Re: Fwd: Warning from users@xxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> Date: Sunday, October 27, 2019 12:17:36 +0000
> From: sebb <sebbaz@xxxxxxxxx>
>
>> On Sun, 27 Oct 2019 at 09:32, Richard
>> <lists-apache@xxxxxxxxxxxxxxxxxxxxx> wrote:
>> 
>> I agree, there are a range of reasons that a receiving host might
>> reject a message. When you add in DMARC - because the headers
>> aren't rewritten - the chances of rejects, and because of that
>> that someone will get kicked off a list, increase dramatically (at
>> least for those of us whose ESPs enforce DMARC).
>> 
>> Indeed, the headers on that message don't include any DMARC
>> references, and that's the problem. The sender's host/domain
>> (helios.jpl.nasa.gov) has DMARC set to "p=reject":
>> 
>>   dig txt _dmarc.helios.jpl.nasa.gov
>> 
>>   ;; ANSWER SECTION:
>>   _dmarc.helios.jpl.nasa.gov. 569 IN TXT "v=DMARC1; p=reject;
>> 
>> which means that messages that purport to be from that host/domain
>> can't be seen to be being sent from "just anywhere". Because the
>> sender's message was (re-)sent from an "apache.org" domain/IP it
>> failed DMARC which got it rejected from DMARC-enforcing ESPs.
>> 
>> For anyone using a DMARC-enforcing ESP (of which gmail is one),
>> it's fairly routine to get kicked off (or threatened with removal
>> from) lists that don't do the necessary rewriting -- which seems
>> to include most (all?) of the "apache.org" hosted lists.
> 
> I see, thanks for the clear explanation.
> 
> I've just checked the DMARC filter, and whilst it removes the DKIM
> signature, it is also supposed to munge the From line to append
> '.INVALID'.
>
> This does not appear to have happened.
>
> The script assumes that the DKIM header comes before the From line;
> maybe that was not the case here.
> 
> I assume the From rewriting is intended to disable the DMARC check
> at the receiving end.
>
> There are several examples of the From munging on the list, e.g.
> 
> http://mail-archives.apache.org/mod_mbox/httpd-users/201910.mbox/%3
> c158c6a04-ef01-2fce-bf33-aabc673bbae1@xxxxxxxxxxxxxxxxxxxx%3e
> 

The '.INVALID' "From" rewrite works, at least with my DMARC-enforcing
ESP, when it's invoked. I got the message you referenced above, as
well as about 20 others, from this list over the course of the last
~4 months that were munged that way.

The filter is missing enough, however, that I have been threatened
with expulsion from this list at least once over that same period
(plus 5 times from another ".apache.org" hosted one).



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux