On Fri 02/Sep/2022 14:27:55 +0200 Matus UHLAR - fantomas wrote:
On 25.08.22 18:10, Alessandro Vesely wrote:
I see the list operates both From: munging and ARC sealing. While I'm
clear about the former, I'm curious about how ARC works:
Do any subscribers trust the seal by isc.org?
I guess most recipients use predefined configurations, e.g. no whitelisting.
out of curiosity, I set my opendmarc.conf:
DomainWhitelist lists.isc.org
so we'll see next time mail comes.
Please tell us.
so far, not ex
- opendmarc only uses header that's inserted by openarc milter
- openarc milter for bind-users inserts arc.chain="isc.org:isc.org:isc.org"
They produce an ARC set on each internal passage, all having d=isc.org. That's
undoubtedly redundant, yet valid.
- opendmarc seems to ignore "DomainWhitelist isc.org"; perhaps I need to put
isc.org:isc.org:isc.org (will try)
When enabled, arc=pass should override dmarc=fail p=reject. We never get this,
because bind-users rewrite From: if author's domain has p=reject.
Trusting isc.org should suffice. Logically, when multiple domains applied
message modifications, a receiver has to trust all of them. Not necessarily
any disposition of them.
- openarc (I have installed beta from debian experimental) seems to insert
Authentication-Result: header when no ARC seal is present, though not always.
- arc for bind-users seems to fail when mailman rewrites From: header (but
DKIM is fine in this case)
I tried the Perl ARC verifier included in Mail::DKIM. On your message it
outputs:
ale@pcale:~/tmp$ arc-verify.pl < arc1.eml
ARC-Seal: v=3 pass
ARC-Message-Signature: v=3 pass
ARC-Seal: v=2 pass
ARC-Message-Signature: v=2 fail (body has been altered)
ARC-Seal: v=1 pass
ARC-Message-Signature: v=1 fail (body has been altered)
(arc-verify.pl is a copy of the module's synopsis[*].)
Then I tried it on Ged's message, earlier in this thread, and got:
ale@pcale:~/tmp$ arc-verify.pl < arc2.eml
ARC-Seal: v=3 pass
ARC-Message-Signature: v=3 pass
ARC-Seal: v=2 pass
ARC-Message-Signature: v=2 fail (message has been altered)
ARC-Seal: v=1 pass
ARC-Message-Signature: v=1 fail (message has been altered)
So both messages seem to be valid, if you trust isc.org. The failure in the
signature reflects that only the body was altered in your message, while also
the header was altered in Ged's one. As ARC allows mediators to modify
messages, only the last signature is significant.
Mailman should know about your setting in order to skip From: munging in the
copies sent to you. Currently, the copies sent to pipermail for archiving
seem to be non-munged, so this functionality exists.
do you mean I can turn off From: munging in mail sent to me?
Mailman options[†] don't include something like
*From munging*:
Set this option to /Disabled/ to receive messages with the original From:
line intact. Keep in mind that disabling this option will fail DMARC, so
keep it enabled unless your MTA either doesn't check DMARC or accepts ARC
overrides.
It doesn't seem difficult to implement. It requires trusting the users,
though. I'm going to ask Mailman developers.
Best
Ale
--
[*] https://metacpan.org/pod/Mail::DKIM::ARC::Verifier
[†] https://lists.isc.org/mailman/options/bind-users
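As an added illustration of the receiver-side logic discussed in this thread (not code from the thread, from opendmarc or from openarc): parse the arc= / dmarc= clauses of an Authentication-Results header as the openarc milter and opendmarc leave them, pull the sealing domains out of arc.chain, and let arc=pass override a DMARC p=reject only when every domain in the chain is trusted, rather than just the last one. The header value is constructed; the chain "isc.org:isc.org:isc.org" is the one reported above, everything else in it is an assumption.

```python
import re

# Constructed sample Authentication-Results value (not from a real message):
# an arc= clause as the thread reports openarc inserting it, followed by the
# dkim= and dmarc= clauses a DMARC-checking MTA typically adds.
SAMPLE_AR = ('mx.example.net; arc=pass arc.chain="isc.org:isc.org:isc.org"; '
             'dkim=pass header.d=lists.isc.org; '
             'dmarc=fail (p=reject dis=none) header.from=author.example')

# method=result [(comment)] [ptype.property=value ...]
CLAUSE_RE = re.compile(r'(\w+)=(\w+)\s*(?:\(([^)]*)\))?\s*(.*)')
PROP_RE = re.compile(r'([\w.]+)=("[^"]*"|\S+)')


def parse_auth_results(value):
    """Split an Authentication-Results value into {method: (result, comment, props)}.
    Simplification: a ';' inside a quoted value is not handled."""
    authserv, _, rest = value.partition(';')
    results = {}
    for clause in rest.split(';'):
        m = CLAUSE_RE.match(clause.strip())
        if not m:
            continue
        method, result, comment, prop_text = m.groups()
        props = {k: v.strip('"') for k, v in PROP_RE.findall(prop_text)}
        results[method] = (result, comment or '', props)
    return authserv.strip(), results


def arc_chain(results):
    """Sealing domains as listed in arc.chain (empty list if no arc= clause)."""
    _, _, props = results.get('arc', ('none', '', {}))
    return [d for d in props.get('arc.chain', '').split(':') if d]


def disposition(results, trusted_sealers):
    """Receiver decision: a DMARC fail under p=reject is overridden by arc=pass
    only when every sealer in the chain is trusted, since each of those
    domains modified the message."""
    dmarc_result, dmarc_comment, _ = results.get('dmarc', ('none', '', {}))
    policy = dict(PROP_RE.findall(dmarc_comment)).get('p', 'none')
    if dmarc_result == 'pass' or policy != 'reject':
        return 'accept'
    arc_result = results.get('arc', ('none', '', {}))[0]
    chain = arc_chain(results)
    if arc_result == 'pass' and chain and all(d in trusted_sealers for d in chain):
        return 'accept (arc override)'
    return 'reject'
```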
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users