Re: Stripping Received: headers

2016-10-30 Thread Noel Jones
On 10/30/2016 5:16 AM, Den1 wrote:
> 
> You are saying that "there is only one action allowed per header". I guess
> this is the reason why it does not work. My
> /^User-Agent: .*/   IGNORE  triggers 
> 
> and all the other rules like
> /^Received: .*/ IGNORE
> /^X-Originating-IP:/ IGNORE
> and so on are not taken into account/consideration then and therefore do not
> work, is that right?

One action per header line.  header_checks wouldn't be very useful
if it only allowed one entry for the entire header section.  Surely
this is clear in the documentation.

> 
> Plus, you mentioned in your other post that header_checks and
> smtp_header_checks if used together may mangle each other and conflict? Did

No, that's not what I said.  header_checks work on input.
smtp_header_checks work during smtp delivery to a remote system.

A separate statement: don't mangle headers that aren't yours.


Although I'm somewhat dismayed you can't get your header_checks
working, I'll remind you that Received: headers are extremely
low-value in terms of information leakage.  So this isn't really
worth wasting any more time on.




  -- Noel Jones


SV: DKIM not verifying without signature

2016-10-30 Thread Sebastian Nielsen
You can add "AlwaysAddARHeader yes"
Then opendkim will always add a verification header even if no signature.

There are also the following options available:
On-BadSignature 
On-Default 
On-DNSError 
On-InternalError 
On-KeyNotFound 
On-NoSignature 
On-Security 
On-SignatureError 

Which can be set if you want to reject or otherwise process mail with
certain signature errors. For example, rejecting mails with no DKIM sig.



Bill Cole: What he is after is the "There's no signature" result.
Not adding a header could mean a bogus source could insert a fake
"Signature valid" header and pass DKIM validation.
By always adding a verification result, even when no sig is found, a fake
header would mean there's a double result, or (if opendkim is configured to
remove fake headers) only the genuine header, which means it can be easily
detected that somebody is attempting to cheat.


-----Original Message-----
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of Robert Fitzpatrick
Sent: 30 October 2016 17:44
To: Postfix 
Subject: DKIM not verifying without signature

The opendkim mailing list seems not to be available any longer, so I thought
I'd try here. I'm trying to get a handle on how to set up DKIM properly on a
gateway server, not even sure if what I'm trying to do is possible.
This gateway serves as an MX with ClamAV+Amavisd+SA filtering as well as the
smarthost for the subject domain.

I can get opendkim to sign when coming from an entry in the TrustedHosts
file, but it is not verifying unless a signature is present. Does dkim only
verify when a signature is added or can I set it up so the domain is verified
with or without a signature? It would be ideal to get the
'Authentication-Results' header to use in SA scoring and reject as needed. I
do have an SA rule now that gives a high kill score when a message hits
SPF_FAIL without hitting DKIM_VALID as well. But, it seems SPF is not enough
these days.

From what I understand from the opendkim man page, the 'Mode' default is
'sv' to sign and verify. I didn't think 'On-BadSignature' should be used since
there is no signature. Here is my opendkim.conf:

LogWhy              yes
Syslog              yes
SyslogSuccess       yes
Canonicalization    relaxed/simple
KeyTable            /usr/local/etc/opendkim/KeyTable
SigningTable        /usr/local/etc/opendkim/SigningTable
ExternalIgnoreList  /usr/local/etc/opendkim/TrustedHosts
InternalHosts       /usr/local/etc/opendkim/TrustedHosts
Socket              inet:8891@localhost
ReportAddress       postmas...@webtent.net
SendReports         yes

And the contents of my TrustedHosts file:

#127.0.0.1
#localhost
208.38.145.0/26
216.139.202.0/27

I commented out the localhost portions because it was signing twice, both
after the initial Received header and then again after being received by the
filter. The latter two networks are internal network sources I do not want
to verify, only sign.

I send a message hoping to be rejected and it is not, the resulting headers
show nothing dkim related:

> Return-Path: 
> Received: from mx2.webtent.net (mx2.webtent.net [216.139.202.4])
>   by www1.webtent.net (8.13.8/8.13.8) with ESMTP id u9UFtNwo025106
>   for ; Sun, 30 Oct 2016 11:55:23 -0400
> Received: from localhost (localhost [127.0.0.1])
>   by mx2.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange)
>   with ESMTP id 5991AD7E50
>   for ; Sun, 30 Oct 2016 11:55:23 -0400 (EDT)
> Received: from mx2.webtent.net ([127.0.0.1])  by localhost 
> (mx2.webtent.net [127.0.0.1]) (maiad, port 10024) with ESMTP  id 
> 08148-06 for ; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)
> Received-SPF: Pass (sender SPF authorized) identity=mailfrom; 
> client-ip=96.254.71.164; helo=[192.168.1.110]; 
> envelope-from=administra...@subjectdomain.com; 
> receiver=rob...@rfitz.com
> Received: from [192.168.1.110] (media.rfitz.com [96.254.71.164])
>   by mx2.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange)
>   with ESMTP id A11D7D7E46
>   for ; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)
> Message-ID: <581617e9.5080...@subjectdomain.com>
> Date: Sun, 30 Oct 2016 11:55:21 -0400
> From: MRI Tampa 
> User-Agent: Postbox 4.0.8 (Windows/20151105)
> MIME-Version: 1.0
> To: Rob Fitzpatrick 
> Subject: Test DKIM with no auth
> References: <58161558.2090...@subjectdomain.com> 
> <58161684.7010...@subjectdomain.com>
> In-Reply-To: <58161684.7010...@subjectdomain.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
> X-Virus-Scanned: WebTent Mailguard 1.0.3
> X-Spam-Status: No, hits=-1.901 tagged_above=-999 required=5  
> tests=BAYES_00=-1.9, SPF_PASS=-0.001

And the log entries show:

> root@mx2:/usr/local/etc # grep A11D7D7E46 /var/log/maillog Oct 

Re: DKIM not verifying without signature

2016-10-30 Thread Bill Cole

On 30 Oct 2016, at 12:43, Robert Fitzpatrick wrote:

The opendkim mailing list seems not to be available any longer, so I thought 
I'd try here. I'm trying to get a handle on how to set up DKIM properly 
on a gateway server, not even sure if what I'm trying to do is 
possible. This gateway serves as an MX with ClamAV+Amavisd+SA 
filtering as well as the smarthost for the subject domain.


I can get opendkim to sign when coming from an entry in the 
TrustedHosts file, but it is not verifying unless a signature is 
present. Does dkim only verify when a signature is added or can I 
set it up so the domain is verified with or without a signature?


Can you set up magic? or machine telepathy?

If there's no DKIM signature, what exactly do you think opendkim can use 
to do a verification?


[snip... I'm sure it's significant, but I'm not familiar enough with 
opendkim to see a problem...]



And the contents of my TrustedHosts file:

#127.0.0.1
#localhost
208.38.145.0/26
216.139.202.0/27

I commented out the localhost portions because it was signing twice, 
both after the initial Received header and then again after being received 
by the filter. The latter two networks are internal network sources I 
do not want to verify, only sign.


The trick in preventing that is not to stop trusting localhost but 
rather to make the after-filter smtpd instance not use opendkim. Share 
your 'postconf -nf' and 'postconf -Mf' output for help on doing that. 
It's probably just a matter of adding no_milters to the "-o 
receive_override_options=" directive for the after-filter smtpd 
definition in master.cf.


I send a message hoping to be rejected and it is not, the resulting 
headers show nothing dkim related:


Right. It's not from a source you want opendkim to sign for and opendkim 
has no signature it could try to verify. DKIM can only provide a 
thumbs-up or a shrug, it has no useful repudiation result. Anything 
looking at headers afterwards can see that there's no signature, which 
by the definition of DKIM is logically equivalent to an invalid 
signature. To convert the meaning of no signature into a derogatory 
assertion, you would need to use something like ADSP or DMARC whereby a 
domain owner can assert that unsigned or mis-signed mail claiming to be 
from them should be deemed bogus.


HOWEVER, note this:


Return-Path: 

[...]
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; 
client-ip=96.254.71.164; helo=[192.168.1.110]; 
envelope-from=administra...@subjectdomain.com; 
receiver=rob...@rfitz.com

[...]

From: MRI Tampa 


This means SPF has authenticated the RFC5321.MailFrom (envelope 
sender/Return-Path) which happens in this case to match the RFC5322.From 
(From header) so no rational filtering system would consider it forged 
or reject the mail on the basis that it lacks a DKIM signature.
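The two points made in this thread, Sebastian Nielsen's (a forged "Signature valid" header shows up as a double Authentication-Results result once opendkim always writes its own) and Bill Cole's (an unsigned message whose SPF-authenticated envelope sender matches the From domain is not evidence of forgery), as a small checker. This is an added example, not code from the thread or from opendkim; the authserv-id mx.example.org, the example.net/example.org addresses and the header blocks are constructed, and "alignment" here is a strict comparison of the two domains rather than DMARC's organizational-domain rule.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# The authserv-id our own opendkim instance writes into Authentication-Results
# (constructed value for this example; opendkim defaults it to the hostname).
LOCAL_AUTHSERV_ID = "mx.example.org"

# Constructed headers: unsigned mail where opendkim (AlwaysAddARHeader yes)
# recorded dkim=none and SPF passed for an envelope sender in the From domain.
GENUINE_ONLY = """\
Return-Path: <bounce@example.net>
Authentication-Results: mx.example.org; dkim=none (no signature)
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; envelope-from=bounce@example.net
From: Sender <sender@example.net>
To: user@example.org
Subject: test
"""

# Constructed headers: the same mail, but the sender smuggled in two
# Authentication-Results headers claiming dkim=pass, one even using our id.
# opendkim prepends its own header, so the genuine one is the topmost.
WITH_FORGED = """\
Return-Path: <bounce@example.net>
Authentication-Results: mx.example.org; dkim=none (no signature)
Authentication-Results: mx.example.org; dkim=pass header.d=example.net
Authentication-Results: mail.elsewhere.example; dkim=pass header.d=example.net
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; envelope-from=bounce@example.net
From: Sender <sender@example.net>
To: user@example.org
Subject: test
"""

METHOD_RE = re.compile(r"([A-Za-z0-9-]+)\s*=\s*([A-Za-z0-9-]+)")


def parse_auth_results(value):
    """Split 'authserv-id [version]; method=result ...' (RFC 7601 syntax) into
    (authserv_id, {method: result}); parenthesised comments are dropped."""
    value = re.sub(r"\([^)]*\)", "", value)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0].lower() if parts else ""
    results = {}
    for segment in parts[1:]:
        m = METHOD_RE.match(segment)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv_id, results


def domain_of(address_header):
    """Domain part of the address in a From/Return-Path style header."""
    return parseaddr(address_header or "")[1].rpartition("@")[2].lower()


def evaluate(raw_headers, authserv_id=LOCAL_AUTHSERV_ID):
    """Trust only Authentication-Results written by our own authserv-id, flag
    a second copy as tampering, and report whether the SPF-authenticated
    envelope sender is in the same domain as the From header."""
    msg = HeaderParser().parsestr(raw_headers)
    trusted, foreign = [], []
    for value in msg.get_all("Authentication-Results", []):
        aid, results = parse_auth_results(value)
        (trusted if aid == authserv_id.lower() else foreign).append(results)
    spf_header = msg.get("Received-SPF")
    return {
        # The topmost trusted header is the one our milter just added.
        "dkim": trusted[0].get("dkim") if trusted else None,
        "trusted_ar_count": len(trusted),
        "foreign_ar_ignored": len(foreign),
        "suspicious": len(trusted) > 1,
        "spf": spf_header.split()[0].lower() if spf_header else None,
        "mailfrom_aligned": domain_of(msg.get("Return-Path")) == domain_of(msg.get("From")),
    }


if __name__ == "__main__":
    for label, headers in (("genuine only", GENUINE_ONLY), ("with forged", WITH_FORGED)):
        print(label, evaluate(headers))
```

For the genuine message the result is dkim=none with spf=pass and an aligned envelope sender, which is exactly the "shrug" Bill describes rather than a failure; for the tampered message the checker sees two results under our own authserv-id and marks it suspicious, while the header from mail.elsewhere.example is simply not consulted.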


DKIM not verifying without signature

2016-10-30 Thread Robert Fitzpatrick
The opendkim mailing list seems not to be available any longer, so I thought 
I'd try here. I'm trying to get a handle on how to set up DKIM properly 
on a gateway server, not even sure if what I'm trying to do is possible. 
This gateway serves as an MX with ClamAV+Amavisd+SA filtering as well as 
the smarthost for the subject domain.


I can get opendkim to sign when coming from an entry in the TrustedHosts 
file, but it is not verifying unless a signature is present. Does dkim 
only verify when a signature is added or can I set it up so the domain is 
verified with or without a signature? It would be ideal to get the 
'Authentication-Results' header to use in SA scoring and reject as 
needed. I do have an SA rule now that gives a high kill score when a 
message hits SPF_FAIL without hitting DKIM_VALID as well. But, it seems 
SPF is not enough these days.


From what I understand from the opendkim man page, the 'Mode' default 
is 'sv' to sign and verify. I didn't think 'On-BadSignature' should be 
used since there is no signature. Here is my opendkim.conf:


LogWhy              yes
Syslog              yes
SyslogSuccess       yes
Canonicalization    relaxed/simple
KeyTable            /usr/local/etc/opendkim/KeyTable
SigningTable        /usr/local/etc/opendkim/SigningTable
ExternalIgnoreList  /usr/local/etc/opendkim/TrustedHosts
InternalHosts       /usr/local/etc/opendkim/TrustedHosts
Socket              inet:8891@localhost
ReportAddress       postmas...@webtent.net
SendReports         yes

And the contents of my TrustedHosts file:

#127.0.0.1
#localhost
208.38.145.0/26
216.139.202.0/27

I commented out the localhost portions because it was signing twice, 
both after the initial Received header and then again after being received 
by the filter. The latter two networks are internal network sources I do 
not want to verify, only sign.


I send a message hoping to be rejected and it is not, the resulting 
headers show nothing dkim related:



Return-Path: 
Received: from mx2.webtent.net (mx2.webtent.net [216.139.202.4])
by www1.webtent.net (8.13.8/8.13.8) with ESMTP id u9UFtNwo025106
for ; Sun, 30 Oct 2016 11:55:23 -0400
Received: from localhost (localhost [127.0.0.1])
by mx2.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange) with 
ESMTP id 5991AD7E50
for ; Sun, 30 Oct 2016 11:55:23 -0400 (EDT)
Received: from mx2.webtent.net ([127.0.0.1])
 by localhost (mx2.webtent.net [127.0.0.1]) (maiad, port 10024) with ESMTP
 id 08148-06 for ; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; 
client-ip=96.254.71.164; helo=[192.168.1.110]; 
envelope-from=administra...@subjectdomain.com; receiver=rob...@rfitz.com
Received: from [192.168.1.110] (media.rfitz.com [96.254.71.164])
by mx2.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange) with 
ESMTP id A11D7D7E46
for ; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)
Message-ID: <581617e9.5080...@subjectdomain.com>
Date: Sun, 30 Oct 2016 11:55:21 -0400
From: MRI Tampa 
User-Agent: Postbox 4.0.8 (Windows/20151105)
MIME-Version: 1.0
To: Rob Fitzpatrick 
Subject: Test DKIM with no auth
References: <58161558.2090...@subjectdomain.com> 
<58161684.7010...@subjectdomain.com>
In-Reply-To: <58161684.7010...@subjectdomain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: WebTent Mailguard 1.0.3
X-Spam-Status: No, hits=-1.901 tagged_above=-999 required=5
 tests=BAYES_00=-1.9, SPF_PASS=-0.001


And the log entries show:


root@mx2:/usr/local/etc # grep A11D7D7E46 /var/log/maillog
Oct 30 11:55:21 mx2 postfix/smtpd[8876]: A11D7D7E46: 
client=media.rfitz.com[96.254.71.164]
Oct 30 11:55:21 mx2 postfix/cleanup[8818]: A11D7D7E46: 
message-id=<581617e9.5080...@subjectdomain.com>
Oct 30 11:55:21 mx2 opendkim[8799]: A11D7D7E46: media.rfitz.com [96.254.71.164] 
not internal
Oct 30 11:55:21 mx2 opendkim[8799]: A11D7D7E46: not authenticated
Oct 30 11:55:21 mx2 postfix/qmgr[8810]: A11D7D7E46: 
from=, size=954, nrcpt=1 (queue active)
Oct 30 11:55:23 mx2 postfix/smtp[8901]: A11D7D7E46: to=, 
relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=0.5/0/0.01/1.7, dsn=2.6.0, 
status=sent (250 2.6.0 Ok, id=08148-06, from MTA: 250 2.0.0 Ok: queued as 5991AD7E50)
Oct 30 11:55:23 mx2 postfix/qmgr[8810]: A11D7D7E46: removed


--
Robert



Re: Stripping Received: headers

2016-10-30 Thread Den1
Noel Jones-2 wrote
> On 10/29/2016 1:45 AM, Den1 wrote:
>> Could you please, advise where do I exactly place those three in order
>> for
>> them to work (based on my postconf -n and postconf -Mf pasted here)? 
>> 
>> 1.) -o cleanup_service_name=subcleanup
> 
> The above line may be added after any smtpd service in master.cf,
> and must be indented.
> http://www.postfix.org/smtpd.8.html
> 
>> 2.)  subcleanup unix n   -   -   -   0   cleanup
> 
> This line can be added anywhere in master.cf, followed by indented
> options accepted by cleanup(8), such as "  -o header_checks=."
> http://www.postfix.org/cleanup.8.html
> 
>> 3.) -o smtp_header_checks=regexp:/etc/postfix/header_checks
> 
> smtp_header_checks are a property of the smtp(8) delivery transport.
>  As such, it can be added after any "smtp" transport in master.cf.
> http://www.postfix.org/smtp.8.html
> 
> Some things to keep in mind...
> - only one action is allowed per header.  If a header matches
> multiple lines in your header_checks file, only the first match is
> performed.
> - You can have postfix log all the headers it examines with a
> header_check like:
> /./ INFO
> Note this prevents any further matches from being processed (one
> action per header).
> - postfix does see headers added by milters, see mime_header_checks
> (default value $header_checks).
> - postfix does not see headers added after postfix has received the
> mail, such as headers added by downstream content filters or a
> next-hop relay.
> - read the documentation!  Great effort has been put into
> documenting postfix clearly and correctly.
> 
> http://www.postfix.org/documentation.html
> http://www.postfix.org/header_checks.5.html
> http://www.postfix.org/postconf.5.html (for main.cf syntax)
> http://www.postfix.org/master.5.html (for master.cf syntax)
> 
>   -- Noel Jones

Thank you so much for your tips. I really do appreciate it.

I have of course read the docs many times before trying to implement it,
but it still does not work. I could've missed something somewhere. I will
keep on trying though.

You are saying that "there is only one action allowed per header". I guess
this is the reason why it does not work. My
/^User-Agent: .*/   IGNORE  triggers 

and all the other rules like
/^Received: .*/ IGNORE
/^X-Originating-IP:/ IGNORE
and so on are not taken into account/consideration then and therefore do not
work, is that right?

Plus, you mentioned in your other post that header_checks and
smtp_header_checks if used together may mangle each other and conflict? Did
I understand you correctly? I will toggle them just to test and to check if
that could be the reason as well...  I haven't tried yet to use either
header_checks or smtp_header_checks only. I have always used them both at
the same time. Would be thankful for any further comments. 
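Noel's "one action per header" rule and his warning that a catch-all `/./ INFO` line stops any later rule from matching are easy to see in a small model of how Postfix walks a header_checks table. The following is an added example, not Postfix code and not from anyone in the thread: it implements only the subset of regexp-table syntax shown here (`/pattern/ ACTION`, case-insensitive, no flags, only IGNORE and INFO acted on), and the two rule tables and the message headers are constructed.

```python
import re

# Constructed header_checks table in Postfix regexp: style, "/pattern/ ACTION"
# per line. The catch-all logging rule sits ABOVE the IGNORE rules, which is
# the pitfall described in the thread: it wins for every header.
RULES_INFO_FIRST = """
/./ INFO
/^Received: .*/ IGNORE
/^User-Agent: .*/ IGNORE
/^X-Originating-IP:/ IGNORE
"""

# Same rules with the catch-all moved last, so it only logs what survives.
RULES_INFO_LAST = """
/^Received: .*/ IGNORE
/^User-Agent: .*/ IGNORE
/^X-Originating-IP:/ IGNORE
/./ INFO
"""

# Constructed message headers (not the ones posted in the thread).
# Continuation lines start with whitespace, as in RFC 5322.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id ABC123
\tfor <user@example.org>; Sun, 30 Oct 2016 11:55:23 -0400
Received: from [192.168.1.110] (client.example.net [198.51.100.7])
\tby mail.example.net (Postfix) with ESMTP id DEF456
From: Sender <sender@example.net>
To: user@example.org
Subject: test
User-Agent: Example MUA 1.0
X-Originating-IP: [198.51.100.7]
Date: Sun, 30 Oct 2016 11:55:21 -0400
"""

RULE_RE = re.compile(r"^/(.*)/\s+(\S+)(?:\s+(.*))?$")


def parse_rules(text):
    """Parse '/pattern/ ACTION [text]' lines into (compiled_regex, ACTION).
    Postfix regexp tables match case-insensitively by default; the optional
    flags after the closing slash are not modelled here."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"bad rule: {line!r}")
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2).upper()))
    return rules


def fold_headers(raw):
    """Join continuation lines so each logical header is one string; that
    logical header line is the unit header_checks evaluates."""
    logical = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical


def apply_header_checks(rule_text, raw_headers):
    """Return (kept_headers, log). The first matching rule decides the action
    for a header and no later rule is consulted. Only IGNORE (drop) and INFO
    (log and keep) are modelled; any other action keeps the header."""
    rules = parse_rules(rule_text)
    kept, log = [], []
    for header in fold_headers(raw_headers):
        action = next((act for pat, act in rules if pat.search(header)), None)
        if action == "IGNORE":
            log.append(f"ignore: {header.split(':', 1)[0]}")
            continue
        if action == "INFO":
            log.append(f"info: {header}")
        kept.append(header)
    return kept, log


def header_names(kept):
    """Field names of the surviving headers, for a compact comparison."""
    return [h.split(":", 1)[0] for h in kept]


if __name__ == "__main__":
    for label, rules in (("INFO first", RULES_INFO_FIRST), ("INFO last", RULES_INFO_LAST)):
        kept, log = apply_header_checks(rules, SAMPLE_HEADERS)
        print(f"{label}: kept {header_names(kept)}")
        for entry in log:
            print("  ", entry)
```

With the catch-all first, every header is logged and nothing is stripped, because `/./` is the first match for all of them; with it last, the Received:, User-Agent: and X-Originating-IP: lines are dropped and only the remaining four are logged. Ordering, not the number of IGNORE rules, decides the outcome.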





