Fwd: Warning from users@httpd.apache.org

classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

Fwd: Warning from users@httpd.apache.org

audaciouse
Hello,
I am getting bounce message , what should I do?.
----------------
Thanks


---------- Forwarded message ---------
From: <[hidden email]>
Date: Wed, Sep 25, 2019 at 11:24 AM
Subject: Warning from [hidden email]
To: <mightydreams at the rate of gmail dot com>


Hi! This is the ezmlm program. I'm managing the
[hidden email] mailing list.


Messages to you from the users mailing list seem to
have been bouncing. I've attached a copy of the first bounce
message I received.

If this message bounces too, I will send you a probe. If the probe bounces,
I will remove your address from the users mailing list,
without further notice.


I've kept a list of which messages from the users mailing list have
bounced from your address.

Copies of these messages may be in the archive.
To retrieve a set of messages 123-145 (a maximum of 100 per request),
send a short message to:
   <[hidden email]>

To receive a subject and author list for the last 100 or so messages,
send a short message to:
   <[hidden email]>

Here are the message numbers:

   118921

--- Enclosed is a copy of the bounce message I received.

Return-Path: <>
Received: (qmail 369 invoked for bounce); 15 Sep 2019 00:02:49 -0000
Date: 15 Sep 2019 00:02:49 -0000
From: [hidden email]
To: [hidden email]
Subject: failure notice

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Fwd: Warning from users@httpd.apache.org

Richard


> Date: Friday, October 25, 2019 20:37:49 +0530
> From: Tapas Mishra <[hidden email]>
>
> Hello,
> I am getting bounce message , what should I do?.
> ----------------
> Thanks
>
>
> ---------- Forwarded message ---------
> From: <[hidden email]>
> Date: Wed, Sep 25, 2019 at 11:24 AM
> Subject: Warning from [hidden email]
> To: <mightydreams at the rate of gmail dot com>
>
> Hi! This is the ezmlm program. I'm managing the
> [hidden email] mailing list.
>
> Messages to you from the users mailing list seem to
> have been bouncing. I've attached a copy of the first bounce
> message I received.


This is a list configuration issue over which you have no control.

This list needs to be configured to handle DMARC properly.

Because the list doesn't do DMARC rewriting you may miss list
messages from people sending from p=reject domains, but won't
actually get kicked off the list because these bounce-check messages
will get delivered to you.



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Fwd: Warning from users@httpd.apache.org

sebb-2-2
On Fri, 25 Oct 2019 at 16:20, Richard
<[hidden email]> wrote:

>
>
>
> > Date: Friday, October 25, 2019 20:37:49 +0530
> > From: Tapas Mishra <[hidden email]>
> >
> > Hello,
> > I am getting bounce message , what should I do?.
> > ----------------
> > Thanks
> >
> >
> > ---------- Forwarded message ---------
> > From: <[hidden email]>
> > Date: Wed, Sep 25, 2019 at 11:24 AM
> > Subject: Warning from [hidden email]
> > To: <mightydreams at the rate of gmail dot com>
> >
> > Hi! This is the ezmlm program. I'm managing the
> > [hidden email] mailing list.
> >
> > Messages to you from the users mailing list seem to
> > have been bouncing. I've attached a copy of the first bounce
> > message I received.
>
>
> This is a list configuration issue over which you have no control.
>
> This list needs to be configured to handle DMARC properly.
>
> Because the list doesn't do DMARC rewriting you may miss list
> messages from people sending from p=reject domains, but won't
> actually get kicked off the list because these bounce-check messages
> will get delivered to you.

Not all bounces are due to DMARC issues.

The receiving mail system may detect another issue, such as SPAM, and
reject the mail.
There are bound to be differences in the rules that different systems
apply, so there will be occasions when the ASF system forwards a mail
which is later rejected by one or more receivers.

There are lots of other reasons why the receiver may bounce the email.

In this case, the email does not appear to have any DMARC headers:
http://mail-archives.apache.org/mod_mbox/httpd-users/201909.mbox/raw/%3cd09ee182-8902-90b8-1081-a8a956ff4818@...%3e

You can ask for a copy of the email to be sent to you by emailing:

[hidden email]

Of course this may fail if the receiver detects a problem again.

