Hi there lovely gentlepeople,
For years now I've been running with a custom Exim binary that has SPF,
DKIM and DMARC support compiled in. I actually reject messages based on
failing SPF + failing DKIM /and/ a DMARC policy that states 'reject'.
This has worked fine for years. Other than the occasional broken DNS for
domains: no issue.
Up until recently, when a corner case was found: it *seems* like Exim's
DMARC code(?) deduces the wrong dmarc_domain for certain messages and this
seems related to a Resent-From: header.
As far as i know, DMARC-checks should *only* consider the 'From:'-header
domain during policy checking. Perhaps the search for "From:" is too
broad and also finds the Resent-From: instead of /^From:\s/? I don't
know yet.
These lines trigger a log message of the DMARC check with -d+all:
| acl_check_data:
| warn
| dmarc_status = accept : none : off
## Example 1
Given these (relevant?) headers from the message:
| Return-path: <owner-test2+ssmeenk=freshdot.net@???>
| Resent-From: <announce@???>
| Sender: test2@???
| From: "user at somedomain (via test2 list)" <test2@???>
Results in these logs:
| processing "warn" (./e4-test.conf 432)
| check dmarc_status = accept : none : off
| ╭considering: $sender_address_domain
| ├──expanding: $sender_address_domain
| ╰─────result: simplelists.com
| ╰──(tainted)
| DMARC using SPF sender domain = simplelists.com
| DMARC adding DKIM sender domain = simplelists.com
| DMARC adding DKIM sender domain = kpn1615564.onmicrosoft.com
| DNS lookup of _dmarc.nl-ix.net (TXT) succeeded
| DMARC record found for nl-ix.net
| LOG: MAIN
| DMARC results: spf_domain=simplelists.com dmarc_domain=nl-ix.net spf_align=no dkim_align=no enforcement='Reject'
Where did that 'dmarc_domain=nl-ix.net' come from?
## Example 2
Since nl-ix.net as a domain appears in loads of other places in this message
I substituted it with my personal domain in just the Resent-From header.
So, same message, headers have Resent-From changed to 'ssmeenk@???':
| Return-path: <owner-test2+ssmeenk=freshdot.net@???>
| Resent-From: <ssmeenk@???>
| Sender: test2@???
| From: "user at somedomain (via test2 list)" <test2@???>
Results in this log message:
| processing "warn" (./e4-test.conf 432)
| check dmarc_status = accept : none : off
| ╭considering: $sender_address_domain
| ├──expanding: $sender_address_domain
| ╰─────result: simplelists.com
| ╰──(tainted)
| DMARC using SPF sender domain = simplelists.com
| DMARC adding DKIM sender domain = simplelists.com
| DMARC adding DKIM sender domain = kpn1615564.onmicrosoft.com
| DNS lookup of _dmarc.freshdot.net (TXT) succeeded
| DMARC record found for freshdot.net
| LOG: MAIN
| DMARC results: spf_domain=simplelists.com dmarc_domain=freshdot.net spf_align=no dkim_align=no enforcement='Reject'
Now it shows dmarc_domain=freshdot.net.
Weird, eh? Should still be 'dmarc_domain=simplelists.com' IMO.
## Example 3
Strangely enough, when I remove the Resent-From header entirely, with
this specific test message, the DMARC code logs 'no From: header'???
| Return-path: <owner-test2+ssmeenk=freshdot.net@???>
| Sender: test2@???
| From: "user at somedomain (via test2 list)" <test2@???>
| 15:55:37 25276 processing "warn" (./e4-test.conf 432)
| 15:55:37 25276 check dmarc_status = accept : none : off
| 15:55:37 25276 DMARC: no From: header
| 15:55:37 25276 none in "accept : none : off"? yes (matched "none")
But there really is a 'From:'-header in the message!
When I have a clearer and more privacy-friendly example to share, I will.
Any input is welcome for now!
Thanks in bundles!
-Sander.
--
| Schrödinger's cat walks into a bar and doesn't.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
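As an added illustration of the point the post makes (this is example code written for this page, not code from the post, from Exim, or from any DMARC library): the domain DMARC evaluates is the one in the RFC5322.From header, and Resent-From is a separate header that must never be substituted for it. The snippet below extracts that domain with the standard library's header parser, returns None when there is no usable From: header (the "no From: header" case from Example 3), and checks SPF and DKIM identifier alignment against it. The header sets mirror the three examples above, but every domain is a constructed placeholder (the post masks its real ones as '???'), and the organizational-domain helper uses a last-two-labels simplification instead of the Public Suffix List that real DMARC code consults.

```python
"""Added example: choose the DMARC identifier domain (RFC5322.From only)
and check identifier alignment. Not Exim's code; domains are constructed."""
from email.parser import Parser
from email.utils import getaddresses

# Constructed header sets mirroring the three examples in the post.
HEADERS_WITH_RESENT = """\
Return-path: <owner-test2+user=example.org@lists.example.net>
Resent-From: <announce@resent.example.com>
Sender: test2@lists.example.net
From: "user at somedomain (via test2 list)" <test2@lists.example.net>
"""

HEADERS_NO_RESENT = """\
Return-path: <owner-test2+user=example.org@lists.example.net>
Sender: test2@lists.example.net
From: "user at somedomain (via test2 list)" <test2@lists.example.net>
"""

HEADERS_NO_FROM = """\
Return-path: <owner-test2+user=example.org@lists.example.net>
Sender: test2@lists.example.net
"""


def rfc5322_from_domain(raw_headers):
    """Return the lower-cased domain of the single RFC5322.From address, or None.

    DMARC evaluates the From: header only. The header-name match below is
    exact, so a Resent-From: header is never considered. A message with zero
    or several From: addresses yields None (treated as 'no usable From').
    """
    msg = Parser().parsestr(raw_headers, headersonly=True)
    from_values = msg.get_all("From") or []
    addrs = [addr for _name, addr in getaddresses(from_values) if "@" in addr]
    if len(addrs) != 1:
        return None
    return addrs[0].rsplit("@", 1)[1].lower()


def org_domain(domain):
    """Simplification (assumption): last two labels as the organizational domain.
    Real implementations derive this from the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_alignment(raw_headers, spf_domain, dkim_domains, spf_mode="r", dkim_mode="r"):
    """Compute the DMARC identifier domain and SPF/DKIM alignment results.

    Assumes spf_domain and dkim_domains are identifiers that already passed
    SPF and DKIM verification; only passing identifiers count for DMARC.
    """
    from_domain = rfc5322_from_domain(raw_headers)
    if from_domain is None:
        return {"dmarc_domain": None, "spf_align": False, "dkim_align": False}
    return {
        "dmarc_domain": from_domain,
        "spf_align": aligned(from_domain, spf_domain, spf_mode),
        "dkim_align": any(aligned(from_domain, d, dkim_mode) for d in dkim_domains),
    }


if __name__ == "__main__":
    for label, hdrs in (("with Resent-From", HEADERS_WITH_RESENT),
                        ("without Resent-From", HEADERS_NO_RESENT),
                        ("no From", HEADERS_NO_FROM)):
        result = dmarc_alignment(hdrs, "lists.example.net",
                                 ["lists.example.net", "tenant.onmicrosoft.example"])
        print(label, "->", result)
```

Run as a script, the first two header sets yield the same dmarc_domain (the list's domain) whether or not Resent-From is present, and the third yields None; that is the behaviour the post expects from Exim's DMARC check. The alignment helpers accept a mode so that the relaxed/strict difference from a record's aspf/adkim tags can be tried on the same headers.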
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/