Why no List-ID header in the postfix-users posts?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
38 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Why no List-ID header in the postfix-users posts?

Josh Good
Hello.

I'm trying to set up a new procmail recipe to automatically file this
mailing list's traffic into its own folder - because my old procmail
recipe (filtering by TO: [hidden email]) has proven to be
not 100% effective (somehow, some posts to the mailing list are
addressed to [hidden email] instead, and are landing directly
into my Inbox, where I can miss them or directly delete them as they are
not subject-tagged).

Anyway, from studying the headers in several posts to the list, I
haven't found the typical "List-Id:" header [1], which would have
been my first choice. I see, however, that I can use the "Sender:
[hidden email]" header for my procmail recipe. OK,
so problem solved.

All that piqued my curiosity, and I became aware that this mailing list
is not using the customary subject [tags] and body footer-disclaimer,
which are common in many other mailing lists, so I thought that posts
to this list with a DKIM signature from the original sender surely must
be received by the list subscribers with that DKIM signature not having
been invalidated - so I checked some posts to the list which had a DKIM
signature and sure enough, their DKIM signature validated fine.

I then asked to myself: this list not having subject [tags] and a body
footer, is perhaps a new development to satisfy the emerging "tyranny"
of several big ESP (email service providers) implementing DMARC [2]
with a policy of p=reject [3], or is it perhaps an old custom of this
list unrelated to DMARC? So I searched the list archives and found that
subject [tags] have never been used, but that a body footer was indeed
used in the beginning, with this message from 2002-11-06 15:32:04
being the first one to have an unaltered body without any footer:
http://marc.info/?l=postfix-users&m=103659674500641&w=2

I dug a little deeper still, and found that the domain in the Return-Path
for the list's messages (@postfix.org) has no SPF record in DNS. Also,
the mailing list host does not do any DKIM signing of the messages it
relays to the subscribers.

So I have questions.

1. Why the mailing list software is not configured to add a List-Id
header?

2. Why this mailing list has never used subject tags, and very early
in its infancy it even stopped injecting a footer into the posts? It's
obvious that was not done to accommodate for DMARC, so why was it done
this way?

3. Why is this mailing list's host not signing with DKIM the posts which
it is distributing to the subscribers?

4. Why there isn't any SPF declared for the domain (postfix.org) used
in the MAIL-FROM (a.k.a. Return-Path) of the messages sent to the
subscribers?


I will not fake ingenuity on my part, for I searched the list archives and
found this quote from Victor Duchovni [4]: "SPF cannot solve spam, but
it can, if adopted widely, do damage the Internet email infrastructure
which as it stands works very well at delivering email despite the
attacks being inflicted upon it. Spam will never go away completely
(neither will other crime), but we will learn to avoid it and police it,
despite the distraction of SPF."

So it's obvious key figures in Postfix have (had?) philosophical issues
with SPF (which I happen to love, actually). So that could answer my
fourth question above, but what about the other three?

Also, I'm curious: do you, Victor, still hold that negative view toward
SPF, thirteen years after your quoted comment above?


Regards,


[1] See RFC2919 - https://www.ietf.org/rfc/rfc2919.txt

[2] See RFC7489 - https://tools.ietf.org/html/rfc7489

[3] A DMARC policy of p=reject is known to cause trouble with so called
"indirect mail flows", of which a mailing list is the primary example -
see https://tools.ietf.org/html/rfc7960

[4] http://marc.info/?l=postfix-users&m=107415094130714&w=2


--
Josh Good

Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Wietse Venema
Josh Good:
> 1. Why the mailing list software is not configured to add a List-Id
> header?

Perhaps that's because the configuration was last updated in 2005,
at a time that List-Id was not as widely used. Let's see if this
message will have a List-Id header.