>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Fwd: Warning from users@httpd.apache.org

Richard


> Date: Saturday, October 26, 2019 13:16:36 +0100
> From: sebb <[hidden email]>
>
> On Fri, 25 Oct 2019 at 16:20, Richard
> <[hidden email]> wrote:
>>
>> > Date: Friday, October 25, 2019 20:37:49 +0530
>> > From: Tapas Mishra <[hidden email]>
>> >
>> > Hello,
>> > I am getting bounce message , what should I do?.
>> > ----------------
>> > Thanks
>> >
>> >
>> > ---------- Forwarded message ---------
>> > From: <[hidden email]>
>> > Date: Wed, Sep 25, 2019 at 11:24 AM
>> > Subject: Warning from [hidden email]
>> > To: <mightydreams at the rate of gmail dot com>
>> >
>> > Hi! This is the ezmlm program. I'm managing the
>> > [hidden email] mailing list.
>> >
>> > Messages to you from the users mailing list seem to
>> > have been bouncing. I've attached a copy of the first bounce
>> > message I received.
>>
>>
>> This is a list configuration issue over which you have no control.
>>
>> This list needs to be configured to handle DMARC properly.
>>
>> Because the list doesn't do DMARC rewriting you may miss list
>> messages from people sending from p=reject domains, but won't
>> actually get kicked off the list because these bounce-check
>> messages will get delivered to you.
>
> Not all bounces are due to DMARC issues.
>
> The receiving mail system may detect another issue, such as SPAM,
> and reject the mail.
>
> There are bound to be differences in the rules that different
> systems apply, so there will be occasions when the ASF system
> forwards a mail which is later rejected by one or more receivers.
>
> There are lots of other reasons why the receiver may bounce the
> email.
>
> In this case, the email does not appear to have any DMARC headers:
> http://mail-archives.apache.org/mod_mbox/httpd-users/201909.mbox/ra
> w/%[hidden email]%3e
>
> You can ask for a copy of the email to be sent to you by emailing:
>
> [hidden email]
>
> Of course this may fail if the receiver detects a problem again.
>

I agree, there are a range of reasons that a receiving host might
reject a message. When you add in DMARC - because the headers aren't
rewritten - the chances of rejects, and because of that that someone
will get kicked off a list, increase dramatically (at least for those
of us whose ESPs enforce DMARC).

Indeed, the headers on that message don't include any DMARC
references, and that's the problem. The sender's host/domain
(helios.jpl.nasa.gov) has DMARC set to "p=reject":

  dig txt _dmarc.helios.jpl.nasa.gov

  ;; ANSWER SECTION:
  _dmarc.helios.jpl.nasa.gov. 569 IN TXT "v=DMARC1; p=reject;

which means that messages that purport to be from that host/domain
can't be seen to be being sent from "just anywhere". Because the
sender's message was (re-)sent from an "apache.org" domain/IP it
failed DMARC which got it rejected from DMARC-enforcing ESPs.

For anyone using a DMARC-enforcing ESP (of which gmail is one), it's
fairly routine to get kicked off (or threatened with removal from)
lists that don't do the necessary rewriting -- which seems to include
most (all?) of the "apache.org" hosted lists.



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Fwd: Warning from users@httpd.apache.org

sebb-2-2
On Sun, 27 Oct 2019 at 09:32, Richard
<[hidden email]> wrote:

>
>
>
> > Date: Saturday, October 26, 2019 13:16:36 +0100
> > From: sebb <[hidden email]>
> >
> > On Fri, 25 Oct 2019 at 16:20, Richard
> > <[hidden email]> wrote:
> >>
> >> > Date: Friday, October 25, 2019 20:37:49 +0530
> >> > From: Tapas Mishra <[hidden email]>
> >> >
> >> > Hello,
> >> > I am getting bounce message , what should I do?.
> >> > ----------------
> >> > Thanks
> >> >
> >> >
> >> > ---------- Forwarded message ---------
> >> > From: <[hidden email]>
> >> > Date: Wed, Sep 25, 2019 at 11:24 AM
> >> > Subject: Warning from [hidden email]
> >> > To: <mightydreams at the rate of gmail dot com>
> >> >
> >> > Hi! This is the ezmlm program. I'm managing the
> >> > [hidden email] mailing list.
> >> >
> >> > Messages to you from the users mailing list seem to
> >> > have been bouncing. I've attached a copy of the first bounce
> >> > message I received.
> >>
> >>
> >> This is a list configuration issue over which you have no control.
> >>
> >> This list needs to be configured to handle DMARC properly.
> >>
> >> Because the list doesn't do DMARC rewriting you may miss list
> >> messages from people sending from p=reject domains, but won't
> >> actually get kicked off the list because these bounce-check
> >> messages will get delivered to you.
> >
> > Not all bounces are due to DMARC issues.
> >
> > The receiving mail system may detect another issue, such as SPAM,
> > and reject the mail.
> >
> > There are bound to be differences in the rules that different
> > systems apply, so there will be occasions when the ASF system
> > forwards a mail which is later rejected by one or more receivers.
> >
> > There are lots of other reasons why the receiver may bounce the
> > email.
> >
> > In this case, the email does not appear to have any DMARC headers:
> > http://mail-archives.apache.org/mod_mbox/httpd-users/201909.mbox/ra
> > w/%[hidden email]%3e
> >
> > You can ask for a copy of the email to be sent to you by emailing:
> >
> > [hidden email]
> >
> > Of course this may fail if the receiver detects a problem again.
> >
>
> I agree, there are a range of reasons that a receiving host might
> reject a message. When you add in DMARC - because the headers aren't
> rewritten - the chances of rejects, and because of that that someone
> will get kicked off a list, increase dramatically (at least for those
> of us whose ESPs enforce DMARC).
>
> Indeed, the headers on that message don't include any DMARC
> references, and that's the problem. The sender's host/domain
> (helios.jpl.nasa.gov) has DMARC set to "p=reject":
>
>   dig txt _dmarc.helios.jpl.nasa.gov
>
>   ;; ANSWER SECTION:
>   _dmarc.helios.jpl.nasa.gov. 569       IN      TXT     "v=DMARC1; p=reject;
>
> which means that messages that purport to be from that host/domain
> can't be seen to be being sent from "just anywhere". Because the
> sender's message was (re-)sent from an "apache.org" domain/IP it
> failed DMARC which got it rejected from DMARC-enforcing ESPs.
>
> For anyone using a DMARC-enforcing ESP (of which gmail is one), it's
> fairly routine to get kicked off (or threatened with removal from)
> lists that don't do the necessary rewriting -- which seems to include
> most (all?) of the "apache.org" hosted lists.

I see, thanks for the clear explanation.

I've just checked the DMARC filter, and whilst it removes the DKIM
signature, it is also supposed to munge the From line to append
'.INVALID'.
This does not appear to have happened.
The script assumes that the DKIM header comes before the From line;
maybe that was not the case here.

I assume the From rewriting is intended to disable the DMARC check at
the receiving end.
There are several examples of the From munging on the list, e.g.

http://mail-archives.apache.org/mod_mbox/httpd-users/201910.mbox/%3c158c6a04-ef01-2fce-bf33-aabc673bbae1@...%3e

>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Fwd: Warning from users@httpd.apache.org

