tickets #113342
openARC support for openSUSE MTAs
0%
Description
Hi,
I keep receiving massive amounts of mails from opensuse lists into my
spam folder.
Most common example are coming from suse.com addresses who are sending
via Microsoft (the non-MS ones work fine typically).
The main issue is the DMARC policy (quarantine) set by suse.com
resulting in the following bad indicators in rspamd:
Authentication-Results: ds9.rosenauer.org;
dkim=fail ("body hash did not verify") header.d=suse.com
header.s=selector1 header.b=BJsiC77W;
arc=reject ("signature check failed: fail, {[1] =
sig:microsoft.com:reject}");
dmarc=fail reason="SPF not aligned (relaxed)" header.from=suse.com
(policy=quarantine);
DMARC_POLICY_QUARANTINE(1.50)[suse.com : SPF not aligned
(relaxed),quarantine];
R_DKIM_REJECT(1.00)[suse.com:s=selector1];
ARC_REJECT(1.00)[signature check failed: fail, {[1] =
sig:microsoft.com:reject}];
That DMARC is failing totally is not a surprise given the fact that
opensuse mailinglists change the envelope from and does modifications to
the body somehow.
Changing the ml behavior is not trivial I assume but I'm wondering if it
would help if opensuse MX or mailing list MTA would support ARC and
provide valid ARC signatures in such mails?
Would that be an option?
Thanks,
Wolfgang
Updated by pjessen over 2 years ago
- Private changed from Yes to No
I keep receiving massive amounts of mails from opensuse lists into my
spam folder.
Unable to reproduce :-)
IOW, I don't see any massive amounts of mail from opensuse lists being marked as spam. I might have a rule that whitelists based on SPF though.
That DMARC is failing totally is not a surprise given the fact that
opensuse mailinglists change the envelope from and does modifications to
the body somehow.
Hmm, the envelope from
has to change when we resend from mailman, and the envelope is also not included in the DKIM signature (@ suse.com). Two, I am pretty certain we keep the mail body pristine, it was one of the things we changed very early on, stop adding list instructions to the mail.
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:content-type:content-type:
in-reply-to:in-reply-to:references:references;
Updated by wrosenauer over 2 years ago
pjessen wrote:
I keep receiving massive amounts of mails from opensuse lists into my
spam folder.Unable to reproduce :-)
IOW, I don't see any massive amounts of mail from opensuse lists being marked as spam. I might have a rule that whitelists based on SPF though.That DMARC is failing totally is not a surprise given the fact that
opensuse mailinglists change the envelope from and does modifications to
the body somehow.Hmm, the envelope
from
has to change when we resend from mailman, and the envelope is also not included in the DKIM signature (@ suse.com).
That is what makes SPF unaligned and has nothing to do with DKIM.
Two, I am pretty certain we keep the mail body pristine, it was one of the things we changed very early on, stop adding list instructions to the mail.
So someone breaks it for sure.
According to the header mx2.infra.opensuse.org still sees it valid:
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on
mx2.infra.opensuse.org
X-Spam-Level:
X-Spam-Status: No, score=-1.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,NICE_REPLY_A,RCVD_IN_MSPIKE_H2,T_SCC_BODY_TEXT_LINE
autolearn=disabled version=3.4.5
but my rspamd and dkimverify say it's failing verification.
But all that being said:
Any comment about ARC?
Updated by pjessen over 2 years ago
- Category set to Email
That is what makes SPF unaligned and has nothing to do with DKIM.
I don't understand why there should why be an SPF issue. Mails sent from mailman3 have a something@lists.o.o envelope, mails are relayed via anna and elsa, and the SPF for lists.o.o corresponds.
So someone breaks it for sure.
According to the header mx2.infra.opensuse.org still sees it valid:
Then it is happening after the mail has left our systems, but that leaves only your own ds9.rosenauer.org
?
Any comment about ARC?
Not really, I don't know anything about it :-)
In principle it certainly is possible, but in practice it seems like a bit of guesswork.
Updated by wrosenauer over 2 years ago
pjessen wrote:
That is what makes SPF unaligned and has nothing to do with DKIM.
I don't understand why there should why be an SPF issue. Mails sent from mailman3 have a something@lists.o.o envelope, mails are relayed via anna and elsa, and the SPF for lists.o.o corresponds.
Please lookup what DMARC does and what "alignment" means. SPF does not fail in itself. The DMARC SPF alignment check fails.
So someone breaks it for sure.
