You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Merijn van den Kroonenberg <me...@web2all.nl> on 2017/05/05 09:37:08 UTC
DKIM_VALID EnvelopeFrom
Hi,
I want to test in SA if the Envelope From domain is DKIM_VALID.
I do some processing of SA maillogs and they contain the EnvelopeFrom
address (and not the From address) and I would like to know if they are
DKIM_VALID.
Till now I have been using DKIM_VALID_AU, but this information is no good if
HEADER_FROM_DIFFERENT_DOMAINS is hit (difference between From and
EnvelopeFrom).
Is there a way to make a DKIM_VALID_EF rule in SA? Or is the only way
modifying/extending the DKIM Plugin?
Cheers,
Merijn
Re: DKIM_VALID EnvelopeFrom
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>>>> On Fri, 5 May 2017, David Jones wrote:
>>>>>> I think I would have to write a simple SA plugin to compare the
>>>>>> envelope-from with the DKIM signature domain to see if they matched
>>>>>> then I could use a meta rule to glue all of this together.
>>From: Matus UHLAR - fantomas <uh...@fantomas.sk>
>>agreed but there's still one thing I don't understand:
>
>>If a mail is DKIM-signed, it means that it's authenticated, including
>>headers like From:.
On 05.05.17 22:34, David Jones wrote:
>Authentication and authorization are very different things.
I should probably have said "authentic" - the content was not modified
between signer and receiver.
>>what's the point of checking if SPF and DKIM domains match?
>>This way authentic (but forwarded, e.g. through mailing lists) mail will get
>>"caught" but what's the poit of it?
>
>DKIM signing only does authentication to prevent tampering with the
>body and headers. It doesn't have to do with authorization that like
>SPF does. Both authentication and authorization are needed to prove
>an email is from who it claims to be and not altered.
actually, if the mail contains DKIM-signed headers and body, it has not been
altered.
It may have been forwarded trough another account or mailing list, but the
DKIM-verified content is still unmodified(1).
Even having broken SPF doesn't mean much in this case (although it should
invalidate whitelist_auth).
but I still don't get the point:
What is a problem when DKIM-verified is forwarded through different domain
(without alteration)?
>Of course a compromised mail account can send both an authorized
>and authenticated email with malicious content. You don't want to
>whitelist_auth domains with real user accounts that can be compromised.
any account can be compromised - you'd have to avoid whitelisting at all.
(1) if DKIM key gets compromised, the whole discussion is irelevant, so I
don't take this into account.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are
Re: DKIM_VALID EnvelopeFrom
Posted by David Jones <dj...@ena.com>.
>From: Matus UHLAR - fantomas <uh...@fantomas.sk>
>>>> On Fri, 5 May 2017, David Jones wrote:
>>>>
>>>>> I think I would have to write a simple SA plugin to compare the
>>>>> envelope-from with the DKIM signature domain to see if they matched
>>>>> then I could use a meta rule to glue all of this together.
>>>John Hardin skrev den 2017-05-05 21:45:
>>>> Or file a bug to get it implemented in the base DKIM plugin. I suspect
>>>> extending that would be easier (and neater in the long run) than a
>>>> parallel plugin for just that one DKIM check.
>>>From: Benny Pedersen <me...@junc.eu>
>>>http://search.cpan.org/dist/Mail-DMARC/
>>
>>>who will make the missing sa plugin to it ?
>On 05.05.17 20:22, David Jones wrote:
>>I just filed a bug per John's recommendation but I think it
>>would be best to put that logic into a DMARC plugin since
>>this is getting into what DMARC does.
>agreed but there's still one thing I don't understand:
>If a mail is DKIM-signed, it means that it's authenticated, including
>headers like From:.
Authentication and authorization are very different things.
>what's the point of checking if SPF and DKIM domains match?
>This way authentic (but forwarded, e.g. through mailing lists) mail will get
>"caught" but what's the poit of it?
DKIM signing only does authentication to prevent tampering with the
body and headers. It doesn't have to do with authorization that like
SPF does. Both authentication and authorization are needed to prove
an email is from who it claims to be and not altered.
Of course a compromised mail account can send both an authorized
and authenticated email with malicious content. You don't want to
whitelist_auth domains with real user accounts that can be compromised.
Re: DKIM_VALID EnvelopeFrom
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>> On Fri, 5 May 2017, David Jones wrote:
>>>
>>>> I think I would have to write a simple SA plugin to compare the
>>>> envelope-from with the DKIM signature domain to see if they matched
>>>> then I could use a meta rule to glue all of this together.
>>John Hardin skrev den 2017-05-05 21:45:
>>> Or file a bug to get it implemented in the base DKIM plugin. I suspect
>>> extending that would be easier (and neater in the long run) than a
>>> parallel plugin for just that one DKIM check.
>>From: Benny Pedersen <me...@junc.eu>
>>http://search.cpan.org/dist/Mail-DMARC/
>
>>who will make the missing sa plugin to it ?
On 05.05.17 20:22, David Jones wrote:
>I just filed a bug per John's recommendation but I think it
>would be best to put that logic into a DMARC plugin since
>this is getting into what DMARC does.
agreed but there's still one thing I don't understand:
If a mail is DKIM-signed, it means that it's authenticated, including
headers like From:.
what's the point of checking if SPF and DKIM domains match?
This way authentic (but forwarded, e.g. through mailing lists) mail will get
"caught" but what's the poit of it?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
Re: DKIM_VALID EnvelopeFrom
Posted by David Jones <dj...@ena.com>.
>From: Benny Pedersen <me...@junc.eu>
>John Hardin skrev den 2017-05-05 21:45:
>> On Fri, 5 May 2017, David Jones wrote:
>>
>>> I think I would have to write a simple SA plugin to compare the
>>> envelope-from with the DKIM signature domain to see if they matched
>>> then I could use a meta rule to glue all of this together.
>>
>> Or file a bug to get it implemented in the base DKIM plugin. I suspect
>> extending that would be easier (and neater in the long run) than a
>> parallel plugin for just that one DKIM check.
>http://search.cpan.org/dist/Mail-DMARC/
>who will make the missing sa plugin to it ?
I just filed a bug per John's recommendation but I think it
would be best to put that logic into a DMARC plugin since
this is getting into what DMARC does.
Dave
Re: DKIM_VALID EnvelopeFrom
Posted by Benny Pedersen <me...@junc.eu>.
John Hardin skrev den 2017-05-05 21:45:
> On Fri, 5 May 2017, David Jones wrote:
>
>> I think I would have to write a simple SA plugin to compare the
>> envelope-from with the DKIM signature domain to see if they matched
>> then I could use a meta rule to glue all of this together.
>
> Or file a bug to get it implemented in the base DKIM plugin. I suspect
> extending that would be easier (and neater in the long run) than a
> parallel plugin for just that one DKIM check.
http://search.cpan.org/dist/Mail-DMARC/
who will make the missing sa plugin to it ?
Re: DKIM_VALID EnvelopeFrom
Posted by John Hardin <jh...@impsec.org>.
On Fri, 5 May 2017, David Jones wrote:
> I think I would have to write a simple SA plugin to compare the
> envelope-from with the DKIM signature domain to see if they matched then
> I could use a meta rule to glue all of this together.
Or file a bug to get it implemented in the base DKIM plugin. I suspect
extending that would be easier (and neater in the long run) than a
parallel plugin for just that one DKIM check.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
We should endeavour to teach our children to be gun-proof
rather than trying to design our guns to be child-proof
-----------------------------------------------------------------------
3 days until the 72nd anniversary of VE day
Re: DKIM_VALID EnvelopeFrom
Posted by David Jones <dj...@ena.com>.
From: RW <rw...@googlemail.com>
>On Sat, 6 May 2017 13:28:30 +0000
>David Jones wrote:
> From what I can tell, the
>> whitelist_from_dkim only works on DKIM_VALID_AU hits which means the
>> DKIM signature domain aligns with the header-from. Based on my
>> analysis of my email, if email has passed through my Postfix
>> postscreen scrutiny based on the envelope- from and hits
>> DKIM_VALID_AU _with a good unsubscribe_, then that domain is fine to
>> whitelist_auth.
>If you mean that you only whitelist mail with
> header-from-domain == envelope-from-domain,
That's not what I said. I think I was pretty clear that I only add
system-generated email envelope-from domains. If they happen
to hit DKIM_VALID_AU used by whitelist_from_dkim, then that is OK
since these are system-generated emails. I am not adding gmail.com
or yahoo.com to whitelist_auth which would be very bad.
>then why have you been emphasizing that you only add
>envelope-from-domains to whitelist_auth. It's technically true,
>but deeply misleading.
I didn't mean to be misleading which is why I tried to explain it in great
detail in the last email. Here is a perfect example of an email that hit
both USER_IN_SPF_WHITELIST and USER_IN_DKIM_WHITELIST because
I have a "whitelist_auth *.jcpenney.com" which I only cared about matching
on the SPF record. It just happened to have good DKIM alignment:
Authentication-Results: smtp.ena.net; dmarc=pass (p=reject dis=none) header.from=e.jcpenney.com
Authentication-Results: smtp.ena.net; spf=pass smtp.mailfrom=JCPenney@e.jcpenney.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=jcpenney; d=e.jcpenney.com;
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=jcpenney; d=e.jcpenney.com;
Received: by omp.e.jcpenney.com id h1jssi1625o9 for <so...@example.com>; Fri, 5 May 2017 15:16:41 -0700 (envelope-from <JC...@e.jcpenney.com>)
X-CSA-Complaints: whitelist-complaints@eco.de
Date: Fri, 5 May 2017 15:16:41 -0700
To: someone@example.com
From: "JCPenney" <JC...@e.jcpenney.com>
Reply-To: "JCPenney" <no...@e.jcpenney.com>
Above is perfect DMARC alignment of both SPF and DKIM. Note
the "p=reject" in the _dmarc.e.jcpenney.com providing both
authorization and authentication of the sender. This tells me that
the sender knows how to send mass emails properly or at least they
are using a service that is sending emails properly.
Re: DKIM_VALID EnvelopeFrom
Posted by RW <rw...@googlemail.com>.
On Sat, 6 May 2017 13:28:30 +0000
David Jones wrote:
From what I can tell, the
> whitelist_from_dkim only works on DKIM_VALID_AU hits which means the
> DKIM signature domain aligns with the header-from. Based on my
> analysis of my email, if email has passed through my Postfix
> postscreen scrutiny based on the envelope- from and hits
> DKIM_VALID_AU _with a good unsubscribe_, then that domain is fine to
> whitelist_auth.
If you mean that you only whitelist mail with
header-from-domain == envelope-from-domain,
then why have you been emphasizing that you only add
envelope-from-domains to whitelist_auth. It's technically true,
but deeply misleading.
Re: DKIM_VALID EnvelopeFrom
Posted by David Jones <dj...@ena.com>.
From: RW <rw...@googlemail.com>
>On Fri, 5 May 2017 22:49:43 +0000
>David Jones wrote:
>> From: RW <rw...@googlemail.com>
>>
>> >On Fri, 5 May 2017 19:56:27 +0000
>> >David Jones wrote:
>>
>> >> >I don't seen why anyone one would want a form of whitelisting
>> >> >where a DKIM pass on a trusted domain would be ignored if there's
>> >> >no SPF pass.
>> >>
>> >> Correct.
>>
>> >I don't know why you write "correct" and then go on to write
>> >something contrary.
>>
>> It's not a contradiction. See below.
>If you think it isn't you have read it correctly.
>> >>This is why I only add envelope-from domains to my
>> >> whitelist_auth list that is currently 2,595 entries.
>>
>>
>> >That's not a good idea. When you don't feel you can just put a
>> >"header from" domain into whitelist_auth, you should use one or
>> >both of whitelist_from_dkim and whitelist_from_spf instead.
>>
>> Both of those are effectively the same when you carefully add only
>> envelope-from domains with specific patterns.
>There are only two possibilities either the header and envelope domains
>are the same in which case it makes no difference, or they are not,
>in which case you are giving up on DKIM and relying only on SPF.
I understand the difference in whitelist_from_dkim and whitelist_from_spf.
When I did some analysis on scoring and the envelope-from and header-from,
some patterns jumped out. Since my Postfix postscreen does heavy checking
on the envelope-from with DNS and RBL checks, what gets through to SA is
going to be either whitelisted major providers like Google, Yahoo, Microsoft,
etc. or senders with good reputation.
I add certain envelope-from patterns that are not from domains with
user mailboxes that can be compromised. This generally means I am
only adding system-generated email domains that have a valid unsubscribe
process. If these system-generated email domains happen to align with
DKIM that is OK. From what I can tell, the whitelist_from_dkim only
works on DKIM_VALID_AU hits which means the DKIM signature domain
aligns with the header-from. Based on my analysis of my email, if email
has passed through my Postfix postscreen scrutiny based on the envelope-
from and hits DKIM_VALID_AU _with a good unsubscribe_, then that
domain is fine to whitelist_auth.
