configuration error in lists.isc.org

Casey Deccio casey at deccio.net
Fri Aug 7 15:07:00 UTC 2015


On Fri, Aug 7, 2015 at 2:57 AM, Reindl Harald <h.reindl at thelounge.net>
wrote:

>
> Am 07.08.2015 um 01:25 schrieb Heiko Richter:
>
>> So ISC: please fix your list servers, let them rewrite the From headers!
>>
>
> please try to understand the topic before blaming!
> http://wiki.list.org/DEV/DMARC
>
> * SPF is about envelopes and *never* from-headers
> * the envelope is @lists.isc.org
>
>
...but DMARC is about mapping the domain in the "From" header to the domain
authenticated in SPF or DKIM.  From RFC7489:

"Identifier Alignment:  When the domain in the RFC5322.From address
      matches a domain validated by SPF or DKIM (or both), it has
      Identifier Alignment."

and

"DMARC authenticates use of the RFC5322.From domain by requiring that
   it match (be aligned with) an Authenticated Identifier."

See also:
https://dmarc.org/wiki/FAQ#What_is_the_difference_between_the_.22Mail_From.22_and_.22From_Header.22.2C_aren.27t_they_the_same.3F
where it states:

"DMARC protects the domain name of the RFC5322:From field against spoofing."

Here are the headers from one message sent to this list:

spf=pass (google.com: best guess record for domain of
bind-users-bounces at lists.isc.org designates 2001:4f8:0:2::23 as permitted
sender) smtp.mail=bind-users-bounces at lists.isc.org;
       dmarc=fail (p=REJECT dis=NONE) header.from=heikorichter.name

SPF passes, but DMARC fails because the domain in the "From" header (
heikorichter.name) doesn't match the domain authenticated for SPF (
lists.isc.org).  And the REJECT policy makes the handling of this more
severe by a receiving MTA that implements DMARC.

The link referenced above:
http://wiki.list.org/DEV/DMARC
indicates that mailman (v 2.1.18 and greater) has a setting
(dmarc_moderation_action) to munge the From header when the sender's DMARC
policy is set to REJECT or QUARANTINE, but leave it intact otherwise.

This is among the recommended solutions in:
https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F

Casey
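
Added example, not part of the original message: a Python sketch of the SPF identifier-alignment check described above, run on the header text quoted in the message. It covers only the SPF path (a DKIM-aligned pass would also satisfy DMARC); the function names and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re

# Authentication results as shown in the message above; the list archive
# obfuscates "@" as " at ", which parse_auth_results() undoes.
SAMPLE = (
    "spf=pass (google.com: best guess record for domain of "
    "bind-users-bounces at lists.isc.org designates 2001:4f8:0:2::23 as "
    "permitted sender) smtp.mail=bind-users-bounces at lists.isc.org; "
    "dmarc=fail (p=REJECT dis=NONE) header.from=heikorichter.name"
)

def org_domain(domain):
    """Assumption: organizational domain = last two labels. A real verifier
    uses the Public Suffix List (this shortcut is wrong for e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """RFC 7489 identifier alignment: exact match in strict mode,
    same organizational domain in relaxed mode (the default)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def parse_auth_results(text):
    """Pull the SPF result, SPF-authenticated domain and From domain."""
    text = text.replace(" at ", "@")
    spf = re.search(r"\bspf=(\w+)", text)
    mail = re.search(r"smtp\.mail(?:from)?=(?:[^@\s;]+@)?([\w.-]+)", text)
    hfrom = re.search(r"header\.from=([\w.-]+)", text)
    if not (spf and mail and hfrom):
        raise ValueError("missing spf, smtp.mail or header.from field")
    return {"spf": spf.group(1).lower(),
            "spf_domain": mail.group(1).lower(),
            "from": hfrom.group(1).lower()}

def dmarc_spf_verdict(text, strict=False):
    """SPF counts toward DMARC only if it passed AND its domain aligns
    with the From header domain."""
    f = parse_auth_results(text)
    return f, f["spf"] == "pass" and aligned(f["from"], f["spf_domain"], strict)

if __name__ == "__main__":
    fields, ok = dmarc_spf_verdict(SAMPLE)
    print(fields, "-> SPF aligned for DMARC:", ok)
    # Assumption: a munged From header carries an address in the list's domain.
    print("after From rewrite:", aligned("lists.isc.org", fields["spf_domain"]))
```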