Richard


> Date: Sunday, October 27, 2019 12:17:36 +0000
> From: sebb <[hidden email]>
>
>> On Sun, 27 Oct 2019 at 09:32, Richard
>> <[hidden email]> wrote:
>>
>> I agree, there are a range of reasons that a receiving host might
>> reject a message. When you add in DMARC - because the headers
>> aren't rewritten - the chances of rejects, and because of that
>> that someone will get kicked off a list, increase dramatically (at
>> least for those of us whose ESPs enforce DMARC).
>>
>> Indeed, the headers on that message don't include any DMARC
>> references, and that's the problem. The sender's host/domain
>> (helios.jpl.nasa.gov) has DMARC set to "p=reject":
>>
>>   dig txt _dmarc.helios.jpl.nasa.gov
>>
>>   ;; ANSWER SECTION:
>>   _dmarc.helios.jpl.nasa.gov. 569 IN TXT "v=DMARC1; p=reject;
>>
>> which means that messages that purport to be from that host/domain
>> can't be seen to be being sent from "just anywhere". Because the
>> sender's message was (re-)sent from an "apache.org" domain/IP it
>> failed DMARC which got it rejected from DMARC-enforcing ESPs.
>>
>> For anyone using a DMARC-enforcing ESP (of which gmail is one),
>> it's fairly routine to get kicked off (or threatened with removal
>> from) lists that don't do the necessary rewriting -- which seems
>> to include most (all?) of the "apache.org" hosted lists.
>
> I see, thanks for the clear explanation.
>
> I've just checked the DMARC filter, and whilst it removes the DKIM
> signature, it is also supposed to munge the From line to append
> '.INVALID'.
>
> This does not appear to have happened.
>
> The script assumes that the DKIM header comes before the From line;
> maybe that was not the case here.
>
> I assume the From rewriting is intended to disable the DMARC check
> at the receiving end.
>
> There are several examples of the From munging on the list, e.g.
>
> <a href="http://mail-archives.apache.org/mod_mbox/httpd-users/201910.mbox/%3">http://mail-archives.apache.org/mod_mbox/httpd-users/201910.mbox/%3
> [hidden email]%3e
>

The '.INVALID' "From" rewrite works, at least with my DMARC-enforcing
ESP, when it's invoked. I got the message you referenced above, as
well as about 20 others, from this list over the course of the last
~4 months that were munged that way.

The filter is missing enough, however, that I have been threatened
with expulsion from this list at least once over that same period
(plus 5 times from another ".apache.org" hosted one).



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Fwd: Warning from users@httpd.apache.org

sebb-2-2
On Sun, 27 Oct 2019 at 14:21, Richard
<[hidden email]> wrote:

>
>
>
> > Date: Sunday, October 27, 2019 12:17:36 +0000
> > From: sebb <[hidden email]>
> >
> >> On Sun, 27 Oct 2019 at 09:32, Richard
> >> <[hidden email]> wrote:
> >>
> >> I agree, there are a range of reasons that a receiving host might
> >> reject a message. When you add in DMARC - because the headers
> >> aren't rewritten - the chances of rejects, and because of that
> >> that someone will get kicked off a list, increase dramatically (at
> >> least for those of us whose ESPs enforce DMARC).
> >>
> >> Indeed, the headers on that message don't include any DMARC
> >> references, and that's the problem. The sender's host/domain
> >> (helios.jpl.nasa.gov) has DMARC set to "p=reject":
> >>
> >>   dig txt _dmarc.helios.jpl.nasa.gov
> >>
> >>   ;; ANSWER SECTION:
> >>   _dmarc.helios.jpl.nasa.gov. 569 IN TXT "v=DMARC1; p=reject;
> >>
> >> which means that messages that purport to be from that host/domain
> >> can't be seen to be being sent from "just anywhere". Because the
> >> sender's message was (re-)sent from an "apache.org" domain/IP it
> >> failed DMARC which got it rejected from DMARC-enforcing ESPs.
> >>
> >> For anyone using a DMARC-enforcing ESP (of which gmail is one),
> >> it's fairly routine to get kicked off (or threatened with removal
> >> from) lists that don't do the necessary rewriting -- which seems
> >> to include most (all?) of the "apache.org" hosted lists.
> >
> > I see, thanks for the clear explanation.
> >
> > I've just checked the DMARC filter, and whilst it removes the DKIM
> > signature, it is also supposed to munge the From line to append
> > '.INVALID'.
> >
> > This does not appear to have happened.
> >
> > The script assumes that the DKIM header comes before the From line;
> > maybe that was not the case here.
> >
> > I assume the From rewriting is intended to disable the DMARC check
> > at the receiving end.
> >
> > There are several examples of the From munging on the list, e.g.
> >
> > <a href="http://mail-archives.apache.org/mod_mbox/httpd-users/201910.mbox/%3">http://mail-archives.apache.org/mod_mbox/httpd-users/201910.mbox/%3
> > [hidden email]%3e
> >
>
> The '.INVALID' "From" rewrite works, at least with my DMARC-enforcing
> ESP, when it's invoked. I got the message you referenced above, as
> well as about 20 others, from this list over the course of the last
> ~4 months that were munged that way.