As a general rule of thumb, I am not adding any "primary" domains
like "example.com". If I see system-generated emails from "*.example.com"
that consistently score very low then I check them for certain rule hits
indicating very good reputation or check for a valid unsubscribe link, then
I add a "whitelist_auth *.example.com" entry. Now if someone registers
the examp1e.com domain and tries to send an identical email to phish,
then it has to get past many reputation checks to get to SA where content
checks will catch it. I can train the examp1e.com emails as spam and BAYES
will score high to block it while the real example.com goes through fine.
Re: DKIM_VALID EnvelopeFrom
Posted by RW <rw...@googlemail.com>.
On Fri, 5 May 2017 22:49:43 +0000
David Jones wrote:
> From: RW <rw...@googlemail.com>
>
> >On Fri, 5 May 2017 19:56:27 +0000
> >David Jones wrote:
>
> >> >I don't seen why anyone one would want a form of whitelisting
> >> >where a DKIM pass on a trusted domain would be ignored if there's
> >> >no SPF pass.
> >>
> >> Correct.
>
> >I don't know why you write "correct" and then go on to write
> >something contrary.
>
> It's not a contradiction. See below.
If you think it isn't you have read it correctly.
> >>This is why I only add envelope-from domains to my
> >> whitelist_auth list that is currently 2,595 entries.
>
>
> >That's not a good idea. When you don't feel you can just put a
> >"header from" domain into whitelist_auth, you should use one or
> >both of whitelist_from_dkim and whitelist_from_spf instead.
>
> Both of those are effectively the same when you carefully add only
> envelope-from domains with specific patterns.
There are only two possibilities either the header and envelope domains
are the same in which case it makes no difference, or they are not,
in which case you are giving up on DKIM and relying only on SPF.
Re: DKIM_VALID EnvelopeFrom
Posted by David Jones <dj...@ena.com>.
From: RW <rw...@googlemail.com>
>On Fri, 5 May 2017 19:56:27 +0000
>David Jones wrote:
>> >I don't seen why anyone one would want a form of whitelisting where a
>> >DKIM pass on a trusted domain would be ignored if there's no SPF
>> >pass.
>>
>> Correct.
>I don't know why you write "correct" and then go on to write something
>contrary.
It's not a contradiction. See below.
>>This is why I only add envelope-from domains to my
>> whitelist_auth list that is currently 2,595 entries.
>That's not a good idea. When you don't feel you can just put a "header
>from" domain into whitelist_auth, you should use one or both of
>whitelist_from_dkim and whitelist_from_spf instead.
Both of those are effectively the same when you carefully add only
envelope-from domains with specific patterns. If they passed DKIM
signing for these entries I am adding then the domain owner has lost
control of their DNS and some bad guys are adding DKIM records which
would be highly unlikely. I don't think bad guys are going to setup perfect
DKIM on a highjacked DNS server/hosting. I guess it's possible if some
DKIM private keys got loose and spammers start using them.
I have been doing this for a couple of years now and it works very well
in my environment. I have had to remove 1 or 2 entries over the past
few years based on compromised accounts which showed me not to
whitelist_auth certain domains.
Dave
Re: DKIM_VALID EnvelopeFrom
Posted by RW <rw...@googlemail.com>.
On Sat, 6 May 2017 00:32:22 +0200
Reindl Harald wrote:
> Am 06.05.2017 um 00:15 schrieb RW:
> >> This is why I only add envelope-from domains to my
> >> whitelist_auth list that is currently 2,595 entries.
> >
> >
> > That's not a good idea. When you don't feel you can just put a
> > "header from" domain into whitelist_auth, you should use one or
> > both of whitelist_from_dkim and whitelist_from_spf instead
>
> whitelist_auth *IS* one or both
whitelist_auth is not the same as using just whitelist_from_dkim and
it's not the same as using separate whitelist_from_dkim and
whitelist_from_spf entries when the "envelope from" domain is different
to the "header from" domain in the email you wish to whitelist.
Re: DKIM_VALID EnvelopeFrom
Posted by RW <rw...@googlemail.com>.
On Fri, 5 May 2017 19:56:27 +0000
David Jones wrote:
> >Alignment of the two from address is needed in DMARC so that SPF can
> >match on the same domain that the MUA displays (if it even does). It
> >doesn't do anything for DKIM.