There are no footers, because to do that correctly, software has
to be MIME-aware, and the list software isn't. Having no footer is
better than having a footer that sometimes comes out as garbage.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Benny Pedersen-2
In reply to this post by Josh Good
Josh Good skrev den 2017-02-12 01:53:

> 1. Why the mailing list software is not configured to add a List-Id
> header?

good question :)

> 2. Why this mailing list has never used subject tags, and very early
> in its infancy it even stopped injecting a footer into the posts? It's
> obvious that was not done to accommodate for DMARC, so why was it done
> this way?

this will break dkim

> 3. Why is this mailing list's host not signing with DKIM the posts
> which
> it is distributing to the subscribers?

its good to see its not needed if dkim is sender signed, and the
maillist preserve that signing, so no need for more signing of maillist,
and another possible reason if not signed by sender why would it make
sense to se maillist sign it ?

what if maillist indeed is signed with dkim, would you so be
unsubscribed if some mta outthere forward it and it breaked the dkim ?

> 4. Why there isn't any SPF declared for the domain (postfix.org) used
> in the MAIL-FROM (a.k.a. Return-Path) of the messages sent to the
> subscribers?

and why is enveloppe sender sometimes cloud9.org ?

hopefully no change is needed

worst kind of management is to not check that ones own dkim get pass on
maillists

let it continue to not break dkim, other maillists have a hobby of
breaking it
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Josh Good
In reply to this post by Wietse Venema
On 2017 Feb 11, 20:27, Wietse Venema wrote:

> Josh Good:
> > 1. Why the mailing list software is not configured to add a List-Id
> > header?
>
> Perhaps that's because the configuration was last updated in 2005,
> at a time that List-Id was not as widely used. Let's see if this
> message will have a List-Id header.
>
> There are no footers, because to do that correctly, software has
> to be MIME-aware, and the list software isn't. Having no footer is
> better than having a footer that sometimes comes out as garbage.

Thanks a lot Wietse for your answers.

And yes, your post did have a List-ID:

List-Id: Postfix users <[hidden email]>

That's great! Thank you.

And I don't mean to be an annoyance, but why no subject [tags]?

Regards,

--
Josh Good

Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Benny Pedersen-2
Josh Good skrev den 2017-02-12 02:40:

> And I don't mean to be an annoyance, but why no subject [tags]?

this would break dkim
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Wietse Venema
In reply to this post by Josh Good
Josh Good:

> On 2017 Feb 11, 20:27, Wietse Venema wrote:
> > Josh Good:
> > > 1. Why the mailing list software is not configured to add a List-Id
> > > header?
> >
> > Perhaps that's because the configuration was last updated in 2005,
> > at a time that List-Id was not as widely used. Let's see if this
> > message will have a List-Id header.
> >
> > There are no footers, because to do that correctly, software has
> > to be MIME-aware, and the list software isn't. Having no footer is
> > better than having a footer that sometimes comes out as garbage.
>
> Thanks a lot Wietse for your answers.
>
> And yes, your post did have a List-ID:
>
> List-Id: Postfix users <[hidden email]>
>
> That's great! Thank you.
>
> And I don't mean to be an annoyance, but why no subject [tags]?

Tags are not needed. If you subscribe to this list, file the messages
to a dedicated folder for that list. Receiving list mail in the
primary inbox is discouraged.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Josh Good
In reply to this post by Benny Pedersen-2
On 2017 Feb 12, 02:33, Benny Pedersen wrote:
> Josh Good skrev den 2017-02-12 01:53:
>
> >2. Why this mailing list has never used subject tags, and very early
> >in its infancy it even stopped injecting a footer into the posts? It's
> >obvious that was not done to accommodate for DMARC, so why was it done
> >this way?
>
> this will break dkim

It would break the original sender's DKIM, if any. But then the mailing
list host could DKIM sign all messages just before sending them to the
list subscribers.

Because the original sender's DKIM may or may not exist, the mailing
list doing its own DKIM signing is the only way to make that list posts
are tamper-proof at all times.

> >3. Why is this mailing list's host not signing with DKIM the posts
> >which
> >it is distributing to the subscribers?
>
> its good to see its not needed if dkim is sender signed, and the
> maillist preserve that signing, so no need for more signing of maillist,
> and another possible reason if not signed by sender why would it make
> sense to se maillist sign it ?

In the post-Snowden era, cryptographically signing ALL is the way to go.
Remember, NSA not only "spies", it also "impersonates" when it needs to
do so (if it can do it). So yes, it makes sense for a mailing list to
DKIM sign the posts it sends to its subscribers.

Regards,

--
Josh Good

Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Sebastian Nielsen
I agree about the DKIM signing. I get regularly authentication failures (forensic reports) when posting to this list. Propably because my domain is set to require mandatory DKIM signing and postfix list server isn't.

However, I don't think there should be any subject tags.

smime.p7s (8K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Benny Pedersen-2
In reply to this post by Josh Good
Josh Good skrev den 2017-02-12 02:51:

> It would break the original sender's DKIM, if any. But then the mailing
> list host could DKIM sign all messages just before sending them to the
> list subscribers.

how should dkim handle this ?, how should dmarc handle it ?, how should
arc handle it ?

how should mailrealays handle it when dkim is not all getting dkim pass
?

you open a can of worms when dkim is breaked

> Because the original sender's DKIM may or may not exist, the mailing
> list doing its own DKIM signing is the only way to make that list posts
> are tamper-proof at all times.

what will happend if signers signs all ?

and there signed public key is missing in dns ?

> In the post-Snowden era, cryptographically signing ALL is the way to
> go.
> Remember, NSA not only "spies", it also "impersonates" when it needs to
> do so (if it can do it). So yes, it makes sense for a mailing list to
> DKIM sign the posts it sends to its subscribers.

no, dkim is not pgp
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Benny Pedersen-2
In reply to this post by Sebastian Nielsen
Sebastian Nielsen skrev den 2017-02-12 02:55:
> I agree about the DKIM signing. I get regularly authentication
> failures (forensic reports) when posting to this list. Propably
> because my domain is set to require mandatory DKIM signing and postfix
> list server isn't.

in that case you have mailrelays that breaks dkim

postfix maillist is dmarc/dkim/spf/arc safe
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Josh Good
In reply to this post by Benny Pedersen-2
On 2017 Feb 12, 03:00, Benny Pedersen wrote:
> >In the post-Snowden era, cryptographically signing ALL is the way to
> >go.
> >Remember, NSA not only "spies", it also "impersonates" when it needs to
> >do so (if it can do it). So yes, it makes sense for a mailing list to
> >DKIM sign the posts it sends to its subscribers.
>
> no, dkim is not pgp

I don't see how your assertion is related to my comment.

DKIM does certify that a message with a valid signature has:

--authenticity (from where it comes, as control of the DNS of the sending
domain is needed).

--integrity (that the message has not been altered or mutilated).


PGP is end-to-end, DKIM is not end-to-end, but MTA-to-MTA. I never said
DKIM was end-to-end.

Regards,

--
Josh Good

Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Sebastian Nielsen
In reply to this post by Benny Pedersen-2
Theres no relay between me and postfix. And this is the report:

Feedback-Type: auth-failure
Version: 1
User-Agent: OpenDMARC-Filter/1.3.2
Auth-Failure: dmarc
Authentication-Results: mx01.nausch.org; dmarc=fail header.from=sebbe.eu
Original-Envelope-Id: 68ED4C00088
Original-Mail-From: [hidden email]
Source-IP: 168.100.1.3 (camomile.cloud9.net)
Reported-Domain: sebbe.eu