Good to know.

> The filter is missing enough, however, that I have been threatened
> with expulsion from this list at least once over that same period
> (plus 5 times from another ".apache.org" hosted one).

It does look like the filter does not always work correctly.

It would be useful to know which messages and lists are involved.
Note that about half apache.org lists use the dmarc filter; the others do not.

I have raised https://issues.apache.org/jira/browse/INFRA-19347.

If you could add any relevant details to the issue, that would be great.

>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Fwd: Warning from users@httpd.apache.org

sebb-2-2
On Mon, 28 Oct 2019 at 09:19, sebb <[hidden email]> wrote:

>
> On Sun, 27 Oct 2019 at 14:21, Richard
> <[hidden email]> wrote:
> >
> >
> >
> > > Date: Sunday, October 27, 2019 12:17:36 +0000
> > > From: sebb <[hidden email]>
> > >
> > >> On Sun, 27 Oct 2019 at 09:32, Richard
> > >> <[hidden email]> wrote:
> > >>
> > >> I agree, there are a range of reasons that a receiving host might
> > >> reject a message. When you add in DMARC - because the headers
> > >> aren't rewritten - the chances of rejects, and because of that
> > >> that someone will get kicked off a list, increase dramatically (at
> > >> least for those of us whose ESPs enforce DMARC).
> > >>
> > >> Indeed, the headers on that message don't include any DMARC
> > >> references, and that's the problem. The sender's host/domain
> > >> (helios.jpl.nasa.gov) has DMARC set to "p=reject":
> > >>
> > >>   dig txt _dmarc.helios.jpl.nasa.gov
> > >>
> > >>   ;; ANSWER SECTION:
> > >>   _dmarc.helios.jpl.nasa.gov. 569 IN TXT "v=DMARC1; p=reject;
> > >>
> > >> which means that messages that purport to be from that host/domain
> > >> can't be seen to be being sent from "just anywhere". Because the
> > >> sender's message was (re-)sent from an "apache.org" domain/IP it
> > >> failed DMARC which got it rejected from DMARC-enforcing ESPs.
> > >>
> > >> For anyone using a DMARC-enforcing ESP (of which gmail is one),
> > >> it's fairly routine to get kicked off (or threatened with removal
> > >> from) lists that don't do the necessary rewriting -- which seems
> > >> to include most (all?) of the "apache.org" hosted lists.
> > >
> > > I see, thanks for the clear explanation.
> > >
> > > I've just checked the DMARC filter, and whilst it removes the DKIM
> > > signature, it is also supposed to munge the From line to append
> > > '.INVALID'.
> > >
> > > This does not appear to have happened.
> > >
> > > The script assumes that the DKIM header comes before the From line;
> > > maybe that was not the case here.
> > >
> > > I assume the From rewriting is intended to disable the DMARC check
> > > at the receiving end.
> > >
> > > There are several examples of the From munging on the list, e.g.
> > >
> > > <a href="http://mail-archives.apache.org/mod_mbox/httpd-users/201910.mbox/%3">http://mail-archives.apache.org/mod_mbox/httpd-users/201910.mbox/%3
> > > [hidden email]%3e
> > >
> >
> > The '.INVALID' "From" rewrite works, at least with my DMARC-enforcing
> > ESP, when it's invoked. I got the message you referenced above, as
> > well as about 20 others, from this list over the course of the last
> > ~4 months that were munged that way.
>
> Good to know.
>
> > The filter is missing enough, however, that I have been threatened
> > with expulsion from this list at least once over that same period
> > (plus 5 times from another ".apache.org" hosted one).
>
> It does look like the filter does not always work correctly.
>
> It would be useful to know which messages and lists are involved.
> Note that about half apache.org lists use the dmarc filter; the others do not.
>
> I have raised https://issues.apache.org/jira/browse/INFRA-19347.
>
> If you could add any relevant details to the issue, that would be great.

