Re: [exim-dev] DMARC and libopendmarc

Author: Todd Lyons
Date:  
To: exim-dev
Subject: Re: [exim-dev] DMARC and libopendmarc
On Fri, Sep 28, 2012 at 3:39 PM, Todd Lyons <tlyons@???> wrote:
>
> For the longer term, I have begun this work. I put together the start
> of DMARC support built in to exim, protected by feature name
> EXPERIMENTAL_DMARC. It is not yet in a modular format like DKIM is
> implemented in separate dkim.{h,c} files. For ease of testing
> purposes, I'm doing it all inline in src/receive.c.


Well, it's working, how about that!

> What I have so far is visible in my staging area at
> http://git.exim.org/users/tlyons/exim.git/shortlog/refs/heads/master_opendmarc.
> A comprehensive diff can be obtained with:
> git diff c41c0f1a1c^..HEAD


It's progressed quite a bit since last week. I welcome code reviews
to make sure I'm not doing anything dangerous. Look at the whole diff
because there are some unsafe things midstream, but it should be fixed
up by the final commit.

> Recap: It's not modular, there are no global knobs yet, there are no
> ACL control functions, and there is no ACL or router/transport
> feedback variables.
> With positive results, I'll see about modularizing it and adding knobs
> and controls and feedback variables.


I'm ready to do this part, but I need help with it. Is there any
documentation about how to design these code segments to implement the
desired feature? (modeled very heavily after dkim functionality)

1. I need to add a new control, such as:
     control = dmarc_disable_verify
2. I need to add a modifier, such as:
     dmarc_status = *
   where the possible values for * are accept, none, reject,
   quarantine, error (others?)
3. I need to add a few string variables that will return status of a
   check, such as:
     dmarc_verify_status, dmarc_verify_reason, dmarc_domain,
     dmarc_authentication_record

I think I can handle #3 with no issues, but I'm not confident in my
ability to do #1 or #2 yet.


With the current inline code, this is an example segment of logs for
messages that have DMARC records (in most cases):

2012-10-04 19:33:31 1TJrAm-00046a-7j DMARC results: spf_domain=sellernotifications.amazon.com dmarc_domain=amazon.com spf_align=yes dkim_align=yes enforcement='Accept'
2012-10-04 19:33:32 1TJrAo-00046z-Gk DMARC results: spf_domain=postmaster.twitter.com dmarc_domain=postmaster.twitter.com spf_align=yes dkim_align=yes enforcement='Accept'
2012-10-04 19:37:10 1TJrEK-0004bM-DN DMARC results: spf_domain=bounce.secureserver.net dmarc_domain=me.com spf_align=no dkim_align=no enforcement='None, Accept'
2012-10-04 19:37:58 1TJrF6-0004iO-Pn failure to store spf for DMARC: Function called with nothing to parse
2012-10-04 19:38:02 1TJrFB-0004ix-Ee failure to store spf for DMARC: Function called with nothing to parse
2012-10-04 19:38:34 1TJrFh-0004nz-4u DMARC results: spf_domain=bounce.linkedin.com dmarc_domain=linkedin.com spf_align=yes dkim_align=yes enforcement='Accept'
2012-10-04 19:38:39 1TJrFi-0004o5-HS DMARC results: spf_domain=news.retailtrafficmag.com dmarc_domain=news.retailtrafficmag.com spf_align=no dkim_align=no enforcement='No DMARC record'
2012-10-04 19:40:41 1TJrHj-00054x-Ee DMARC results: spf_domain=alerts.Chase.com dmarc_domain=alerts.Chase.com spf_align=yes dkim_align=yes enforcement='Accept'
2012-10-04 19:40:41 1TJrHj-00054z-F2 DMARC results: spf_domain=alerts.Chase.com dmarc_domain=alerts.Chase.com spf_align=yes dkim_align=yes enforcement='Accept'
2012-10-04 19:43:35 1TJrKY-0005Nz-2t DMARC results: spf_domain=bounce.linkedin.com dmarc_domain=linkedin.com spf_align=yes dkim_align=yes enforcement='Accept'
2012-10-04 19:44:09 1TJrL3-0005V5-Jv DMARC results: spf_domain=adp.com dmarc_domain=adp.com spf_align=yes dkim_align=no enforcement='Accept'

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
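
Added example (not part of the original message and not Exim code): a small Python parser for the experimental log format quoted above, which tallies enforcement outcomes, lists messages where neither SPF nor DKIM aligned even though a DMARC record was found, and collects the "failure to store spf" errors. It assumes one log entry per line, as in the unwrapped excerpt; the function and key names are hypothetical.

```python
import re
from collections import Counter

# Sample entries copied from the log excerpt in the message above, one per line.
SAMPLE_LOG = """\
2012-10-04 19:33:31 1TJrAm-00046a-7j DMARC results: spf_domain=sellernotifications.amazon.com dmarc_domain=amazon.com spf_align=yes dkim_align=yes enforcement='Accept'
2012-10-04 19:37:10 1TJrEK-0004bM-DN DMARC results: spf_domain=bounce.secureserver.net dmarc_domain=me.com spf_align=no dkim_align=no enforcement='None, Accept'
2012-10-04 19:37:58 1TJrF6-0004iO-Pn failure to store spf for DMARC: Function called with nothing to parse
2012-10-04 19:38:39 1TJrFi-0004o5-HS DMARC results: spf_domain=news.retailtrafficmag.com dmarc_domain=news.retailtrafficmag.com spf_align=no dkim_align=no enforcement='No DMARC record'
2012-10-04 19:44:09 1TJrL3-0005V5-Jv DMARC results: spf_domain=adp.com dmarc_domain=adp.com spf_align=yes dkim_align=no enforcement='Accept'
"""

# timestamp, message id, entry type, remainder of the line
ENTRY = re.compile(r"^(\S+ \S+) (\S+) (DMARC results|failure to store spf for DMARC): (.*)$")
# key=value pairs; the value is either single-quoted (may contain spaces) or a bare token
FIELD = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")

def parse_line(line):
    """Return a dict for a DMARC-related log entry, or None for any other line."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    ts, msg_id, kind, rest = m.groups()
    rec = {"time": ts, "id": msg_id, "kind": kind}
    if kind == "DMARC results":
        for key, quoted, bare in FIELD.findall(rest):
            rec[key] = quoted if quoted else bare
    else:
        rec["error"] = rest
    return rec

def summarize(text):
    """Aggregate parsed entries into the three views a mail admin would review."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    results = [r for r in records if r["kind"] == "DMARC results"]
    # Neither identifier aligned, yet a DMARC record was found for the domain.
    unaligned = [r for r in results
                 if r.get("spf_align") == "no" and r.get("dkim_align") == "no"
                 and r.get("enforcement") != "No DMARC record"]
    return {
        "enforcement": Counter(r.get("enforcement") for r in results),
        "unaligned_with_record": [(r["id"], r["dmarc_domain"]) for r in unaligned],
        "spf_store_failures": [r["id"] for r in records if r["kind"] != "DMARC results"],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```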