-----
And original mail:
-----
Authentication-Results: mx1.nausch.org;
dkim=pass (1024-bit key) header.d=sebbe.eu header.i=@sebbe.eu header.b="AnBtXcH6"
Authentication-Results: mx01.nausch.org; spf=none smtp.mailfrom=<[hidden email]> smtp.helo=camomile.cloud9.net
Received: by camomile.cloud9.net (Postfix)
id 7474A336498; Sat, 11 Feb 2017 20:55:58 -0500 (EST)
Delivered-To: [hidden email]
Received: from localhost (localhost [127.0.0.1])
by camomile.cloud9.net (Postfix) with ESMTP id 728E83310A6
for <[hidden email]>; Sat, 11 Feb 2017 20:55:58 -0500 (EST)
X-Virus-Scanned: amavisd-new at cloud9.net
Received: from camomile.cloud9.net ([127.0.0.1])
by localhost (camomile.cloud9.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id wFb_dh5o0Qze for <[hidden email]>;
Sat, 11 Feb 2017 20:55:58 -0500 (EST)
Received: by camomile.cloud9.net (Postfix, from userid 54)
id 50BF13364A0; Sat, 11 Feb 2017 20:55:58 -0500 (EST)
Delivered-To: [hidden email]
Received: from localhost (localhost [127.0.0.1])
by camomile.cloud9.net (Postfix) with ESMTP id 328E4336498
for <[hidden email]>; Sat, 11 Feb 2017 20:55:58 -0500 (EST)
X-Virus-Scanned: amavisd-new at cloud9.net
Received: from camomile.cloud9.net ([127.0.0.1])
by localhost (camomile.cloud9.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id eeHrKBrRbl4U for <[hidden email]>;
Sat, 11 Feb 2017 20:55:58 -0500 (EST)
Received: from dns2.sebbe.eu (dns2.sebbe.eu [185.86.107.140])
(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
(No client certificate requested)
by camomile.cloud9.net (Postfix) with ESMTPS id CE06D3310A6
for <[hidden email]>; Sat, 11 Feb 2017 20:55:57 -0500 (EST)
Received: from linuxlite-desktop (localhost [127.0.0.1])
by dns2.sebbe.eu (Postfix) with ESMTP id 2E31476024B
for <[hidden email]>; Sun, 12 Feb 2017 02:55:41 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=sebbe.eu; s=root;
t=1486864555; bh=QG62M3r5Lc+7o9a5bmtrhKgDItf9g2IQHyYASOb1hFc=;
h=Date:From:To:In-Reply-To:References:Subject:From;
b=AnBtXcH6dIzWlO8tvRvhYxjFfHth6ioQDTnHiSmRl2ZFgRs6P9eUsrIRcUeJuABKT
aXDhQlpzqGTNehqqtKamWb4cc5VqOLATXeR/2hD2Uiz63QQJHMyiC6eAzUzarfvwjU
NpXW2pHtVj/J7c+XO/rrKeapamzY8aCTiPImxI6k=
Received: from [192.168.3.90] (unknown [192.168.3.90])
by dns1.sebbe.eu (Postfix) with ESMTP id 323CB76024B
for <[hidden email]>; Sun, 12 Feb 2017 02:55:41 +0100 (CET)
Date: Sun, 12 Feb 2017 02:55:39 +0100
From: Sebastian Nielsen <[hidden email]>
To: [hidden email]
Message-ID: <[hidden email]>
In-Reply-To: <[hidden email]>
References: <[hidden email]> <[hidden email]> <[hidden email]>
Subject: Re: Why no List-ID header in the postfix-users posts?
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256;
boundary="----=_Part_17_905167004.1486864541512"
User-Agent: WristMail for Android
X-Hashcash: 1:26:170212:[hidden email]::8sJRinKtSCxqHE9u:000000000000000000000000000000000003Mp9h
Sender: [hidden email]
Precedence: bulk
List-Id: Postfix users <[hidden email]>
List-Post: <mailto:[hidden email]>
List-Help: <http://www.postfix.org/lists.html>;
List-Unsubscribe: <mailto:[hidden email]>
List-Subscribe: <mailto:[hidden email]>
-----


As you see, its not going through even if dkim = pass.
I think DKIM on postfix list server would solve that.

smime.p7s (8K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

MickTW8
In reply to this post by Josh Good
On 12/02/2017 00:53, Josh Good wrote:
> Hello.
>
> I'm trying to set up a new procmail recipe to automatically file this
> mailing list's traffic into its own folder - because my old procmail
> recipe (filtering by TO: [hidden email]) has proven to be
> not 100% effective (somehow, some posts to the mailing list are
> addressed to [hidden email] instead, and are landing directly
> into my Inbox, where I can miss them or directly delete them as they are
> not subject-tagged).
Suggestion :
When Sender is '[hidden email]' move message to 'Postfix'
The above works for me every time.

Best wishes,

Mick.



Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Viktor Dukhovni
In reply to this post by Josh Good
On Sun, Feb 12, 2017 at 02:40:09AM +0100, Josh Good wrote:

> And I don't mean to be an annoyance, but why no subject [tags]?

This list carefully avoids modifying the message headers and body.
Therefore, this list requires no ugly DMARC work-around hacks.  I
am sure that we should keep it that way.

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Josh Good
In reply to this post by Sebastian Nielsen
On 2017 Feb 12, 03:13, Sebastian Nielsen wrote:

> Theres no relay between me and postfix. And this is the report:
>
> Feedback-Type: auth-failure
> Version: 1
> User-Agent: OpenDMARC-Filter/1.3.2
> Auth-Failure: dmarc
> Authentication-Results: mx01.nausch.org; dmarc=fail header.from=sebbe.eu
> Original-Envelope-Id: 68ED4C00088
> Original-Mail-From: [hidden email]
> Source-IP: 168.100.1.3 (camomile.cloud9.net)
> Reported-Domain: sebbe.eu
>
> -----
> And original mail:
> -----
> Authentication-Results: mx1.nausch.org;
> dkim=pass (1024-bit key) header.d=sebbe.eu header.i=@sebbe.eu header.b="AnBtXcH6"
> Authentication-Results: mx01.nausch.org; spf=none smtp.mailfrom=<[hidden email]> smtp.helo=camomile.cloud9.net
> Received: by camomile.cloud9.net (Postfix)
> id 7474A336498; Sat, 11 Feb 2017 20:55:58 -0500 (EST)
> Delivered-To: [hidden email]
(...snip...)
>
>
> As you see, its not going through even if dkim = pass.
> I think DKIM on postfix list server would solve that.

That's weird, if the DKIM mechanism passes, then DMARC should pass too,
provided the email address in the Header-From is aligned with the DKIM
signature which passed..

In your headers, we see that DKIM passes OK when you received you own
post to the list.

And then this is your DMARC record:

$ host -t txt _dmarc.sebbe.eu
_dmarc.sebbe.eu descriptive text "v=DMARC1\; p=reject\; sp=reject\; ri=604800\; rf=afrf\; aspf=s\; adkim=s\; rua=mailto:[hidden email]\; ruf=mailto:[hidden email]\; pct=100\; fo=1\;"


See that non-default "fo=1" you have there? That's whay you are getting
a DMARC result of fail:

See RFC 7489, Section 6.3, page 18:

""
fo:  Failure reporting options (plain-text; OPTIONAL; default is "0")

        0: Generate a DMARC failure report if all underlying
           authentication mechanisms fail to produce an aligned "pass"
           result.

        1: Generate a DMARC failure report if any underlying
           authentication mechanism produced something other than an
           aligned "pass" result.
""

Go with the DMARC default of "fo=0" and you should be fine.


Also, you should NOT use p=reject in your DMARC record if you post to
mailing lists, see RFC7960, Section 3.2.3.1:

""
Mailing Lists may also have the following DMARC interoperability
issues:

        Subscribed members may not receive email from members that post
        using domains that publish a DMARC "p=reject" policy.

        Mailing Lists may interpret DMARC-related email rejections as an
        inability to deliver email to the Recipients that are checking and
        enforcing DMARC policy.  This processing may cause subscribers
        that are checking and enforcing DMARC policy to be inadvertently
        suspended or removed from the Mailing List.
""

It all means: if you post to a mailing list with a DMARC policy of
p=reject, you risk (A) not having your posts received by the other
subscribers, and (B) accidentally causing OTHER subscribers to be
unsubcribed from the list because they could start rejecting your posts
at anytime based on your owun published DMARC policy, and the mailing
software could wrongly assume the subscribed address of OTHER subscribers
has become stale.

So take action:
1. change "fo=1" to "fo=0".
2. remove "p=reject", or use a different subdomain/domain to post to
mailing lists.

Regards,

--
Josh Good

Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

lists@lazygranch.com
In reply to this post by Sebastian Nielsen
How would a get a print out of email uses that fail DKIM, SPF, or both?

A few months ago there was chatter about how to rewrite the subject header to indicate the SPF and DKIM status. Unfortunately nothing further.