>
> Did you read that returnpath.com link above about DMARC passing if
> SPF or DKIM passes and are aligned? They know what they are doing
> and I have seen this to be true in my own inbound mail based on
> OpenDMARC headers.
I don't doubt that *they* know what they are doing. That article gives
reasons to have both on outgoing mail, but has no argument at all in
favour of requiring both to verify incoming mail.
> >I don't seen why anyone one would want a form of whitelisting where a
> >DKIM pass on a trusted domain would be ignored if there's no SPF
> >pass.
>
> Correct.
I don't know why you write "correct" and then go on to write something
contrary.
>This is why I only add envelope-from domains to my
> whitelist_auth list that is currently 2,595 entries.
That's not a good idea. When you don't feel you can just put a "header
from" domain into whitelist_auth, you should use one or both of
whitelist_from_dkim and whitelist_from_spf instead.
Re: DKIM_VALID EnvelopeFrom
Posted by David Jones <dj...@ena.com>.
From: RW <rw...@googlemail.com>
>On Fri, 5 May 2017 17:45:37 +0000
>David Jones wrote:
>> From: RW <rw...@googlemail.com>
>>
>> >On Fri, 5 May 2017 14:51:32 +0000
>> >David Jones wrote:
>>
>> >> >I know. I do not want to validate the envelope from with DKIM. I
>> >> >just want to know if the mail was DKIM-VALID signed by the DOMAIN
>> >> >used in the envelopefrom.
>> >>
>> >> >So the only thing I want with the envelop from is to extract the
>> >> >domain and test if the mail was DKIM signed (and valid) by that
>> >> >domain.
>> >>
>> >> >This tells me the envelope from is not some random spoofed
>> >> >address, but actually controlled by someone who handled the
>> >> >e-mail before it arrived at our mta.
>> >>
>> >> This actually would be a very useful rule/logic to add to SA:
>> >> https://blog.returnpath.com/why-passing-and-aligning-both-spf-and-dkim-is-key-to-email-deliverability/
>>
>> >So what would be the point in running a separate DKIM test against
>> >the envelope if you are looking for alignment.
>>
>> I don't think this would be a separate DKIM test necessarily. It
>> should be a combination of SPF_PASS + DKIM_VALID_AU + the
>> envelope-from matches the DKIM-signed domain. This is basically
>> perfect DMARC alignment where the domain has "p=reject" and DMARC
>> would pass meaning the domain was not spoofed.
>Alignment of the two from address is needed in DMARC so that SPF can
>match on the same domain that the MUA displays (if it even does). It
>doesn't do anything for DKIM.
Did you read that returnpath.com link above about DMARC passing if
SPF or DKIM passes and are aligned? They know what they are doing
and I have seen this to be true in my own inbound mail based on
OpenDMARC headers.
>I don't seen why anyone one would want a form of whitelisting where a
>DKIM pass on a trusted domain would be ignored if there's no SPF
>pass.
Correct. This is why I only add envelope-from domains to my
whitelist_auth list that is currently 2,595 entries.
Re: DKIM_VALID EnvelopeFrom
Posted by RW <rw...@googlemail.com>.
On Fri, 5 May 2017 17:45:37 +0000
David Jones wrote:
> From: RW <rw...@googlemail.com>
>
> >On Fri, 5 May 2017 14:51:32 +0000
> >David Jones wrote:
>
> >> >I know. I do not want to validate the envelope from with DKIM. I
> >> >just want to know if the mail was DKIM-VALID signed by the DOMAIN
> >> >used in the envelopefrom.
> >>
> >> >So the only thing I want with the envelop from is to extract the
> >> >domain and test if the mail was DKIM signed (and valid) by that
> >> >domain.
> >>
> >> >This tells me the envelope from is not some random spoofed
> >> >address, but actually controlled by someone who handled the
> >> >e-mail before it arrived at our mta.
> >>
> >> This actually would be a very useful rule/logic to add to SA:
> >> https://blog.returnpath.com/why-passing-and-aligning-both-spf-and-dkim-is-key-to-email-deliverability/
>
> >So what would be the point in running a separate DKIM test against
> >the envelope if you are looking for alignment.
>
> I don't think this would be a separate DKIM test necessarily. It
> should be a combination of SPF_PASS + DKIM_VALID_AU + the
> envelope-from matches the DKIM-signed domain. This is basically
> perfect DMARC alignment where the domain has "p=reject" and DMARC
> would pass meaning the domain was not spoofed.
