Re: [exim-dev] Exim support for OpenDMARC

Author: Phil Pennock
Date:  
To: Todd Lyons
CC: exim-dev
Subject: Re: [exim-dev] Exim support for OpenDMARC
On 2013-03-17 at 08:41 -0700, Todd Lyons wrote:
> So far no problems. I'm getting close to merging this into master.
> It's protected by EXPERIMENTAL_DMARC so nothing behavior-wise should
> change in the resulting binary unless the builder explicitly
> configures it.


Excellent news.

> Question: Should statistics logging be enabled by default to a default
> statistics file? Downside is that a busy system can end up with a
> large growing file in the exim spool directory and the novice sysadmin
> may not know about it.


No. Provide a chapter in the experimental doc, suited for later
incorporation into the main spec, which walks through setup and notes
what's needed. If the admin has to explicitly run external tools to do
something with the data, then they need to actually sort that out and we
should avoid extra file I/O until explicitly asked for it.

> 2. In the opendmarc milter, by default it does not send forensic
> (failure) reports when an incoming email fails dmarc alignment and the
> domain's dmarc record specifies an email address to send these
> forensic reports. If exim is being built with DMARC and configured
> for DMARC checking, and an incoming email fails alignment, exim will
> send a forensic report. Exim will not send forensic reports if
> "control = dmarc_disable_verify" or "control = dmarc_disable_forensic"
> is set.
>
> Question: Is it better to enable sending only if there is a control
> setting explicitly enabling it? Meaning I would need to invert the
> control setting such as "control = dmarc_enable_forensic"?


Hell yes.

Hint: I have DMARC notifications turned on for spodhuis.org. When I
post to mailing-lists, if the recipient system hasn't whitelisted the
list, I get hit with mails about the failures. These leak data about
recipients of mailing-lists, making them non-private.

If we default to forensics enabled, we'd just have to toggle it and
issue a security advisory as more people wake up to just how easily
DMARC can be abused.

DMARC has a lot of potential; but, for instance, p=reject in a domain
used for email addresses of humans, who post to public mailing-lists, is
not part of the upside and is why I'm lobbying to get the exim.org
mailing-lists to reject those emails rather than pass them on to the
subscribers and have the rejections by the recipient systems
auto-unsubscribe the recipients, because some idiots decided to turn on
p=reject and then send mails to public mailing-lists.

> I still have to do a lot of testing of builds and behavior with and
> without various features enabled:
> EXPERIMENTAL_SPF
> DISABLE_DKIM
> EXPERIMENTAL_DMARC


I've had on my "todo" list "sort out running tests in Amazon", but Nigel
recently suggested Vagrant instead.

Would you be interested in using Vagrant to run OS test images of a
couple of OSes, with Exim built in various ways, pushed in by either
Chef or Ansible?

-Phil
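
The two defaults discussed in this message, side by side, as an added Python example (not Exim code and not written by either poster): it parses a constructed DMARC record and returns who would receive a failure report for a misaligned message under send-unless-disabled versus send-only-if-enabled. The function names and the example.org record are assumptions made for illustration; the control names are the ones quoted in the thread.

```python
# Added illustration, not Exim source. SAMPLE is a constructed DMARC TXT record.
SAMPLE = "v=DMARC1; p=reject; ruf=mailto:forensics@example.org!10m"


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict; None if not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue  # skips the empty piece after a trailing ';'
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def forensic_recipients(tags):
    """Addresses from the ruf tag; the optional '!size' suffix is dropped."""
    out = []
    for uri in tags.get("ruf", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            out.append(uri[len("mailto:"):].split("!", 1)[0])
    return out


def reports_sent(record, aligned, controls, opt_in):
    """Who gets a failure report for one message.

    controls: set of ACL control names applied to the message.
    opt_in=False: send unless dmarc_disable_forensic is set (quoted behaviour).
    opt_in=True:  send only if dmarc_enable_forensic is set (proposed inversion).
    """
    tags = parse_dmarc(record)
    if tags is None or aligned or "dmarc_disable_verify" in controls:
        return []
    if opt_in:
        enabled = "dmarc_enable_forensic" in controls
    else:
        enabled = "dmarc_disable_forensic" not in controls
    return forensic_recipients(tags) if enabled else []
```

With no controls set, a list post that fails alignment at a subscriber's system yields `['forensics@example.org']` under the opt-out default and `[]` under the opt-in default, which is the recipient disclosure the reply describes.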