Further, how does DKIM prove the message wasn't altered? To my knowledge, SPF proves the message came from a qualified server and DKIM proves the FQDN is a match.


From: Sebastian Nielsen
Sent: Saturday, February 11, 2017 5:56 PM
Subject: Re: Why no List-ID header in the postfix-users posts?

I agree about the DKIM signing. I get regularly authentication failures (forensic reports) when posting to this list. Propably because my domain is set to require mandatory DKIM signing and postfix list server isn't.

However, I don't think there should be any subject tags.
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Benny Pedersen-2
In reply to this post by Sebastian Nielsen
Sebastian Nielsen skrev den 2017-02-12 03:13:
> Theres no relay between me and postfix. And this is the report:

spf strict

https://dmarcian-eu.com/dmarc-inspector/sebbe.eu

why ?

note you get dkim pass ?
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Chris-3
In reply to this post by Josh Good
On Sun, 2017-02-12 at 01:53 +0100, Josh Good wrote:

> Hello.
>
> I'm trying to set up a new procmail recipe to automatically file this
> mailing list's traffic into its own folder - because my old procmail
> recipe (filtering by TO: [hidden email]) has proven to be
> not 100% effective (somehow, some posts to the mailing list are
> addressed to [hidden email] instead, and are landing
> directly
> into my Inbox, where I can miss them or directly delete them as they
> are
> not subject-tagged).
>
> Anyway, from studying the headers in several posts to the list, I
> haven't found the typical "List-Id:" header [1], which would have
> been my first choice. I see, however, that I can use the "Sender:
> [hidden email]" header for my procmail recipe. OK,
> so problem solved.
>
---------%<--------

I've been using this recipe for, well, for years

:0
* ^Sender: [hidden email]
$POSTF

HTH

Chris

--
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
20:59:21 up 8 days, 12:57, 2 users, load average: 0.39, 0.23, 0.19
Ubuntu 16.04.1 LTS, kernel 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18
14:10:15 UTC 2017

signature.asc (188 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Bill Cole-3
In reply to this post by lists@lazygranch.com
On 11 Feb 2017, at 21:53, [hidden email] wrote:

> Further, how does DKIM prove the message wasn't altered? To my
> knowledge, SPF proves the message came from a qualified server and
> DKIM proves the FQDN is a match. 

DKIM signs a hash of the canonicalized message body and the set of
headers specified in the signature. Modify the body or any of those
headers, the signature breaks.
Reply | Threaded
Open this post in threaded view
|

Re: Why no List-ID header in the postfix-users posts?

Josh Good
In reply to this post by lists@lazygranch.com
On 2017 Feb 11, 18:53, [hidden email] wrote:

>
>    How would a get a print out of email uses that fail DKIM, SPF, or
>    both?
>
>    A few months ago there was chatter about how to rewrite the subject
>    header to indicate the SPF and DKIM status. Unfortunately nothing
>    further.
>
>    Further, how does DKIM prove the message wasn't altered? To my
>    knowledge, SPF proves the message came from a qualified server and
>    DKIM proves the FQDN is a match.

Anyone can DKIM sign an email message which passed through his systems,
even if the DKIM signer is not the original sender.

DMARC exists to ensure that a valid DKIM signature is aligned (~coincides) with
the email address in the Header-From.

A valid DKIM signature, irrespective of DMARC alignment, cryptographically
assures that the message has not been altered/tampered with since it
was signed.

A valid DKIM signature plus DMARC alignment, cryptographically assures
the message has not been altered and that it is authentic (i.e., the
provenance of the message is authenticated).

That's not saying all DKIM signed and DMARC aligned email is legit.
Spammers can perfectly send spam with a header-from like this:

From: PayPal Notification <[hidden email]>

and have it DKIM signed and DMARC aligned.

However, if you get an email with a Header-From like this:

From: Paypal Notification <[hidden email]>

with a valid DKIM signature and which is DMARC aligned, you can rest
assured that either the email is legit, or Paypal has been hacked to
death from the inside.

Regards,

--
Josh Good

12