Re: DMARC auto-away rejects

[RW]

On Sat, 9 Apr 2016 14:50:00 -0400
Alex wrote:

> I'm just now realizing that the DMARC rules I have been using are not
> part of spamassassin proper. In fact, there are apparently no DMARC
> rules as part of spamassassin. Why is that?

Doing it properly needs new code, and no-one has done it.

> The rules I'm using are quite dated and I'm now questioning whether
> they're correct. How are people using DMARC with spamassassin?

I've updated Christian Laußat's rules for my own use to take account of
relaxed alignment, and reduce mailing-list FPs.

 http://pastebin.com/gr41CvCc

An author signature is now only needed if the alignment is strict, or
the from domain is on a (currently short) list that's known to pass
DKIM_VALID_AU. Otherwise any valid signature will do, or any signature
if there's a list-id header.

Since it sees unlikely that anyone would publish a restrictive policy
without adding a DKIM signature, I've added  a couple of meta-rules to
punish that.

> I recall some time ago there being a conversation about a DMARC
> plugin. Was that ever completed? Is it necessary?

I suspect not because spammers change their behaviour to work
around it. 

What I'm seeing is that Yahoo sets a reject policy and all the spam
that claims to be from yahoo has gone through their servers. Gmail is
being spoofed, but they only set a "none" policy. Live.com sets a "none"
policy but without even adding a DKIM header which make DMARC_FAIL_NONE
hard to score in general. I might split  DMARC_FAIL_NONE into two.

As far as fraud is concerned, spammers have long since discovered that
they don't need to make detection easy by spoofing a company's actual
email domain.

Re: DMARC auto-away rejects

[Alex]

Hi,

On Tue, Apr 5, 2016 at 2:52 AM, A. Schulze  wrote:
>
> Alan Hodgson:
>
>> I really believe that's incorrect. Relaxed alignment specifically means
>> you can
>> sign with a subdomain's key or use a subdomain for SPF.
>>
>> Read sections 3.1.2 and 10.4 of that same document, for instance.
>
> Hm. https://tools.ietf.org/html/rfc7489#section-10.4 reads like you're not
> wrong.
> I'll ask some dmarc professionals for clarification ...

I'm just now realizing that the DMARC rules I have been using are not
part of spamassassin proper. In fact, there are apparently no DMARC
rules as part of spamassassin. Why is that?

The rules I'm using are quite dated and I'm now questioning whether
they're correct. How are people using DMARC with spamassassin?

I understand I could install a milter with my MTA, but I can't do that
right now, and like the control that SA gives me. I also understand
DMARC is error-prone with mailing lists and in other cases, which is
another reason why I'd like to use it with SA.

I recall some time ago there being a conversation about a DMARC
plugin. Was that ever completed? Is it necessary?

Thanks for any ideas.
Alex

Re: DMARC auto-away rejects (updated)

[A. Schulze]

Alan Hodgson:

I really believe that's incorrect. Relaxed alignment specifically  
means you can

sign with a subdomain's key or use a subdomain for SPF.

Read sections 3.1.2 and 10.4 of that same document, for instance.


Alan,

you're write! DMARC folks told me so, too.

DMARC Relax alignment is true for:
   - RFC5322.From: example.com
   - DKIM or SPF authentication identifier: sub.example.com

an even true for:
   - RFC5322.From: a.example.com
   - DKIM or SPF authentication identifier: b.example.com

that was new to me. So I vote now for "not AOL's fault"

Andreas

Re: DMARC auto-away rejects

[A. Schulze]

Alan Hodgson:

I really believe that's incorrect. Relaxed alignment specifically  
means you can

sign with a subdomain's key or use a subdomain for SPF.

Read sections 3.1.2 and 10.4 of that same document, for instance.


Hm. https://tools.ietf.org/html/rfc7489#section-10.4 reads like you're  
not wrong.

I'll ask some dmarc professionals for clarification ...

