Why do so many dovecot list mails fail dmarc?
I'm trying to get my head around this problem that too many valid emails from the mailing list fail DMARC. Why, when other mailing lists don't seem to have the same problem? I see today it says "signature verification failed", but why? Is there a problem with protonmail's DKIM key? Is the dovecot list altering the message body? Is something wrong on my server's end?
The example today was an email from @protonmail.ch, and the headers were:
Return-Path: dovecot-bounces@dovecot.org
Delivered-To: dovecot@ptld.com
Received: from smtp.ptld.com
by host.ptld.com with LMTP
id +SjBLQqiFmFSbgIAjbxwTg
(envelope-from dovecot-bounces@dovecot.org)
for dovecot@ptld.com; Fri, 13 Aug 2021 12:47:06 -0400
Received: from talvi.dovecot.org (talvi.dovecot.org [94.237.25.159])
by smtp.ptld.com (Postfix) with ESMTPS id 4GmTx61z3fz4l3g2
for dovecot@ptld.com; Fri, 13 Aug 2021 12:47:06 -0400 (EDT)
Authentication-Results: smtp.ptld.com; dmarc=fail (p=quarantine
dis=none) header.from=protonmail.ch
Authentication-Results: smtp.ptld.com; spf=pass
smtp.mailfrom=dovecot.org
Authentication-Results: smtp.ptld.com;
dkim=fail reason="signature verification failed" (1024-bit key;
secure) header.d=protonmail.ch header.i=@protonmail.ch
header.a=rsa-sha256 header.s=protonmail header.b=ivRoCAz3
Received: from talvi.dovecot.org (localhost.localdomain [127.0.0.1])
by talvi.dovecot.org (Postfix) with ESMTP id 3862D32297F;
Fri, 13 Aug 2021 19:46:41 +0300 (EEST)
X-Original-To: dovecot@dovecot.org
Delivered-To: dovecot@dovecot.org
Received: from mail-41113.protonmail.ch (mail-41113.protonmail.ch
[185.70.41.113])
by talvi.dovecot.org (Postfix) with ESMTPS id 07C532E9ADB
for dovecot@dovecot.org; Fri, 13 Aug 2021 19:46:37 +0300 (EEST)
Date: Fri, 13 Aug 2021 16:46:34 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch;
s=protonmail; t=1628873196;
bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=;
h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;
b=ivRoCAz3tXqh7Rk7Orxq6sdNGdIZ8eir4AX6OGxorOOza+XFOLQfBBIp4LfFEFV0y
hV6b8z8gLmkZaEquwTyh+/Hx3lfpxts6Jvh1zpdL7YvahS2kOjSt0XikXulVgwvvxk
BNmFxlLWwyVETRpgm5qsQHsNDjYb8HuYID4r1AXM=
To: Aki Tuomi <aki.tuomi@open-xchange.com>
From: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
Subject: Re: Undefined symbols (macOS Big Sur Intel) during compiling,
update
Message-ID:
<tQIPhn9Wc9ZCxjWv-REC0bXuE3RgBI1H69xIL0TOnDj-kWvhZXEF7ZR6BevaNCeu8AG9Ypvd7gsnbMEZFAAIkvGmNM3y3UealzoYw9HZSCg=@protonmail.ch>
In-Reply-To:
<180775367.20741.1628870488641@appsuite-dev-gw1.open-xchange.com>
References:
<CH2PR06MB6453C343867ECBFD79B73853BCF19@CH2PR06MB6453.namprd06.prod.outlook.com>
<CH2PR06MB6453D734B09C7D6D2D807787BCFA9@CH2PR06MB6453.namprd06.prod.outlook.com>
<180775367.20741.1628870488641@appsuite-dev-gw1.open-xchange.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-1.2 required=10.0
tests=ALL_TRUSTED,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM
shortcircuit=no
autolearn=disabled version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
mailout.protonmail.ch
ARC-Seal: i=1; s=arc; d=dovecot.org; t=1628873197; a=rsa-sha256;
cv=none;
b=nuVCke6mta+nYIMyYvb2qRkTUyHSfKXEpp2vTds/ioq0kV4fyIL9oEON09yOoYcrQwci6D
/EBrkZQI6nBjz592m7oslCjeNTcprIJr5QqLY6mJwW7mu+tp4rSEppIyD+r+9dbICExfFO
p3j43c/m0J2acYc5pzZyJM7gLx/RBj2GURAUrP0JaX+y7moB/XQNPIJir2rE/jjNwojKCX
keLRjlzOn7N4dLZxnKHgevDu6tH6gb0OzLPJO7W2IloMxdLZ/ab0PPZOj/M+BaYqnfa1Hs
T4EvKhSwDjLyhjUQh7QTkmYm/FryVnIxEawEM+huOW9djJe7pIijuNFTqOR4Xg==
ARC-Authentication-Results: i=1; talvi.dovecot.org;
dkim=pass header.d=protonmail.ch header.s=protonmail
header.b=ivRoCAz3;
spf=pass (talvi.dovecot.org: domain of
n5d9xq3ti233xiyif2vp@protonmail.ch
designates 185.70.41.113 as permitted sender)
smtp.mailfrom=n5d9xq3ti233xiyif2vp@protonmail.ch
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=dovecot.org;
s=arc; t=1628873197;
h=from:from:reply-to:reply-to:subject:subject:date:date:
message-id:message-id:to:to:cc:cc:mime-version:mime-version:
content-type:content-type:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references:dkim-signature;
bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=;
b=EYR3Jyq5jrpho8glpLHD60ehlmLaGqrfdZepsfTTJtkjb0AkScBiUB0JX5hGbeyQCdeFvF
zr0g/tfST7KEANMdZ0GK+rmwwSZC7LuKzszXWP+Pi5kBxsDPPU4BUivUkP3abCnGIixXfq
LrEe+/bDrbMkM01wO8sJ0mZccYwURDMTJc7gFjcdSye+3FfKPZAvT9OG2aD2yQhtIVwpbv
+Hg7P5v5Et/muT1E8NHZRBGOPhv4OZ/A2TcOLpafXejddNj2pRtVo8NlFzzT2PBn+KV49M
nhI4ZDGk43l66nud7wMGDNdUcqYQl6CBQww+kC4ewfNbTy5D27wQwFzpVWGfFQ==
Cc: "dovecot@dovecot.org" <dovecot@dovecot.org>, Beosdoc
<beosdoc@hotmail.com>
X-BeenThere: dovecot@dovecot.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Dovecot Mailing List
On 2021 Aug 13, at 11:11, dovecot@ptld.com wrote:
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch; s=protonmail; t=1628873196; bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;
This seems overly restrictive for a mailing list, I think, and I do not know why Reply-to and From are both listed twice. However, it is not where the failure is.
> Authentication-Results: smtp.ptld.com; dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=protonmail.ch
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch; s=protonmail; t=1628873196; bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From; b=ivRoCAz3tXqh7Rk7Orxq6sdNGdIZ8eir4AX6OGxorOOza+XFOLQfBBIp4LfFEFV0y hV6b8z8gLmkZaEquwTyh+/Hx3lfpxts6Jvh1zpdL7YvahS2kOjSt0XikXulVgwvvxk BNmFxlLWwyVETRpgm5qsQHsNDjYb8HuYID4r1AXM=
That signature is from smtp.ptld.com and it is that signature that is failing, I believe.
-- Hi, I'm Gary Cooper, but not the Gary Cooper that's dead.
> Reply-to and From are both listed twice
This is called "oversigning" and means that a null variant of Reply-To: and From: is signed too, preventing the addition of further Reply-To: and From: headers.
This is particularly important for headers that are permitted to be in an email multiple times, as an attacker could add headers into a signed mail without breaking the signature if the headers are not "oversigned".
With oversigning (header listed twice):
Signed:
  Reply-To: me@somebody.com
In email:
  Reply-To: me@somebody.com
  Reply-To: attacker@suspicious.com
Would fail signature.
Without oversigning (header only listed once):
Signed:
  Reply-To: me@somebody.com
In email:
  Reply-To: me@somebody.com
  Reply-To: attacker@suspicious.com
Would pass signature.
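An added example, not from any of the posters and not Dovecot or Mailman code: a small Python model of the RFC 6376 header-selection rule behind what Sebastian describes, showing why listing Reply-To twice in h= makes an added second Reply-To change the signed data while listing it once does not. The header values and the injected Reply-To are constructed, and a SHA-256 over the canonicalized headers stands in for the real RSA signature.

```python
import hashlib
import re

# Constructed sample header block, top of message first (as an MTA would
# see it). RFC 6376 verifiers select header fields from the BOTTOM up.
ORIGINAL_HEADERS = [
    ("From", "Laura <laura@example.org>"),
    ("Reply-To", "laura@example.org"),
    ("To", "list@example.net"),
    ("Subject", "Re: something"),
]
# Header prepended later by a third party (new headers normally go on top).
INJECTED = ("Reply-To", "attacker@suspicious.example")

def relaxed_header(name, value):
    """Relaxed header canonicalization (RFC 6376 3.4.2), simplified."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse whitespace
    return f"{name.lower()}:{value}\r\n"

def select_signed_headers(headers, h_tag):
    """RFC 6376 5.4.2 selection: for each name in h=, take the lowest
    not-yet-used instance; a name with none left is the null string
    (that null slot is what oversigning reserves)."""
    used, selected = set(), []
    for name in h_tag.split(":"):
        idx = next((i for i in range(len(headers) - 1, -1, -1)
                    if i not in used and headers[i][0].lower() == name.lower()),
                   None)
        if idx is None:
            selected.append(None)          # nonexistent header: hashed as ""
        else:
            used.add(idx)
            selected.append(headers[idx])
    return selected

def header_hash(headers, h_tag):
    """Stand-in for the signed header data: SHA-256 over the canonicalized
    selection (no body hash, no RSA; enough to show what breaks)."""
    data = "".join("" if h is None else relaxed_header(*h)
                   for h in select_signed_headers(headers, h_tag))
    return hashlib.sha256(data.encode()).hexdigest()

def injection_changes_signed_data(h_tag):
    """True if prepending INJECTED alters what the signature covers."""
    return header_hash(ORIGINAL_HEADERS, h_tag) != \
        header_hash([INJECTED] + ORIGINAL_HEADERS, h_tag)
```

With h=from:reply-to:to:subject the verifier still picks the original (bottom-most) Reply-To and never looks at the added one, so the hash is unchanged; with reply-to listed twice the second slot, which was null when signed, now picks up the injected header.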
On 14.08.21 20:37, @lbutlr wrote:
> On 2021 Aug 13, at 11:11, dovecot@ptld.com wrote:
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch; s=protonmail; t=1628873196; bh=HCYF6+sDiqNN6f9T2srf/HEjnr5eJacuoNxBWXk1XJA=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;
> [...] I do not know why Reply-to and From are both listed twice.
(That's Reply-To: (the address(es) to which to send replies) and *In-*Reply-To: (the Message-ID of the mail that *this* e-mail replies to), FWIW.)
Regards,
Jochen Bern
Systemingenieur
Binect GmbH