Hi Franco, Dear List

Thank you for your feedback.

1) I configured mailman3 [1] dmarc_mitigate_action to "munge_from" (to replace the from header) and dmarc_mitigate_unconditionally to true. My thought was that this would mean that there can no longer be a dmarc policy which sets dkim to strict. This way, an invalid dkim signature would no longer be such a big problem. But I was probably wrong. I don't want to set up the mails to be re-signed overnight, maybe there is an option to remove the signature. If anyone has experience with mailman3 and dkim, please write to me directly.

2) The SPF RR was a bit of a back and forth. I sent an email to the person who manages swinog.ch on 2023-05-10 to replace the : with a =. However, the email seems to have been forgotten or lost and I also forgot to ask again. I will do that today.

Jonas

[1]: https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html

On 6/8/23 08:24, Franco Hug via swinog wrote:
Hi swinog / init7

Thanks @adrian for the report and @daniel for pointing out the NXDOMAIN issue.

Maybe this is well-known, but I would like to point out that this swinog list has a problem with DKIM and SPF.

1) DKIM: not valid ("message has been altered") because of the email forwarding without re-signing

2) SPF: wrong record

Authentication-Results: opendkim.logging.ch;
        dkim=fail (2048-bit key) reason="fail (message has been altered)"
        header.d=switch.ch header.b=qiNTrxHE
Received-SPF: permerror (lists.swinog.ch: Unknown mechanism type 'redirect' in 'v=spf1' 
record) receiver=mx3.logging.ch; identity=mailfrom; 
envelope-from="swinog-boun...@lists.swinog.ch"; helo=vmaill01.sys.init7.net; 
client-ip=82.197.188.230
Received: from vmaill01.sys.init7.net (vmaill01.sys.init7.net [82.197.188.230])

SPF misconfiguration:

dig +short lists.swinog.ch txt
"v=spf1 redirect:init7.net"

The correct record should read as:

"v=spf1 redirect=init7.net"

See https://www.rfc-editor.org/rfc/rfc7208#section-6.1

While 2) would be an easy fix, 1) might involve some more work.

My 2 cents - Gruass, Franco
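The permerror quoted above comes from the ':' versus '=' distinction in RFC 7208 syntax: a term written as name:value is parsed as a mechanism, and 'redirect' is not one, whereas name=value is a modifier. The following syntax checker is an added example (not part of Franco's message or of any SPF library); the third record it checks is constructed for illustration.

```python
import re

# Mechanism names from RFC 7208 section 5; a term written in mechanism
# syntax with any other name is a permerror (section 4.6.4).
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Modifiers use name=value syntax (section 6); redirect and exp may appear
# only once, while unknown modifiers are ignored rather than rejected.
SINGLETON_MODIFIERS = {"redirect", "exp"}

# [qualifier] name [separator value]: ':' or '/' introduces a mechanism
# argument, '=' makes the term a modifier.
TERM = re.compile(r"^([+\-~?])?([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?$")


def check_spf_syntax(record):
    """Return 'ok' for a syntactically valid SPF record, otherwise a
    'permerror: ...' string modelled on the Received-SPF reason text.
    Only syntax is checked; no DNS lookups are performed."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return "none: not an SPF record"
    seen_modifiers = set()
    for term in parts[1:]:
        m = TERM.match(term)
        if not m:
            return f"permerror: unparsable term {term!r}"
        qualifier, name, sep, value = m.groups()
        name = name.lower()
        if sep == "=":
            if qualifier:
                return f"permerror: qualifier not allowed on modifier {name!r}"
            if name in SINGLETON_MODIFIERS:
                if name in seen_modifiers:
                    return f"permerror: duplicate modifier {name!r}"
                seen_modifiers.add(name)
        elif name not in MECHANISMS:
            # 'redirect:init7.net' lands here: colon syntax means mechanism
            return f"permerror: Unknown mechanism type {name!r}"
    return "ok"


if __name__ == "__main__":
    # The published record, the corrected one, and a constructed record
    # using ordinary mechanisms.
    for rec in ("v=spf1 redirect:init7.net",
                "v=spf1 redirect=init7.net",
                "v=spf1 mx a:mail.example.net ip4:192.0.2.0/24 -all"):
        print(f"{rec!r}: {check_spf_syntax(rec)}")
```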

On 08.06.23 07:42, Daniel Stirnimann via swinog wrote:
Hi Adrian,
On 07.06.23 21:33, Adrian Ulrich via swinog wrote:
I'm pretty surprised that of the 1.7M domains with an MX record, only 57% have DKIM
I don't see how one could reliably gather this data from DNS:

DKIM allows you to specify a selector in the header of the mail: This mail for example will use 'sx1' as the selector (check out the header ;-) ):

$ dig +short txt sx1._domainkey.blinkenlights.ch
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC[....]
But without ever receiving a mail from me: how would you know?

You could try to send a query for '_domainkey.blinkenlights.ch' and you MAY receive a NOERROR reply - but that's not guaranteed: My DNS will just return an NXDOMAIN:

$ dig txt _domainkey.blinkenlights.ch|grep status:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10153

Your nameserver breaks https://www.rfc-editor.org/rfc/rfc8020

    This document states clearly that when a DNS resolver receives a
    response with a response code of NXDOMAIN, it means that the domain
    name which is thus denied AND ALL THE NAMES UNDER IT do not exist.

Daniel
_______________________________________________
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch