Re: DMARC auto-away rejects
On Sat, 9 Apr 2016 14:50:00 -0400 Alex wrote: > I'm just now realizing that the DMARC rules I have been using are not > part of spamassassin proper. In fact, there are apparently no DMARC > rules as part of spamassassin. Why is that? Doing it properly needs new code, and no-one has done it. > The rules I'm using are quite dated and I'm now questioning whether > they're correct. How are people using DMARC with spamassassin? I've updated Christian Laußat's rules for my own use to take account of relaxed alignment, and reduce mailing-list FPs. http://pastebin.com/gr41CvCc An author signature is now only needed if the alignment is strict, or the from domain is on a (currently short) list that's known to pass DKIM_VALID_AU. Otherwise any valid signature will do, or any signature if there's a list-id header. Since it sees unlikely that anyone would publish a restrictive policy without adding a DKIM signature, I've added a couple of meta-rules to punish that. > I recall some time ago there being a conversation about a DMARC > plugin. Was that ever completed? Is it necessary? I suspect not because spammers change their behaviour to work around it. What I'm seeing is that Yahoo sets a reject policy and all the spam that claims to be from yahoo has gone through their servers. Gmail is being spoofed, but they only set a "none" policy. Live.com sets a "none" policy but without even adding a DKIM header which make DMARC_FAIL_NONE hard to score in general. I might split DMARC_FAIL_NONE into two. As far as fraud is concerned, spammers have long since discovered that they don't need to make detection easy by spoofing a company's actual email domain.
Re: DMARC auto-away rejects
Hi, On Tue, Apr 5, 2016 at 2:52 AM, A. Schulzewrote: > > Alan Hodgson: > >> I really believe that's incorrect. Relaxed alignment specifically means >> you can >> sign with a subdomain's key or use a subdomain for SPF. >> >> Read sections 3.1.2 and 10.4 of that same document, for instance. > > Hm. https://tools.ietf.org/html/rfc7489#section-10.4 reads like you're not > wrong. > I'll ask some dmarc professionals for clarification ... I'm just now realizing that the DMARC rules I have been using are not part of spamassassin proper. In fact, there are apparently no DMARC rules as part of spamassassin. Why is that? The rules I'm using are quite dated and I'm now questioning whether they're correct. How are people using DMARC with spamassassin? I understand I could install a milter with my MTA, but I can't do that right now, and like the control that SA gives me. I also understand DMARC is error-prone with mailing lists and in other cases, which is another reason why I'd like to use it with SA. I recall some time ago there being a conversation about a DMARC plugin. Was that ever completed? Is it necessary? Thanks for any ideas. Alex
Re: DMARC auto-away rejects (updated)
Alan Hodgson: I really believe that's incorrect. Relaxed alignment specifically means you can sign with a subdomain's key or use a subdomain for SPF. Read sections 3.1.2 and 10.4 of that same document, for instance. Alan, you're write! DMARC folks told me so, too. DMARC Relax alignment is true for: - RFC5322.From: example.com - DKIM or SPF authentication identifier: sub.example.com an even true for: - RFC5322.From: a.example.com - DKIM or SPF authentication identifier: b.example.com that was new to me. So I vote now for "not AOL's fault" Andreas
Re: DMARC auto-away rejects
Alan Hodgson: I really believe that's incorrect. Relaxed alignment specifically means you can sign with a subdomain's key or use a subdomain for SPF. Read sections 3.1.2 and 10.4 of that same document, for instance. Hm. https://tools.ietf.org/html/rfc7489#section-10.4 reads like you're not wrong. I'll ask some dmarc professionals for clarification ... Andreas
Re: DMARC auto-away rejects
On Mon, 04 Apr 2016 14:24:09 -0700 Alan Hodgson wrote: > On Monday, April 04, 2016 11:09:12 PM A. Schulze wrote: > > > As "RW" pointed out: The message has a dkim signature mx.aol.com but > > RFC5322.From is the /parent/ domain > > That does not align and dmarc will not pass. It's AOL's fault. > > > > Andreas > > I really believe that's incorrect. Relaxed alignment specifically > means you can sign with a subdomain's key or use a subdomain for SPF. > > Read sections 3.1.2 and 10.4 of that same document, for instance. It sounds like dmarc relaxations break some existing DKIM and SPF usage. The original email quoted hit the DMARC rule because it hit DKIM_VALID rather than DKIM_VALID_AU, so presumably the DKIM whitelist rules wouldn't work correctly either.
