mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

Seems too easy to inbox spoofed domains #1755

Closed myfirstnameispaul closed 3 years ago

myfirstnameispaul commented 4 years ago

It seems too easy to inbox spoofed domains on Mail-in-a-Box, and it is due to no DMARC or SPF checks.

Steps to confirm:

1. Create mail server anywhere that has a valid DKIM record.
2. Send email using any from address (e.g., service@paypal.com) to a known address for a Mail-in-a-Box installation.
3. Email arrives in user's inbox.

Simple way attacker could make use of this:

1. Generate list with bot each time bot discovers:
   - A Mail-in-a-Box mail server
   - An MX record that has a Mail-in-a-Box server
   - NS records of ns1.box.example.com or ns2.box.example.com
2. Compare against lists of email addresses
3. Use in targeted scam campaign

JoshData commented 4 years ago

Right now we take a conservative approach to blocking incoming mail -- we don't want to block people's legitimate mail, even if it's not compliant with DMARC. You are welcome to propose a change that is easy to implement.

myfirstnameispaul commented 4 years ago

Even just SPF checks would be acceptable. It should just send to spam based on SA, IIRC.

What about postfix-policyd-spf-python? I'm not really sure how or where to put it in the project, but I'd be happy to work out a configuration.

myfirstnameispaul commented 4 years ago

@JoshData

Okay, so after a fair amount of digging I gave up and posted to the SA mailing list and was directed to this page recommending the following config be added to /etc/spamassassin/local.cf:

ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns __DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=none;/
askdns __DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=quarantine;/
askdns __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject;/

meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
score DMARC_REJECT 10
meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
score DMARC_QUAR 5
meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
score DMARC_NONE 0.1
endif # Mail::SpamAssassin::Plugin::AskDNS

I also added SPFSelfValidate True to /etc/opendmarc.conf and installed libmail-spf-perl. If I'm understanding the SA SPF plugin page correctly, this should prevent a second SPF check.

I manually made the changes to my personal server and the only issue is that for domains with p=quarantine, it doesn't assign any score. I could send you a PR for changes to I think just dkim.sh and spamassassin.sh, but it isn't complete since it isn't working (also, I can't test the install script right now).

It still doesn't do anything to check SPF when there is no DMARC, but unfortunately I can't even troubleshoot, let alone write a config.

myfirstnameispaul commented 4 years ago

I have a better local.cf configuration than the previous one based on an answer to my question at Server Fault:

header DMARC_PASS Authentication-Results =~ /mail\.example\.com; dmarc=pass/
describe DMARC_PASS DMARC check passed
score DMARC_PASS -0.1

header DMARC_NONE Authentication-Results =~ /mail\.example\.com; dmarc=none/
describe DMARC_NONE DMARC record not found
score DMARC_NONE 0.1

header DMARC_FAIL_NONE Authentication-Results =~ /mail\.example\.com; dmarc=fail \(p=none/
describe DMARC_FAIL_NONE DMARC check failed (p=none)
score DMARC_FAIL_NONE 2.0

header DMARC_FAIL_QUARANTINE Authentication-Results =~ /mail\.example\.com; dmarc=fail \(p=quarantine/
describe DMARC_FAIL_QUARANTINE DMARC check failed (p=quarantine)
score DMARC_FAIL_QUARANTINE 5.0

header DMARC_FAIL_REJECT Authentication-Results =~ /mail\.example\.com; dmarc=fail \(p=reject/
describe DMARC_FAIL_REJECT DMARC check failed (p=reject)
score DMARC_FAIL_REJECT 10.0

However, I'm not sure how to add this to spamassassin.sh such that the correct hostname is written to local.cf.

myfirstnameispaul commented 4 years ago

I've also used the same format to add SPF checks. Note that none of these or the above configuration changes block email, they just assign spam scores.

header SPF_PASS Authentication-Results =~ /mail\.example\.com; spf=pass/
describe SPF_PASS SPF check passed
score SPF_PASS -0.1

header SPF_NONE Authentication-Results =~ /mail\.example\.com; spf=none/
describe SPF_NONE SPF record not found
score SPF_NONE 2.0

header SPF_FAIL Authentication-Results =~ /mail\.example\.com; spf=fail/
describe SPF_FAIL SPF check failed
score SPF_FAIL 5.0

hija commented 4 years ago

What is the current status of this, @myfirstnameispaul? Does your local.cf protect you against spoofed mails? Did you encounter any disadvantages? I think this issue is definitely something to tackle 👍

myfirstnameispaul commented 4 years ago

The only thing that is sort of a problem is that I was under the impression that the sa-learn script would eventually learn which emails I want in my inbox, even though they have misconfigured DMARC, but it doesn't seem to work that way, so they are always sent to spam.

Otherwise, no problems, and I strongly prefer it.

hija commented 4 years ago

Okay. Just to make it clear again: The dmarc/spf rules in local.cf give spamassassin a score which lowers (or raises) the overall spamscore? I think it would be okay to implement it. If someone sets a dns record for dmarc / spf, they are responsible for keeping it up to date (thus ensuring that mails get delivered). @JoshData what's your opinion on this one? Would you be fine to accept a pull request for spamassassin with the rules from above by @myfirstnameispaul?

JoshData commented 4 years ago

In principle yes. I haven't had a chance to look at these changes closely, but yes.

myfirstnameispaul commented 4 years ago

@hija Correct, the only effect of the rules is to alter the spam score. Note that from my original config post the other changes are necessary for the rules to work. The only thing I revised is the rules in local.cf.

I think later this week I can implement and share a configuration for ignoring spoofed headers. I've seen this on incoming spam, but the headers seem to be for some other software so MiaB ignores them.

hija commented 4 years ago

Note that from my original config post the other changes are necessary for the rules to work. The only thing I revised is the rules in local.cf.

Alright. And we should not forget to install the additional Perl packages which are required :)

I think later this week I can implement and share a configuration for ignoring spoofed headers.

Sounds great. If I can assist you in any way just hit me up :)

ddavness commented 4 years ago

Bumping this, as in my opinion this spoofing issue should be considered as a major security vulnerability. Relevant testing bed: http://emailspooftest.com/ - four bad emails come through.

myfirstnameispaul commented 4 years ago

I made only one additional configuration change to opendmarc.conf and no issues for the past week:

# Causes the filter to ignore any SPF results in the header of the message.
# This is useful if you want the filter to perform SPF checks itself,
# or because you don’t trust the arriving header. The default is "false".

SPFIgnoreResults true

myfirstnameispaul commented 4 years ago

@hija

Just to confirm exactly what I did to my server:

Installed libmail-spf-perl.

Added the following to /etc/opendmarc.conf:

# Causes the filter to ignore any SPF results in the header of the message.
# This is useful if you want the filter to perform SPF checks itself,
# or because you don’t trust the arriving header. The default is "false".
SPFIgnoreResults true

# Causes the filter to perform a fallback SPF check itself when it can
# find no SPF results in the message header. If SPFIgnoreResults is also set,
# it never looks for SPF results in headers and always performs the SPF check
# itself when this is set. The default is "false".
SPFSelfValidate true

Added the following to /etc/spamassassin/local.cf:

# Evaluate DMARC Authentication-Results
header DMARC_PASS Authentication-Results =~ /mail\.example\.com; dmarc=pass/
describe DMARC_PASS DMARC check passed
score DMARC_PASS -0.1

header DMARC_NONE Authentication-Results =~ /mail\.example\.com; dmarc=none/
describe DMARC_NONE DMARC record not found
score DMARC_NONE 0.1

header DMARC_FAIL_NONE Authentication-Results =~ /mail\.example\.com; dmarc=fail \(p=none/
describe DMARC_FAIL_NONE DMARC check failed (p=none)
score DMARC_FAIL_NONE 2.0

header DMARC_FAIL_QUARANTINE Authentication-Results =~ /mail\.example\.com; dmarc=fail \(p=quarantine/
describe DMARC_FAIL_QUARANTINE DMARC check failed (p=quarantine)
score DMARC_FAIL_QUARANTINE 5.0

header DMARC_FAIL_REJECT Authentication-Results =~ /mail\.example\.com; dmarc=fail \(p=reject/
describe DMARC_FAIL_REJECT DMARC check failed (p=reject)
score DMARC_FAIL_REJECT 10.0

# Evaluate SPF Authentication-Results
header SPF_PASS Authentication-Results =~ /mail\.example\.com; spf=pass/
describe SPF_PASS SPF check passed
score SPF_PASS -0.1

header SPF_NONE Authentication-Results =~ /mail\.example\.com; spf=none/
describe SPF_NONE SPF record not found
score SPF_NONE 2.0

header SPF_FAIL Authentication-Results =~ /mail\.example\.com; spf=fail/
describe SPF_FAIL SPF check failed
score SPF_FAIL 5.0

I haven't had any negative issues other than when a sender has misconfigured services, it always goes to spam no matter how many times I move the sender to the Inbox (e.g., one forum uses an @yahoo.com email address when sending emails from the forum software, and yahoo.com has p=reject).

When I test, I simply spool up an OpenBSD instance primarily because it is so easy to configure to blast out spoofs using mail and I happen to have an image that also has a valid DKIM key for one of my domains. Just be careful where you are sending spoofs both from and to, because you may find yourself in some trouble for even a single service@paypal.com spoof. Of course, if you have some spare domains, then you could configure their records for testing without such risks.
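To see what those header rules actually do, and why the regexes are anchored on the box hostname, here is an added Python example (not code from this thread or from Mail-in-a-Box) that reads Authentication-Results fields the way the rules above read them: only fields whose authserv-id is our own host count, and the score deltas are the ones from the local.cf rules. The two sample messages, the hostname mail.example.net, and the paypal.com spoof carrying a pre-loaded fake dmarc=pass field under another authserv-id are constructed for the example.

```python
import re
from email import message_from_string

# Score deltas taken from the local.cf rules posted earlier in this thread.
DMARC_SCORES = {"pass": -0.1, "none": 0.1,
                "fail:none": 2.0, "fail:quarantine": 5.0, "fail:reject": 10.0}
SPF_SCORES = {"pass": -0.1, "none": 2.0, "fail": 5.0}

# "authserv-id [version] ;" prefix of an Authentication-Results field (RFC 8601).
AR_PREFIX = re.compile(r"^\s*(?P<authserv>[^;\s]+)(?:\s+\d+)?\s*;\s*(?P<rest>.*)$")
# method=result, optionally followed by a parenthesised comment such as "(p=reject dis=none)".
AR_RESULT = re.compile(r"\b(?P<method>dmarc|spf|dkim)=(?P<result>[a-z]+)"
                       r"(?:\s*\((?P<comment>[^)]*)\))?", re.I)


def parse_auth_results(msg, authserv_id):
    """Return (method, result, comment) triples from the Authentication-Results
    fields stamped by *our* authserv-id. Fields carrying any other authserv-id
    (an upstream relay, or a header the sender simply typed in) are ignored,
    which is what anchoring the SpamAssassin regexes on the box hostname does."""
    found = []
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = AR_PREFIX.match(value)
        if not m or m.group("authserv").lower() != authserv_id.lower():
            continue
        for r in AR_RESULT.finditer(m.group("rest")):
            found.append((r.group("method").lower(), r.group("result").lower(),
                          (r.group("comment") or "").lower()))
    return found


def spam_delta(results):
    """Apply the posted rule table; returns (total delta, [(rule name, score)])."""
    total, hits = 0.0, []
    for method, result, comment in results:
        if method == "dmarc":
            if result == "fail":
                pm = re.search(r"\bp=(\w+)", comment)
                if not pm:
                    continue                     # the rules only match "dmarc=fail (p=..."
                key = "fail:" + pm.group(1)
            else:
                key = result
            score = DMARC_SCORES.get(key)
            name = "DMARC_" + key.replace(":", "_").upper()
        elif method == "spf":
            score = SPF_SCORES.get(result)
            name = "SPF_" + result.upper()
        else:
            continue                             # DKIM is scored by SpamAssassin's own rules
        if score is not None:
            hits.append((name, score))
            total += score
    return round(total, 2), hits


def score_message(raw, authserv_id="mail.example.net"):
    return spam_delta(parse_auth_results(message_from_string(raw), authserv_id))


# Constructed sample messages (not real traffic); mail.example.net plays the box.
LEGIT = (
    "Authentication-Results: mail.example.net; dmarc=pass (p=none dis=none) header.from=github.com\n"
    "Authentication-Results: mail.example.net; spf=pass smtp.mailfrom=noreply@github.com\n"
    "From: notifications@github.com\nSubject: legitimate\n\nbody\n")

# The sender pre-loaded a forged "dmarc=pass" field under another authserv-id;
# only the two fields added by our own milters may count.
SPOOF = (
    "Authentication-Results: mx.google.com; dmarc=pass header.from=paypal.com\n"
    "Authentication-Results: mail.example.net; dmarc=fail (p=reject dis=none) header.from=paypal.com\n"
    "Authentication-Results: mail.example.net; spf=fail smtp.mailfrom=service@paypal.com\n"
    "From: service@paypal.com\nSubject: spoof\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, score_message(raw))
    # Trusting every authserv-id would let the forged field score as a pass:
    print("spoof, trusting mx.google.com", score_message(SPOOF, "mx.google.com"))
```

Run as a script it prints -0.2 for the legitimate message and 15.0 for the spoof. Scoring the same spoof while trusting mx.google.com as the authserv-id yields a single DMARC_PASS hit of -0.1, which is exactly the forged-header case the hostname anchor in the rules (and SPFIgnoreResults on the OpenDMARC side) is there to shut out.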

myfirstnameispaul commented 4 years ago

@hija

There is one configuration change that I added which is not in the above configuration.

In /etc/opendkim.conf I have added:

# Add an "Authentication-Results:" header field even to unsigned
# messages from domains with no "signs all" policy. The reported
# DKIM result will be "none" in such cases. Normally unsigned mail
# from non-strict domains does not cause the results header field
# to be added.
AlwaysAddARHeader       true

The intent of adding this is to prevent forgeries of the DKIM Authentication-Results header by always adding a DKIM Authentication-Results header, even when one already exists. However, I have not found an authoritative source that confirms the AlwaysAddARHeader adds a header even when there is one already present. I also have not had any forged DKIM header spam for as long as I have been testing this configuration.

The configuration change has created no undesirable impact on the server that I have observed.

jvolkenant commented 4 years ago

Per the manpage:

From those three directories, SpamAssassin will first read files ending in ".pre" in lexical order and then it will read files ending in ".cf" in lexical order (most files begin with two numbers to make the sorting order obvious).

In other words, it will read init.pre first, then 10_default_prefs.cf before 50_scores.cf and 20_body_tests.cf before 20_head_tests.cf. Options in later files will override earlier files.

It might be cleaner to drop in an additional .cf file instead of having to add a chunk of text to spamassassin.cf

I'd still have to test this.

jvolkenant commented 4 years ago

~Also, your use of /mail\.example\.com, is that a placeholder for spamassassin? Seems an odd variable name.~ (Edit: I see, it should be $PRIMARY_HOSTNAME)

jvolkenant commented 4 years ago

AlwaysAddARHeader does not seem to be in man opendmarc.conf; it may not be implemented in the ubuntu package version

myfirstnameispaul commented 4 years ago

AlwaysAddARHeader is for OpenDKIM. (o;

jvolkenant commented 4 years ago

AlwaysAddARHeader is for OpenDKIM. (o;

Right you are!

Testing the rules above for spamassassin. Maybe it's just me, but the variable name SPF_PASS does not work; when I name it SPF_GOOD it works. Maybe SPF_PASS is reserved/used elsewhere?

#SPF_GOOD used for spf=pass
root@m:~# spamassassin < testemail.txt | grep SPF
        HTML_MESSAGE,PYZOR_CHECK,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_GOOD,
        SPF_HELO_NONE,TVD_SPACE_RATIO autolearn=no autolearn_force=no
        * -0.1 SPF_GOOD SPF check passed
        *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
#SPF_PASS used for spf=pass
root@m:~# spamassassin < testemail.txt | grep SPF
        SPF_HELO_NONE,TVD_SPACE_RATIO autolearn=no autolearn_force=no
        *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record

myfirstnameispaul commented 4 years ago

All I can say is that I haven't had that experience. Here are my headers from this GitHub notification:

X-Spam-Status: No, score=-5.6 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,HTML_IMAGE_ONLY_20,HTML_MESSAGE,
    MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H3,
    RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS autolearn=ham
    autolearn_force=no version=3.4.2
X-Spam-Report: 
    * -0.1 DMARC_PASS DMARC check passed
    * -0.1 SPF_PASS SPF check passed
    *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
    *  0.7 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of
    *      words
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
    *      author's domain
    * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *       valid
    *  0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
    *      [192.30.254.199 listed in wl.mailspike.net]
    * -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/,
    *      high trust
    *      [192.30.254.199 listed in list.dnswl.org]
    *  0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
    * -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
    *       manager
    * -0.0 DKIMWL_WL_HIGH DKIMwl.org - Whitelisted High sender
X-Spam-Score: -5.6
Received: from out-16.smtp.github.com (out-16.smtp.github.com [192.30.254.199])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.example.net (Postfix) with ESMTPS id E21E15DCC2
    for <username@example.com>; Sat, 12 Sep 2020 14:38:27 -0700 (PDT)
Authentication-Results: mail.example.net; dmarc=pass (p=none dis=none) header.from=github.com
Authentication-Results: mail.example.net; spf=pass smtp.mailfrom=noreply@github.com
Authentication-Results: mail.example.net;
    dkim=pass (1024-bit key; unprotected) header.d=github.com header.i=@github.com header.b="rl8i2d+p";
    dkim-atps=neutral

jvolkenant commented 4 years ago

Seems to be working with your .conf changes above. I did however put the spamassassin rules into a different .cf file and restarted spampd (which may not be needed as I think it just spawns spamassassin process when it gets a mail)

root@m:~# cat gen_spamassassin_conf.sh
#!/bin/bash
set -euo pipefail
. /etc/mailinabox.conf
# Refuse to run without the hostname: an empty value would produce /; dmarc=pass/,
# which matches an Authentication-Results header from any host, forged ones included.
: "${PRIMARY_HOSTNAME:?PRIMARY_HOSTNAME not set in /etc/mailinabox.conf}"
# Escape the dots so the hostname is matched literally inside the SpamAssassin regexes.
parsedprimaryhostname="${PRIMARY_HOSTNAME//./\\.}"

cat << EOF > /etc/spamassassin/custom.cf
# Evaluate DMARC Authentication-Results
header DMARC_PASS Authentication-Results =~ /$parsedprimaryhostname; dmarc=pass/
describe DMARC_PASS DMARC check passed
score DMARC_PASS -0.1

header DMARC_NONE Authentication-Results =~ /$parsedprimaryhostname; dmarc=none/
describe DMARC_NONE DMARC record not found
score DMARC_NONE 0.1

header DMARC_FAIL_NONE Authentication-Results =~ /$parsedprimaryhostname; dmarc=fail \(p=none/
describe DMARC_FAIL_NONE DMARC check failed (p=none)
score DMARC_FAIL_NONE 2.0

header DMARC_FAIL_QUARANTINE Authentication-Results =~ /$parsedprimaryhostname; dmarc=fail \(p=quarantine/
describe DMARC_FAIL_QUARANTINE DMARC check failed (p=quarantine)
score DMARC_FAIL_QUARANTINE 5.0

header DMARC_FAIL_REJECT Authentication-Results =~ /$parsedprimaryhostname; dmarc=fail \(p=reject/
describe DMARC_FAIL_REJECT DMARC check failed (p=reject)
score DMARC_FAIL_REJECT 10.0

# Evaluate SPF Authentication-Results
header SPF_PASS Authentication-Results =~ /$parsedprimaryhostname; spf=pass/
describe SPF_PASS SPF check passed
score SPF_PASS -0.1

header SPF_NONE Authentication-Results =~ /$parsedprimaryhostname; spf=none/
describe SPF_NONE SPF record not found
score SPF_NONE 2.0

header SPF_FAIL Authentication-Results =~ /$parsedprimaryhostname; spf=fail/
describe SPF_FAIL SPF check failed
score SPF_FAIL 5.0
EOF

jvolkenant commented 4 years ago

I've been running myfirstnameispaul changes above and they have been working fine so far. I have not had reports from users of mail not being accepted that they were expecting.

ValdikSS commented 4 years ago

@myfirstnameispaul, could you please prepare a pull request with your changes?

myfirstnameispaul commented 4 years ago

@ValdikSS If I did that, it would be incomplete because I'm not sure how to edit the configuration scripts. I got hung up trying to figure out how to get Perl to put in the correct domain.

Not so good at scripting.

ValdikSS commented 4 years ago

@JoshData, kindly asking you to help @myfirstnameispaul implementing proper DMARC check.

ValdikSS commented 4 years ago

@myfirstnameispaul should it be better to use a module like https://github.com/bigio/spamassassin-dmarc ? For full DMARC compliance you should also generate and send DMARC reports.

ValdikSS commented 4 years ago

Please also test the case where (unauthorized) external mail server relays DKIM signed email, as in mail list. These letters should not fail even if SPF will fail. I'm not sure whether SPFIgnoreResults true and SPFSelfValidate true work properly in this case.

ValdikSS commented 4 years ago

@JoshData, is there any reason you prefer to use SpamAssassin Authentication-Results filtering instead of just enabling OpenDMARC failures with RejectFailures true? This will reject messages only on hard failure (when there's DMARC record on the domain with p=reject). With this option enabled, I have only a single email from http://emailspooftest.com/ in inbox (number 3, SPF test) compared to all 5 without the option.

jvolkenant commented 4 years ago

ValdikSS, you may have missed some of the discussion above.

Right now we take a conservative approach to blocking incoming mail -- we don't want to block people's legitimate mail, even if it's not compliant with DMARC. You are welcome to propose a change that is easy to implement.

Synchro commented 4 years ago

we don't want to block people's legitimate mail, even if it's not compliant with DMARC

Surely email that's not compliant with DMARC is not legitimate mail? The control for not rejecting it should be to change the DMARC policy, not allow forged messages in by default. It's like saying you'll let spam in because you just might want something they're offering.

ValdikSS commented 4 years ago

@jvolkenant, RejectFailures true will reject only mails with DMARC p=reject record and won't reject mails from domains with missing or p=none or p=quarantine record. Only if you explicitly configured to reject emails from your domain, it will reject it. I consider this quite conservative.

JoshData commented 4 years ago

It's nice in theory. The question is whether in practice rejecting mail is a net positive or net negative for Mail-in-a-Box users, and this is a question that requires data to answer.

Based on my saved mail, I received three (legitimate) emails in 2019 (two from Etsy, one from authorize.net (VISA)) that had

Authentication-Results: ...; dmarc=fail (p=reject...

If I hadn't receive these emails, it wouldn't have been the end of the world, but it would have caused confusion.

I didn't receive any emails in 2020 so far that match this pattern. So maybe senders have gotten better at complying with DMARC properly.

I'd love to hear from others. I ran

grep -r "Authentication-Results: {my box hostname}; dmarc=" | grep -v "dmarc=pass"|grep -v "dmarc=none"|grep -v p=none

in

/home/user-data/mail/mailboxes/{my domain}/{my username}/.{my folder where I store saved emails}/cur
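A Python version of that grep, added here as an example (not code from the thread or from Mail-in-a-Box): it walks a Maildir cur directory, keeps only Authentication-Results fields stamped by the box's own authserv-id, and tallies dmarc=fail results by policy and header.from domain, so the answer comes out as "how many, from whom, under which policy" rather than a raw match count. The sample mailbox it builds is constructed; mail.example.net is the box, and shop.example, list.example, bank.example and other.host.example are made-up names.

```python
import os
import re
import tempfile
from collections import Counter

# One regex, kept close to the grep above: a dmarc=fail result with its policy,
# plus the header.from domain OpenDMARC records after it. Folded headers are
# handled by the \s* between the tokens.
DMARC_FAIL = re.compile(
    r"Authentication-Results:\s*(?P<authserv>[^;\s]+)\s*;\s*dmarc=fail\s*"
    r"\(p=(?P<policy>\w+)[^)]*\)\s*header\.from=(?P<domain>\S+)", re.I)


def audit_maildir(cur_dir, authserv_id, policies=("quarantine", "reject")):
    """Tally DMARC failures by (policy, From domain) over the files in a Maildir
    'cur' directory. Only fields stamped by our own authserv-id are counted, so
    a forged or upstream Authentication-Results header cannot skew the audit."""
    tally = Counter()
    for name in sorted(os.listdir(cur_dir)):
        path = os.path.join(cur_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            headers = fh.read().split("\n\n", 1)[0]   # stop at the header/body boundary
        for m in DMARC_FAIL.finditer(headers):
            if m.group("authserv").lower() != authserv_id.lower():
                continue
            policy = m.group("policy").lower()
            if policy in policies:
                tally[(policy, m.group("domain").lower().rstrip("."))] += 1
    return tally


def report(tally):
    """Sorted (count, policy, domain) rows, busiest sender first."""
    return sorted(((n, p, d) for (p, d), n in tally.items()), reverse=True)


# Constructed sample mailbox (six messages, headers only matter).
SAMPLES = {
    "msg1": "Authentication-Results: mail.example.net; dmarc=fail (p=reject dis=none) header.from=shop.example\nFrom: a@shop.example\n\nbody\n",
    "msg2": "Authentication-Results: mail.example.net; dmarc=fail (p=quarantine dis=quarantine) header.from=shop.example\nFrom: b@shop.example\n\nbody\n",
    "msg3": "Authentication-Results: mail.example.net; dmarc=fail (p=none dis=none) header.from=list.example\nFrom: c@list.example\n\nbody\n",
    "msg4": "Authentication-Results: mail.example.net; dmarc=pass (p=reject dis=none) header.from=bank.example\nFrom: d@bank.example\n\nbody\n",
    # Upstream or forged field: the authserv-id is not ours, so it must not count.
    "msg5": "Authentication-Results: other.host.example; dmarc=fail (p=reject) header.from=bank.example\nFrom: e@bank.example\n\nbody\n",
    # Same result as msg1 but folded over two lines, as Postfix writes it.
    "msg6": "Authentication-Results: mail.example.net;\n\tdmarc=fail (p=reject dis=none) header.from=shop.example\nFrom: f@shop.example\n\nbody\n",
}


def build_sample_maildir():
    d = tempfile.mkdtemp(prefix="miab-audit-")
    for name, text in SAMPLES.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return d


if __name__ == "__main__":
    for n, p, d in report(audit_maildir(build_sample_maildir(), "mail.example.net")):
        print(f"{n:4d}  p={p:<10}  {d}")
```

On the constructed mailbox it reports two p=reject and one p=quarantine failures, all from shop.example; the p=none failure and the field stamped by another host are left out, matching the grep -v filters in the command above. Point it at a real cur directory and pass the box hostname to get the same breakdown for your own mail.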

Synchro commented 4 years ago

That's a good thing to look at! In a mailbox of 26,500 messages, I have 116 matches, but none since April 2019. stackoverflow.email used to fail a lot it seems!

In another account I can see that the UK tax office hit this in May this year (sent via messagelabs, who should know better!)

ValdikSS commented 4 years ago

As far as I know, many (most?) major email services drop emails with p=reject, so it's safe to assume that email delivery with DMARC problems is a big problem and the sender should not expect the message to be received into inbox, if at all, worldwide.

To make things clear: I'm by no means an expert in email, and you probably know the situation better than me, but I got confused that MiaB, despite having all common (SPF, DKIM, DMARC) and new technologies (TLSA, SSHFP, MTA-STS) does not validate SPF or DKIM and receives even very naively spoofed email into inbox.

myfirstnameispaul commented 4 years ago

Gmail sends DMARC p=reject failures to spam folder and includes this warning:

Gmail DMARC warning

I belong to a tech forum that sends forum responses (including signups) using an @yahoo.com address, and I believe it is intentional, if annoying.

Maybe enable RUA, hadn't thought about it too much. Can't see what harm it would do? (RUF can be a DDoS vector.)

I did not make the decision on using OpenDMARC. My goal was to find the easiest way with an existing installation.

DKIM is already enabled to be checked and failures weigh heavily against the spam score. However, most spammers pass DKIM checks.

yodax commented 4 years ago

From 2019 onward I have 200 emails that are either reject or quarantine. From 18 unique hosts. Primevideo sent a couple of messages. Some other specific Dutch sites too. This is from 20k emails.

I wouldn't mind them going to spam.

ValdikSS commented 3 years ago

@myfirstnameispaul

Gmail sends DMARC p=reject failures to spam folder and includes this warning:

Probably not in all cases. I quite frequently receive delivery reports when someone sends spam from my domain with p=reject, as follows:

Action: failed
Status: 5.7.26
Remote-MTA: dns;ASPMX.L.GOOGLE.COM (64.233.162.27)
Diagnostic-Code: smtp;550 5.7.26 Unauthenticated email from valdikss.org.ru is not accepted due to domain's DMARC policy. Please contact the administrator of valdikss.org.ru domain if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690 to learn about the DMARC initiative. u8si95202lji.395 - gsmtp
X-PowerMTA-BounceCategory: policy-related

myfirstnameispaul commented 3 years ago

@ValdikSS

That looks like the standard email I have always received from Google. I don't think it reflects how the mail is handled on the user side.

ValdikSS commented 3 years ago

What do you mean? This is email bounce for the spoofed email from my domain. Gmail rejected this email completely, that's why I receive the bounce.

myfirstnameispaul commented 3 years ago

So, when you looked in the Gmail spam folder, the email was not there?

I have received many of those emails from Google over the years and Google still delivers the mail to the Gmail spam folder, now with the message I attached in the above comment.

ValdikSS commented 3 years ago

@myfirstnameispaul, I don't know whether this email was delivered to spam or not — some spammer sent it from my domain name, not me. But the server reply implies it was rejected. There won't be a bounce if it has been delivered, even to spam folder.

ValdikSS commented 3 years ago

@JoshData, this issue requires careful consideration and implementation. With all due respect to you and the mail-in-a-box project, a mail server that does not check SPF/DKIM/DMARC for incoming messages does not meet the requirements of the modern world.

There are three problems at the moment:

  1. Lack of SPF check
  2. Lack of DMARC verification
  3. Possibility of spoofing the sender of the mail, not only from third-party domains, but also domains served by mail-in-a-box itself

In the post https://github.com/mail-in-a-box/mailinabox/issues/1755#issuecomment-706944871 I suggested setting OpenDMARC RejectFailures true. This solves problems 2 and 3 (since MiaB configures DMARC): OpenDMARC will reject messages with p=reject DMARC policy, and messages with p=quarantine will go to the milter-hold queue (requires interface management of quarantined letters, which is not currently implemented in MiaB. Probably could be configured to put mails into spam instead.). Setting up OpenDMARC only does not solve problem 1 (SPF check) because it only handles DMARC. If a letter came from a domain without a DMARC record, but with an incorrect SPF, then OpenDMARC will not discard it and will not tag it. In addition, OpenDMARC supports the creation of Failure Reports - technical letters that will be sent to the owner of the domain on whose behalf letters are sent with sender spoofing.

Pull-request #1836 solves problem 1, 2, and 3, but instead of rejecting emails with p=reject it puts them in spam. Also, this pull-request does not handle DMARC Failure Reports in any way.

In my opinion, the best solution would be a combination of OpenDMARC settings for DMARC handling and rules from #1836 for SPF.

Perhaps, as an alternative, it is worth looking at ready-made solutions for postfix / spamassassin, such as https://github.com/bigio/spamassassin-dmarc

Please take this seriously. Correct SPF/DKIM/DMARC handling and spoofing protection is an important, if not essential, part of mail configuration, which MiaB currently lacks. For comparison, the iRedMail project does not receive a single letter from the emailspooftest.com service, and also does not permit in-domain email spoofing.

myfirstnameispaul commented 3 years ago

There exists many problems in the mail world, and it is hard to solve all of them from the MiaB project.

For example, I subscribed to a mailing list and I would like to receive those mails. The person sending the mailing list doesn't know anything about any of this, so he uses Mailchimp to manage all the mail stuff. Apparently, Mailchimp is perfectly content to send messages from any email address the user puts in, because this newsletter I signed up for is being sent using a gmail.com email address and is properly assigned all the negative scores it deserves.

I have seen the same issue with WordPress sites and forums. I think some people in the tech world do it on purpose to keep out the rabble, while others don't understand why emails aren't arriving.

So I am fine with the policy of accepting all mail and just declaring as spam when appropriate.

ValdikSS commented 3 years ago

…is being sent using a gmail.com email address and is properly assigned all the negative scores it deserves

To be precise, OpenDMARC's RejectFailures true won't reject or quarantine these messages as gmail has p=none policy.

$ dig +short txt _dmarc.gmail.com
"v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"

However I totally understand your concern. I would like to hear major contributors' opinion.
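The mailing-list relay question raised earlier and the gmail.com record quoted here both come down to how DMARC combines SPF, DKIM alignment and the p=/sp= tags, so here is an added Python example (mine, not the project's and not OpenDMARC's code) that evaluates one message the way RFC 7489 describes. DNS is replaced by a constructed record table: the gmail.com entry is the dig output above, yahoo.com is reduced to the p=reject mentioned earlier in the thread, and example.org, lists.example, forum.example, bounce.example and nodmarc.example are made up. The organizational-domain rule is simplified to "the last two labels" (real implementations use the Public Suffix List) and pct= is ignored.

```python
# Constructed DMARC records standing in for DNS lookups.
DMARC_RECORDS = {
    "_dmarc.gmail.com": "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com",
    "_dmarc.yahoo.com": "v=DMARC1; p=reject",
    "_dmarc.example.org": "v=DMARC1; p=reject; adkim=r; aspf=r",
}


def org_domain(domain):
    """Organizational domain. Assumption for this example: the last two labels;
    a real implementation uses the Public Suffix List (RFC 7489 section 3.2)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt):
    """tag=value pairs of a DMARC TXT record, or None if it is not a v=DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def lookup_policy(from_domain, records):
    """RFC 7489 section 6.6.3: query the From domain, then fall back to its
    organizational domain. Returns (tags, found_at_org_domain)."""
    from_domain = from_domain.lower()
    tags = parse_dmarc(records.get("_dmarc." + from_domain, ""))
    if tags:
        return tags, False
    od = org_domain(from_domain)
    if od != from_domain:
        tags = parse_dmarc(records.get("_dmarc." + od, ""))
        if tags:
            return tags, True
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
             records=DMARC_RECORDS):
    """DMARC verdict for one message: it passes if EITHER the SPF-authenticated
    MAIL FROM domain OR a valid DKIM d= domain aligns with the From domain.
    pct= is ignored here (treated as 100)."""
    tags, at_org = lookup_policy(from_domain, records)
    if tags is None:
        return {"dmarc": "none", "policy": None, "disposition": "none"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    # sp= applies only when the record was found at the org domain for a subdomain From.
    policy = tags.get("sp", tags.get("p", "none")) if at_org else tags.get("p", "none")
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "policy": policy, "disposition": "none"}
    return {"dmarc": "fail", "policy": policy, "disposition": policy}


if __name__ == "__main__":
    cases = {
        # A list relays a DKIM-signed post: SPF fails for the list's IP, but the
        # author's signature survives and aligns, so DMARC still passes.
        "list relay": evaluate("example.org", "fail", "lists.example", "pass", "example.org"),
        # Forum software sending as @yahoo.com from its own host: nothing aligns, p=reject.
        "forum as yahoo.com": evaluate("yahoo.com", "pass", "forum.example", "pass", "forum.example"),
        # Newsletter sent as @gmail.com through a bulk sender: fails, but gmail.com has p=none.
        "newsletter as gmail.com": evaluate("gmail.com", "pass", "bounce.example", "pass", "bounce.example"),
        # Subdomain of gmail.com with no record of its own: the org record's sp=quarantine applies.
        "subdomain of gmail.com": evaluate("foo.gmail.com", "pass", "bounce.example", "none", None),
        "no DMARC record": evaluate("nodmarc.example", "fail", "x.example", "none", None),
    }
    for name, verdict in cases.items():
        print(f"{name:26} {verdict}")
```

Two things the cases make visible: the relay case only survives while the DKIM signature is intact (a list that rewrites the Subject or appends a footer breaks it, and then only an ARC-style or rewriting-From list keeps DMARC passing), and a gmail.com From address fails DMARC yet gets disposition none because the record says p=none, whereas the same message under a subdomain picks up sp=quarantine. RejectFailures in OpenDMARC acts on the disposition column, not on the pass/fail column.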

myfirstnameispaul commented 3 years ago

@ValdikSS I reported this issue, so I will comment as I desire.

Daemoforums.org uses a yahoo.com email address for all notifications from the forum.

ValdikSS commented 3 years ago

I reported this issue, so I will comment as I desire.

Is that a reply to I would like to hear major contributors' opinion.? I meant that the final decision comes from major contributors, that's why I want to hear their opinion as well.

JoshData commented 3 years ago

does not meet the requirements of the modern world

I have zero patience for people who think that my time (and the time of other people trying to make this project better) revolves around meeting other people's requirements. While I appreciate constructive feedback, remarks that features are "essential" are dismissive of all of the existing members in our community and are out of line. @ValdikSS: Please take some time off from this issue before commenting further. (If this were about a more serious security concern like being an open relay or a critical vulnerability it would be different. Spoofing is an unsolved problem in the modern world and the proposals here would not fix it.)

I think folks are in agreement that #1836 is ready to be merged, so I plan to do that.