FTR: the email from helios.jpl.nasa.gov does not have an
Authentication-Results: header in it.
AFAICT all the other emails with DKIM-Sigs or munged From: headers
(i.e. they originally had a DKIM header) have an
Authentication-Results header from one of the spamd MTAs.

Since the email was definitely seen by spamd3-us-west.apache.org this
is a bit odd.
Also the X-Spam-Status header does not mention any DKIM tests.

This suggests to me that the original email probably did not have a
DKIM signature in it.

> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [hidden email]
> > For additional commands, e-mail: [hidden email]
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Fwd: Warning from users@httpd.apache.org

Richard


> Date: Tuesday, October 29, 2019 22:03:58 +0000
> From: sebb <[hidden email]>
>
> On Mon, 28 Oct 2019 at 09:19, sebb <[hidden email]> wrote:
>>
>> On Sun, 27 Oct 2019 at 14:21, Richard
>> <[hidden email]> wrote:
>> >
>> >
>> >
>> > > Date: Sunday, October 27, 2019 12:17:36 +0000
>> > > From: sebb <[hidden email]>
>> > >
>> > >> On Sun, 27 Oct 2019 at 09:32, Richard
>> > >> <[hidden email]> wrote:
>> > >>
>> > >> I agree, there are a range of reasons that a receiving host
>> > >> might reject a message. When you add in DMARC - because the
>> > >> headers aren't rewritten - the chances of rejects, and
>> > >> because of that that someone will get kicked off a list,
>> > >> increase dramatically (at least for those of us whose ESPs
>> > >> enforce DMARC).
>> > >>
>> > >> Indeed, the headers on that message don't include any DMARC
>> > >> references, and that's the problem. The sender's host/domain
>> > >> (helios.jpl.nasa.gov) has DMARC set to "p=reject":
>> > >>
>> > >>   dig txt _dmarc.helios.jpl.nasa.gov
>> > >>
>> > >>   ;; ANSWER SECTION:
>> > >>   _dmarc.helios.jpl.nasa.gov. 569 IN TXT "v=DMARC1; p=reject;
>> > >>
>> > >> which means that messages that purport to be from that
>> > >> host/domain can't be seen to be being sent from "just
>> > >> anywhere". Because the sender's message was (re-)sent from an
>> > >> "apache.org" domain/IP it failed DMARC which got it rejected
>> > >> from DMARC-enforcing ESPs.
>> > >>
>> > >> For anyone using a DMARC-enforcing ESP (of which gmail is
>> > >> one), it's fairly routine to get kicked off (or threatened
>> > >> with removal from) lists that don't do the necessary
>> > >> rewriting -- which seems to include most (all?) of the
>> > >> "apache.org" hosted lists.
>> > >
>> > > I see, thanks for the clear explanation.
>> > >
>> > > I've just checked the DMARC filter, and whilst it removes the
>> > > DKIM signature, it is also supposed to munge the From line to
>> > > append '.INVALID'.
>> > >
>> > > This does not appear to have happened.
>> > >
>> > > The script assumes that the DKIM header comes before the From
>> > > line; maybe that was not the case here.
>> > >
>> > > I assume the From rewriting is intended to disable the DMARC
>> > > check at the receiving end.
>> > >
>> > > There are several examples of the From munging on the list,
>> > > e.g.
>> > >
>> > > http://mail-archives.apache.org/mod_mbox/httpd-users/201910.mb
>> > > ox/%3
>> > > [hidden email]%3e
>> > >
>> >
>> > The '.INVALID' "From" rewrite works, at least with my
>> > DMARC-enforcing ESP, when it's invoked. I got the message you
>> > referenced above, as well as about 20 others, from this list
>> > over the course of the last ~4 months that were munged that way.
>>
>> Good to know.
>>
>> > The filter is missing enough, however, that I have been
>> > threatened with expulsion from this list at least once over that
>> > same period (plus 5 times from another ".apache.org" hosted one).
>>
>> It does look like the filter does not always work correctly.
>>
>> It would be useful to know which messages and lists are involved.
>> Note that about half apache.org lists use the dmarc filter; the
>> others do not.
>>
>> I have raised https://issues.apache.org/jira/browse/INFRA-19347.
>>
>> If you could add any relevant details to the issue, that would be
>> great.
>
> FTR: the email from helios.jpl.nasa.gov does not have an
> Authentication-Results: header in it.
> AFAICT all the other emails with DKIM-Sigs or munged From: headers
> (i.e. they originally had a DKIM header) have an
> Authentication-Results header from one of the spamd MTAs.
>
> Since the email was definitely seen by spamd3-us-west.apache.org
> this is a bit odd.
> Also the X-Spam-Status header does not mention any DKIM tests.
>
> This suggests to me that the original email probably did not have a
> DKIM signature in it.
>

