Re: New filters auth and sign
On Sat, 01 Jun 2024 08:45:00 +0100, "Corey Hickman" wrote:
>
> does it have policy server included? for instance, when DKIM fails, the
> policy can be set up to deny the message.
>

Right now it ignores DMARC as if it doesn't exist. Doing a DMARC lookup for the domain and inserting its results into the header is possible and not a big deal, but it has some issues.

The first is parsing the From header. It is durable, but different MUAs may follow different logic, and a parser for this can be quite complicated. And complicated means bugs.

The second is more ideological. DMARC needs something that aggregates the results and sends out reports. It shouldn't be a filter for smtpd. But a filter can write its decision to a log, and something should harvest it to process and create the reports that need to be sent. Anyway, forensic reports, which should be close to real-time and include a lot of things from the original email, are a much more complicated story.

All this brings up the question of personal data / GDPR and DMARC. I know of a very good analysis of DMARC and GDPR in the case of German law [1], which can be summarized as a quote:

    The reports are fundamentally permitted and justified under data protection law. However, the principle of proportionality is to be complied with at all times.

Based on this analysis, I assume that only aggregated reports can be used without legal headaches in the EU. But implementing only a part of DMARC seems much worse than not implementing it at all, and implementing it in its entirety requires a lot of pieces in place, much more than just a filter. Thus, DMARC was discussed on the OpenBSD mailing lists a few months ago [2].

As a conclusion, I personally use the p=none policy, because I assume that my mail should be delivered, and To is not the final destination, it's a kind of starting direction of the mail's way to the recipient.
Footnotes:
[1] https://certified-senders.org/wp-content/uploads/2018/08/Report_DMARC_and_GDPR.pdf
[2] https://marc.info/?l=openbsd-misc=171015367409290=2

--
wbr, Kirill
Re: New filters auth and sign
June 1, 2024 at 7:34 AM, "Kirill A. Korinsky" wrote:
>
> Greetings,
>
> I'd like to announce two new filters for OpenSMTPD which are better used
> together: auth and sign.
>

does it have policy server included? for instance, when DKIM fails, the policy can be set up to deny the message.

Thanks.
Re: New filters auth and sign
On Sat, 01 Jun 2024 00:34:41 +0100, Kirill A. Korinsky wrote:
>
> Greetings,
>
> I'd like to announce two new filters for OpenSMTPD which are better used
> together: auth and sign.
>

Oops, wrong list. It should be m...@opensmtpd.org. Sorry for the noise.

--
wbr, Kirill
New filters auth and sign
Greetings,

I'd like to announce two new filters for OpenSMTPD which are better used together: auth and sign.

auth is a filter which verifies DKIM, ARC, SPF and iprev. It adds an Authentication-Results header or ARC-Authentication-Results.

sign is a filter which adds a DKIM or ARC signature, or an ARC seal.

For example, I run this configuration:

    filter "auth" proc-exec "filter-auth"

    listen on egress port smtp ... filter { admdscrub, "auth", dnsbl }

    filter sign_ed25519 proc-exec "filter-sign -a ed25519-sha256 -D /etc/mail/domains \
        -s 20240125ed25519 -k /etc/mail/dkim/20240125.ed25519.key" user _dkimsign group _dkimsign
    filter sign_rsa proc-exec "filter-sign -a rsa-sha256 -D /etc/mail/domains \
        -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
    filter arc_auth proc-exec "filter-auth -A"
    filter arc_sign proc-exec "filter-sign -A -a rsa-sha256 -d mx.catap.net \
        -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
    filter arc_seal proc-exec "filter-sign -S -a rsa-sha256 -d mx.catap.net \
        -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
    filter sign chain { sign_ed25519 sign_rsa arc_auth arc_sign arc_seal }

    listen on egress port submission ... filter sign

Here all incoming messages are authorised by adding Authentication-Results, and all outgoing messages are:

- signed by two DKIM signatures with the correct domain (listed in /etc/mail/domains)
- signed by one ARC signature with domain mx.catap.net
- sealed by one ARC seal with domain mx.catap.net

Yeah, it is possible to use different selectors for the ARC signature and seal, but I haven't tested it.

The code is based on Martijn van Duren's filter-dkimsign, filter-dkimverify and filter-spf, and I also used some pieces from spfwalk.c from OpenSMTPD. Man pages for both filters are updated. Thus, the sign filter is a drop-in replacement for filter-dkimsign.
Code available here:
- https://github.com/catap/opensmtpd-filter-auth
- https://github.com/catap/opensmtpd-filter-sign

I also attached the ports for OpenBSD which I used to run it.

How stable is it? Well, enough to share and ask for feedback. It may contain bugs, but it should be fine to use. The produced signature was tested against gmail, yahoo, icloud.com and dkimpy, and it holds. Anyway, outlook.com fails on the ARC signature with errors 35 or 47 (what do they mean?) and produces an invalid signature as the next in the ARC chain (tested by dkimpy).

Thus, this email was sent via a server which uses these filters, so the headers from this email are a good example.

--
wbr, Kirill
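As an added example that is not part of this announcement or of either filter's code, the following Python reads an Authentication-Results header of the kind filter-auth adds and performs the DMARC identifier-alignment check that the DMARC reply in this thread says the filter deliberately leaves out (relaxed alignment by default, strict optional). The sample header, domains, selectors and the two-label organizational-domain shortcut are all constructed for the illustration; From: parsing relies on the standard library's parseaddr, which is one way to cope with the MUA variation mentioned above.

```python
from email.utils import parseaddr

# Constructed sample in the style of RFC 8601; authserv-id, domains and
# selectors are placeholders, not values from the thread.
SAMPLE_AR = (
    "mx.example.net; dkim=pass header.d=example.org header.s=sel1; "
    "dkim=fail header.d=mailer.example.com header.s=k1; "
    "spf=pass smtp.mailfrom=bounce.example.org; iprev=pass"
)
SAMPLE_FROM = '"Alice (Sales)" <alice@Example.org>'

def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv-id,
    [(method, result, {ptype.property: value}), ...]). Assumes no CFWS
    comments and no version token, as in a machine-generated header."""
    authserv, _, rest = value.partition(";")
    results = []
    for clause in rest.split(";"):
        parts = clause.split()
        if not parts:
            continue
        method, _, result = parts[0].partition("=")
        props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        results.append((method.lower(), result.lower(), props))
    return authserv.strip(), results

def org_domain(domain):
    # Organizational domain approximated as the last two labels; real DMARC
    # consults the Public Suffix List (assumption made for brevity).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_eval(ar_value, from_header, strict=False):
    """'pass' if any passing DKIM (header.d) or SPF (smtp.mailfrom)
    identifier aligns with the RFC5322.From domain, else 'fail'."""
    _, from_addr = parseaddr(from_header)  # tolerates display-name noise
    if "@" not in from_addr:
        return "fail"  # no usable From domain: nothing can align
    from_domain = from_addr.rpartition("@")[2]
    _, results = parse_auth_results(ar_value)
    for method, result, props in results:
        if result != "pass" or method not in ("dkim", "spf"):
            continue
        ident = props.get("header.d" if method == "dkim" else "smtp.mailfrom", "")
        if aligned(ident.rpartition("@")[2], from_domain, strict):
            return "pass"
    return "fail"
```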