<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 12pt; font-family: Verdana,Geneva,sans-serif'>
<p id="reply-intro">On 16/11/2023 18:47, Matus UHLAR - fantomas wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><br /><br />Keeping header From: and DKIM signatures is perfectly fine, if ML does not modify the mail, which afaik is the default setting.</div>
</blockquote>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">This also depends on how you set DKIM's canonicalization</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><br />there is also a mailman setting to remove existing DKIM sigs, so when you get the post, you should not see the OP sigs, which should have been verified by the mailing list server upon receipt of that message.<br />This makes sense if ML modifies body and then replaced original From: with its own. In such case new signature for ML domain has to be created.<br /><br /><span style="white-space: nowrap;">I'd like to repeat that *this* list does the former and it's perfectly OK.</span></div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
</blockquote>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">I repeat depends upon canonicalization, like only if you set c = relaxed/relaxed.</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">The fact this list does not modify the body by adding a footer also helps those who use relaxed/simple.</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">Anyone using simple/simple should have a DKIM fail and plenty use that setting, prior to July this year - when I was using this address on file with Federal Law Enforcement agencies for receiving shall we say certain formal requests ;) I used fully strict with simple/simple - as earlier posts on this list would show</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">dkim=fail reason="signature verification failed" (2048-bit key) header.d=ausics.net</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><br /><span style="white-space: nowrap;">I believe the issue lies in bad formulation of condition for fo:</span><br /><br /><span style="white-space: nowrap;"> 1: Generate a DMARC failure report if any underlying</span><br /><span style="white-space: nowrap;"> authentication mechanism produced something other than an</span><br /><span style="white-space: nowrap;"> aligned "pass" result.</span><br /><br /></div>
</blockquote>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">I've never had an fo=1 SPF failure report, because DKIM would pass, even when used on lists, I don't get them, my weekly reports do say we get plenty of DKIM unaligned, but no forensic reports, I used to get them when I posted to dovecot users, but I think Aki's fixed the settings as last couple posts I never got any forensic reports.</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><br />...I understand this as SPF unaligned with header From: should be reported for domain in header From:.</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
</blockquote>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">SPF should only check and report on envelope-sender/return-path, if and only if that does not exist it should use the EHLO domain, it should not care about From, last time I looked - a decade or so ago - it never did, but lets try something...</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">
<p>telnet mail.ausics.net 25<br />Trying 120.88.115.158...<br />Connected to mail.ausics.net.<br />Escape character is '^]'.<br />220 mail.ausics.net ESMTP Postfix - Hello, is there anybody in there, just nod if you can hear me, is there anyone at home<br />ehlo roswell.ausics.net<br />250-mail.ausics.net<br />250-PIPELINING<br />250-SIZE 51200000<br />250-ETRN<br />250-STARTTLS<br />250-ENHANCEDSTATUSCODES<br />250-8BITMIME<br />250-DSN<br />250 CHUNKING<br />mail from:root@ns2.ausics.net<br />250 2.1.0 Ok<br />rcpt to: noel.butler@ausics.net<br />250 2.1.5 Ok<br />data<br />354 End data with <CR><LF>.<CR><LF><br />From: Mickeymouse@mi6.gov<br />To: noel.butler@ausics.net<br />Subject: rattrap</p>
<p>test<br />.<br />250 2.0.0 Ok: queued as 20350200097</p>
</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">..... Message passed, of course it got a rather high spam score for missing Date and a few other impersonate gov rules SA rules lol</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><br /><br /><span style="white-space: nowrap;">It makes sense to report missing/unaligned DKIM.</span></div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
</blockquote>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">Then set fo=d :)</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<p><br /></p>
<div id="signature">-- <br />
<p>Regards,<br />Noel Butler</p>
<table border="1" width="748" cellspacing="0" cellpadding="1">
<tbody>
<tr>
<td style="text-align: left;">
<p><span style="font-size: 9pt;"><span style="font-family: arial,helvetica,sans-serif;">This Email, including attachments, may contain legally privileged information, therefore at all times remains confidential and subject to copyright protected under international law. You may not disseminate this message without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.</span></span></p>
</td>
</tr>
</tbody>
</table>
<p><br /></p>
</div>
</body></html>