Amavis and OpenDMARC

Matus UHLAR - fantomas uhlar at fantomas.sk
Thu Nov 16 09:47:23 CET 2023


>>>On 11/14/23 22:03, Noel Butler wrote:
>>>I would understand if those reports were required for DKIM fail or 
>>SPF fail, but missing aligned SPF pass is something common with mailing 
>>lists.
>>You only get them on failures not every message, and no, not all 
>>mailing lists fail on DKIM, those who take the time to configure 
>>mailman properly should be fine.

>>On 15/11/2023 13:59, Dave McGuire wrote:
>  Please pardon me for jumping in.  Is there a good reference article 
>for this that you could point me to?

On 16.11.23 12:13, Noel Butler wrote:
>fo=1:  a DMARC failure/forensic report is sent to you when your email 
>fails either SPF or DKIM alignment - Contrary to belief of some, no 
>you don't get bombarded with failures, perhaps this is because many 
>don't honour this.

I believe you can drop the "perhaps" part.

[...]

>Forwarding and for all intents and purposes, that includes mailing lists, 
>should rewrite sender and envelope sender addresses, this is what happens 
>with mailman when its settings are checked to do so (sadly, that is NOT 
>default settings),

Which "sender" do you mean here?

Keeping header From: and DKIM signatures is perfectly fine, if ML 
does not modify the mail, which afaik is the default setting.

>there is also a mailman 
>setting to remove existing DKIM sigs, so when you get the post, you 
>should not see the OP sigs, which should have been verified by the 
>mailing list server upon receipt of that message.

This makes sense if the ML modifies the body and then replaces the original From: 
with its own. In such a case a new signature for the ML domain has to be created.

I'd like to repeat that *this* list does the former and it's perfectly OK.

[...]

>Also SPF related, a non mailing list type service that forwards, 
>should receive, test and if pass, rewrite to its domain/hostname to 
>send onto where ever the forward address is, jesus people these things 
>were discovered and addressed a decade ago :)

This is commonly done for SPF using SRS, where envelope sender is changed 
but headers are kept, so anyone can verify and validate the original DKIM 
signature. SPF will also pass, but not align with header From:.


I believe the issue lies in bad formulation of condition for fo:

       1: Generate a DMARC failure report if any underlying
          authentication mechanism produced something other than an
          aligned "pass" result.


...I understand this as meaning that SPF unaligned with header From: should be 
reported for the domain in header From:.


It makes sense to report missing/unaligned DKIM.

Due to forwarding, the SPF can be correct and unaligned; it makes no sense to 
report this case.


The funny part is that the latter definition of "fo=s" describes SPF 
reporting differently:

       s: Generate an SPF failure report if the message failed SPF
          evaluation, regardless of its alignment.  SPF-specific
          reporting is described in [AFRF-SPF].


...I understand this as meaning that SPF failures for "your domain" in envelope 
from should be reported, independently of proper alignment with header From:.


If your understanding of mentioned parts of RFC 7489 is different, please 
explain how.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
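Worked example, added by the editor and not part of the message above or of amavis/OpenDMARC: a small evaluator that applies the RFC 7489 section 6.3 "fo=" definitions quoted in the thread to the raw SPF and DKIM results of one message, and reports which options would trigger a failure report. The three scenarios are constructed to match the cases discussed: an SRS forwarder that keeps headers and signatures, a mailing list that modifies the body but keeps the original From: and signature, and a list that rewrites From: and re-signs. Domain names (example.org, forwarder.example, list.example), the simplified "relaxed" alignment test, and the choice of which SPF results count as "failed evaluation" are assumptions of this example, not from the RFC text.

```python
"""DMARC 'fo=' failure-report option evaluator (illustrative, editor-added).

fo=0  report if every underlying mechanism failed to produce an aligned "pass"
fo=1  report if any underlying mechanism produced something other than an
      aligned "pass"
fo=d  DKIM failure report if a signature was present and failed evaluation,
      regardless of alignment
fo=s  SPF failure report if the message failed SPF evaluation, regardless of
      alignment
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: which SPF results count as "failed SPF evaluation" for fo=s.
SPF_FAILURES = {"fail", "softfail"}


@dataclass
class DkimResult:
    domain: str   # d= tag of the signature
    result: str   # "pass", "fail", "none", ...


@dataset_placeholder = None  # noqa: F821  (removed below)
```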

