Re: [mailop] mailop + DMARC + mailman = mung_from
On 02/23/2016 11:46 AM, Andrew C Aitchison wrote:

> (Assuming the operators/rule-setters care about DKIM) I'd expect
> spamassassin to score a broken DKIM signature, but ignore (or treat
> separately) an X-Header.

spamassassin default score for a broken DKIM is:

0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

Just the contrary of what you would think.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] mailop + DMARC + mailman = mung_from
On Tue, 23 Feb 2016, John Levine wrote:

>> I turn the old signature into an X-header, which strips it of its
>> power as far as machine validation goes, but leaves it available for
>> human debugging if desired.
>
> An X-Header and a broken DKIM signature have exactly the same validation
> power: none. It doesn't hurt much (give or take Steve's note about
> debugging) but it also accomplishes nothing.

(Assuming the operators/rule-setters care about DKIM) I'd expect spamassassin to score a broken DKIM signature, but ignore (or treat separately) an X-Header.

> Personally, I really dislike looking at DMARC policy on mail that doesn't
> already score as pretty spammy.

--
Dr. Andrew C. Aitchison
Re: [mailop] mailop + DMARC + mailman = mung_from
>I turn the old signature into an X-header, which strips it of its
>power as far as machine validation goes, but leaves it available for
>human debugging if desired.

An X-Header and a broken DKIM signature have exactly the same validation power: none. It doesn't hurt much (give or take Steve's note about debugging) but it also accomplishes nothing.

>I really dislike leaving a no-longer-valid DKIM signature in place...

You've made that clear, but that's not much of an argument about why it would be a good idea. Personally, I really dislike looking at DMARC policy on mail that doesn't already score as pretty spammy.

R's,
John
Re: [mailop] mailop + DMARC + mailman = mung_from
> On Feb 22, 2016, at 12:48 PM, Jim Popovitch wrote:
>
> On Mon, Feb 22, 2016 at 1:46 PM, John Levine wrote:
>>>> IMHO, Mailman should strip the existing DKIM header and Mailop.org should sign anew.
>>>
>>> Yes! That is the perfect and proper way, despite some rants by less
>>> experienced mailinglist operators.
>>
>> Hi. I've been running mailing lists since the late 1970s and having
>> actually read the DKIM specs and written a fair amount of DKIM code, I
>> know that stripping signatures makes no difference unless someone's
>> mail filters are breathtakingly broken.
>
> But leaving the DKIM signatures provides what actual value with modern
> MLMs (i.e. not .forward files, etc.) ?

The same value as most of the other trace headers - debugging problems after the fact.

"This mail was apparently DKIM signed when sent by the original author" (probably) isn't terribly useful to automation, but it is for human debugging.

Cheers,
Steve
Re: [mailop] mailop + DMARC + mailman = mung_from
On Mon, Feb 22, 2016 at 2:48 PM, Jim Popovitch wrote:
> On Mon, Feb 22, 2016 at 1:46 PM, John Levine wrote:
>>>> IMHO, Mailman should strip the existing DKIM header and Mailop.org should sign anew.
>>>
>>>Yes! That is the perfect and proper way, despite some rants by less
>>>experienced mailinglist operators.
>>
>> Hi. I've been running mailing lists since the late 1970s and having
>> actually read the DKIM specs and written a fair amount of DKIM code, I
>> know that stripping signatures makes no difference unless someone's
>> mail filters are breathtakingly broken.
>
> But leaving the DKIM signatures provides what actual value with modern
> MLMs (i.e. not .forward files, etc.) ?

I'm going to say it's an irrelevant question, because even just the headers that I excerpted in the thread are enough to suggest that John and Google might disagree on what constitutes broken.

Regards,
Al

--
Al Iverson
www.aliverson.com
(312)725-0130
Re: [mailop] mailop + DMARC + mailman = mung_from
On Mon, Feb 22, 2016 at 1:46 PM, John Levine wrote:
>>> IMHO, Mailman should strip the existing DKIM header and Mailop.org should
>>> sign anew.
>>
>>Yes! That is the perfect and proper way, despite some rants by less
>>experienced mailinglist operators.
>
> Hi. I've been running mailing lists since the late 1970s and having
> actually read the DKIM specs and written a fair amount of DKIM code, I
> know that stripping signatures makes no difference unless someone's
> mail filters are breathtakingly broken.

But leaving the DKIM signatures provides what actual value with modern MLMs (i.e. not .forward files, etc.) ?

-Jim P.
Re: [mailop] mailop + DMARC + mailman = mung_from
>> IMHO, Mailman should strip the existing DKIM header and Mailop.org should
>> sign anew.
>
>Yes! That is the perfect and proper way, despite some rants by less
>experienced mailinglist operators.

Hi. I've been running mailing lists since the late 1970s and having actually read the DKIM specs and written a fair amount of DKIM code, I know that stripping signatures makes no difference unless someone's mail filters are breathtakingly broken.

I realize that such brokenness exists here and there, but we really should know better than to pander to it.

R's,
John
Re: [mailop] mailop + DMARC + mailman = mung_from
> On 22 Feb 2016, at 09:14, Renaud Allard via mailop wrote:
>
> Hi,
>
> I am not sure it does the trick, …
...
> In the headers, I have:
> Return-path:
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mailplus2015-12;
> d=mailplus.nl;
> From: David Hofstee
>
> So it seems the From: header has not been changed.

That’s because the domain doesn’t publish dmarc records. The header is only munged for domains that do publish dmarc records.

In this thread, the email from Franck Martin has this header:

From: Franck Martin via mailop

And yours has this From header:

From: Renaud Allard via mailop

--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
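Added example, not part of any message in this thread and not Mailman's own code: a Python sketch of the two list-side rewrites discussed above, munging From only for authors whose domain publishes a DMARC record, and turning the old DKIM-Signature into an X- header. The DMARC table, the sample messages, the Reply-To handling and the header name X-Original-DKIM-Signature are assumptions made for the example.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

LIST_NAME, LIST_ADDR = "mailop", "mailop@mailop.org"

# Constructed stand-in for a DNS TXT lookup of _dmarc.<domain>.
DMARC_TXT = {"dmarc-author.example": "v=DMARC1; p=reject"}

# Constructed sample messages (the signature value is a placeholder).
SIGNED_DMARC = (
    "From: Alice Author <alice@dmarc-author.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=dmarc-author.example; s=sel1; b=PLACEHOLDER\n"
    "Subject: test\n\nbody\n"
)
SIGNED_NO_DMARC = SIGNED_DMARC.replace("dmarc-author.example", "plain-author.example")


def publishes_dmarc(domain, txt=DMARC_TXT):
    """True if the author's domain has a DMARC record (table lookup here)."""
    return txt.get(domain.lower(), "").startswith("v=DMARC1")


def list_rewrite(raw, demote_signature=True):
    """Apply the list's header changes and return the email.message.Message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    if publishes_dmarc(addr.rpartition("@")[2]):
        # Munge From: the list address becomes the author address, so DMARC
        # alignment is evaluated against the list's domain, not the author's.
        del msg["From"]
        msg["From"] = formataddr((f"{name or addr} via {LIST_NAME}", LIST_ADDR))
        if msg["Reply-To"] is None:  # assumption: keep replies reaching the author
            msg["Reply-To"] = formataddr((name, addr))
    if demote_signature:
        # Keep the author's signature for human debugging under a header name
        # that no DKIM verifier evaluates.
        old = msg.get_all("DKIM-Signature", [])
        del msg["DKIM-Signature"]
        for value in old:
            msg["X-Original-DKIM-Signature"] = value  # hypothetical header name
    return msg


if __name__ == "__main__":
    for sample in (SIGNED_DMARC, SIGNED_NO_DMARC):
        print(list_rewrite(sample).as_string())
```
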
Re: [mailop] mailop + DMARC + mailman = mung_from
Hi,

I am not sure it does the trick, at least for me, or maybe you disabled it afterwards.

Here is an excerpt from my logs.

2016-02-22 10:03:22 [7439] H=chilli.nosignal.org [2001:41c8:51:83:feff:ff:fe00:a0b]:50689 I=[2001:bc8:3186:100::a1fa]:25 Warning: CSA status: unknown
2016-02-22 10:03:22 [7439] 1aXmOo-0001vz-1d DKIM: d=mailplus.nl s=mailplus2015-12 c=relaxed/relaxed a=rsa-sha256 [verification failed - signature did not verify (headers probably modified in transit)]

In the headers, I have:

Return-path:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mailplus2015-12;
d=mailplus.nl;
From: David Hofstee

So it seems the From: header has not been changed.

Regards

On 02/09/2016 09:41 AM, Simon Lyall wrote:

> I was away last week [1] so just caught up on the DMARC discussion.
>
> As an experiment I've changed the mailman settings[2] for DMARC'd emails
> to "Munge From"[3] which should change their from address to the list's.
>
> We'll see how that goes.
>
> Simon.
> Mailop co-mod
>
> [1] - at Linux.conf.au , great conference, highly recommended
>
> [2] - Last time I looked I'd swear the option wasn't there so possibly
> mailman was upgraded by Andy recently
>
> [3] - http://wiki.list.org/DEV/DMARC
Re: [mailop] mailop + DMARC + mailman = mung_from
Awesome, many thanks.

(and let's see if it works)

On Tue, Feb 9, 2016 at 12:41 AM, Simon Lyall wrote:
>
> I was away last week [1] so just caught up on the DMARC discussion.
>
> As an experiment I've changed the mailman settings[2] for DMARC'd emails
> to "Munge From"[3] which should change their from address to the list's.
>
> We'll see how that goes.
>
> Simon.
> Mailop co-mod
>
> [1] - at Linux.conf.au , great conference, highly recommended
>
> [2] - Last time I looked I'd swear the option wasn't there so possibly
> mailman was upgraded by Andy recently
>
> [3] - http://wiki.list.org/DEV/DMARC
>
> --
> Simon Lyall | Very Busy | Web: http://www.simonlyall.com/
> "To stay awake all night adds a day to your life" - Stilgar
Re: [mailop] mailop + DMARC + mailman = mung_from
Looks good!

--
Al Iverson - Minneapolis - (312) 275-0130
Simple DNS Tools since 2008: xnnd.com
www.spamresource.com & aliverson.com

On Tue, Feb 9, 2016 at 1:00 PM, Franck Martin via mailop wrote:
> Awesome, many thanks.
>
> (and let's see if it works)
>
> On Tue, Feb 9, 2016 at 12:41 AM, Simon Lyall wrote:
>>
>> I was away last week [1] so just caught up on the DMARC discussion.
>>
>> As an experiment I've changed the mailman settings[2] for DMARC'd emails
>> to "Munge From"[3] which should change their from address to the list's.
>>
>> We'll see how that goes.
>>
>> Simon.
>> Mailop co-mod
>>
>> [1] - at Linux.conf.au , great conference, highly recommended
>>
>> [2] - Last time I looked I'd swear the option wasn't there so possibly
>> mailman was upgraded by Andy recently
>>
>> [3] - http://wiki.list.org/DEV/DMARC
>>
>> --
>> Simon Lyall | Very Busy | Web: http://www.simonlyall.com/
>> "To stay awake all night adds a day to your life" - Stilgar