Alignment of the two from address is needed in DMARC so that SPF can
match on the same domain that the MUA displays (if it even does). It
doesn't do anything for DKIM.
I don't seen why anyone one would want a form of whitelisting where a
DKIM pass on a trusted domain would be ignored if there's no SPF
pass.
Re: DKIM_VALID EnvelopeFrom
Posted by RW <rw...@googlemail.com>.
On Fri, 5 May 2017 19:51:23 +0100
RW wrote:
Sorry, that was sent by accident.
Re: DKIM_VALID EnvelopeFrom
Posted by RW <rw...@googlemail.com>.
On Fri, 5 May 2017 17:45:37 +0000
David Jones wrote:
> From: RW <rw...@googlemail.com>
>
> >On Fri, 5 May 2017 14:51:32 +0000
> >David Jones wrote:
>
> >> >I know. I do not want to validate the envelope from with DKIM. I
> >> >just want to know if the mail was DKIM-VALID signed by the DOMAIN
> >> >used in the envelopefrom.
> >>
> >> >So the only thing I want with the envelop from is to extract the
> >> >domain and test if the mail was DKIM signed (and valid) by that
> >> >domain.
> >>
> >> >This tells me the envelope from is not some random spoofed
> >> >address, but actually controlled by someone who handled the
> >> >e-mail before it arrived at our mta.
> >>
> >> This actually would be a very useful rule/logic to add to SA:
> >> https://blog.returnpath.com/why-passing-and-aligning-both-spf-and-dkim-is-key-to-email-deliverability/
>
> >So what would be the point in running a separate DKIM test against
> >the envelope if you are looking for alignment.
>
> I don't think this would be a separate DKIM test necessarily. It
> should be a combination of SPF_PASS + DKIM_VALID_AU + the
> envelope-from matches the DKIM-signed domain. This is basically
> perfect DMARC alignment where the domain has "p=reject" and DMARC
> would pass meaning the domain was not spoofed.
>
> >> When both align, it should be a very good candidate for
> >> whitelist_auth based on the sender domain reputation.
>
> >If it passes DKIM and the domain has a good reputation then what
> >difference would alignment make.
>
> Proper security in any context checks both authorization and
> authentication. This is SPF and DKIM respectively in the email
> filtering context. Spammers can get control of a compromised account
> and send a valid DKIM-signed email through that email server that
> would pass SPF with an envelope-from of example.com and DKIM
> signature of example.net (or some domain they had DNS control of like
> paypa1.com). If it passed DKIM_VALID_AU then the visible From:
> address in the recipient's mail client would show example.net or
> paypa1.com.
>
> Would I trust example.com or example.net in the above scenario? Which
> would be added to whitelist_auth? The authorized email was from
> example.com but the authenticated email was from example.net. The
> DMARC standard says that either SPF or DKIM has to pass for a DMARC
> pass based on that link above. The point of that link is to align
> both for best delivery results.
>
> I am just saying that it would be nice if SA had a rule that hit when
> both matched which is perfect DMARC alignment. Today I am able to
> get close to this using OpenDMARC to add headers then with custom
> rules to add DMARC_NONE, DMARC_PASS, or DMARC_FAIL. I think I would
> have to write a simple SA plugin to compare the envelope-from with
> the DKIM signature domain to see if they matched then I could use a
> meta rule to glue all of this together.
>
> Dave
Re: DKIM_VALID EnvelopeFrom
Posted by David Jones <dj...@ena.com>.
From: RW <rw...@googlemail.com>
>On Fri, 5 May 2017 14:51:32 +0000
>David Jones wrote:
>> >I know. I do not want to validate the envelope from with DKIM. I
>> >just want to know if the mail was DKIM-VALID signed by the DOMAIN
>> >used in the envelopefrom.
>>
>> >So the only thing I want with the envelop from is to extract the
>> >domain and test if the mail was DKIM signed (and valid) by that
>> >domain.
>>
>> >This tells me the envelope from is not some random spoofed address,
>> >but actually controlled by someone who handled the e-mail before it
>> >arrived at our mta.
>>
>> This actually would be a very useful rule/logic to add to SA:
>> https://blog.returnpath.com/why-passing-and-aligning-both-spf-and-dkim-is-key-to-email-deliverability/
>So what would be the point in running a separate DKIM test against the
>envelope if you are looking for alignment.