Andreas

Re: DMARC auto-away rejects

[RW]

On Mon, 04 Apr 2016 14:24:09 -0700
Alan Hodgson wrote:

> On Monday, April 04, 2016 11:09:12 PM A. Schulze wrote:
> 
> > As "RW" pointed out: The message has a dkim signature mx.aol.com but
> > RFC5322.From is the /parent/ domain
> > That does not align and dmarc will not pass. It's AOL's fault.
> > 
> > Andreas  
> 
> I really believe that's incorrect. Relaxed alignment specifically
> means you can sign with a subdomain's key or use a subdomain for SPF.
> 
> Read sections 3.1.2 and 10.4 of that same document, for instance.

It sounds like dmarc relaxations break some existing DKIM and SPF
usage. The original email quoted hit the DMARC rule because it hit
DKIM_VALID rather than  DKIM_VALID_AU, so presumably the DKIM whitelist
rules wouldn't work correctly either.

Re: DMARC auto-away rejects

[Alan Hodgson]

On Monday, April 04, 2016 11:09:12 PM A. Schulze wrote:
> really?
> 
> I know DMARC as
> "example.com may dkim sign with example.com. relax alignment will
> match even for RFC5322.From sub.example.com"
> 
> but you claim
> "sub.example.com may dkim sign with sub.example.com a message with
> RFC5322.From example.com and that will be relax aligned"
> -> I don't agree.
> 
> see https://tools.ietf.org/html/rfc7489#appendix-B.1.2
> 
> 
> As "RW" pointed out: The message has a dkim signature mx.aol.com but
> RFC5322.From is the /parent/ domain
> That does not align and dmarc will not pass. It's AOL's fault.
> 
> Andreas

I really believe that's incorrect. Relaxed alignment specifically means you can 
sign with a subdomain's key or use a subdomain for SPF.

Read sections 3.1.2 and 10.4 of that same document, for instance.

Re: DMARC auto-away rejects

[A. Schulze]

Alan Hodgson:


DMARC allows a subdomain to sign the mail with a
relaxed alignment policy.


really?

I know DMARC as
"example.com may dkim sign with example.com. relax alignment will  
match even for RFC5322.From sub.example.com"


but you claim
"sub.example.com may dkim sign with sub.example.com a message with  
RFC5322.From example.com and that will be relax aligned"

-> I don't agree.

see https://tools.ietf.org/html/rfc7489#appendix-B.1.2


As "RW" pointed out: The message has a dkim signature mx.aol.com but  
RFC5322.From is the /parent/ domain

That does not align and dmarc will not pass. It's AOL's fault.

Andreas

Re: DMARC auto-away rejects

[Paul Arthur]

On 2016-04-04, RW  wrote:
> On Mon, 4 Apr 2016 15:29:40 -0400
> Alex wrote:
>
>> >> >> Can someone help me understand why this auto-away message failed
>> >> >> the DMARC tests?
>> >> >>
>> >> >> http://pastebin.com/wXhxex92
>> >> >>
>> >> >> It looks like it passed through an AOL MX, yet SPF still
>> >> >> failed.
>> >> >
>> >> > It didn't fail SPF, it failed to pass because there's no envelope
>> >> > sender address.
>> >>
>> >> DMARC think in alignments. Authentication for SPF or DKIM (or both)
>> >> must be aligned with RFC5322.From.
>> >>
>> >> SPF bind RFC5321.MailFrom to an Entiry. For any
>> >> DeliveryStatusNotification or Autoresonder the RFC5321.MailFrom is
>> >> required to be empty. So SPF *never* could be aligned to
>> >> RFC5322.From for such messages.
>> >
>> > FWIW  automated replies are allowed to have a null address, but
>> > it's not required.
>> >
>> > The important thing is that this one didn't.
>> >
>> >> The only way to generate a DMARC=pass is DKIM. A domainowner has to
>> >> DKIM-sign DeliveryStatusNotification or Autoresonder in alignement
>> >> to the RFC5322.From.
>> >
>> > I assume the OP knows why it didn't pass DKIM since he specifically
>> > mentioned SPF.
>>
>> No, I really don't understand. I have a basic understanding of
>> DKIM/DMARC and understand it's dependent upon SPF, which is why I
>> mentioned that.
>>
>> If I recall, these are treated essentially as DSNs, correct? In these
>> cases, the From is null.z)/x
>
> What matters here is that the the envelope sender was empty rather than
> why it was empty.
>
> I'm assuming that you are using these rules:
>
> https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/
>
>
> meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
>  __DMARC_POLICY_REJECT
>
>  __DMARC_POLICY_REJECT comes from a dns look-up which says that the
> policy is to reject. The rule will then fire if neither  DKIM_VALID_AU
> nor SPF_PASS hit.
>
> SPF can't be  used here because there's no envelope sender, dkim
> passes but it's signed by mx.aol.com not by the domain in the
> header from address, so DKIM_VALID_AU doesn't get hit either.