According to the header mx2.infra.opensuse.org still sees it valid:Then it is happening after the mail has left our systems, but that leaves only your own
ds9.rosenauer.org
?
How come? mx2.infra.opensuse.org is what receives the mail. Afterwards it still goes through mailman. anna does not add any verification headers.
Updated by pjessen over 2 years ago
wrosenauer wrote:
So someone breaks it for sure.
According to the header mx2.infra.opensuse.org still sees it valid:Then it is happening after the mail has left our systems, but that leaves only your own
ds9.rosenauer.org
?How come? mx2.infra.opensuse.org is what receives the mail. Afterwards it still goes through mailman. anna does not add any verification headers.
Ah, I thought you were talking about the tail end of the process, i.e. delivery to opensuse members.
For list mail, this is the process :
sender -> mx[12].opensuse.org -> lists.opensuse.org (mm3) -> anna/elsa -> recipient
, optionally sometimes -> mx[12].opensuse.org -> recipient
mx12 and anna/elsa are definitely only relays and do not touch the body. mailman3 re-distributes, but also should not be touching the body.
Updated by pjessen over 2 years ago
Please lookup what DMARC does and what "alignment" means. SPF does not fail in itself. The DMARC SPF alignment check fails.
Okay, so it's about the non-mandatory From: header and the envelope from. Well, if that is an issue, it has surely always been an issue.
Mails redistributed by mailman will always have :
Envelope (Return-Path) = listname-bounces@lists.o.o and From: <whatever@some.domain>.
I wonder if the suse.com DMARC policy was recently changed?
Updated by pjessen over 2 years ago
Before I go away on summer hols, let me add one or two short remarks -
a) because I don't experience the issue described myself, and because no one else has reported any similar issue, I am reluctant to point to our setup and say we have a problem we need to fix.
b) I'm guessing your rspamd setup is a bit more strict than most, which is perhaps why you are seeing this issue.
c) Seeing as only list mails are affected, maybe a simple whitelisting of lists.opensuse.org
would suffice ?
Having said all that, if anyone fancies working on $SUBJ, I have no issue with that.
Updated by wrosenauer over 2 years ago
pjessen wrote:
a) because I don't experience the issue described myself, and because no one else has reported any similar issue, I am reluctant to point to our setup and say we have a problem we need to fix.
b) I'm guessing your rspamd setup is a bit more strict than most, which is perhaps why you are seeing this issue.
If you are using rspamd than I'm happy to check why you are not facing issues.
The main thing which has an impact on the spam classification is that I have the following actions defined for DMARC failure:
quarantine = "add_header";
reject = "add_header";
Incorporating DMARC into a spamfilter policy is certainly not too strict.
c) Seeing as only list mails are affected, maybe a simple whitelisting of
lists.opensuse.org
would suffice ?
Sure only list mails are affected since they are modifying the mail sufficiently to break DMARC.
Possibly. But everything you said on a) I could repeat here for myself.
Please note that I'm asking if ARC could be implemented. This in itself is a very useful and recommended extension and not at all just for me.
Updated by pjessen over 2 years ago
- Category changed from Email to Wishlist
wrosenauer wrote:
pjessen wrote:
a) because I don't experience the issue described myself, and because no one else has reported any similar issue, I am reluctant to point to our setup and say we have a problem we need to fix.
b) I'm guessing your rspamd setup is a bit more strict than most, which is perhaps why you are seeing this issue.If you are using rspamd than I'm happy to check why you are not facing issues.
Thanks for the offer :-) but no, I'm not. (and opensuse are not).
The main thing which has an impact on the spam classification is that I have the following actions defined for DMARC failure:
quarantine = "add_header";
reject = "add_header";Incorporating DMARC into a spamfilter policy is certainly not too strict.
Agree, but how high you score violations could be. In the case of SPF-validated mails from lists.opensuse.org, I think an exception ought to be made.
c) Seeing as only list mails are affected, maybe a simple whitelisting of
lists.opensuse.org
would suffice ?Sure only list mails are affected since they are modifying the mail sufficiently to break DMARC.
They have to, or least I don't see any way around it. The envelope-from has to be set to point back to mailman, whereas we don't touch the From:-header. That is how it has always been.
Possibly. But everything you said on a) I could repeat here for myself.
Please note that I'm asking if ARC could be implemented. This in itself is a very useful and recommended extension and not at all just for me.
My general answer remains - it could be implemented, but as I don't see much gain from it, for myself it has low priority. I have put it on the wishlist.
Updated by pjessen over 2 years ago
- Related to tickets #116938: sending o.o mails to gmail account not possible added