Re: New filters auth and sign

2024-06-01 Thread Kirill A . Korinsky 
On Sat, 01 Jun 2024 08:45:00 +0100,
"Corey Hickman"  wrote:
> 
> does it have policy server included? for instance, when DKIM fails, the 
> policy can be set up to deny the message.
> 

Right now it ignores DMARC as if it doesn't exist.

Doing a DMARC lookup for domain and inserting it's results into the header
is possible and not a big deal, but it has some issues.

The first is parsing the From header. It is durable, but different MUA may
follow different logic and parser for this can be quite complicated. And
complicated means bugs.

The second is more ideological. DMARC needs something that aggregates the
results and sends out reports. It shouldn't be a filter for smtpd. But a
filter can write it's decision to log, and something should harvest it to
process and create reports that need to be sent. Anyway, forensic reports,
which should be close to real-time and include a lot of things from the
original email, is a much more complicated story.

All this brings up the question of personal data / GDPR and DMARC. I know of
a very good analysis of DMARC and GDPR in the case of German law [1], which
can be summarized as a quote:

  The reports are fundamentally permitted and justified under data
  protection law. However, the principle of proportionality is to be
  complied with at all times.

Based on this analysis, I assume that only aggregated reports can be used
without legal headaches in the EU.

But implementing only a part of DMARC seems as much worse than not
implementing it at all, and implementing it in its entirety requires a lot
of pieces in place, much more than just a filter.

Thus, DMARC was discussed on the OpenBSD mailing lists a few months ago [2].

As a conclusion, I personally use the p=none policy, because I assume that
my mail should be delivered, and To is not the final destination, it's a
kind of starting direction of the mail's way to the recipient.

Footnotes:
[1]  
https://certified-senders.org/wp-content/uploads/2018/08/Report_DMARC_and_GDPR.pdf

[2]  https://marc.info/?l=openbsd-misc=171015367409290=2

-- 
wbr, Kirill

Re: New filters auth and sign

2024-06-01 Thread Corey Hickman 
June 1, 2024 at 7:34 AM, "Kirill A. Korinsky"  wrote:



> 
> Greetings,
> 
> I'd like to announce a two new filters for OpenSMTD which better to use
> 
> together: auth and sign.
> 

does it have policy server included? for instance, when DKIM fails, the policy 
can be set up to deny the message.

Thanks.

Re: New filters auth and sign

2024-05-31 Thread Kirill A . Korinsky 
On Sat, 01 Jun 2024 00:34:41 +0100,
Kirill A. Korinsky  wrote:
> 
> Greetings,
> 
> I'd like to announce a two new filters for OpenSMTD which better to use
> together: auth and sign.
>

Oops, wrong list. It should be m...@opensmtpd.org.

Sorry for nosy.

-- 
wbr, Kirill

New filters auth and sign

2024-05-31 Thread Kirill A . Korinsky 
Greetings,

I'd like to announce a two new filters for OpenSMTD which better to use
together: auth and sign.

auth is a filter which verify DKMI, ARC and SPF, and iprev. It adds
Authentication-Results header or ARC-Authentication-Results.

sign is a filter which adds DKMI or ARC signature, or ARC seal.

For example, I run configuration:

  filter "auth" proc-exec "filter-auth"
  listen on egress port smtp ... filter { admdscrub, "auth", dnsbl }

  filter sign_ed25519 proc-exec "filter-sign -a ed25519-sha256 -D 
/etc/mail/domains \
 -s 20240125ed25519 -k /etc/mail/dkim/20240125.ed25519.key" user 
_dkimsign group _dkimsign
  filter sign_rsa proc-exec "filter-sign -a rsa-sha256 -D /etc/mail/domains \
 -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign 
group _dkimsign

  filter arc_auth proc-exec "filter-auth -A"
  filter arc_sign proc-exec "filter-sign -A -a rsa-sha256 -d mx.catap.net \
 -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign 
group _dkimsign
  filter arc_seal proc-exec "filter-sign -S -a rsa-sha256 -d mx.catap.net \
 -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign 
group _dkimsign

  filter sign chain { sign_ed25519 sign_rsa arc_auth arc_sign arc_seal }

  listen on egress port submission ... filter sign

Here all incomming messages is autorised by adding Authentication-Results,
and all outcomming messages:
 - signed by two DKMI signature with correct domain (list in /etc/mail/domains)
 - signed by one ARC signature with domain mx.catap.net
 - seal by one ARC seal with domain mx.catap.net

Yeah, it is possible to use different selectors for ARC signature and seal,
but I haven't tested it.

The code is based on Martijn van Duren's filter-dkimsign, filter-dkimverify
and filter-spf, and I also used some pices from spfwalk.c from OpenSMTPD.

Man pages for both filters are updated.

Thus, sign filter is drop-in replacment for filter-dkimsign.

Code available here:
 - https://github.com/catap/opensmtpd-filter-auth
 - https://github.com/catap/opensmtpd-filter-sign

I also attached ports for OpenBSD which I used to run it.

How stable it is? Well, enough to share and ask for feedback. It may
contains bugs, but it should be fine to use.

Produced signature was tested against gmail, yahoo, icloud.com and dkimpy
and it holds. Anyway, outlook.com fails on ARC signature with errors 35 or
47 (what does it mean?) and produced invalid signature as the next in ARC
chain (tested by dkimpy).

Thus, this email were sent via server which uses that filters, so, headers
from this email a good example.

-- 
wbr, Kirill


filters.tgz
Description: Binary data