These rules are broken, then. The default identifier alignment for
DMARC is relaxed, so mail with a valid DKIM signature from *.aol.com
should pass.

>> So ultimately who's at fault here for causing this to fail? AOL? What
>> should have been done to prevent it?
>
> AOL, I guess.

AOL is doing everything correctly.

Re: DMARC auto-away rejects

[Alan Hodgson]

On Monday, April 04, 2016 09:34:56 PM RW wrote:
> On Mon, 04 Apr 2016 13:18:54 -0700
> 
> Alan Hodgson wrote:
> > On Monday, April 04, 2016 08:59:51 PM RW wrote:
> > > I'm assuming that you are using these rules:
> > > 
> > > https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/
> 
> ...
> 
> > That's invalid, though. DMARC allows a subdomain to sign the mail
> > with a relaxed alignment policy. The original message should have
> > passed a DMARC test.
> 
> It's just a collection of rules that make use  of the dmarc dns
> lookup, it doesn't pretend to be a dmarc implementation. See the bottom
> of the page linked.

I see that, and it's a good disclaimer. I would disagree that those tests will 
work as intended in most cases, though. Many ESPs sign with subdomain keys. 
And clearly AOL is, too. Relaxed alignment is the DMARC default.

Re: DMARC auto-away rejects

[RW]

On Mon, 04 Apr 2016 13:18:54 -0700
Alan Hodgson wrote:

> On Monday, April 04, 2016 08:59:51 PM RW wrote:
> > I'm assuming that you are using these rules:
> > 
> > https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/
...
> That's invalid, though. DMARC allows a subdomain to sign the mail
> with a relaxed alignment policy. The original message should have
> passed a DMARC test.

It's just a collection of rules that make use  of the dmarc dns
lookup, it doesn't pretend to be a dmarc implementation. See the bottom
of the page linked.

Re: DMARC auto-away rejects

[Alan Hodgson]

On Monday, April 04, 2016 08:59:51 PM RW wrote:
> I'm assuming that you are using these rules:
> 
> https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/
> 
> 
> meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
>  __DMARC_POLICY_REJECT
> 
>  __DMARC_POLICY_REJECT comes from a dns look-up which says that the
> policy is to reject. The rule will then fire if neither  DKIM_VALID_AU
> nor SPF_PASS hit.
> 
> SPF can't be  used here because there's no envelope sender, dkim
> passes but it's signed by mx.aol.com not by the domain in the
> header from address, so DKIM_VALID_AU doesn't get hit either.
> 

That's invalid, though. DMARC allows a subdomain to sign the mail with a 
relaxed alignment policy. The original message should have passed a DMARC 
test.

> > So ultimately who's at fault here for causing this to fail? AOL? What
> > should have been done to prevent it?
> 
> AOL, I guess.

Uh, no. The test is bad.

