Why do so many dovecot list mails fail dmarc?
I'm trying to get my head around this problem that too many valid emails from the mailing list fail dmarc. Why when other mailing lists don't seem to have the same problem? I see today it says "signature verification failed", but why? Is there a problem with protonmail's dkim key? Is the dovecot list altering the message body? Is something wrong on my server's end?
The example today was an email from @protonmail.ch, and the headers were:
Return-Path: <dovecot-bounces@dovecot.org>
Delivered-To: dovecot@ptld.com
Received: from smtp.ptld.com by host.ptld.com with LMTP id +SjBLQqiFmFSbgIAjbxwTg (envelope-from <dovecot-bounces@dovecot.org>) for <dovecot@ptld.com>; Fri, 13 Aug 2021 12:47:06 -0400
Received: from talvi.dovecot.org (talvi.dovecot.org [94.237.25.159]) by smtp.ptld.com (Postfix) with ESMTPS id 4GmTx61z3fz4l3g2 for <dovecot@ptld.com>; Fri, 13 Aug 2021 12:47:06 -0400 (EDT)
Authentication-Results: smtp.ptld.com; dmarc=fail (p=quarantine dis=none) header.from=protonmail.ch
Authentication-Results: smtp.ptld.com; spf=pass smtp.mailfrom=dovecot.org
Authentication-Results: smtp.ptld.com; dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=protonmail.ch header.i=@protonmail.ch header.a=rsa-sha256 header.s=protonmail header.b=ivRoCAz3
Received: from talvi.dovecot.org (localhost.localdomain [127.0.0.1]) by talvi.dovecot.org (Postfix) with ESMTP id 3862D32297F; Fri, 13 Aug 2021 19:46:41 +0300 (EEST)
X-Original-To: dovecot@dovecot.org
Delivered-To: dovecot@dovecot.org
Received: from mail-41113.protonmail.ch (mail-41113.protonmail.ch [185.70.41.113]) by talvi.dovecot.org (Postfix) with ESMTPS id 07C532E9ADB for <dovecot@dovecot.org>; Fri, 13 Aug 2021 19:46:37 +0300 (EEST)
Date: Fri, 13 Aug 2021 16:46:34 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch; s=protonmail; t=1628873196; bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From; b=ivRoCAz3tXqh7Rk7Orxq6sdNGdIZ8eir4AX6OGxorOOza+XFOLQfBBIp4LfFEFV0y hV6b8z8gLmkZaEquwTyh+/Hx3lfpxts6Jvh1zpdL7YvahS2kOjSt0XikXulVgwvvxk BNmFxlLWwyVETRpgm5qsQHsNDjYb8HuYID4r1AXM=
To: Aki Tuomi <aki.tuomi@open-xchange.com>
From: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
Subject: Re: Undefined symbols (macOS Big Sur Intel) during compiling, update
Message-ID: <tQIPhn9Wc9ZCxjWv-REC0bXuE3RgBI1H69xIL0TOnDj-kWvhZXEF7ZR6BevaNCeu8AG9Ypvd7gsnbMEZFAAIkvGmNM3y3UealzoYw9HZSCg=@protonmail.ch>
In-Reply-To: <180775367.20741.1628870488641@appsuite-dev-gw1.open-xchange.com>
References: <CH2PR06MB6453C343867ECBFD79B73853BCF19@CH2PR06MB6453.namprd06.prod.outlook.com> <CH2PR06MB6453D734B09C7D6D2D807787BCFA9@CH2PR06MB6453.namprd06.prod.outlook.com> <180775367.20741.1628870488641@appsuite-dev-gw1.open-xchange.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-1.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM shortcircuit=no autolearn=disabled version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mailout.protonmail.ch
ARC-Seal: i=1; s=arc; d=dovecot.org; t=1628873197; a=rsa-sha256; cv=none; b=nuVCke6mta+nYIMyYvb2qRkTUyHSfKXEpp2vTds/ioq0kV4fyIL9oEON09yOoYcrQwci6D /EBrkZQI6nBjz592m7oslCjeNTcprIJr5QqLY6mJwW7mu+tp4rSEppIyD+r+9dbICExfFO p3j43c/m0J2acYc5pzZyJM7gLx/RBj2GURAUrP0JaX+y7moB/XQNPIJir2rE/jjNwojKCX keLRjlzOn7N4dLZxnKHgevDu6tH6gb0OzLPJO7W2IloMxdLZ/ab0PPZOj/M+BaYqnfa1Hs T4EvKhSwDjLyhjUQh7QTkmYm/FryVnIxEawEM+huOW9djJe7pIijuNFTqOR4Xg==
ARC-Authentication-Results: i=1; talvi.dovecot.org; dkim=pass header.d=protonmail.ch header.s=protonmail header.b=ivRoCAz3; spf=pass (talvi.dovecot.org: domain of n5d9xq3ti233xiyif2vp@protonmail.ch designates 185.70.41.113 as permitted sender) smtp.mailfrom=n5d9xq3ti233xiyif2vp@protonmail.ch
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=dovecot.org; s=arc; t=1628873197; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=; b=EYR3Jyq5jrpho8glpLHD60ehlmLaGqrfdZepsfTTJtkjb0AkScBiUB0JX5hGbeyQCdeFvF zr0g/tfST7KEANMdZ0GK+rmwwSZC7LuKzszXWP+Pi5kBxsDPPU4BUivUkP3abCnGIixXfq LrEe+/bDrbMkM01wO8sJ0mZccYwURDMTJc7gFjcdSye+3FfKPZAvT9OG2aD2yQhtIVwpbv +Hg7P5v5Et/muT1E8NHZRBGOPhv4OZ/A2TcOLpafXejddNj2pRtVo8NlFzzT2PBn+KV49M nhI4ZDGk43l66nud7wMGDNdUcqYQl6CBQww+kC4ewfNbTy5D27wQwFzpVWGfFQ==
Cc: "dovecot@dovecot.org" <dovecot@dovecot.org>, Beosdoc <beosdoc@hotmail.com>
X-BeenThere: dovecot@dovecot.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Dovecot Mailing List <dovecot.dovecot.org>
List-Unsubscribe: <https://dovecot.org/mailman/options/dovecot>, <mailto:dovecot-request@dovecot.org?subject=unsubscribe>
List-Archive: <https://dovecot.org/pipermail/dovecot/>
List-Post: <mailto:dovecot@dovecot.org>
List-Help: <mailto:dovecot-request@dovecot.org?subject=help>
List-Subscribe: <https://dovecot.org/mailman/listinfo/dovecot>, <mailto:dovecot-request@dovecot.org?subject=subscribe>
Reply-To: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
Errors-To: dovecot-bounces@dovecot.org
Sender: "dovecot" <dovecot-bounces@dovecot.org>
On 2021 Aug 13, at 11:11, dovecot@ptld.com wrote:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch; s=protonmail; t=1628873196; bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;
This seems overly restrictive for a mailing list, I think, and I do not know why Reply-to and From are both listed twice. However, it is not where the failure is.
Authentication-Results: smtp.ptld.com; dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=protonmail.ch
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch; s=protonmail; t=1628873196; bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From; b=ivRoCAz3tXqh7Rk7Orxq6sdNGdIZ8eir4AX6OGxorOOza+XFOLQfBBIp4LfFEFV0y hV6b8z8gLmkZaEquwTyh+/Hx3lfpxts6Jvh1zpdL7YvahS2kOjSt0XikXulVgwvvxk BNmFxlLWwyVETRpgm5qsQHsNDjYb8HuYID4r1AXM=
That signature is from smtp.ptld.com and it is that signature that is failing, I believe.
-- Hi, I'm Gary Cooper, but not the Gary Cooper that's dead.
Reply-to and From are both listed twice
This is called "oversigning" and means that a null variant of Reply-To: and From: is signed too, preventing adding additional headers of Reply-To: and From:.
This is particularly important for headers that are permitted to be in an email multiple times, as an attacker could add headers into a signed mail without failing the signature, if the headers are not "oversigned".
With oversigning (twice header listing):
Signed: Reply-To: me@somebody.com
In email: Reply-To: me@somebody.com Reply-To: attacker@suspicious.com
Would fail signature.
Without oversigning (header only listed once):
Signed: Reply-To: me@somebody.com
In email: Reply-To: me@somebody.com Reply-To: attacker@suspicious.com
Would pass signature.
On 14.08.21 20:37, @lbutlr wrote:
On 2021 Aug 13, at 11:11, dovecot@ptld.com wrote:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch; s=protonmail; t=1628873196; bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;
[...] I do not know why Reply-to and From are both listed twice.
(That's Reply-To: (the address(es) to which to send replies) and *In-*Reply-To: (the Message-ID of the mail that *this* e-mail replies to), FWIW.)
Regards,
Jochen Bern Systemingenieur
Binect GmbH
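The oversigning behaviour discussed in this thread, as an added example that is not code from any of the posters or from a DKIM library: it selects header instances the way RFC 6376 section 5.4.2 describes and compares what ends up covered when a name is listed once or twice in h=. A plain SHA-256 digest stands in for the RSA signature, and the function names and the sample message are assumptions made for the illustration.

```python
import hashlib
import re
from collections import Counter

def relaxed(name, value):
    """RFC 6376 'relaxed' header canonicalization (simplified: no folded lines)."""
    return name.lower() + ":" + re.sub(r"\s+", " ", value).strip() + "\r\n"

def select_signed(headers, h_tag):
    """Select header instances as a verifier does: each name in h= consumes the
    bottom-most instance not yet used; a name with none left adds nothing."""
    unused = {}
    for idx, (name, _) in enumerate(headers):
        unused.setdefault(name.lower(), []).append(idx)
    picked = []
    for name in h_tag.split(":"):
        left = unused.get(name.strip().lower(), [])
        if left:
            picked.append(relaxed(*headers[left.pop()]))
    return picked

def header_digest(headers, h_tag):
    # Stand-in for the signature: real DKIM also hashes the DKIM-Signature
    # header itself and signs the result with the domain's private key.
    data = "".join(select_signed(headers, h_tag))
    return hashlib.sha256(data.encode()).hexdigest()

def still_verifies(h_tag, signed_headers, received_headers):
    """True if the received headers hash to the same value as the signed ones."""
    return header_digest(signed_headers, h_tag) == header_digest(received_headers, h_tag)

def listed_more_than_once(h_tag):
    """Header names that appear more than once in an h= tag."""
    counts = Counter(n.strip().lower() for n in h_tag.split(":"))
    return sorted(n for n, c in counts.items() if c > 1)

# Constructed sample message (addresses reused from the illustration in the thread).
SIGNED = [("From", "me@somebody.com"), ("Reply-To", "me@somebody.com"), ("Subject", "hello")]
# The same message as received, with a second Reply-To in front of the signed headers.
RECEIVED = [("Reply-To", "attacker@suspicious.com")] + SIGNED

PLAIN_H = "From:Reply-To:Subject"                 # each header listed once
OVERSIGNED_H = "From:Reply-To:Subject:Reply-To:From"  # Reply-To and From oversigned
# h= tag quoted in the thread.
THREAD_H = "Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From"

if __name__ == "__main__":
    print("listed once, change goes unnoticed:", still_verifies(PLAIN_H, SIGNED, RECEIVED))
    print("oversigned, change goes unnoticed:", still_verifies(OVERSIGNED_H, SIGNED, RECEIVED))
    print("repeated in the thread's h=:", listed_more_than_once(THREAD_H))
```
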
participants (4)
- @lbutlr
- dovecot@ptld.com
- Jochen Bern
- Sebastian