[exim] Exim, DMARC and Resent-From:

Author: Sander Smeenk
Date:
To: exim-users
Subject: [exim] Exim, DMARC and Resent-From:

Hi there lovely gentlepeople,

For years now i've been running with a custom Exim binary that has SPF,
DKIM and DMARC support compiled in. I actually reject messages based on
failing SPF + failing DKIM /and/ a DMARC policy that states 'reject'.
This has worked fine for years. Other than the occasional broken DNS for
domains: no issue.

Up until recently, when a corner case was found: it *seems* like Exim's
DMARC code(?) deduces the wrong dmarc_domain for certain messages and this
seems related to a Resent-From: header.

As far as i know, DMARC-checks should *only* consider the 'From:'-header
domain during policy checking. Perhaps the search for "From:" is too
broad and also finds the Resent-From: instead of /^From:\s/? I don't
know yet.

These lines trigger a log message of the DMARC check with -d+all:

| acl_check_data:
|    warn
|        dmarc_status = accept : none : off



## Example 1
Given these (relevant?) headers from the message:

| Return-path: <owner-test2+ssmeenk=freshdot.net@???>
| Resent-From: <announce@???>
| Sender: test2@???
| From: "user at somedomain (via test2 list)" <test2@???>


Results in these logs:

| processing "warn" (./e4-test.conf 432)
| check dmarc_status = accept : none : off
|  ╭considering: $sender_address_domain
|  ├──expanding: $sender_address_domain
|  ╰─────result: simplelists.com
|             ╰──(tainted)
| DMARC using SPF sender domain = simplelists.com
| DMARC adding DKIM sender domain = simplelists.com
| DMARC adding DKIM sender domain = kpn1615564.onmicrosoft.com
| DNS lookup of _dmarc.nl-ix.net (TXT) succeeded
| DMARC record found for nl-ix.net
| LOG: MAIN
|   DMARC results: spf_domain=simplelists.com dmarc_domain=nl-ix.net spf_align=no dkim_align=no enforcement='Reject'


Where did that 'dmarc_domain=nl-ix.net' come from?


## Example 2
Since nl-ix.net as a domain appears in loads of other places in this message
i substituted it by my personal domain in just the Resent-From header.
So, same message, headers have Resent-From changed to 'ssmeenk@???':

| Return-path: <owner-test2+ssmeenk=freshdot.net@???>
| Resent-From: <ssmeenk@???>
| Sender: test2@???
| From: "user at somedomain (via test2 list)" <test2@???>


Results in this log message:

| processing "warn" (./e4-test.conf 432)
| check dmarc_status = accept : none : off
|  ╭considering: $sender_address_domain
|  ├──expanding: $sender_address_domain
|  ╰─────result: simplelists.com
|             ╰──(tainted)
| DMARC using SPF sender domain = simplelists.com
| DMARC adding DKIM sender domain = simplelists.com
| DMARC adding DKIM sender domain = kpn1615564.onmicrosoft.com
| DNS lookup of _dmarc.freshdot.net (TXT) succeeded
| DMARC record found for freshdot.net
| LOG: MAIN
|   DMARC results: spf_domain=simplelists.com dmarc_domain=freshdot.net spf_align=no dkim_align=no enforcement='Reject'


Now it shows dmarc_domain=freshdot.net.
Weird, 'eh? Should still be 'dmarc_domain=simplelists.com' IMO.


## Example 3
Strangely enough, when i remove the Resent-From header entirely, with
this specific test message, the DMARC code logs 'no From: header'???

| Return-path: <owner-test2+ssmeenk=freshdot.net@???>
| Sender: test2@???
| From: "user at somedomain (via test2 list)" <test2@???>


| 15:55:37 25276 processing "warn" (./e4-test.conf 432)
| 15:55:37 25276 check dmarc_status = accept : none : off
| 15:55:37 25276 DMARC: no From: header
| 15:55:37 25276 none in "accept : none : off"? yes (matched "none")


But there really is a 'From:'-header in the message!

When i have a more clear and privacy-friendly example to share, i will.
Any input is welcome for now!


Thanks in bundles!
-Sander.
--
| Schrödingers cat walks into a bar and doesn't.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
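
The message above wonders whether a search for "From:" that is too broad could pick up Resent-From: instead. The following is an added example, not Exim's code and not part of the original post, that contrasts such an unanchored match with one anchored to the start of a header line. The header block is constructed to resemble Example 1, the `example` domains are placeholders, and the function names are hypothetical; it assumes one mailbox per header and no folded lines.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed headers shaped like Example 1; the .example domains are placeholders. */
static const char SAMPLE[] =
    "Return-path: <owner-test2@list.example>\r\n"
    "Resent-From: <announce@other.example>\r\n"
    "Sender: test2@list.example\r\n"
    "From: \"user at somedomain (via test2 list)\" <test2@list.example>\r\n";

/* Copy the domain after the last '@' on this header line into out.
   Simplification: one mailbox per header, no folded continuation lines. */
static int line_domain(const char *body, char *out, size_t n) {
    size_t len = strcspn(body, "\r\n"), i = len, j = 0;
    while (i > 0 && body[i - 1] != '@') i--;
    if (i == 0) return 0;                      /* no '@' on this line */
    while (i < len && body[i] != '>' && body[i] != ' ' && j + 1 < n)
        out[j++] = body[i++];
    out[j] = '\0';
    return j > 0;
}

/* Over-broad match: the first "From:" anywhere, which also hits "Resent-From:". */
int naive_from_domain(const char *hdrs, char *out, size_t n) {
    for (const char *p = hdrs; *p; p++)
        if (strncasecmp(p, "From:", 5) == 0)
            return line_domain(p + 5, out, n);
    return 0;
}

/* Anchored match: the field name must be exactly "From" at the start of a line. */
int strict_from_domain(const char *hdrs, char *out, size_t n) {
    const char *p = hdrs;
    while (*p) {
        if (strncasecmp(p, "From:", 5) == 0)
            return line_domain(p + 5, out, n);
        p += strcspn(p, "\n");                 /* skip to the end of this line */
        if (*p) p++;                           /* step past the newline */
    }
    return 0;
}

int main(void) {
    char a[64] = "", b[64] = "";
    naive_from_domain(SAMPLE, a, sizeof a);
    strict_from_domain(SAMPLE, b, sizeof b);
    printf("naive=%s strict=%s\n", a, b);
    return 0;
}
```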