The intent of DMARC is to give domain owners a way to keep people
from spoofing their domain. People who are spoofing an address aren't
likely to sign or otherwise add markers to the message headers
(except to try to get their spoofing through) so I don't believe that
you can count on anything within the message header (including the
lack of a DKIM signature) as definitive that DMARC is or isn't set on
the From: host/domain. I think that the only real test is to do a DNS
query to look up the DMARC settings on the RFC5322 From address:

   <https://tools.ietf.org/html/rfc7489>

   1. Domain Owners publish policy assertions about domains
      via the DNS.

   2. Receivers compare the RFC5322.From address in the mail
      to the SPF and DKIM results, if present, and the DMARC
      policy in DNS.

You might want to look at the document at:

<https://gitlab.com/mailman/mailman/blob/master/src/mailman/rules/docs/dmarc-mitigation.rst>

to see the way Mailman appears to be handling this.




---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Fwd: Warning from users@httpd.apache.org

sebb-2-2
In reply to this post by sebb-2-2
Top-posting

FTR, DMARC handling has now been updated.
The filter no longer removes DKIM headers (it renames them if necessary).

Also the DKIM and From headers are handled independently.
This should avoid problems previously caused if there were two DKIM
Sigs or the Sig appeared after the From header.

If you see any problems going forward, please raise a JIRA with the details.
Thanks!

On Tue, 29 Oct 2019 at 22:03, sebb <[hidden email]> wrote:

>
> On Mon, 28 Oct 2019 at 09:19, sebb <[hidden email]> wrote:
> >
> > On Sun, 27 Oct 2019 at 14:21, Richard
> > <[hidden email]> wrote:
> > >
> > >
> > >
> > > > Date: Sunday, October 27, 2019 12:17:36 +0000
> > > > From: sebb <[hidden email]>
> > > >
> > > >> On Sun, 27 Oct 2019 at 09:32, Richard
> > > >> <[hidden email]> wrote:
> > > >>
> > > >> I agree, there are a range of reasons that a receiving host might
> > > >> reject a message. When you add in DMARC - because the headers
> > > >> aren't rewritten - the chances of rejects, and because of that
> > > >> that someone will get kicked off a list, increase dramatically (at
> > > >> least for those of us whose ESPs enforce DMARC).
> > > >>
> > > >> Indeed, the headers on that message don't include any DMARC
> > > >> references, and that's the problem. The sender's host/domain
> > > >> (helios.jpl.nasa.gov) has DMARC set to "p=reject":
> > > >>
> > > >>   dig txt _dmarc.helios.jpl.nasa.gov
> > > >>
> > > >>   ;; ANSWER SECTION:
> > > >>   _dmarc.helios.jpl.nasa.gov. 569 IN TXT "v=DMARC1; p=reject;
> > > >>
> > > >> which means that messages that purport to be from that host/domain
> > > >> can't be seen to be being sent from "just anywhere". Because the
> > > >> sender's message was (re-)sent from an "apache.org" domain/IP it
> > > >> failed DMARC which got it rejected from DMARC-enforcing ESPs.
> > > >>
> > > >> For anyone using a DMARC-enforcing ESP (of which gmail is one),
> > > >> it's fairly routine to get kicked off (or threatened with removal
> > > >> from) lists that don't do the necessary rewriting -- which seems
> > > >> to include most (all?) of the "apache.org" hosted lists.
> > > >
> > > > I see, thanks for the clear explanation.
> > > >
> > > > I've just checked the DMARC filter, and whilst it removes the DKIM
> > > > signature, it is also supposed to munge the From line to append
> > > > '.INVALID'.
> > > >
> > > > This does not appear to have happened.
> > > >
> > > > The script assumes that the DKIM header comes before the From line;
> > > > maybe that was not the case here.
> > > >
> > > > I assume the From rewriting is intended to disable the DMARC check
> > > > at the receiving end.
> > > >
> > > > There are several examples of the From munging on the list, e.g.
> > > >
> > > > <a href="http://mail-archives.apache.org/mod_mbox/httpd-users/201910.mbox/%3">http://mail-archives.apache.org/mod_mbox/httpd-users/201910.mbox/%3
> > > > [hidden email]%3e
> > > >
> > >
> > > The '.INVALID' "From" rewrite works, at least with my DMARC-enforcing
> > > ESP, when it's invoked. I got the message you referenced above, as
> > > well as about 20 others, from this list over the course of the last
> > > ~4 months that were munged that way.
> >
> > Good to know.
> >
> > > The filter is missing enough, however, that I have been threatened
> > > with expulsion from this list at least once over that same period
> > > (plus 5 times from another ".apache.org" hosted one).
> >
> > It does look like the filter does not always work correctly.
> >
> > It would be useful to know which messages and lists are involved.
> > Note that about half apache.org lists use the dmarc filter; the others do not.
> >
> > I have raised https://issues.apache.org/jira/browse/INFRA-19347.
> >
> > If you could add any relevant details to the issue, that would be great.
>
> FTR: the email from helios.jpl.nasa.gov does not have an
> Authentication-Results: header in it.
> AFAICT all the other emails with DKIM-Sigs or munged From: headers
> (i.e. they originally had a DKIM header) have an
> Authentication-Results header from one of the spamd MTAs.
>
> Since the email was definitely seen by spamd3-us-west.apache.org this
> is a bit odd.
> Also the X-Spam-Status header does not mention any DKIM tests.
>
> This suggests to me that the original email probably did not have a
> DKIM signature in it.
>
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [hidden email]
> > > For additional commands, e-mail: [hidden email]
> > >