Re: DMARC auto-away rejects

[RW]

On Mon, 4 Apr 2016 15:29:40 -0400
Alex wrote:

> Hi,
> 
> >> >> Can someone help me understand why this auto-away message failed
> >> >> the DMARC tests?
> >> >>
> >> >> http://pastebin.com/wXhxex92
> >> >>
> >> >> It looks like it passed through an AOL MX, yet SPF still
> >> >> failed.  
> >> >
> >> > It didn't fail SPF, it failed to pass because there's no envelope
> >> > sender address.  
> >>
> >> DMARC think in alignments. Authentication for SPF or DKIM (or both)
> >> must be aligned with RFC5322.From.
> >>
> >> SPF bind RFC5321.MailFrom to an Entiry. For any
> >> DeliveryStatusNotification or Autoresonder the RFC5321.MailFrom is
> >> required to be empty. So SPF *never* could be aligned to
> >> RFC5322.From for such messages.  
> >
> > FWIW  automated replies are allowed to have a null address, but
> > it's not required.
> >
> > The important thing is that this one didn't.
> >  
> >> The only way to generate a DMARC=pass is DKIM. A domainowner has to
> >> DKIM-sign DeliveryStatusNotification or Autoresonder in alignement
> >> to the RFC5322.From.  
> >
> > I assume the OP knows why it didn't pass DKIM since he specifically
> > mentioned SPF.  
> 
> No, I really don't understand. I have a basic understanding of
> DKIM/DMARC and understand it's dependent upon SPF, which is why I
> mentioned that.
> 
> If I recall, these are treated essentially as DSNs, correct? In these
> cases, the From is null.z)/x

What matters here is that the the envelope sender was empty rather than
why it was empty.

I'm assuming that you are using these rules:

https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/


meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
 __DMARC_POLICY_REJECT

 __DMARC_POLICY_REJECT comes from a dns look-up which says that the
policy is to reject. The rule will then fire if neither  DKIM_VALID_AU
nor SPF_PASS hit.

SPF can't be  used here because there's no envelope sender, dkim
passes but it's signed by mx.aol.com not by the domain in the
header from address, so DKIM_VALID_AU doesn't get hit either.


> So ultimately who's at fault here for causing this to fail? AOL? What
> should have been done to prevent it?

AOL, I guess.

 

Re: DMARC auto-away rejects

[A. Schulze]

Alex:


So ultimately who's at fault here for causing this to fail? AOL? What
should have been done to prevent it?


it depends who generate the DSN.
 - AOL?
   -> then they should DKIM sign their own message.
 - an AOL customer sending on behalf of his own AOL address via AOL  
infrastructure?
   -> then AOL should DKIM sign the message. They autenticate the  
customer and authorize the submission

 - a third party?
   -> submission is not authorized to use aol.com as RFC5322.From.
   -> AOL suggest to reject the message (DMARC Policy p=reject)

Andreas

Re: DMARC auto-away rejects

[Benny Pedersen]

On 4. apr. 2016 21.29.51 Alex  wrote:


So ultimately who's at fault here for causing this to fail? AOL? What
should have been done to prevent it?


envelope sender changes on nexthop, so there can be another sender domain 
pr hop

Re: DMARC auto-away rejects

[RW]

On Mon, 4 Apr 2016 20:25:15 +0100
RW wrote:


> FWIW  automated replies are allowed to have a null address, but
> it's not required. 
> 
> The important thing is that this one didn't.

I meant this one didn't have an address, rather than didn't have a null
address.

Re: DMARC auto-away rejects

[Alex]

Hi,

>> >> Can someone help me understand why this auto-away message failed
>> >> the DMARC tests?
>> >>
>> >> http://pastebin.com/wXhxex92
>> >>
>> >> It looks like it passed through an AOL MX, yet SPF still failed.
>> >
>> > It didn't fail SPF, it failed to pass because there's no envelope
>> > sender address.
>>
>> DMARC think in alignments. Authentication for SPF or DKIM (or both)
>> must be aligned with RFC5322.From.
>>
>> SPF bind RFC5321.MailFrom to an Entiry. For any
>> DeliveryStatusNotification or Autoresonder the RFC5321.MailFrom is
>> required to be empty. So SPF *never* could be aligned to
>> RFC5322.From for such messages.
>
> FWIW  automated replies are allowed to have a null address, but
> it's not required.
>
> The important thing is that this one didn't.
>
>> The only way to generate a DMARC=pass is DKIM. A domainowner has to
>> DKIM-sign DeliveryStatusNotification or Autoresonder in alignement
>> to the RFC5322.From.
>
> I assume the OP knows why it didn't pass DKIM since he specifically
> mentioned SPF.

