[SAC] [postgis-devel] DMARC/DKIM mitigation on maling lists

[ moving conversation to SAC mailing list as I think it belongs there ]

On Thu, Oct 26, 2023 at 02:08:45PM +0200, Sandro Santilli via postgis-devel wrote:

Ok, this is now live for postgis-tickets. I had to:

  1. Set "Replace the From" to "no"
     https://lists.osgeo.org/mailman/admin/postgis-tickets/general

  2. Disable "Reply-to" munging
     https://lists.osgeo.org/mailman/admin/postgis-tickets/general

  3. Remove footer from the non-digest options
     https://lists.osgeo.org/mailman/admin/postgis-tickets/nondigest

You can see the subsequent differences from the archive:
https://lists.osgeo.org/pipermail/postgis-tickets/2023-October/date.html

Laurențiu (in Cc) tested sending a DKIM-signed email to the
postgis-tickets configured as mentioned above and the mail was found
to still break the DKIM signature.

Here's what I get as Authentication-Results header when the mail arrives
to my mailbox:

  Authentication-Results:
    dkim=fail ("headers rsa verify failed") header.d=dend.ro header.s=fm2 header.b="HQmGmY/I";
    dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm3 header.b=o8qZA0x2;
    dmarc=fail reason="SPF not aligned (relaxed)" header.from=dend.ro (policy=quarantine);
    spf=pass

Magnus: if we wanted to compare with PostgreSQL lists, would any of
those lists be good test targets ?

Does anyone know if the DKIM failures above could still have to do with
mailman configuration ?

NOTE: I've set Reply-To: sac@lists.osgeo.org but I'm not sure how
      postgis-devel and sac mailman lists will treat it...

--strk;

Sandro Santilli <strk@kbt.io> writes:

> Ok, this is now live for postgis-tickets. I had to:
>
>   1. Set "Replace the From" to "no"
>      https://lists.osgeo.org/mailman/admin/postgis-tickets/general
>
>   2. Disable "Reply-to" munging
>      https://lists.osgeo.org/mailman/admin/postgis-tickets/general
>
>   3. Remove footer from the non-digest options
>      https://lists.osgeo.org/mailman/admin/postgis-tickets/nondigest
>
> You can see the subsequent differences from the archive:
> https://lists.osgeo.org/pipermail/postgis-tickets/2023-October/date.html
>
> Laurențiu (in Cc) tested sending a DKIM-signed email to the
> postgis-tickets configured as mentioned above and the mail was found
> to still break the DKIM signature.
>
> Here's what I get as Authentication-Results header when the mail arrives
> to my mailbox:
>
>   Authentication-Results:
>     dkim=fail ("headers rsa verify failed") header.d=dend.ro header.s=fm2 header.b="HQmGmY/I";
>     dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm3 header.b=o8qZA0x2;
>     dmarc=fail reason="SPF not aligned (relaxed)" header.from=dend.ro (policy=quarantine);
>     spf=pass
>
> Magnus: if we wanted to compare with PostgreSQL lists, would any of
> those lists be good test targets ?
>
> Does anyone know if the DKIM failures above could still have to do with
> mailman configuration ?

I think the way to debug this is to store both the original message as
it went to the mailman server and the one as delivered and then diff
them. I have had some success guessing at what was munged and finding a
version that passed, but diff is really vastly easier.

I find it odd for outgoing mail from people to have Sender: as for
normal human-sent mail, it should just be From:. And, I would not
really expect Sender: to be covered by DKIM. I just sent a normal email
to another person, and my outgoing DKIM header is

  h=From:To:Cc:Subject:References:Date:In-Reply-To;

(I am still in the process of subscribing here, so please keep me in cc
for now.)

On Tue, Oct 31, 2023, at 03:36, Greg Troxel wrote:

> I think the way to debug this is to store both the original message as
> it went to the mailman server and the one as delivered and then diff
> them. I have had some success guessing at what was munged and finding a
> version that passed, but diff is really vastly easier.

I added more details to https://trac.osgeo.org/osgeo/ticket/3011#comment:7. I'm almost certain the Sender header is to blame.

The Mailman developers discussed it in 2006, but it didn't go anywhere. I don't think DKIM existed in 2006.

> I find it odd for outgoing mail from people to have Sender: as for
> normal human-sent mail, it should just be From:. And, I would not
> really expect Sender: to be covered by DKIM.

My messages from Fastmail don't have a Sender header, but it's still covered by DKIM so it can't be spoofed. Gmail doesn't include it in DKIM, though.

> I just sent a normal email to another person, and my outgoing DKIM header is
> h=From:To:Cc:Subject:References:Date:In-Reply-To;

It will depend on the configuration (as we've seen with Gmail), but some people even recommend signing an extra empty header instance, to prevent new ones from being added:

https://serverfault.com/questions/1145777/dkim-signing-duplicate-header-signing-in-dkim-signature/1145782#1145782

There is a discussion in https://datatracker.ietf.org/doc/html/rfc6376#section-5.4.

Specifically, this snippet is non-normative, but it says:

  For this reason, signing fields present in the message such as Date, Subject, Reply-To, Sender, and all MIME header fields are highly advised.

Laurentiu
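Greg's suggestion to diff the message as sent against the message as delivered, and Laurențiu's point about the Sender header and oversigning, can be combined into one check. The script below is an added example, not code from this thread, from Mailman or from any of the mail providers named: it reads the h= and bh= tags of the original message's DKIM-Signature, binds each signed header name to a header instance the way a verifier does (bottom-up, with an empty value once instances run out, which is what oversigning relies on), and reports every signed input that differs in the delivered copy. The two messages are constructed inline with example.org addresses and a placeholder b= value, and reproduce the changes discussed here (a subject tag, an added Sender: header and a footer); only relaxed header and simple body canonicalization are implemented.

```python
import base64
import email
import hashlib
import re

def parse_tags(sig):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 3.2); folding whitespace is dropped."""
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in
            (part.split("=", 1) for part in sig.split(";") if "=" in part)}

def canon_header(value):
    """Relaxed header canonicalization (RFC 6376 3.4.2): unfold, squeeze WSP, trim."""
    return re.sub(r"\s+", " ", value).strip()

def signed_values(msg, names):
    """Bind each h= entry to a header instance as a verifier does (RFC 6376 5.4.2): last unused instance
    first, None once they run out, so 'sender' listed twice with no Sender: present is oversigned."""
    pools, out = {}, []
    for name in names:
        key = name.lower()
        if key not in pools:
            pools[key] = [canon_header(v) for n, v in msg.items() if n.lower() == key]
        out.append((key, pools[key].pop() if pools[key] else None))
    return out

def body_hash_simple(raw):
    """bh= over the body (after the first empty line), simple canonicalization (RFC 6376 3.4.3)."""
    body = (re.split(rb"\r?\n\r?\n", raw, maxsplit=1) + [b""])[1]
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n").rstrip(b"\r\n") + b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode()

def dkim_diff(original_raw, delivered_raw):
    """List every signed input that differs between the message as sent and as delivered."""
    orig, deliv = email.message_from_bytes(original_raw), email.message_from_bytes(delivered_raw)
    sig = orig["DKIM-Signature"]
    if sig is None:
        return ["original message carries no DKIM-Signature"]
    tags = parse_tags(sig)
    names = tags["h"].split(":")
    changes = [f"{key}: {before!r} -> {after!r}" for (key, before), (_, after)
               in zip(signed_values(orig, names), signed_values(deliv, names)) if before != after]
    if body_hash_simple(delivered_raw) != tags.get("bh"):
        changes.append("body: hash no longer matches bh=")
    return changes

def sample_pair():
    """Constructed data: a message that oversigns Sender, and the same one after a list added
    a subject tag, a Sender: header and a footer (the three changes discussed in this thread)."""
    body = b"Hello list,\r\n\r\nthe DKIM test message.\r\n"
    common = b"From: Alice <alice@example.org>\r\nTo: sac@lists.example.org\r\nDate: Wed, 8 Nov 2023 13:12:20 +0100\r\n"
    sig = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel;\r\n"
           b" h=From:To:Subject:Date:Sender:Sender; bh=" + body_hash_simple(b"\r\n\r\n" + body).encode()
           + b";\r\n b=CONSTRUCTED_NOT_A_REAL_SIGNATURE\r\n")
    original = sig + common + b"Subject: DKIM test\r\n\r\n" + body
    delivered = (b"Sender: sac-bounces@lists.example.org\r\n" + sig + common
                 + b"Subject: [SAC] DKIM test\r\n\r\n" + body + b"-- \r\nsac mailing list footer\r\n")
    return original, delivered
```

On real mail, pass the raw bytes of the Sent-folder copy and of the list-delivered copy to dkim_diff in place of sample_pair(); each reported line is a signed input the list changed, which is what the verifier's "headers rsa verify failed" is hiding.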

As we now have a draft recommendation for mailing lists:
https://trac.osgeo.org/osgeo/ticket/3011#comment:23

Would anyone with admin access of this mailing list (sac) want to try
following those recommendations for this list ? That way we can verify
the instructions are clear and at the same time have a broader test of
the recommended configuration.

Starting point:
https://lists.osgeo.org/mailman/admin/sac

Current administrators are: Hobu, me, Jeff McKenna and Regina, all in Cc.

--strk;

Given the enthusiasm, I did this myself.
The SAC mailing list is now officially the second mailing list testing
the new settings.

--strk;

On Tue, Nov 07, 2023 at 12:01:23PM +0100, Sandro Santilli via Sac wrote:

> As we now have a draft recommendation for mailing lists:
> https://trac.osgeo.org/osgeo/ticket/3011#comment:23
>
> Would anyone with admin access of this mailing list (sac) want to try
> following those recommendations for this list ? That way we can verify
> the instructions are clear and at the same time have a broader test of
> the recommended configuration.
>
> Starting point:
> https://lists.osgeo.org/mailman/admin/sac
>
> Current administrators are: Hobu, me, Jeff McKenna and Regina, all in Cc.

On Wed, Nov 8, 2023 at 12:23 PM Sandro Santilli <strk@kbt.io> wrote:

> Given the enthusiasm, I did this myself.
> The SAC mailing list is now officially the second mailing list testing
> the new settings.

For the record:
I don't like at all that the [SAC] suffix is no longer in the Subject.

Markus

> --strk;
>
> On Tue, Nov 07, 2023 at 12:01:23PM +0100, Sandro Santilli via Sac wrote:
> > As we now have a draft recommendation for mailing lists:
> > https://trac.osgeo.org/osgeo/ticket/3011#comment:23
> >
> > Would anyone with admin access of this mailing list (sac) want to try
> > following those recommendations for this list ? That way we can verify
> > the instructions are clear and at the same time have a broader test of
> > the recommended configuration.
> >
> > Starting point:
> > https://lists.osgeo.org/mailman/admin/sac
> >
> > Current administrators are: Hobu, me, Jeff McKenna and Regina, all in Cc.

Markus Neteler <neteler@osgeo.org> writes:

> On Wed, Nov 8, 2023 at 12:23 PM Sandro Santilli <strk@kbt.io> wrote:
>
> > Given the enthusiasm, I did this myself.
> > The SAC mailing list is now officially the second mailing list testing
> > the new settings.
>
> For the record:
> I don't like at all that the [SAC] suffix is no longer in the Subject.

I think it's important that we don't discuss "subject tag is missing"
disconnected from "From: line has been set to an incorrect value". It
is in general (given that we allow people to join lists from domains
that have DMARC policies!) one or the other.

With a modified subject, some senders are going to get rewritten and
then From: won't match per-sender filters in MUAs and more importantly
the "reply" MUA risks sending to the list. It's this consequence which
has to be weighed against not having subject tags.

(FWIW, I believe that if DKIM had been well established when mailman was
being written, the subject tag feature would not have been introduced or
at least not become normal.)

This is not really related to dealing with DMARC, but I noticed
something in your message.

Here are the headers in the message, minus a couple added by my system
(spam filtering scores), omitted to reduce noise.

  - Your message has a From: of neteler@osgeo.org.
  - it was actually sent via google.
    * google did not include your client's IP address (that's great)
    * google has an X-Google-DKIM-Signature instead of DKIM-Signature
      (This is bizarre but not news to me)
    * google's faux DKIM header is from 1e100.net
      (also odd but not news)
  - osgeo.org applied a dkim signature from osgeo.org to the list
    message

This last point is normal in many ways; it signs the mail as coming from
osgeo so that people can

welcomelist_from_dkim *@* osgeo.org

to not filter things coming from the list. However, your message did
not actually come from osgeo.org, it seems, and thus really shouldn't
have gotten a fresh DKIM signature.

What you are doing is of course totally normal, but in the world of
DKIM/DMARC (and then ARC) that I think we are heading to, outgoing mail
has to be handled by the outgoing MTA of the domain, and not sent via
some other domain's MTA.

This is particularly an issue for people with secondary email addresses,
like this case.
    
Return-Path: <SRS0=aK0C=GV=lists.osgeo.org=sac-bounces@osgeo.org>
Received: from lists.osgeo.org (osgeo6.osgeo.osuosl.org [140.211.15.3])
  by s1.lexort.com (Postfix) with ESMTP id 3C5AF4106FC
  for <gdt@lexort.com>; Wed, 8 Nov 2023 07:12:35 -0500 (EST)
Authentication-Results: s1.lexort.com; dkim=pass (2048-bit key) header.d=osgeo.org header.i=@osgeo.org header.b=UNpkdFdY
Received: from osgeo6.osgeo.osuosl.org (localhost [127.0.0.1]) by lists.osgeo.org (Postfix) with ESMTP id 0B62C613C189; Wed, 8 Nov 2023 04:12:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=osgeo.org; s=mail;
  t=1699445555; bh=t9fnzoscK2inK9dMf/tp0yVIc8rjv0kXC2dDl45Vroo=;
  h=References:In-Reply-To:From:Date:Subject:To:List-Id:
   List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
   From;
  b=UNpkdFdYJ8dzuwk0GFzWV9/pOHlXlGis4n0/DlM4U/D1CWwhHQRJyH/r44VSZiK2P
   XRftYOiCqz+wcOv4a30b10R+iPs/yaOl/wJ3o2pZgvZtxdLGYBVSrrh2H9qTyziH7E
   oC+V3Svwoz42k9vBJedBtyyiSaIUw0ABmsVf/n7DwovBYLuYFJfBguSWTQfTDpXmIL
   paTV8+EtKJmS4VhCbWEoj0zd7jrPKpW4SYdORfZv+5xafBV6VCf1of5qquuUETaQ4n
   Ua/DfIIXn0EkhHIqoEpuxI9rRtNKKp/X7pZpJ0BomwmE/DlaT7ow4V5qRdX3Yl1P9x
   JUzfaSQR6dsKw==
Received: from mail-ej1-f44.google.com (mail-ej1-f44.google.com
[209.85.218.44])
by lists.osgeo.org (Postfix) with ESMTPS id 16A9661424E2
for <sac@lists.osgeo.org>; Wed, 8 Nov 2023 04:12:34 -0800 (PST)
Received: by mail-ej1-f44.google.com with SMTP id a640c23a62f3a-9be02fcf268so1018084566b.3 for <sac@lists.osgeo.org>; Wed, 08 Nov 2023 04:12:33 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1699445552; x=1700050352;
h=content-transfer-encoding:to:subject:message-id:date:from
:in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=t9fnzoscK2inK9dMf/tp0yVIc8rjv0kXC2dDl45Vroo=;
b=pgVGUXFdAx4A0sEZfZ71kljzEyuYrPKyhvAUpWC3Do6XHrwU2eb/SdnejG68Ru3f0+
ZbxAvbeJMaRsPOQUDOvXyFwb3DrbHaAKBOy1i1jIUAl2EJ4LcLPLG7OIxAWdhq4yfk82
cFBtwitK6fXe+d23LDnv2Cg0HtuiL+R2oW61iKqOoZjTOX1AY4HLcZHQjUyjjgNkFtEI
Ea2G5QzXHu9xliV5mj73CMhcr0mk7V7zvvpLQLI9cD3iGMiObK2MWiBCKgAPTONiJ7bf
lnF94yQNP4YfQ5rXnoHZuTdqbdr20BlGSI115CeIK7i0okOVmcQ/CGDnhxWbFfmLtQ3s
d4FA==
X-Gm-Message-State: AOJu0YwMOweh84+TOLPC9d0OrokjDMT9yM8dulJTKwn2VS0qCpinQRDT 40WoYEKJjHUAlVxuXw3kA69WyBxa1LY7Jm88c+PsH8c5JcSuYhzK
X-Google-Smtp-Source: AGHT+IG4643go/OrYZcNMGW0yDmUgNSBfKL3rKMHfirB+eWjU+sdTKmnKsviiTwccgg0QT7IXoBShIGGkWfX/Bm+EeI=
X-Received: by 2002:a17:907:7ba5:b0:9df:bc8d:fbc8 with SMTP id ne37-20020a1709077ba500b009dfbc8dfbc8mr1472978ejc.37.1699445552259; Wed, 08 Nov 2023 04:12:32 -0800 (PST)
MIME-Version: 1.0
References: <002a01da075d$776917e0$663b47a0$@pcorp.us>
<rmi34xy1y0k.fsf@s1.lexort.com>
<002b01da075f$893ec210$9bbc4630$@pcorp.us> <rmir0lizekw.fsf@s1.lexort.com>
<003401da078b$d7e29410$87a7bc30$@pcorp.us> <ZTpWzZ4Qvri1CFmb@c19>
<ZTty0VH3w3kmuGIT@c19> <rmizfzzinds.fsf@s1.lexort.com>
<8ef85620-59d4-40c8-ac7e-07af8ba3aa09@betaapp.fastmail.com>
<ZUoZAzLW4b/6w+AI@c19> <ZUtvhmhiRTGb/Bhe@c19>
In-Reply-To: <ZUtvhmhiRTGb/Bhe@c19>
From: Markus Neteler <neteler@osgeo.org>
Date: Wed, 8 Nov 2023 13:12:20 +0100
Message-ID: <CALFmHhsecrhbhECRAj5sDTJtA2o1+dZncxt--SrMbVG8Wq4=_g@mail.gmail.com>
Subject: Re: DMARC/DKIM mitigation on maling lists
To: sac@lists.osgeo.org, jmckenna@gatewaygeomatics.com, howard@hobu.co, lr@pcorp.us
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-BeenThere: sac@lists.osgeo.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: System Administration Committee Discussion/OSGeo <sac.lists.osgeo.org>
List-Unsubscribe: <https://lists.osgeo.org/mailman/options/sac>, <mailto:sac-request@lists.osgeo.org?subject=unsubscribe>
List-Archive: <http://lists.osgeo.org/pipermail/sac/>
List-Post: <mailto:sac@lists.osgeo.org>
List-Help: <mailto:sac-request@lists.osgeo.org?subject=help>
List-Subscribe: <https://lists.osgeo.org/mailman/listinfo/sac>, <mailto:sac-request@lists.osgeo.org?subject=subscribe>
Errors-To: sac-bounces@lists.osgeo.org
X-Greylist: Sender IP whitelisted by DNSRBL, not delayed by milter-greylist-4.6.4 (s1.lexort.com [71.19.148.97]); Wed, 08 Nov 2023 07:12:35 -0500 (EST)

On Wed, Nov 08, 2023 at 01:12:20PM +0100, Markus Neteler wrote:

> For the record:
> I don't like at all that the [SAC] suffix is no longer in the Subject.

Is that something you can ask your MUA or mail filter (procmail?) to
re-add locally for you ?

--strk;

On Wed, Nov 8, 2023 at 2:40 PM Sandro Santilli <strk@kbt.io> wrote:

> On Wed, Nov 08, 2023 at 01:12:20PM +0100, Markus Neteler wrote:
> >
> > For the record:
> > I don't like at all that the [SAC] suffix is no longer in the Subject.
>
> Is that something you can ask your MUA or mail filter (procmail?) to
> re-add locally for you ?

Here I am using Gmail, so that's not possible I suppose.

Markus

On Wed, Nov 8, 2023, at 15:59, Markus Neteler wrote:

> On Wed, Nov 8, 2023 at 2:40 PM Sandro Santilli <strk@kbt.io> wrote:
>
> > On Wed, Nov 08, 2023 at 01:12:20PM +0100, Markus Neteler wrote:
> > >
> > > For the record:
> > > I don't like at all that the [SAC] suffix is no longer in the Subject.
> >
> > Is that something you can ask your MUA or mail filter (procmail?) to
> > re-add locally for you ?
>
> Here I am using Gmail, so that's not possible I suppose.
>
> Markus

You can still create a filter that applies a label to messages sent to sac@lists.osgeo.org, which seems like a reasonable approximation of the prefix.

Laurentiu

On Wed, Nov 08, 2023 at 04:17:43PM +0200, Laurențiu Nicola via Sac wrote:

> On Wed, Nov 8, 2023, at 15:59, Markus Neteler wrote:
> > On Wed, Nov 8, 2023 at 2:40 PM Sandro Santilli <strk@kbt.io> wrote:
> >> On Wed, Nov 08, 2023 at 01:12:20PM +0100, Markus Neteler wrote:
> >> >
> >> > For the record:
> >> > I don't like at all that the [SAC] suffix is no longer in the Subject.
> >>
> >> Is that something you can ask your MUA or mail filter (procmail?) to
> >> re-add locally for you ?
> >
> > Here I am using Gmail, so that's not possible I suppose.
>
> You can still create a filter that applies a label to messages sent to sac@lists.osgeo.org, which seems like a reasonable approximation of the prefix.

As usual, some recipes about filtering in popular MUAs would be nice
to have on the wiki.

Good starting point for that:
  https://wiki.osgeo.org/wiki/SAC:Mailing_Lists

--strk;

On Wed, Nov 8, 2023 at 3:27 PM Laurențiu Nicola <lnicola@dend.ro> wrote:

> On Wed, Nov 8, 2023, at 15:59, Markus Neteler wrote:
> > On Wed, Nov 8, 2023 at 2:40 PM Sandro Santilli <strk@kbt.io> wrote:
> >> On Wed, Nov 08, 2023 at 01:12:20PM +0100, Markus Neteler wrote:
> >> >
> >> > For the record:
> >> > I don't like at all that the [SAC] suffix is no longer in the Subject.
> >>
> >> Is that something you can ask your MUA or mail filter (procmail?) to
> >> re-add locally for you ?
> >
> > Here I am using Gmail, so that's not possible I suppose.
> >
> > Markus
>
> You can still create a filter that applies a label to messages sent to sac@lists.osgeo.org, which seems like a reasonable approximation of the prefix.

In case the changes shall be rolled out OSGeo-wide:

Importantly, these changes should not be silently implemented but
announced beforehand.

My 0.02 cents,
Markus

On Wed, Nov 8, 2023 at 1:43 PM Greg Troxel <gdt@lexort.com> wrote:

> This is not really related to dealing with DMARC, but I noticed
> something in your message.
>
> Here are the headers in the message, minus a couple added by my system
> (spam filtering scores), omitted to reduce noise.
>
>   - Your message has a From: of neteler@osgeo.org.
>   - it was actually sent via google.
>     * google did not include your client's IP address (that's great)
>     * google has an X-Google-DKIM-Signature instead of DKIM-Signature
>       (This is bizarre but not news to me)
>     * google's faux DKIM header is from 1e100.net
>       (also odd but not news)
>   - osgeo.org applied a dkim signature from osgeo.org to the list
>     message

Would changing anything in this regard help?
https://wiki.osgeo.org/wiki/SAC:Message_Submission_Agent

I wonder how to make use of this new SAC MUA service with Gmail (which
many will use) rather than Thunderbird.

Markus

Markus Neteler <neteler@osgeo.org> writes:

> On Wed, Nov 8, 2023 at 1:43 PM Greg Troxel <gdt@lexort.com> wrote:
>
> > This is not really related to dealing with DMARC, but I noticed
> > something in your message.
> >
> > Here are the headers in the message, minus a couple added by my system
> > (spam filtering scores), omitted to reduce noise.
> >
> >   - Your message has a From: of neteler@osgeo.org.
> >   - it was actually sent via google.
> >     * google did not include your client's IP address (that's great)
> >     * google has an X-Google-DKIM-Signature instead of DKIM-Signature
> >       (This is bizarre but not news to me)
> >     * google's faux DKIM header is from 1e100.net
> >       (also odd but not news)
> >   - osgeo.org applied a dkim signature from osgeo.org to the list
> >     message
>
> Would changing anything in this regard help?
> https://wiki.osgeo.org/wiki/SAC:Message_Submission_Agent

Yes, the right thing to do is to send all mail with From: of osgeo
through osgeo's outgoing server.

> I wonder how to make use of this new SAC MUA service with Gmail (which
> many will use) rather than Thunderbird.

gmail is a mail server, not a generic mail client. In addition, it has
a webmail interface that is, as far as I know, bound to that service.

People will need to use some kind of "Mail User Agent" configured to the
osgeo MSA.

It is somewhat surprising to me that gmail doesn't publish a DMARC
record and people can still inject messages elsewhere with a From: of
gmail. You can't do this with yahoo.com, for example, and have them be
delivered. So there is no ability to send @yahoo.com mail with gmail.
Basically one can no longer choose to use "gmail for all mail", unless
all of your outgoing mail has your gmail address in it.

On Thu, Nov 09, 2023 at 03:58:05PM -0500, Greg Troxel wrote:

> People will need to use some kind of "Mail User Agent" configured to the
> osgeo MSA.

I know nextcloud has a webmail application, maybe we could install
that for users, but I don't know if it can be pre-configured.

--strk;

Sandro Santilli <strk@kbt.io> writes:

> On Thu, Nov 09, 2023 at 03:58:05PM -0500, Greg Troxel wrote:
>
> > People will need to use some kind of "Mail User Agent" configured to the
> > osgeo MSA.
>
> I know nextcloud has a webmail application, maybe we could install
> that for users, but I don't know if it can be pre-configured.

I have no idea, but typically with webmail you put in username and
password, just like you would in a regular client.