Re: DMARC auto-away rejects
On Monday, April 04, 2016 11:09:12 PM A. Schulze wrote: > really? > > I know DMARC as > "example.com may dkim sign with example.com. relax alignment will > match even for RFC5322.From sub.example.com" > > but you claim > "sub.example.com may dkim sign with sub.example.com a message with > RFC5322.From example.com and that will be relax aligned" > -> I don't agree. > > see https://tools.ietf.org/html/rfc7489#appendix-B.1.2 > > > As "RW" pointed out: The message has a dkim signature mx.aol.com but > RFC5322.From is the /parent/ domain > That does not align and dmarc will not pass. It's AOL's fault. > > Andreas I really believe that's incorrect. Relaxed alignment specifically means you can sign with a subdomain's key or use a subdomain for SPF. Read sections 3.1.2 and 10.4 of that same document, for instance.
Re: DMARC auto-away rejects
Alan Hodgson: DMARC allows a subdomain to sign the mail with a relaxed alignment policy. really? I know DMARC as "example.com may dkim sign with example.com. relax alignment will match even for RFC5322.From sub.example.com" but you claim "sub.example.com may dkim sign with sub.example.com a message with RFC5322.From example.com and that will be relax aligned" -> I don't agree. see https://tools.ietf.org/html/rfc7489#appendix-B.1.2 As "RW" pointed out: The message has a dkim signature mx.aol.com but RFC5322.From is the /parent/ domain That does not align and dmarc will not pass. It's AOL's fault. Andreas
Re: DMARC auto-away rejects
On 2016-04-04, RWwrote: > On Mon, 4 Apr 2016 15:29:40 -0400 > Alex wrote: > >> >> >> Can someone help me understand why this auto-away message failed >> >> >> the DMARC tests? >> >> >> >> >> >> http://pastebin.com/wXhxex92 >> >> >> >> >> >> It looks like it passed through an AOL MX, yet SPF still >> >> >> failed. >> >> > >> >> > It didn't fail SPF, it failed to pass because there's no envelope >> >> > sender address. >> >> >> >> DMARC think in alignments. Authentication for SPF or DKIM (or both) >> >> must be aligned with RFC5322.From. >> >> >> >> SPF bind RFC5321.MailFrom to an Entiry. For any >> >> DeliveryStatusNotification or Autoresonder the RFC5321.MailFrom is >> >> required to be empty. So SPF *never* could be aligned to >> >> RFC5322.From for such messages. >> > >> > FWIW automated replies are allowed to have a null address, but >> > it's not required. >> > >> > The important thing is that this one didn't. >> > >> >> The only way to generate a DMARC=pass is DKIM. A domainowner has to >> >> DKIM-sign DeliveryStatusNotification or Autoresonder in alignement >> >> to the RFC5322.From. >> > >> > I assume the OP knows why it didn't pass DKIM since he specifically >> > mentioned SPF. >> >> No, I really don't understand. I have a basic understanding of >> DKIM/DMARC and understand it's dependent upon SPF, which is why I >> mentioned that. >> >> If I recall, these are treated essentially as DSNs, correct? In these >> cases, the From is null.z)/x > > What matters here is that the the envelope sender was empty rather than > why it was empty. > > I'm assuming that you are using these rules: > > https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/ > > > meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) && > __DMARC_POLICY_REJECT > > __DMARC_POLICY_REJECT comes from a dns look-up which says that the > policy is to reject. The rule will then fire if neither DKIM_VALID_AU > nor SPF_PASS hit. > > SPF can't be used here because there's no envelope sender, dkim > passes but it's signed by mx.aol.com not by the domain in the > header from address, so DKIM_VALID_AU doesn't get hit either. These rules are broken, then. The default identifier alignment for DMARC is relaxed, so mail with a valid DKIM signature from *.aol.com should pass. >> So ultimately who's at fault here for causing this to fail? AOL? What >> should have been done to prevent it? > > AOL, I guess. AOL is doing everything correctly.
Re: DMARC auto-away rejects
On Monday, April 04, 2016 09:34:56 PM RW wrote: > On Mon, 04 Apr 2016 13:18:54 -0700 > > Alan Hodgson wrote: > > On Monday, April 04, 2016 08:59:51 PM RW wrote: > > > I'm assuming that you are using these rules: > > > > > > https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/ > > ... > > > That's invalid, though. DMARC allows a subdomain to sign the mail > > with a relaxed alignment policy. The original message should have > > passed a DMARC test. > > It's just a collection of rules that make use of the dmarc dns > lookup, it doesn't pretend to be a dmarc implementation. See the bottom > of the page linked. I see that, and it's a good disclaimer. I would disagree that those tests will work as intended in most cases, though. Many ESPs sign with subdomain keys. And clearly AOL is, too. Relaxed alignment is the DMARC default.
