[BALUG-Admin] BALUG-Talk and SPF/DKIM

Rick Moen rick@linuxmafia.com
Fri Aug 18 05:49:07 PDT 2017 

[adding balug-admin]

Quoting Glen Martin (glen@glen-martin.com):

> I expect the alterations are the insertion of a list footer in the
> message text. I expect similar insertion in the Subject header to be
> problematic as well, though this DMARC didn't complain of that.

My understanding is that the sending domain's DKIM policy (portion of
DMARC) declares which headers and text portions are attested by
cryptographic signing.  Failing the DKIM aspect of DMARC means the
forwarder host (in this case the MLM host) has altered or inserted into
one of the signed areas of the message, and not stripped the DKIM
headers.  (Some listadmins strip such headers as a way of avoiding the
perception of DMARC failure upon retransmission.  I'm not sure this is
wise.  Seems like there might be adverse consequences.)

> Here's a header from one of my own messages to the list, having come
> back to me through the list and evaluated using my own inbound
> testers (opendmarc and opendkim). The two "Authentication-results:"
> headers are the problem. For help understanding the headers, I'll
> point out that my primary domain on this MX is locutory.org, hence
> that name in the headers.

Downthread in that offlist conversation with Michael, I notice you said:

 However, glen-martin.com publishes authorized sending hosts (in SPF), 
 and temp.balug.org (or any other balug.org) isn't on that list. Strike 1.

To the best of my understanding, MLM retransmission of messages to
subscribers is _not_ going to violate any sender's SPF policy, because
the retransmitted message to each subscriber bears a new, different envelope 
citing the MLM's domain.  Hence, on that retransmission, the relevant
SPF record that would be consulted upon arrival at the subscriber's MTA
is not the poster's domain but rather the MLM's (balug.org's).

The example test mail to balug-talk whose full headers you sent to
Michael had, as received by you as subscriber:

  Received-SPF: pass (glen-martin.com: 50.196.148.122 is authorized to
  use 'glen@glen-martin.com' in 'mfrom' identity (mechanism 'ip4:50.196.148.122'
  matched) (glen-martin.com: 50.196.148.122 is authorized to use
  'glen@glen-martin.com' in 'mfrom' identity (mechanism
  'ip4:50.196.148.122' matched)))

If I'm reading that right, temp.balug.org's (IP 198.144.194.238's) MTA
software inserted that when it received your original posting, and
temp.balug.org considered all to be well at that point, as
50.196.148.122 was one of the declared authorised senders in your
domain's SPF RR.

temp.balug.org then turned around and retransmitted a fresh copy to each 
balug-talk subscriber including, of course, you.  It bore a totally new
SMTP envelope, for which the envelope sender was:

   Return-Path: <balug-talk-bounces@temp.balug.org>

So, your receiving MTA, getting the subscriber copy, would have sought
to vet transmitting MTA IP 198.144.194.238 (temp.balug.org) against the
SPF RR not of _your_ domain (for that copy), but rather of domain
balug.org.  

People get really confused about SPF and mailing list, I notice,
forgetting that the MLM's forward is a separate message with a different
SMTP envelope (from a different domain).


Let's look at the balug.org SPF RR:

:r! dig -t txt balug.org +short
[null return value]

Well, Michael, time to put an SPF RR in the balug.org DNS.  
This one works for my domain:

:r! dig -t txt linuxmafia.com +short
"v=spf1 a mx -all"

Any questions, please just ask.  It says 'use version 1 of SPF protocol,
consider the received mail legitimate if it arrives from an IP
corresponding with the linuxmafia.com A or MX RR, and please hardfail 
as a forgery any message purporting to come from linuxmafia.com arriving
from any _other_ IP.'


> Authentication-Results: mail2.locutory.org (amavisd-new);
> 	dkim=fail (1024-bit key) reason="fail (body has been altered)"
> 	header.d=glen-martin.com

Well, could you please compare the message body as you sent it with the
message body as you received it in the retransmitted subscriber copy,
and tell us what you signed that got changed?

What I'm saying is that it's unclear on this end what is the scope of
your domain's DKIM cryptographic scrutiny.  OK, the 'body has been
altered', but what specifically does that mean?  Is your domain's DKIM
policy so twitchy that Mailman merely adding a Mailman footer breaks it?
Does Mailman adding List-Id, List-Subscribe, List-Help, and
List-Unsubscribe headers break it?  You define and control that DKIM
policy for your domain, so perhaps you can tell us.

> Balug is also inserting headers/footers into Subject and Body, so the DKIM
> checksum fails (message is modified). Strike 2.

You cannot expect Mailman mailing lists to _not_ add additional SMTP
headers, add a footer, and insert a Subject header tag (like
'[BALUG-Talk]'), so it seems to me your DKIM policy ought _not_ to be set to
fail if such things are changed by standards-compliant forwarders such as
MLMs.  Those are things that mailing lists _must_ do in some cases, and
traditionally do for excellent reasons (like adding a footer) in others.

If you expect mailing lists to not do normal mailing list things, then I
submit that IMO your domain's DKIM policy is broken and urgently needs
revision.

More information about the BALUG-Admin mailing list