I don't think this would be a separate DKIM test necessarily. It should be a
combination of SPF_PASS + DKIM_VALID_AU + the envelope-from matches
the DKIM-signed domain. This is basically perfect DMARC alignment where
the domain has "p=reject" and DMARC would pass meaning the domain was
not spoofed.
>> When both align, it should be a very good candidate for whitelist_auth
>> based on the sender domain reputation.
>If it passes DKIM and the domain has a good reputation then what
>difference would alignment make.
Proper security in any context checks both authorization and authentication.
This is SPF and DKIM respectively in the email filtering context. Spammers
can get control of a compromised account and send a valid DKIM-signed email
through that email server that would pass SPF with an envelope-from of
example.com and DKIM signature of example.net (or some domain they had
DNS control of like paypa1.com). If it passed DKIM_VALID_AU then the visible
From: address in the recipient's mail client would show example.net or
paypa1.com.
Would I trust example.com or example.net in the above scenario? Which
would be added to whitelist_auth? The authorized email was from
example.com but the authenticated email was from example.net. The
DMARC standard says that either SPF or DKIM has to pass for a DMARC
pass based on that link above. The point of that link is to align both for
best delivery results.
I am just saying that it would be nice if SA had a rule that hit when both
matched which is perfect DMARC alignment. Today I am able to get close
to this using OpenDMARC to add headers then with custom rules to add
DMARC_NONE, DMARC_PASS, or DMARC_FAIL. I think I would have to
write a simple SA plugin to compare the envelope-from with the DKIM
signature domain to see if they matched then I could use a meta rule
to glue all of this together.
Dave
Re: DKIM_VALID EnvelopeFrom
Posted by RW <rw...@googlemail.com>.
On Fri, 5 May 2017 14:51:32 +0000
David Jones wrote:
> >I know. I do not want to validate the envelope from with DKIM. I
> >just want to know if the mail was DKIM-VALID signed by the DOMAIN
> >used in the envelopefrom.
>
> >So the only thing I want with the envelop from is to extract the
> >domain and test if the mail was DKIM signed (and valid) by that
> >domain.
>
> >This tells me the envelope from is not some random spoofed address,
> >but actually controlled by someone who handled the e-mail before it
> >arrived at our mta.
>
> This actually would be a very useful rule/logic to add to SA:
> https://blog.returnpath.com/why-passing-and-aligning-both-spf-and-dkim-is-key-to-email-deliverability/
So what would be the point in running a separate DKIM test against the
envelope if you are looking for alignment.
> When both align, it should be a very good candidate for whitelist_auth
> based on the sender domain reputation.
If it passes DKIM and the domain has a good reputation then what
difference would alignment make.
Re: DKIM_VALID EnvelopeFrom
Posted by David Jones <dj...@ena.com>.
From: Merijn van den Kroonenberg <me...@web2all.nl>
>> On 05.05.17 11:37, Merijn van den Kroonenberg wrote:
>>>I want to test in SA if the Envelope From domain is DKIM_VALID.
>>
>> the envelope from can't be DKIM-VALID. DKIM validated message content,
>> including some of its headers, not envelope from address.
>I know. I do not want to validate the envelope from with DKIM. I just want
>to know if the mail was DKIM-VALID signed by the DOMAIN used in the
>envelopefrom.
>So the only thing I want with the envelop from is to extract the domain
>and test if the mail was DKIM signed (and valid) by that domain.
>This tells me the envelope from is not some random spoofed address, but
>actually controlled by someone who handled the e-mail before it arrived at
>our mta.
This actually would be a very useful rule/logic to add to SA:
https://blog.returnpath.com/why-passing-and-aligning-both-spf-and-dkim-is-key-to-email-deliverability/
When both align, it should be a very good candidate for whitelist_auth
based on the sender domain reputation.
Dave
Re: DKIM_VALID EnvelopeFrom
Posted by Ian Zimmerman <it...@primate.net>.
On 2017-05-05 16:00, Merijn van den Kroonenberg wrote:
> So the only thing I want with the envelop from is to extract the
> domain and test if the mail was DKIM signed (and valid) by that
> domain.
>
> This tells me the envelope from is not some random spoofed address,
> but actually controlled by someone who handled the e-mail before it
> arrived at our mta.
Yes, this is a valid thing to do.