No, I really don't understand. I have a basic understanding of
DKIM/DMARC and understand it's dependent upon SPF, which is why I
mentioned that.

If I recall, these are treated essentially as DSNs, correct? In these
cases, the From is null.

So ultimately who's at fault here for causing this to fail? AOL? What
should have been done to prevent it?

Re: DMARC auto-away rejects

[RW]

On Mon, 04 Apr 2016 20:35:42 +0200
A. Schulze wrote:

> RW:
> 
> > On Mon, 4 Apr 2016 13:00:11 -0400
> > Alex wrote:
> >  
> >> Hi,
> >>
> >> Can someone help me understand why this auto-away message failed
> >> the DMARC tests?
> >>
> >> http://pastebin.com/wXhxex92
> >>
> >> It looks like it passed through an AOL MX, yet SPF still failed.  
> >
> > It didn't fail SPF, it failed to pass because there's no envelope
> > sender address.  
> 
> DMARC think in alignments. Authentication for SPF or DKIM (or both)  
> must be aligned with RFC5322.From.
> 
> SPF bind RFC5321.MailFrom to an Entiry. For any  
> DeliveryStatusNotification or Autoresonder the RFC5321.MailFrom is  
> required to be empty. So SPF *never* could be aligned to
> RFC5322.From for such messages.


FWIW  automated replies are allowed to have a null address, but
it's not required. 

The important thing is that this one didn't.

> The only way to generate a DMARC=pass is DKIM. A domainowner has to  
> DKIM-sign DeliveryStatusNotification or Autoresonder in alignement
> to the RFC5322.From.

I assume the OP knows why it didn't pass DKIM since he specifically
mentioned SPF.

Re: DMARC auto-away rejects

[A. Schulze]

A. Schulze:


So SPF *never* could be aligned to RFC5322.From for such messages.

even if spf=pass...

The only way to generate a DMARC=pass is DKIM. A domainowner has to  
DKIM-sign DeliveryStatusNotification or Autoresonder in alignement  
to the RFC5322.From.

This is even more important if the domain use p=quarantine or p=reject.


like to see an exapmle? write to echo at signing-milter do org

Andreas

Re: DMARC auto-away rejects

[A. Schulze]

RW:


On Mon, 4 Apr 2016 13:00:11 -0400
Alex wrote:


Hi,

Can someone help me understand why this auto-away message failed the
DMARC tests?

http://pastebin.com/wXhxex92

It looks like it passed through an AOL MX, yet SPF still failed.


It didn't fail SPF, it failed to pass because there's no envelope sender
address.


DMARC think in alignments. Authentication for SPF or DKIM (or both)  
must be aligned with RFC5322.From.


SPF bind RFC5321.MailFrom to an Entiry. For any  
DeliveryStatusNotification or Autoresonder the RFC5321.MailFrom is  
required to be empty. So SPF *never* could be aligned to RFC5322.From  
for such messages.


The only way to generate a DMARC=pass is DKIM. A domainowner has to  
DKIM-sign DeliveryStatusNotification or Autoresonder in alignement to  
the RFC5322.From.

This is even more important if the domain use p=quarantine or p=reject.

Andreas

Re: DMARC auto-away rejects

[RW]

On Mon, 4 Apr 2016 13:00:11 -0400
Alex wrote:

> Hi,
> 
> Can someone help me understand why this auto-away message failed the
> DMARC tests?
> 
> http://pastebin.com/wXhxex92
> 
> It looks like it passed through an AOL MX, yet SPF still failed.

It didn't fail SPF, it failed to pass because there's no envelope sender
address.