Re: [mailop] mailop + DMARC + mailman = mung_from

2016-02-23 Thread Renaud Allard via mailop

On 02/23/2016 11:46 AM, Andrew C Aitchison wrote:


> (Assuming the operators/rule-setters care about DKIM)
> I'd expect spamassassin to score a broken DKIM signature,
> but ignore (or treat separately) an X-Header.

spamassassin default score for a broken DKIM is:

0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

Just the contrary of what you would think.



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] mailop + DMARC + mailman = mung_from

2016-02-23 Thread Andrew C Aitchison


On Tue, 23 Feb 2016, John Levine wrote:


>> I turn the old signature into an X-header, which strips it of its
>> power as far as machine validation goes, but leaves it available for
>> human debugging if desired.
>
> An X-Header and a broken DKIM signature have exactly the same
> validation power: none.  It doesn't hurt much (give or take Steve's
> note about debugging) but it also accomplishes nothing.

(Assuming the operators/rule-setters care about DKIM)
I'd expect spamassassin to score a broken DKIM signature,
but ignore (or treat separately) an X-Header.

> Personally, I really dislike looking at DMARC policy on mail that
> doesn't already score as pretty spammy.


--
Dr. Andrew C. Aitchison



Re: [mailop] mailop + DMARC + mailman = mung_from

2016-02-22 Thread John Levine
>I turn the old signature into an X-header, which strips it of its
>power as far as machine validation goes, but leaves it available for
>human debugging if desired.

An X-Header and a broken DKIM signature have exactly the same
validation power: none.  It doesn't hurt much (give or take Steve's
note about debugging) but it also accomplishes nothing.

>I really dislike leaving a no-longer-valid DKIM signature in place...

You've made that clear, but that's not much of an argument about why
it would be a good idea.

Personally, I really dislike looking at DMARC policy on mail that
doesn't already score as pretty spammy.

R's,
John



Re: [mailop] mailop + DMARC + mailman = mung_from

2016-02-22 Thread Steve Atkins

> On Feb 22, 2016, at 12:48 PM, Jim Popovitch wrote:
> 
> On Mon, Feb 22, 2016 at 1:46 PM, John Levine wrote:
>>>> IMHO, Mailman should strip the existing DKIM header and Mailop.org should
>>>> sign anew.
>>> 
>>> Yes!  That is the perfect and proper way, despite some rants by less
>>> experienced mailinglist operators.
>> 
>> Hi.  I've been running mailing lists since the late 1970s and having
>> actually read the DKIM specs and written a fair amount of DKIM code, I
>> know that stripping signatures makes no difference unless someone's
>> mail filters are breathtakingly broken.
> 
> But leaving the DKIM signatures provides what actual value with modern
> MLMs (i.e. not .forward files, etc.)  ?

The same value as most of the other trace headers - debugging problems
after the fact. "This mail was apparently DKIM signed when sent by the
original author" (probably) isn't terribly useful to automation, but it is for
human debugging.

Cheers,
  Steve




Re: [mailop] mailop + DMARC + mailman = mung_from

2016-02-22 Thread Al Iverson
On Mon, Feb 22, 2016 at 2:48 PM, Jim Popovitch wrote:
> On Mon, Feb 22, 2016 at 1:46 PM, John Levine wrote:
>>>> IMHO, Mailman should strip the existing DKIM header and Mailop.org should
>>>> sign anew.
>>>
>>>Yes!  That is the perfect and proper way, despite some rants by less
>>>experienced mailinglist operators.
>>
>> Hi.  I've been running mailing lists since the late 1970s and having
>> actually read the DKIM specs and written a fair amount of DKIM code, I
>> know that stripping signatures makes no difference unless someone's
>> mail filters are breathtakingly broken.
>
> But leaving the DKIM signatures provides what actual value with modern
> MLMs (i.e. not .forward files, etc.)  ?

I'm going to say it's an irrelevant question, because even just the
headers that I excerpted in the thread are enough to suggest that John
and Google might disagree on what constitutes broken.

Regards,
Al

--
Al Iverson
www.aliverson.com
(312)725-0130



Re: [mailop] mailop + DMARC + mailman = mung_from

2016-02-22 Thread Jim Popovitch
On Mon, Feb 22, 2016 at 1:46 PM, John Levine wrote:
>>> IMHO, Mailman should strip the existing DKIM header and Mailop.org should 
>>> sign anew.
>>
>>Yes!  That is the perfect and proper way, despite some rants by less
>>experienced mailinglist operators.
>
> Hi.  I've been running mailing lists since the late 1970s and having
> actually read the DKIM specs and written a fair amount of DKIM code, I
> know that stripping signatures makes no difference unless someone's
> mail filters are breathtakingly broken.

But leaving the DKIM signatures provides what actual value with modern
MLMs (i.e. not .forward files, etc.)  ?

-Jim P.



Re: [mailop] mailop + DMARC + mailman = mung_from

2016-02-22 Thread John Levine
>> IMHO, Mailman should strip the existing DKIM header and Mailop.org should 
>> sign anew.
>
>Yes!  That is the perfect and proper way, despite some rants by less
>experienced mailinglist operators.

Hi.  I've been running mailing lists since the late 1970s and having
actually read the DKIM specs and written a fair amount of DKIM code, I
know that stripping signatures makes no difference unless someone's
mail filters are breathtakingly broken.

I realize that such brokenness exists here and there, but we really
should know better than to pander to it.

R's,
John



Re: [mailop] mailop + DMARC + mailman = mung_from

2016-02-22 Thread Ian Eiloart

> On 22 Feb 2016, at 09:14, Renaud Allard via mailop wrote:
> 
> Hi,
> 
> I am not sure it does the trick, …
...
> In the headers, I have:
> Return-path: 
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mailplus2015-12; 
> d=mailplus.nl;
> From: David Hofstee 
> 
> So it seems the From: header has not been changed.

That’s because the domain doesn’t publish dmarc records. The header is only 
munged for domains that do publish dmarc records. In this thread, the email 
from Franck Martin has this header:

From: Franck Martin via mailop 

And yours has this From header:

From: Renaud Allard via mailop 

-- 
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
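
The conditional rewrite Ian describes, as an added Python sketch that is not part of the original thread and is not Mailman's code. The DNS data, the `example` domains, the function names, the Reply-To handling and the set of policies that trigger the rewrite are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed stand-in for _dmarc TXT lookups; all domains are placeholders.
DMARC_TXT = {
    "_dmarc.strict.example": "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "_dmarc.watching.example": "v=DMARC1; p=none",
}

def dmarc_policy(domain, txt=DMARC_TXT):
    """Return the published p= value for domain, or None if there is no record."""
    record = txt.get("_dmarc." + domain.lower())
    if not record:
        return None
    parts = (p.partition("=") for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def munge_from(msg, list_name, list_addr, trigger=("reject", "quarantine")):
    """Rewrite From: to the list address when the author domain's policy is in
    trigger. The default trigger set is an assumption, and the organizational
    domain fallback of a full DMARC lookup is left out."""
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2]
    if dmarc_policy(domain) not in trigger:
        return False  # no triggering policy: the author's From: is left alone
    original = msg["From"]
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    if "Reply-To" not in msg:
        msg["Reply-To"] = original  # assumption: keep the author reachable
    return True

if __name__ == "__main__":
    # Constructed sample messages, one per case.
    for sender in ("alice@strict.example", "bob@nodmarc.example"):
        m = message_from_string(f"From: Sender <{sender}>\nSubject: hi\n\nbody\n")
        print(munge_from(m, "mailop", "mailop@mailop.org"), m["From"])
```
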



Re: [mailop] mailop + DMARC + mailman = mung_from

2016-02-22 Thread Renaud Allard via mailop

Hi,

I am not sure it does the trick, at least for me, or maybe you disabled 
it afterwards. Here is an excerpt from my logs.


2016-02-22 10:03:22 [7439] H=chilli.nosignal.org 
[2001:41c8:51:83:feff:ff:fe00:a0b]:50689 I=[2001:bc8:3186:100::a1fa]:25 
Warning: CSA status: unknown
2016-02-22 10:03:22 [7439] 1aXmOo-0001vz-1d DKIM: d=mailplus.nl 
s=mailplus2015-12 c=relaxed/relaxed a=rsa-sha256 [verification failed - 
signature did not verify (headers probably modified in transit)]


In the headers, I have:
Return-path: 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mailplus2015-12; 
d=mailplus.nl;

From: David Hofstee 

So it seems the From: header has not been changed.

Regards

On 02/09/2016 09:41 AM, Simon Lyall wrote:


> I was away last week [1] so just caught up on the DMARC discussion.
>
> As an experiment I've changed the mailman settings[2] for DMARC'd emails
> to "Munge From"[3] which should change their from address to the list's.
>
> We'll see how that goes.
>
> Simon.
> Mailop co-mod
>
> [1] - at Linux.conf.au , great conference, highly recommended
>
> [2] - Last time I looked I'd swear the option wasn't there so possibly
> mailman was upgraded by Andy recently
>
> [3] - http://wiki.list.org/DEV/DMARC








Re: [mailop] mailop + DMARC + mailman = mung_from

2016-02-09 Thread Franck Martin via mailop
Awesome, many thanks.

(and let's see if it works)

On Tue, Feb 9, 2016 at 12:41 AM, Simon Lyall wrote:

>
> I was away last week [1] so just caught up on the DMARC discussion.
>
> As an experiment I've changed the mailman settings[2] for DMARC'd emails
> to "Munge From"[3] which should change their from address to the list's.
>
> We'll see how that goes.
>
> Simon.
> Mailop co-mod
>
> [1] - at Linux.conf.au , great conference, highly recommended
>
> [2] - Last time I looked I'd swear the option wasn't there so possibly
> mailman was upgraded by Andy recently
>
> [3] - http://wiki.list.org/DEV/DMARC
>
>
> --
> Simon Lyall  |  Very Busy  |  Web: http://www.simonlyall.com/
> "To stay awake all night adds a day to your life" - Stilgar
>
>


Re: [mailop] mailop + DMARC + mailman = mung_from

2016-02-09 Thread Al Iverson
Looks good!

--
Al Iverson - Minneapolis - (312) 275-0130
Simple DNS Tools since 2008: xnnd.com
www.spamresource.com & aliverson.com


On Tue, Feb 9, 2016 at 1:00 PM, Franck Martin via mailop wrote:
> Awesome, many thanks.
>
> (and let's see if it works)
>
> On Tue, Feb 9, 2016 at 12:41 AM, Simon Lyall wrote:
>>
>>
>> I was away last week [1] so just caught up on the DMARC discussion.
>>
>> As an experiment I've changed the mailman settings[2] for DMARC'd emails
>> to "Munge From"[3] which should change their from address to the list's.
>>
>> We'll see how that goes.
>>
>> Simon.
>> Mailop co-mod
>>
>> [1] - at Linux.conf.au , great conference, highly recommended
>>
>> [2] - Last time I looked I'd swear the option wasn't there so possibly
>> mailman was upgraded by Andy recently
>>
>> [3] - http://wiki.list.org/DEV/DMARC
>>
>>
>> --
>> Simon Lyall  |  Very Busy  |  Web: http://www.simonlyall.com/
>> "To stay awake all night adds a day to your life" - Stilgar
>>
>>