Amavis and OpenDMARC

Noel Butler noel.butler at ausics.net
Tue Nov 21 03:06:00 CET 2023


On 16/11/2023 18:47, Matus UHLAR - fantomas wrote:

> Keeping header From: and DKIM signatures is perfectly fine, if ML does 
> not modify the mail, which afaik is the default setting.

This also depends on how you set DKIM's canonicalization.

> there is also a mailman setting to remove existing DKIM sigs, so when 
> you get the post, you should not see the OP sigs, which should have 
> been verified by the mailing list server upon receipt of that message.
> This makes sense if ML modifies body and then replaced original From: 
> with its own. In such case new signature for ML domain has to be 
> created.
> 
> I'd like to repeat that *this* list does the former and it's perfectly 
> OK.

I repeat, it depends upon canonicalization, like only if you set c = 
relaxed/relaxed.
The fact that this list does not modify the body by adding a footer also 
helps those who use relaxed/simple.

Anyone using simple/simple should have a DKIM fail, and plenty use that 
setting. Prior to July this year - when I was using this address on file 
with Federal Law Enforcement agencies for receiving, shall we say, certain 
formal requests ;) - I used fully strict with simple/simple, as earlier 
posts on this list would show:

dkim=fail reason="signature verification failed" (2048-bit key) 
header.d=ausics.net

> I believe the issue lies in bad formulation of condition for fo:
> 
> 1: Generate a DMARC failure report if any underlying
> authentication mechanism produced something other than an
> aligned "pass" result.

I've never had an fo=1 SPF failure report, because DKIM would pass even 
when used on lists. I don't get them; my weekly reports do say we get 
plenty of DKIM unaligned, but no forensic reports. I used to get them 
when I posted to dovecot users, but I think Aki's fixed the settings, as 
for the last couple of posts I never got any forensic reports.

> ...I understand this as SPF unaligned with header From: should be 
> reported for domain in header From:.

SPF should only check and report on envelope-sender/return-path; if and 
only if that does not exist should it use the EHLO domain. It should not 
care about From; last time I looked - a decade or so ago - it never did, 
but let's try something...

telnet mail.ausics.net 25
Trying 120.88.115.158...
Connected to mail.ausics.net.
Escape character is '^]'.
220 mail.ausics.net ESMTP Postfix - Hello, is there anybody in there, 
just nod if you can hear me, is there anyone at home
ehlo roswell.ausics.net
250-mail.ausics.net
250-PIPELINING
250-SIZE 51200000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
mail from:root at ns2.ausics.net
250 2.1.0 Ok
rcpt to: noel.butler at ausics.net
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
From: Mickeymouse at mi6.gov
To: noel.butler at ausics.net
Subject: rattrap

test
.
250 2.0.0 Ok: queued as 20350200097

.....  Message passed; of course it got a rather high spam score for 
missing Date and a few other impersonate-gov SA rules, lol.

> It makes sense to report missing/unaligned DKIM.

Then set fo=d  :)

-- 
Regards,
Noel Butler

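The canonicalization point made above (whether c=simple or c=relaxed decides if whitespace changes made in transit by a list or relay break the signature), as an added example that is not code from this thread or from amavis/OpenDMARC: it implements the two RFC 6376 body canonicalization algorithms and reports which constructed in-transit edits leave the bh= body hash intact. The sample body and the edits are constructed; header canonicalization is not modelled.

```python
"""RFC 6376 body canonicalization and the DKIM bh= body hash.

Added example, not code from the thread or from amavis/OpenDMARC. The
c= tag is header/body, so the thread's relaxed/simple means relaxed
headers but a simple body; only the body half is modelled here.
"""
import base64
import hashlib
import re

CRLF = "\r\n"


def canon_body_simple(body: str) -> str:
    """'simple': drop trailing empty lines, ensure one final CRLF, nothing else."""
    body = re.sub(r"(\r\n)+\Z", "", body)
    return body + CRLF  # an empty body canonicalizes to a single CRLF


def canon_body_relaxed(body: str) -> str:
    """'relaxed': collapse WSP runs to one SP, strip line-end WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split(CRLF)]
    body = re.sub(r"(\r\n)+\Z", "", CRLF.join(lines))
    return body + CRLF if body else ""  # an empty body stays empty


def body_hash(body: str, canon: str = "simple") -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the bh= tag value."""
    canon_fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    return base64.b64encode(hashlib.sha256(canon_fn(body).encode()).digest()).decode()


# Constructed sample: the body as the signer saw it, and in-transit edits a
# relay or mailing list might make before the verifier sees it.
ORIGINAL = "test message" + CRLF
CHANGES = {
    "whitespace run altered": "test \t message" + CRLF,
    "trailing whitespace added": "test message   " + CRLF,
    "extra blank lines at end": "test message" + CRLF + CRLF + CRLF,
    "list footer appended": "test message" + CRLF + "-- " + CRLF + "list footer" + CRLF,
}


def survives(canon: str) -> dict:
    """For each edit, True if bh= is unchanged under the given body canonicalization."""
    ref = body_hash(ORIGINAL, canon)
    return {name: body_hash(b, canon) == ref for name, b in CHANGES.items()}


if __name__ == "__main__":
    for canon in ("simple", "relaxed"):
        print(canon, survives(canon))
```

A footer appended by a list breaks bh= under both algorithms, which is why a list that adds one must re-sign with its own domain or strip the original signature.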