over stdin), to
prevent "random" PHP scripts from sending emails via local MSA.

AFAIK, port 25 is used for MSA only due to historical reasons or to simplify
configuration on localhost. People are often confused by the fact that both MTA
and MSA are often in the same daemon and that both use SMTP,
and thus they try to distinguish them by port number, but port can be
virtually anything (with some limitation due to MX record format).

> DKIM signing depends on how local mail is filtered; at mine signing comes 
> before submitting, in a pipeline ending with sendmail.

I don't understand what you mean by "filtering" here, perhaps
deciding which messages will be signed and which not? IMO
DKIM signing depends on private key and message content
(and settings how to sign), but it seems that we are about different
things...

To create already signed message as new and initially send
it is possible, even with mailx, but AFAIK it cannot sign it itself.

regards

-- 
Slavko
https://www.slavino.sk/


Re: [mailop] [FEEDBACK REQUEST] Allowing Messages with Bcc to travel the internet.

2023-01-22 Thread Bill Cole via mailop

On 2023-01-22 at 08:11:44 UTC-0500 (Sun, 22 Jan 2023 14:11:44 +0100)
Alessandro Vesely via mailop
is rumored to have said:

> Are classic command line tools à la mailx considered MUAs?

Yes.

> They typically send to local port 25, which accepts relaying from all
> local users.

Not so much.

Usually a command-line MUA on a POSIX system will use the local
'sendmail' implementation, which may be the "real" Sendmail or may be an
alternative such as that provided by Postfix, which directly injects
messages into a local mail queue rather than speaking SMTP.

> DKIM signing depends on how local mail is filtered; at mine signing
> comes before submitting, in a pipeline ending with sendmail.

That's uncommon.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] [FEEDBACK REQUEST] Allowing Messages with Bcc to travel the internet.

2023-01-22 Thread Alessandro Vesely via mailop

On Sun 22/Jan/2023 12:02:26 +0100 Slavko via mailop wrote:
> On 21 Jan 2023 13:22:09 -0500, John R Levine via mailop wrote:
>
>> Sorry, but I have no idea what model you are talking about.  MUAs
>> invariably send mail to the MSA over an authenticated channel, and I
>> have never seen an MUA sign a message's headers.
>
> That depends on what you consider as MUA.
>
> Is web app, which "sends emails to MSA over authenticated channel" MUA?
> IMO yes, and I have at least one web app which provides DKIM sign
> (webtrees). I don't use that feature, as I consider it as bad approach,
> I even don't understand how it is supposed to work, but it is there.

Are classic command line tools à la mailx considered MUAs?  They typically send
to local port 25, which accepts relaying from all local users.  DKIM signing
depends on how local mail is filtered; at mine signing comes before submitting,
in a pipeline ending with sendmail.


If that way of submitting is unusual for origination, for forwarding it's not. 
With the difference that the envelope is not derived from the header in the 
latter case.  While the final effect is similar to Bcc:, forwarding implies an 
external mechanism to input recipient addresses.


Excuse me for repeating the obvious.
Ale
--








Re: [mailop] [FEEDBACK REQUEST] Allowing Messages with Bcc to travel the internet.

2023-01-22 Thread Slavko via mailop
Hello,

On 21 Jan 2023 13:22:09 -0500, John R Levine via mailop wrote:


> Sorry, but I have no idea what model you are talking about.  MUAs 
> invariably send mail to the MSA over an authenticated channel, and I
> have never seen an MUA sign a message's headers.

That depends on what you consider as MUA.

Is web app, which "sends emails to MSA over authenticated channel" MUA?
IMO yes, and I have at least one web app which provides DKIM sign
(webtrees). I don't use that feature, as I consider it as bad approach,
I even don't understand how it is supposed to work, but it is there.

regards

-- 
Slavko
https://www.slavino.sk

