Big problem with this mailing list and Majordomo regarding DMARC

Big problem with this mailing list and Majordomo regarding DMARC

TG Servers
Hi,

Since I first posted yesterday to this mailing list I have got hundreds of
rejected DMARC reports, because Majordomo is not able to handle DMARC
records, or is not configured correctly to do so.
The headers are not rewritten correctly, and so DKIM from my mail is
expected in hundreds of mails from different IPs (forwarded) but not mine,
with the SPF of postfix.org.
It then looks something like this:

<record>
  <row>
   <source_ip>168.100.1.7</source_ip> ... NOT MY IP
   <count>1</count>
   <policy_evaluated>
    <disposition>reject</disposition>
    <dkim>fail</dkim>
    <spf>fail</spf>
   </policy_evaluated>
  </row>
  <identifiers>
   <header_from>prvtmail.net</header_from> ... BUT MY HEADER
  </identifiers>
  <auth_results>
   <spf>
    <domain>postfix.org</domain> .... SPF FROM POSTFIX.ORG
    <result>none</result>
   </spf>
   <dkim>
    <domain>prvtmail.net</domain>
    <result>fail</result>
   </dkim>
  </auth_results>
 </record>
</feedback>

This is totally wrong, and so my mails don't get delivered correctly, it
seems.

Can you please get back to me on that?

Re: Big problem with this mailing list and Majordomo regarding DMARC

Benny Pedersen-2
Change your DMARC policy away from reject.

I get DMARC pass from my own posts, but I have now disabled milters from
trusted mailing list IPs.

All the best; the problem is solved if and when OpenARC and OpenDMARC test
whether it is OpenARC sealed.

Re: Big problem with this mailing list and Majordomo regarding DMARC

TG Servers
Thanks for your reply.
I get DMARC pass from everywhere normally, and also from every tool. This
is a Majordomo problem, because with other lists that are not on
Majordomo there is no problem I can see. There are also articles
regarding this "bug", I saw now. It just does not rewrite the
From-address header "correctly" to come from the Postfix list rather than my
domain, so my posts are rejected by a lot of users. I am not sure if I
want to change my policy and open the world to spoofing just for a piece of
software which cannot handle this correctly in 2019, but maybe I have to.
How do you mean you get DMARC pass from your own posts? You mean the one
mail (post) itself you send, or? Because all others "forwarded" by
Majordomo should fail also, if I correctly understand the problem that
lies underneath. So you have DMARC set to report only?


On 19/04/2019 12:12, Benny Pedersen wrote:
> change to dmarc policy away from reject
>
> i get dmarc pass from my own posts, but i have now disabled milters
> from trusted maillists ips
>
> all the best, problem is solved if and when openarc and opendmarc test
> if its openarc sealed

Re: Big problem with this mailing list and Majordomo regarding DMARC

Wietse Venema
Sign your email with DKIM. The Postfix list is DKIM-safe.

        Wietse

Re: Big problem with this mailing list and Majordomo regarding DMARC

Nick-5
In reply to this post by TG Servers
On 2019-04-19 10:43 BST, TG Servers wrote:
>    <dkim>
>     <domain>prvtmail.net</domain>
>     <result>fail</result>
>    </dkim>

You might want to consider reducing the list of headers in your DKIM
signatures.  E.g. your signed-headers list includes 'sender' but the
mailing list adds its own 'sender', which is enough to invalidate your
signature.
--
Nick

Re: Big problem with this mailing list and Majordomo regarding DMARC

Benny Pedersen-2
In reply to this post by TG Servers
TG Servers skrev den 2019-04-19 12:45:
> thanks for your reply.
> I get dmarc pass from everywhere normally and also from every tool.
> this
> is a majordomo problem

Well, I don't care :=)

# cat /etc/postfix/smtpd_milter_maps.cidr
#
# postfix maillist disable all milters

168.100.1.3                             DISABLE
168.100.1.4                             DISABLE
168.100.1.7                             DISABLE
2604:8d00:0:1::3                        DISABLE
2604:8d00:0:1::4                        DISABLE
2604:8d00:0:1::7                        DISABLE

# grep milter main.cf
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_maps.cidr

Add the IPs to the postscreen whitelist if you use an RBL that blocks the
Postfix mailing list.

Re: Big problem with this mailing list and Majordomo regarding DMARC

Benny Pedersen-2
In reply to this post by Wietse Venema
Wietse Venema skrev den 2019-04-19 13:05:
> Sign your email with DKIM. The Postfix list is DKIM-safe.

Is there a difference between the Postfix sender IPs?

On 2604:8d00:0:1::7 I get DKIM_ADSP_ALL;
on 168.100.1.3 I get DKIM_VALID_AU.

Re: Big problem with this mailing list and Majordomo regarding DMARC

Benny Pedersen-2
In reply to this post by TG Servers
TG Servers skrev den 2019-04-19 12:45:
> thanks for your reply.

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=prvtmail.net;
        s=def; t=1555670709;
        h=from:from:sender:reply-to:subject:subject:date:date:
         message-id:message-id:to:to:cc:mime-version:mime-version:
         content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references:openpgp:autocrypt;
        bh=RFjoFU2lJVzkjZeWBGwFSeilqzQF8lu0j7X2EyRnK4U=;
        b=aLZdpa23z8loA2H4r1JNojxvVUuvddV5lYrQFfw4kQjbhLUXEu16ZKegbUiIQRLysy+eJ/
        aaMKjIF7ySs2RnZxclXw5QioNE1e7tuz26owsY2fDP2di2qiYLlocXNyZv0YOWxqCxnQ+A
        S/b6tNvNa4yRAE5reMi79GgiosooHfTmZhNKh0y8FzN5WMSJ/eIBjcnHl3OkNy4tC5R2wKUy
        y7YgJoy+8eippeZlU6kurUo/neZ5np+DzLcNU8wlpIdhHOmrj57NMGC6woiYU+gxaBJvPW
        s7tMDQm3vaWFjcrgDR+Ff2HmfKwIkLTRiQhdA9wCtZ4ZYxFfnVTt3l5Cbubdkw==

Where is the other From?

And mime-version?

Reduce the signed headers to what OpenDKIM uses; don't oversign all headers.

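The mechanism behind Nick's and Benny's advice above, as an added example that is not code from this thread, from rspamd or from OpenDKIM: it re-implements the two RFC 6376 rules that decide whether a list-relayed copy still verifies, the h= header-selection rule (section 5.4.2: each name in h= takes the next unused instance of that field counting from the bottom of the header block, and a name with no instance left signs the absence of that field) and "relaxed" header canonicalization (section 3.4.2). The h= tag is the one from the DKIM-Signature posted above; the header block, the slimmer h= list and the value of the Sender: field the list adds are constructed placeholders. Only the selected fields are hashed, without the DKIM-Signature field a real signer appends, which is enough to show whether a verifier would hash the same bytes the signer did.

```python
"""Why listing 'sender' in a DKIM h= tag breaks as soon as a mailing list adds
its own Sender: field, and why oversigning 'from' is still worth keeping.

Added example, not code from this thread, from rspamd or from OpenDKIM.
"""
import hashlib
import re

# h= tag of the DKIM-Signature posted in this thread.
H_POSTED = ("from:from:sender:reply-to:subject:subject:date:date:"
            "message-id:message-id:to:to:cc:mime-version:mime-version:"
            "content-type:content-type:content-transfer-encoding:"
            "content-transfer-encoding:in-reply-to:in-reply-to:"
            "references:references:openpgp:autocrypt")

# Slimmer h= with 'sender' and the MIME fields dropped and 'from' still
# oversigned (assumption: illustrates the advice above, not any tool's default).
H_SLIM = "from:from:to:subject:subject:date:message-id:in-reply-to:references"

# Constructed header block as the signer saw it, top to bottom.  The address
# and Message-ID are placeholders, not values taken from the thread.
ORIGINAL = [
    ("From", "TG Servers <someone@prvtmail.net>"),
    ("To", "postfix-users@postfix.org"),
    ("Subject", "Re: Big problem with this mailing list  and Majordomo\r\n regarding DMARC"),
    ("Date", "Fri, 19 Apr 2019 12:45:00 +0200"),
    ("Message-ID", "<placeholder@prvtmail.net>"),
]

# What the list host adds.  That Majordomo adds a Sender: field is what the
# thread reports; the value used here is an assumption.
VIA_LIST = [("Sender", "owner-postfix-users@postfix.org")] + ORIGINAL

# What a forger might do: prepend a second From: that many MUAs display.
SPOOFED = [("From", "Someone Else <forger@example.net>")] + ORIGINAL


def canon_relaxed(name, value):
    """RFC 6376 3.4.2 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse WSP, trim ends
    return f"{name.strip().lower()}:{value}\r\n"


def select_for_h(headers, h_tag):
    """RFC 6376 5.4.2 selection: bottom-up, one instance per h= entry."""
    pool = {}
    for name, value in reversed(headers):            # last instance first
        pool.setdefault(name.lower(), []).append((name, value))
    chosen = []
    for entry in h_tag.split(":"):
        instances = pool.get(entry.strip().lower(), [])
        if instances:
            chosen.append(instances.pop(0))
        # otherwise the entry signs the *absence* of that field
    return chosen


def header_hash(headers, h_tag):
    """Hash of the canonicalized fields in h= order (DKIM-Signature omitted)."""
    data = "".join(canon_relaxed(n, v) for n, v in select_for_h(headers, h_tag))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def still_verifies(signed, received, h_tag):
    """True if the verifier would hash the same bytes the signer hashed."""
    return header_hash(signed, h_tag) == header_hash(received, h_tag)


def oversigned(h_tag):
    """Field names listed more than once in h=, i.e. oversigned."""
    names = [e.strip().lower() for e in h_tag.split(":") if e.strip()]
    return sorted({n for n in names if names.count(n) > 1})


if __name__ == "__main__":
    for label, h in (("posted", H_POSTED), ("slim", H_SLIM)):
        print(f"{label:>6}: via list -> {still_verifies(ORIGINAL, VIA_LIST, h)},"
              f" extra From -> {still_verifies(ORIGINAL, SPOOFED, h)}")
    print("oversigned in posted h=:", oversigned(H_POSTED))
```

With the posted h= the list copy fails because the single 'sender' entry, signed while no Sender: field existed, now selects the field the list added; with the slimmer h= the same copy verifies. The slimmer list keeps 'from' twice on purpose: a second From: prepended by a forger is then selected by the second entry and breaks the signature, whereas a single 'from' entry would still select the bottom-most, original From: and verify. DMARC aligns on the From: field, not on Sender:, so dropping 'sender' costs nothing for the identity DMARC protects.

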
Re: Big problem with this mailing list and Majordomo regarding DMARC

TG Servers
In reply to this post by Benny Pedersen-2
The problem seems to be the header that is appended by Majordomo,
according to this:
https://outofcontrol.ca/blog/patch-majordomo-to-work-with-dmarc

The Postfix sender IP of my mail server is 116.203.154.189, which is
verified correctly against DKIM and SPF.
Then Majordomo forwards the mails to the list users with Postfix sender
IP 168.100.1.3, 168.100.1.4 or 168.100.1.7 but with the From header of
my server, which of course does not validate anymore.

My mail

 <source_ip>116.203.154.189</source_ip> THIS IS MY SERVER IP, CORRECT
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>prvtmail.net</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>prvtmail.net</domain>
        <result>pass</result>
        <selector>def</selector>
      </dkim>
      <spf>
        <domain>prvtmail.net</domain>
        <result>pass</result>
      </spf>

MAJORDOMO FORWARDED

 <source_ip>168.100.1.7</source_ip> ... MAJORDOMO IP
   <count>1</count>
   <policy_evaluated>
    <disposition>reject</disposition>
    <dkim>fail</dkim>
    <spf>fail</spf>
   </policy_evaluated>
  </row>
  <identifiers>
   <header_from>prvtmail.net</header_from> ... BUT MY HEADER
  </identifiers>
  <auth_results>
   <spf>
    <domain>postfix.org</domain> .... SPF FROM POSTFIX.ORG
    <result>none</result>
   </spf>
   <dkim>
    <domain>prvtmail.net</domain> ... DKIM failed of course
    <result>fail</result>
   </dkim>
  </auth_results>



On 19/04/2019 13:36, Benny Pedersen wrote:
> Wietse Venema skrev den 2019-04-19 13:05:
>> Sign your email with DKIM. The Postfix list is DKIM-safe.
>
> is there a diff on postfix sender ips ?
>
> on 2604:8d00:0:1::7 i get DKIM_ADSP_ALL
> on 168.100.1.3 i get DKIM_VALID_AU

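A way to sort the two kinds of record shown in the post above apart automatically, as an added example that is not code from this thread: the script parses a DMARC aggregate report and labels each record as a direct delivery that passed, a copy relayed by a host whose own envelope sender was used for SPF (so only the author's DKIM signature could have aligned, and it did not survive), or an unauthenticated source claiming the domain directly. The sample report is reconstructed from the two fragments in the post and wrapped in a minimal <feedback> root so that it parses; element names follow the DMARC aggregate report format (RFC 7489, Appendix C).

```python
"""Triage of DMARC aggregate-report records: direct deliveries versus copies
relayed by a mailing list host.

Added example, not code from this thread.  SAMPLE_REPORT is reconstructed
from the two <record> fragments posted above.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <record>
    <row>
      <source_ip>116.203.154.189</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>prvtmail.net</header_from></identifiers>
    <auth_results>
      <dkim><domain>prvtmail.net</domain><result>pass</result><selector>def</selector></dkim>
      <spf><domain>prvtmail.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>168.100.1.7</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>prvtmail.net</header_from></identifiers>
    <auth_results>
      <spf><domain>postfix.org</domain><result>none</result></spf>
      <dkim><domain>prvtmail.net</domain><result>fail</result></dkim>
    </auth_results>
  </record>
</feedback>
"""


def _text(node, path, default=""):
    found = node.find(path)
    if found is None or found.text is None:
        return default
    return found.text.strip()


def classify(record, own_domain):
    """Summarise one <record> and attach a verdict explaining the outcome."""
    own = own_domain.lower()
    row = {
        "source_ip": _text(record, "row/source_ip"),
        "count": int(_text(record, "row/count", "0")),
        "disposition": _text(record, "row/policy_evaluated/disposition"),
        "dkim_eval": _text(record, "row/policy_evaluated/dkim"),
        "spf_eval": _text(record, "row/policy_evaluated/spf"),
        "header_from": _text(record, "identifiers/header_from").lower(),
        "spf_domain": _text(record, "auth_results/spf/domain").lower(),
    }
    # A list host may add a signature of its own, so look for ours specifically.
    own_sigs = [d for d in record.findall("auth_results/dkim")
                if _text(d, "domain").lower() == own]
    row["own_dkim"] = _text(own_sigs[0], "result") if own_sigs else ""

    if row["header_from"] != own:
        verdict = "other-domain"            # not about our domain at all
    elif "pass" in (row["dkim_eval"], row["spf_eval"]):
        verdict = "pass"                    # an aligned identifier passed
    elif row["spf_domain"] and row["spf_domain"] != own:
        # Envelope sender belongs to another host (relay or mailing list), so
        # SPF cannot align; only our own DKIM signature could have carried it.
        verdict = "relayed-dkim-broken" if own_sigs else "relayed-unsigned"
    else:
        verdict = "unauthenticated-direct"  # claimed our domain and failed
    row["verdict"] = verdict
    return row


def triage(xml_text, own_domain):
    """Return (rows, totals): per-record verdicts and message counts per verdict."""
    root = ET.fromstring(xml_text)
    rows = [classify(rec, own_domain) for rec in root.findall("record")]
    totals = Counter()
    for row in rows:
        totals[row["verdict"]] += row["count"]
    return rows, totals


if __name__ == "__main__":
    rows, totals = triage(SAMPLE_REPORT, "prvtmail.net")
    for row in rows:
        print(f'{row["source_ip"]:>16}  disposition={row["disposition"]:<7}'
              f' spf_domain={row["spf_domain"]:<13} {row["verdict"]}')
    print(dict(totals))
```

A "relayed-dkim-broken" row with disposition reject is mail the receiver discarded because of the published p=reject; under p=none the same row would have been delivered and merely reported, which is the trade-off discussed earlier in the thread. Counting these rows against "unauthenticated-direct" shows whether a domain's rejections come from forwarding breakage or from actual spoofing.

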
Re: Big problem with this mailing list and Majordomo regarding DMARC

TG Servers
In reply to this post by Benny Pedersen-2
I am signing with rspamd, will have to check the options there:

# If true, multiple from headers are allowed (but only first is used)
allow_hdrfrom_multiple = false;
# Domain to use for DKIM signing: can be "header" (MIME From),
# "envelope" (SMTP From) or "auth" (SMTP username)
use_domain = "header";

sign_headers = '(o)from:(o)sender:(o)reply-to:(o)subject:(o)date:(o)message-id:\
(o)to:(o)cc:(o)mime-version:(o)content-type:(o)content-transfer-encoding:\
resent-to:resent-cc:resent-from:resent-sender:resent-message-id:\
(o)in-reply-to:(o)references:list-id:list-owner:list-unsubscribe:\
list-subscribe:list-post:(o)openpgp:(o)autocrypt';

... (o) marks oversigned headers.

I will have to check this against OpenDKIM then, thanks.

On 19/04/2019 13:42, Benny Pedersen wrote:

> TG Servers skrev den 2019-04-19 12:45:
>> thanks for your reply.
>
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=prvtmail.net;
>     s=def; t=1555670709;
>     h=from:from:sender:reply-to:subject:subject:date:date:
>      message-id:message-id:to:to:cc:mime-version:mime-version:
>      content-type:content-type:
>      content-transfer-encoding:content-transfer-encoding:
>      in-reply-to:in-reply-to:references:references:openpgp:autocrypt;
>     bh=RFjoFU2lJVzkjZeWBGwFSeilqzQF8lu0j7X2EyRnK4U=;
>     b=aLZdpa23z8loA2H4r1JNojxvVUuvddV5lYrQFfw4kQjbhLUXEu16ZKegbUiIQRLysy+eJ/
>     aaMKjIF7ySs2RnZxclXw5QioNE1e7tuz26owsY2fDP2di2qiYLlocXNyZv0YOWxqCxnQ+A
>     S/b6tNvNa4yRAE5reMi79GgiosooHfTmZhNKh0y8FzN5WMSJ/eIBjcnHl3OkNy4tC5R2wKUy
>     y7YgJoy+8eippeZlU6kurUo/neZ5np+DzLcNU8wlpIdhHOmrj57NMGC6woiYU+gxaBJvPW
>     s7tMDQm3vaWFjcrgDR+Ff2HmfKwIkLTRiQhdA9wCtZ4ZYxFfnVTt3l5Cbubdkw==
>
> where is the other From ?
>
> and mime-version ?
>
> reduce signed headers to what opendkim use, dont oversign all headers

Re: Big problem with this mailing list and Majordomo regarding DMARC

Benny Pedersen-2
In reply to this post by TG Servers
TG Servers skrev den 2019-04-19 13:50:
> The problem is the header that is appended by majordomo it seems
> according to this
> https://outofcontrol.ca/blog/patch-majordomo-to-work-with-dmarc

And you still sign the Sender header?

No more help from me.

Re: Big problem with this mailing list and Majordomo regarding DMARC

TG Servers
In reply to this post by Nick-5
Yes, thanks Nick, I am signing with rspamd and will have to check the
signed headers there, as this seems not compliant. I already checked that
from the other mails; thanks for the hint to you, too.

On 19/04/2019 13:16, Nick wrote:
> On 2019-04-19 10:43 BST, TG Servers wrote:
>>    <dkim>
>>     <domain>prvtmail.net</domain>
>>     <result>fail</result>
>>    </dkim>
> You might want to consider reducing the list of headers in your DKIM
> signatures.  E.g. your signed-headers list includes 'sender' but the
> mailing list adds its own 'sender', which is enough to invalidate your
> signature.

Re: Big problem with this mailing list and Majordomo regarding DMARC

B. Reino
On Fri, 19 Apr 2019, TG Servers wrote:

> Yes thanks Nick I am signing with rspamd and will have to check the
> signed headers there
> as this seems not compliant, I already checked that from the other
> mails, thanks for the hint to you, too

I also use rspamd, and had exactly the same problem you're facing now.
I now (for some time already) use a more relaxed sign_headers in my
local.d/dkim_signing.conf

sign_headers = 'from:to:subject:date:message-id:in-reply-to:references';

i.e. no oversigning and no "sender" in there.

(I also have policy=none and send received reports to /dev/null but don't
tell anyone! :)

Cheers,
Bernardo.

Re: Big problem with this mailing list and Majordomo regarding DMARC

TG Servers
Bernardo,

Yes, the problem is that the defaults rspamd is using don't correspond to
RFC 6376, which is itself from 2011, but rather follow RFC 4871, which is
older and was obsoleted by RFC 6376.
Of course one is responsible oneself, but more sane defaults would be
nice here...
I will change that according to RFC 6376 (the OpenDKIM standard) now and
the problem should be gone here, too.
/dev/null is always the nice way :)

Cheers

On 19/04/2019 15:48, B. Reino wrote:

> On Fri, 19 Apr 2019, TG Servers wrote:
>
>> Yes thanks Nick I am signing with rspamd and will have to check the
>> signed headers there
>> as this seems not compliant, I already checked that from the other
>> mails, thanks for the hint to you, too
>
> I also use rspamd, and had exactly the same problem you're facing now.
> I now (for some time already) use a more relaxed sign_headers in my
> local.d/dkim_signing.conf
>
> sign_headers = 'from:to:subject:date:message-id:in-reply-to:references';
>
> i.e. no oversigning and no "sender" in there.
>
> (I also have policy=none and send received reports to /dev/null but
> don't tell anyone! :)
>
> Cheers,
> Bernardo.
>

Re: Big problem with this mailing list and Majordomo regarding DMARC

Benny Pedersen-2
In reply to this post by B. Reino
B. Reino skrev den 2019-04-19 15:48:

> sign_headers =
> 'from:to:subject:date:message-id:in-reply-to:references';

man 5 opendkim.conf

Don't sign headers that are added or changed remotely.

Re: Big problem with this mailing list and Majordomo regarding DMARC

Benny Pedersen-2
In reply to this post by TG Servers
TG Servers skrev den 2019-04-19 15:56:

> Bernardo,
>
> yes, the problem is the defaults rspamd is using don't correspond to
> RFC6376, which is itself from 2011 but rather respect 4871 which is
> older and was obsoleted by RFC6376.
> Of course one is responsible himself but more sane defaults would be
> nice here...
> I will change that accordingly to RFC6376 (opendkim standard) now and
> the problem should be gone here, too.
> /dev/null is always the nice way :)

Please reopen this one: https://github.com/rspamd/rspamd/issues/1691

It's not fixed yet.

Re: Big problem with this mailing list and Majordomo regarding DMARC

B. Reino
In reply to this post by Benny Pedersen-2
On Fri, 19 Apr 2019, Benny Pedersen wrote:

> B. Reino skrev den 2019-04-19 15:48:
>
>> sign_headers = 'from:to:subject:date:message-id:in-reply-to:references';
>
> man 5 opendkim.conf
>
> don't sign headers that are added or changed remotely

I'm not sure I follow here. AFAIK all of the headers I mentioned above are
user/MUA generated (I know Message-ID can be generated by the MTA if the
MUA sucks and doesn't do it itself).

Care to clarify?

Re: Big problem with this mailing list and Majordomo regarding DMARC

TG Servers
In reply to this post by TG Servers
According to the RFC this would be the full list for rspamd:

 sign_headers = 'from:reply-to:subject:date:\
 to:cc:resent-to:resent-cc:resent-from:resent-date:\
 in-reply-to:references:<all the list commands I could not use here
because the mailing list interprets them as commands :) and blocks the
message>';

although they leave it open as "subjective" regarding message-id,
in-reply-to and references.

On 19/04/2019 16:13, Benny Pedersen wrote:
> B. Reino skrev den 2019-04-19 15:48:
>
>> sign_headers = 'from:to:subject:date:message-id:in-reply-to:references';
>
> man 5 opendkim.conf
>
> don't sign headers that are added or changed remotely

Re: Big problem with this mailing list and Majordomo regarding DMARC

B. Reino
On Fri, 19 Apr 2019, TG Servers wrote:

> according to RFC this would be the full list for rspamd
>
>  sign_headers = 'from:reply-to:subject:date:\
>  to:cc:resent-to:resent-cc:resent-from:resent-date:\
>  in-reply-to:references:<all the list commands I could not use here
> because the mailing list interprets them as commands :) and blocks the
> message>';
>
> although they leave it open as "subjective" regarding message-id,
> in-reply-to and references
Thanks for the clarification!

Yet, "subjective" (or trade-off, etc.) does not mean "will be changed
remotely", so I fail to see the issue here (and man 5 opendkim.conf does
not mention it AFAICT..)

Cheers.

Re: Big problem with this mailing list and Majordomo regarding DMARC

Benny Pedersen-2
In reply to this post by TG Servers
TG Servers skrev den 2019-04-19 16:48:
> according to RFC this would be the full list for rspamd
>
>  sign_headers = 'from:reply-to:subject:date:\
>  to:cc:resent-to:resent-cc:resent-from:resent-date:\
>  in-reply-to:references:<all the list commands I could not use here
> because the mailing list interprets them as commands :) and blocks the
> message>';

Mailman changes Reply-To, no?

Is it time to let rspamd solve its own problems?