Re: DMARC auto-away rejects
On Mon, 04 Apr 2016 13:18:54 -0700 Alan Hodgson wrote: > On Monday, April 04, 2016 08:59:51 PM RW wrote: > > I'm assuming that you are using these rules: > > > > https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/ ... > That's invalid, though. DMARC allows a subdomain to sign the mail > with a relaxed alignment policy. The original message should have > passed a DMARC test. It's just a collection of rules that make use of the dmarc dns lookup, it doesn't pretend to be a dmarc implementation. See the bottom of the page linked.
Re: DMARC auto-away rejects
On Monday, April 04, 2016 08:59:51 PM RW wrote: > I'm assuming that you are using these rules: > > https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/ > > > meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) && > __DMARC_POLICY_REJECT > > __DMARC_POLICY_REJECT comes from a dns look-up which says that the > policy is to reject. The rule will then fire if neither DKIM_VALID_AU > nor SPF_PASS hit. > > SPF can't be used here because there's no envelope sender, dkim > passes but it's signed by mx.aol.com not by the domain in the > header from address, so DKIM_VALID_AU doesn't get hit either. > That's invalid, though. DMARC allows a subdomain to sign the mail with a relaxed alignment policy. The original message should have passed a DMARC test. > > So ultimately who's at fault here for causing this to fail? AOL? What > > should have been done to prevent it? > > AOL, I guess. Uh, no. The test is bad.
Re: DMARC auto-away rejects
On Mon, 4 Apr 2016 15:29:40 -0400 Alex wrote: > Hi, > > >> >> Can someone help me understand why this auto-away message failed > >> >> the DMARC tests? > >> >> > >> >> http://pastebin.com/wXhxex92 > >> >> > >> >> It looks like it passed through an AOL MX, yet SPF still > >> >> failed. > >> > > >> > It didn't fail SPF, it failed to pass because there's no envelope > >> > sender address. > >> > >> DMARC think in alignments. Authentication for SPF or DKIM (or both) > >> must be aligned with RFC5322.From. > >> > >> SPF bind RFC5321.MailFrom to an Entiry. For any > >> DeliveryStatusNotification or Autoresonder the RFC5321.MailFrom is > >> required to be empty. So SPF *never* could be aligned to > >> RFC5322.From for such messages. > > > > FWIW automated replies are allowed to have a null address, but > > it's not required. > > > > The important thing is that this one didn't. > > > >> The only way to generate a DMARC=pass is DKIM. A domainowner has to > >> DKIM-sign DeliveryStatusNotification or Autoresonder in alignement > >> to the RFC5322.From. > > > > I assume the OP knows why it didn't pass DKIM since he specifically > > mentioned SPF. > > No, I really don't understand. I have a basic understanding of > DKIM/DMARC and understand it's dependent upon SPF, which is why I > mentioned that. > > If I recall, these are treated essentially as DSNs, correct? In these > cases, the From is null.z)/x What matters here is that the the envelope sender was empty rather than why it was empty. I'm assuming that you are using these rules: https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/ meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT __DMARC_POLICY_REJECT comes from a dns look-up which says that the policy is to reject. The rule will then fire if neither DKIM_VALID_AU nor SPF_PASS hit. SPF can't be used here because there's no envelope sender, dkim passes but it's signed by mx.aol.com not by the domain in the header from address, so DKIM_VALID_AU doesn't get hit either. > So ultimately who's at fault here for causing this to fail? AOL? What > should have been done to prevent it? AOL, I guess.
Re: DMARC auto-away rejects
Alex: So ultimately who's at fault here for causing this to fail? AOL? What should have been done to prevent it? it depends who generate the DSN. - AOL? -> then they should DKIM sign their own message. - an AOL customer sending on behalf of his own AOL address via AOL infrastructure? -> then AOL should DKIM sign the message. They autenticate the customer and authorize the submission - a third party? -> submission is not authorized to use aol.com as RFC5322.From. -> AOL suggest to reject the message (DMARC Policy p=reject) Andreas
Re: DMARC auto-away rejects
On 4. apr. 2016 21.29.51 Alexwrote: So ultimately who's at fault here for causing this to fail? AOL? What should have been done to prevent it? envelope sender changes on nexthop, so there can be another sender domain pr hop
Re: DMARC auto-away rejects
On Mon, 4 Apr 2016 20:25:15 +0100 RW wrote: > FWIW automated replies are allowed to have a null address, but > it's not required. > > The important thing is that this one didn't. I meant this one didn't have an address, rather than didn't have a null address.
Re: DMARC auto-away rejects
Hi, >> >> Can someone help me understand why this auto-away message failed >> >> the DMARC tests? >> >> >> >> http://pastebin.com/wXhxex92 >> >> >> >> It looks like it passed through an AOL MX, yet SPF still failed. >> > >> > It didn't fail SPF, it failed to pass because there's no envelope >> > sender address. >> >> DMARC think in alignments. Authentication for SPF or DKIM (or both) >> must be aligned with RFC5322.From. >> >> SPF bind RFC5321.MailFrom to an Entiry. For any >> DeliveryStatusNotification or Autoresonder the RFC5321.MailFrom is >> required to be empty. So SPF *never* could be aligned to >> RFC5322.From for such messages. > > FWIW automated replies are allowed to have a null address, but > it's not required. > > The important thing is that this one didn't. > >> The only way to generate a DMARC=pass is DKIM. A domainowner has to >> DKIM-sign DeliveryStatusNotification or Autoresonder in alignement >> to the RFC5322.From. > > I assume the OP knows why it didn't pass DKIM since he specifically > mentioned SPF. No, I really don't understand. I have a basic understanding of DKIM/DMARC and understand it's dependent upon SPF, which is why I mentioned that. If I recall, these are treated essentially as DSNs, correct? In these cases, the From is null. So ultimately who's at fault here for causing this to fail? AOL? What should have been done to prevent it?
Re: DMARC auto-away rejects
On Mon, 04 Apr 2016 20:35:42 +0200 A. Schulze wrote: > RW: > > > On Mon, 4 Apr 2016 13:00:11 -0400 > > Alex wrote: > > > >> Hi, > >> > >> Can someone help me understand why this auto-away message failed > >> the DMARC tests? > >> > >> http://pastebin.com/wXhxex92 > >> > >> It looks like it passed through an AOL MX, yet SPF still failed. > > > > It didn't fail SPF, it failed to pass because there's no envelope > > sender address. > > DMARC think in alignments. Authentication for SPF or DKIM (or both) > must be aligned with RFC5322.From. > > SPF bind RFC5321.MailFrom to an Entiry. For any > DeliveryStatusNotification or Autoresonder the RFC5321.MailFrom is > required to be empty. So SPF *never* could be aligned to > RFC5322.From for such messages. FWIW automated replies are allowed to have a null address, but it's not required. The important thing is that this one didn't. > The only way to generate a DMARC=pass is DKIM. A domainowner has to > DKIM-sign DeliveryStatusNotification or Autoresonder in alignement > to the RFC5322.From. I assume the OP knows why it didn't pass DKIM since he specifically mentioned SPF.
Re: DMARC auto-away rejects
A. Schulze: So SPF *never* could be aligned to RFC5322.From for such messages. even if spf=pass... The only way to generate a DMARC=pass is DKIM. A domainowner has to DKIM-sign DeliveryStatusNotification or Autoresonder in alignement to the RFC5322.From. This is even more important if the domain use p=quarantine or p=reject. like to see an exapmle? write to echo at signing-milter do org Andreas
Re: DMARC auto-away rejects
RW: On Mon, 4 Apr 2016 13:00:11 -0400 Alex wrote: Hi, Can someone help me understand why this auto-away message failed the DMARC tests? http://pastebin.com/wXhxex92 It looks like it passed through an AOL MX, yet SPF still failed. It didn't fail SPF, it failed to pass because there's no envelope sender address. DMARC think in alignments. Authentication for SPF or DKIM (or both) must be aligned with RFC5322.From. SPF bind RFC5321.MailFrom to an Entiry. For any DeliveryStatusNotification or Autoresonder the RFC5321.MailFrom is required to be empty. So SPF *never* could be aligned to RFC5322.From for such messages. The only way to generate a DMARC=pass is DKIM. A domainowner has to DKIM-sign DeliveryStatusNotification or Autoresonder in alignement to the RFC5322.From. This is even more important if the domain use p=quarantine or p=reject. Andreas
Re: DMARC auto-away rejects
On Mon, 4 Apr 2016 13:00:11 -0400 Alex wrote: > Hi, > > Can someone help me understand why this auto-away message failed the > DMARC tests? > > http://pastebin.com/wXhxex92 > > It looks like it passed through an AOL MX, yet SPF still failed. It didn't fail SPF, it failed to pass because there's no envelope sender address.