I do this check completely in the MTA (Exim). Even if for some reason
you reallly need to do it in SA, the easiest way to get the envelope
sender in SA is have the MTA insert a header, such as X-Envelope-From.
Exim can do that and I'm guessing other major MTAs such as Postfix can
too.
--
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign:
http://primate.net/~itz/blog/the-problem-with-gpg-signatures.html
Re: DKIM_VALID EnvelopeFrom
Posted by Merijn van den Kroonenberg <me...@web2all.nl>.
> On 05.05.17 11:37, Merijn van den Kroonenberg wrote:
>>I want to test in SA if the Envelope From domain is DKIM_VALID.
>
> the envelope from can't be DKIM-VALID. DKIM validated message content,
> including some of its headers, not envelope from address.
I know. I do not want to validate the envelope from with DKIM. I just want
to know if the mail was DKIM-VALID signed by the DOMAIN used in the
envelopefrom.
So the only thing I want with the envelop from is to extract the domain
and test if the mail was DKIM signed (and valid) by that domain.
This tells me the envelope from is not some random spoofed address, but
actually controlled by someone who handled the e-mail before it arrived at
our mta.
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
>
Re: DKIM_VALID EnvelopeFrom
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 05.05.17 11:37, Merijn van den Kroonenberg wrote:
>I want to test in SA if the Envelope From domain is DKIM_VALID.
the envelope from can't be DKIM-VALID. DKIM validated message content,
including some of its headers, not envelope from address.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
Re: DKIM_VALID EnvelopeFrom
Posted by Merijn van den Kroonenberg <me...@web2all.nl>.
> Merijn van den Kroonenberg skrev den 2017-05-05 11:37:
>
>> I want to test in SA if the Envelope From domain is DKIM_VALID.
>
> you basicly ask how to use sender-id :(
No, I am not interested in sender-id, which is based on SPF.
I merely want to know if the mail is DKIM signed and valid for a specific
domain, namely the domain from the enevelope sender.
>
>> I do some processing of SA maillogs and they contain the EnvelopeFrom
>> address (and not the From address) and I would like to know if they
>> are DKIM_VALID.
>
> envelopefrom is not part of dkim
Okay, maybe I didn't write it very clearly. I am interested in the
*domain* of the EnvelopeFrom. And DKIM is about signing by a domain, so
the mail *could* be DKIM signed by the domain from the envelopefrom. I
just want to test if it is true.
So basically I want to do eval:check_dkim_valid($envelope_from_domain)
>
>> Till now I have been using DKIM_VALID_AU, but this information is no
>> good if HEADER_FROM_DIFFERENT_DOMAINS is hit (difference between From
>> and EnvelopeFrom).
>
> this is not dkim related, dkim pass is no good ?, how can i post to you
> on maillist with envelopefrom with my dkim domain, you need to
> understand that enveopefrom changes on each mta stage, that should not
> break dkim, but some says it breaks spf, it does not, it will just be
> another spf domain
I am not sure what you mean, but I guess you are thinking of a too complex
situation. I am not interested in situations which are not DKIM signed by
the envelopefrom domain, just the ones who are.
>
>> Is there a way to make a DKIM_VALID_EF rule in SA? Or is the only way
>> modifying/extending the DKIM Plugin?
>
> not without a custom plugin, but its still not dkim
Re: DKIM_VALID EnvelopeFrom
Posted by Benny Pedersen <me...@junc.eu>.
Merijn van den Kroonenberg skrev den 2017-05-05 11:37:
> I want to test in SA if the Envelope From domain is DKIM_VALID.
you basicly ask how to use sender-id :(
> I do some processing of SA maillogs and they contain the EnvelopeFrom
> address (and not the From address) and I would like to know if they
> are DKIM_VALID.
envelopefrom is not part of dkim
> Till now I have been using DKIM_VALID_AU, but this information is no
> good if HEADER_FROM_DIFFERENT_DOMAINS is hit (difference between From
> and EnvelopeFrom).
this is not dkim related, dkim pass is no good ?, how can i post to you
on maillist with envelopefrom with my dkim domain, you need to
understand that enveopefrom changes on each mta stage, that should not
break dkim, but some says it breaks spf, it does not, it will just be
another spf domain
> Is there a way to make a DKIM_VALID_EF rule in SA? Or is the only way
> modifying/extending the DKIM Plugin?
not without a custom plugin, but its still not dkim