Received: by winserver.com (Wildcat! SMTP Router v7.0.454.6)
; Fri, 23 Nov 2018 14:34:45 -0500 Authentication-Results: dkim.winserver.com;
dkim=fail (DKIM_SELECTOR_DNS_PERM_FAILURE) header.d=tnabbs.org header.s=turbo-smtp header.i=tnabbs.org;
Received: from nbjjceehccci.turbo-smtp.net ([22.214.171.124])
by winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP
id 1998621441.45468.3888; Fri, 23 Nov 2018 14:34:44 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=tnabbs.org; s=turbo-smtp; x=1543606484; h=DomainKey-Signature:
8O+XK+6hOBze1yTRYGzyJTuUjCCSUHF+KUZ2lCO35URd/4zLx1o/d73zFJbF8= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
h=Received:Received:X-TurboSMTP-Tracking:From:To:References:In-Reply-To:Subject :Date:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:T hread-Index:Content-Language;
Received: (qmail 22189 invoked from network); 23 Nov 2018 19:34:23 -0000 Received:
From: "Antonio Rico" <email@example.com
References: <000001d481ee$00e95c00$02bc1400$@org> <5BF6A96F.firstname.lastname@example.org
Subject: RE: [WINServer] dmarc
Date: Fri, 23 Nov 2018 14:34:05 -0500
Content-Type: text/plain; charset="utf-8"
X-Mailer: Microsoft Office Outlook 12.0
Will this open up the possibilities of mail bombs and mass email floods, if the
header conversion is not done securely?
] On Behalf Of Hector Santos
Sent: Friday, November 23, 2018 10:26 AM
To: winserver list
Subject: Re: [WINServer] dmarc
Let me help clarify a few things about DKIM, ADSP/ATPS and now DMARC.
For over 12+ years, I've been working on DKIM with the IETF standards working groups. In 2006, I wrote a proposal called DSAP (DKIM Signature Authorization Protocol). It had the basic ideas of what ADSP/ATPS and DMARC now has, including a reporting concepts. I just felt that with the proof of concept already established, "reporting"
was become redundant and even abused. So I didn't go deep into reporting in DSAP as DMARC eventually did.
In 2011, we released the first version of wcDKIM that included ADSP and ATPS support. ADSP addressed the 1st party signature authorization and ATPS addressed the 3rd party signature authorization. This all predated DMARC which came when the it was discovered (by me) that ADSP could do damage to a list system if the list didn't support something list ATPS to address 3rd party list
domains. But it was decided that ATPS didn't scale. So because of
the LIST problem, ADSP was abandoned by the IETF. Ironically, the same people who abandoned ADSP, replaced it DMARC without fixing the 3rd party list domain problem. This was because DMARC was done outside the IETF by companies, who like me, believed in the DKIM Author Domain Signature Policy model that ADSP offered. It just didn't have Reporting, so DMARC replaced it and redundant reporting began. I know that if published a restrictive domain, its going to help reduce SPAM because receivers will reject the bad ones. I don't need a report telling me that you rejected a spam!!!
From the very beginning, DKIM Author Domain Signature Policy (ADSP) concepts were very powerful. Using the email's From: address domain,
you can publish a ADSP or DMARC DNS record to declare to the world, who can sign your mail.
For the 1st party signature, the logic was simple:
From: "Joe User" <email@example.com
This is 1st party because the signer domain "d=" is the same as the author from
domain. If it was this:
From: "Joe User" <firstname.lastname@example.org
Then this is an example of a 3rd party signature and this is where DKIM ADSP and DMARC broke down. Both ADSP and DMARC gives you permission to reject this message because the domains are not aligned
(don't match). If you lookup the yahoo.com DMARC DNS record:
"v=DMARC1; p=reject; pct=100; rua=mailto:email@example.com
It has a p=reject policy that says is the domains don't match, you may reject this.
So what happen recently to us on this list and developers list, is what also has been happening to all LIST systems related to DMARC posted messages.
If you used a domain, like yahoo.com, for list subscriptions, when you posted a
message to the list, WcListServer turned around and begins to distribute to all the members of the list. When the member SMTP receiver rejected the message
because it was a DMARC 3rd party signature, then wcListServe would make the member INACTIVE because wcSMTP could not send it out.
This was a major problem and had to be addressed.
So for the next AUP, we have a new SMTPFILTER-LISTCHECKER.WCX that comes with wcListServer that will check if the poster has a restricted DMARC or ADSP domain and disallow the post into the list. This will help protect the members
of the list.
But it is also desirable for people to use their Yahoo.com account for a list.
So its possible in the future version of wcListServer to offer more user options:
1) Allow User to subscribe to a list in READ-ONLY mode, not posting,
2) Allow User to subscribe to a digest list because the From is always the list domain,
3) Offer a Rewrite of the From address so its a 1st party signature before it is distributed.
1 and 2 are easy. #3 is more questionable because it has been a long time taboo
to never change the From: field. Except for a digest, this is never done, until DMARC and the need for list systems to resolve the distribution problem described above.
So with #3, the 1st party validated email from a member that is going to post to a list:
From: "Joe User" <firstname.lastname@example.org
A future option will allow WCLS to do "Rewriting" of from address to something like the following when the distribution begins:
From: "Joe User" <email@example.com
X-Original-From: "Joe User" <firstname.lastname@example.org
The above is NOT a standard -- it is a KLUDGE and how its done is still in question. Overall, it is not desirable to do a rewrite and the systems that I know already do a rewrite, make a secured 1st message into an unprotected 3rd party signature message. It changes the from but it signs mail with a 3rd party
domain which brings us
back to the original problem. What I want to do is create consistent
DKIM signing rules for list systems that keeps the mail in a 1st party signature -- the from dmarc.winserver.com is the same as the signature d=dmarc.winserver.com domain.
Anyway, it is still all new and in the future versions of Wildcat!. We
will be addressing all this and then some. The next pending 454.6
release will address some things but not all, like we really needed to provide a SMTPFILTER-LISTCHECKER.WCX for people using WcListServer.
The wcListServer html-subscribe.wcx also now checks for restricted domains, so you can't subscribe to a list if you have a restricted domain. This part will eventually change with the #1 and #2 and #3 options above.
I know this is all seems complex, but that is what Wildcat! has always offered over the years with many of the complex ideas -- a simplified, sound, integrated system that offers you solutions right out of the
box. We will do that with WCDKIM as well.
Hector, Engineering & Technical Support
Santronics Software, Inc.
(Online AUP Help)
On 11/22/2018 8:04 AM, Hector Santos wrote:
The next AUP will include the new SMTPFILTER-LISTCHECKER distributed
with Wildcat! List Server. This checker is for controlling the list
email going into your mailing list on your wcListServe setup/system.
If you are not using wcListServer, then you don't need this.
On 11/21/2018 6:00 PM, Antonio Rico wrote:
Will the updated script to allow email that is blocked due to dmarc be
included in this AUP?
To unsubscribe, send e-mail to email@example.com
UNSUBSCRIBE WINServer in the message body on a line by itself.
To contact the list admin, e-mail ListAdmin@winserver.com
--- Platinum Xpress/Win/WINServer v3.1
* Origin: Prison Board BBS Mesquite Tx //telnet.RDFIG.NET www. (1:124/5013)