[OT] Re: configuration error in lists.isc.org

Heiko Richter email at heikorichter.name
Fri Aug 7 15:23:22 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07.08.2015 at 08:29, Matus UHLAR - fantomas wrote:
>>> On Aug 6, 2015, at 4:25 PM, Heiko Richter
>>> <email at heikorichter.name> wrote:
>>>> Whenever I post something to the list (I'm not using SMTP,
>>>> I'm using a usenet server to post to
>>>> comp.protocols.dns.bind), my postmaster address receives
>>>> DMARC notifications from list members that have employed this
>>>> wonderful protocol on their servers, telling me my message
>>>> had been rejected for violating my SPF policy.
>>>> 
>>>> My SPF record doesn't include lists.isc.org, of course, and it
>>>> never will.
>>>> Furthermore it ends with "-all" so all my messages to the
>>>> list are being rejected by list members who have spf aware
>>>> servers.
> 
> SPF must only check envelope address, not header From: address - it
> was never designed to do the latter.

Correction:
------------
All implementations of SPF always check 2 addresses:
  - Envelope-From address
  - From address

SPF will fail whenever the client is not authorized to send for either
the Envelope-From address or the From address. So while the list
server changes the envelope from address, SPF will still fail as the
client is not authorized for the From address.

> 
> On 07.08.15 02:54, Heiko Richter wrote:
>> Just found another solution that will help with any DMARC-aware
>> server that knows Sender-ID. I just published:
>> heikorichter.name. 60 IN TXT "spf2.0/pra ?all"
>> 
>> This will force DMARC to check only the envelope sender, which
>> is changed by lists.isc.org as /dev/rob0 pointed out earlier....
> 
> How did your SenderID record look before?

Before I only had SPF and no Sender ID.

Before the change:
heikorichter.name. 60 IN TXT "v=spf1 include:heikorichter.org -all"
heikorichter.org. 60 IN TXT "v=spf1 mx -all"

After the change:
heikorichter.name. 60 IN TXT "spf2.0/pra ?all"
heikorichter.name. 60 IN TXT "v=spf1 include:heikorichter.org -all"
heikorichter.org. 60 IN TXT "v=spf1 mx -all"

The "spf2.0/pra ?all" is SenderID, where "pra" forces the DMARC server
to check only the Envelope-Sender against "v=spf1 mx -all". If you
don't set that, SPF will always check both Envelope-From and Header-From.

> 
> Note that it's the SenderID specification that is horribly broken
> (btw, just because of mailing lists) and further any protocol that
> uses it (does DMARC?)
> 
> Blaming the ISC mailserver for not changing header address is
> blaming it for doing something (all?) list servers did years before
> microsoft came with the braindead SenderID specification that broke
> this behaviour.
> 

You seem to mix up SenderID and SPF. SPF is the thing that is broken
as it always checks Envelope- and Header-From. Sender-ID is a way (the
only way) to tell SPF it should just check one of them.

After publishing the SenderID record the DMARC bounces stopped, as the
servers just check the Envelope-From now. Before SenderID the only way
had been to live with the DMARC bounces or to make the list servers
change the Header-From. But with SenderID there's a working alternative.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJVxM1pAAoJECKEz6pWghImbvoP/ji9zItzVuUmuyMEHVtRJmLy
JIZzF3l3KbZtl2J3KCRdMeik7Dc0oOmn/gzbdmmnSwUCfKAjz/qeLihpYYaYEP21
ogM4P6kPE9aWGYIJs143ZpI2/jzK/cvjijxe0VnsfqsvbvXZ2KCbmGMta3trzVBz
YtC6aQVmhyPAOaGylEePyhrjUl4vwPqibPVcpYneXgKg0FCysGMjsM3qQmhOLsnW
5vjt9uTKVbSen4TIK8bbwp0D4H+25WepD8mg141G7O1bd+mkgCCfP+L4C6Iiow4+
8kFUtjCr82Iyb1d7bzIzisQr0YNgorFBW+b71nHa9IAW4ARJiCQ/aXzwY7facJFj
7Z0A4Y9Y0Nb5kEi8Gj3kJ/bHFkugWIoiDyZ+dYipARNEAurWnrA6OWM6n3QNb1Jh
GTovUh7LF2Upbk8Hs8B/OR18gMXl6Pciiyd7qN2lKB7T3o5+ePZAGpuH31bSmJxo
tKiAs7BIqz8iFw3jwuyVjch8FJciN0gBgoHHWxsFCBYWFXBeQO0BrOVlISX4blT/
Mb6zFvkozMy3rMS+PzO2I6+JiN081wy2l64UdDSPv18gbdjkRNn2LmfYAvRqLEq0
gHrWRcnDrbFT19t9ppGGsBpNwefGzVODy8KguRGEDcm0TcO1/cvds/svQWu7tbAf
PNsqZQ+e0n4LxYuMWb8x
=g9kt
-----END PGP SIGNATURE-----
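The mechanics the thread argues about, as an added example (editor's code, not from the list post or from ISC): a toy SPF evaluator that resolves the mailing-list cases over a constructed DNS view, followed by the DMARC identifier-alignment check between the header From domain and the domain SPF authenticated. The two `v=spf1` records for heikorichter.name and heikorichter.org are copied from the post; the MX host, the IP addresses, the lists.isc.org SPF record, the list bounce address and the sender address are assumptions made up for the example. SPF (RFC 7208) is evaluated against the SMTP MAIL FROM domain, and DMARC (RFC 7489) then requires the RFC5322.From domain to align with that authenticated domain; the `spf2.0/pra` record is a Sender ID record (RFC 4406), not a `v=spf1` record, so the evaluator below does not consult it.

```python
"""Toy SPF + DMARC SPF-alignment evaluator over constructed DNS data.

Editor's example, not code from the thread.  Only the two v=spf1 records
for heikorichter.name / heikorichter.org come from the post; every host,
IP address and the lists.isc.org record are assumptions for illustration.
"""
import ipaddress

# Constructed DNS view (assumed values are marked).
DNS = {
    "TXT": {
        "heikorichter.name": ["v=spf1 include:heikorichter.org -all"],  # from the post
        "heikorichter.org": ["v=spf1 mx -all"],                          # from the post
        "lists.isc.org": ["v=spf1 ip4:198.51.100.0/24 -all"],           # assumed
    },
    "MX": {"heikorichter.org": ["mail.heikorichter.org"]},               # assumed
    "A": {"mail.heikorichter.org": ["203.0.113.10"]},                    # assumed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, ignoring spf2.0 (Sender ID) records."""
    for txt in DNS["TXT"].get(domain, []):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """SPF check_host(): result for `ip` sending with MAIL FROM @domain.

    Handles the mechanisms used by the records above: mx, include, ip4, all.
    """
    if depth > 10:  # crude guard against include loops (RFC 7208 limits DNS terms)
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = DNS["MX"].get(arg or domain, [])
            matched = any(ip in DNS["A"].get(h, []) for h in hosts)
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record has no "all" term and nothing matched


def addr_domain(address):
    return address.rsplit("@", 1)[1].lower()


def org_domain(domain):
    """Relaxed-alignment organizational domain.  Simplification: last two
    labels; a real implementation consults the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def evaluate(ip, envelope_from, header_from):
    """SPF on the envelope sender, then DMARC relaxed alignment with the
    header From.  DMARC's SPF leg passes only if both hold."""
    env_domain = addr_domain(envelope_from)
    hdr_domain = addr_domain(header_from)
    spf = check_host(ip, env_domain)
    aligned = org_domain(env_domain) == org_domain(hdr_domain)
    return {"spf": spf, "spf_domain": env_domain, "aligned": aligned,
            "dmarc_spf": spf == "pass" and aligned}


if __name__ == "__main__":
    # 1. Direct post from the author's own MX: SPF pass, aligned.
    print(evaluate("203.0.113.10", "heiko@heikorichter.name", "heiko@heikorichter.name"))
    # 2. Relayed by the list with the envelope sender rewritten to the list's
    #    bounce address: SPF passes for lists.isc.org, but the header From is
    #    not aligned, so DMARC's SPF leg fails.
    print(evaluate("198.51.100.7", "bind-users-bounces@lists.isc.org",
                   "heiko@heikorichter.name"))
    # 3. Relayed with the envelope sender left unchanged: "-all" rejects the list host.
    print(evaluate("198.51.100.7", "heiko@heikorichter.name", "heiko@heikorichter.name"))
```

Scenario 2 is the one the thread is about: rewriting the envelope sender keeps SPF itself passing at the receiver, and what fails is the DMARC alignment between the list's bounce domain and the original header From; without the rewrite (scenario 3) the `-all` record rejects the list host outright.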


More information about the bind-users mailing list