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Rewrite from IP:Port to specific path

Daniel Armando Rodriguez
In reply to this post by audaciouse
Hi,

I'm dealing with a particular need about give access to requests made from specific IP:Port to a certain URL and nothing more.

This is what I got so far, I'm in doubt if would work

RewriteEngine On
RewriteCond %{REMOTE_ADDR}%{REMOTE_PORT} ^1\.2\.3\.4:8022$
RewriteRule .* /aplicacion.php?a=12.34&b=modulo||110000003 [R=302,L]
Reply | Threaded
Open this post in threaded view
|

Re: Rewrite from IP:Port to specific path

Eric Covener
On Mon, Sep 28, 2020 at 5:34 PM Daniel Armando Rodriguez
<[hidden email]> wrote:
>
> Hi,
>
> I'm dealing with a particular need about give access to requests made from specific IP:Port to a certain URL and nothing more.
>
> This is what I got so far, I'm in doubt if would work
>
> RewriteEngine On
> RewriteCond %{REMOTE_ADDR}%{REMOTE_PORT} ^1\.2\.3\.4:8022$

need ":" separator in the first arg between the vars to match the regex

> RewriteRule .* /aplicacion.php?a=12.34&b=modulo||110000003 [R=302,L]

this will probably loop, you need a condition that stops it from redirecting.



--
Eric Covener
[hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Rewrite from IP:Port to specific path

Daniel Armando Rodriguez


El lun., 28 de sep. de 2020 a la(s) 19:11, Eric Covener ([hidden email]) escribió:
On Mon, Sep 28, 2020 at 5:34 PM Daniel Armando Rodriguez
<[hidden email]> wrote:
>
> Hi,
>
> I'm dealing with a particular need about give access to requests made from specific IP:Port to a certain URL and nothing more.
>
> This is what I got so far, I'm in doubt if would work
>
> RewriteEngine On
> RewriteCond %{REMOTE_ADDR}%{REMOTE_PORT} ^1\.2\.3\.4:8022$

need ":" separator in the first arg between the vars to match the regex

Thanks, didn't see that
 
> RewriteRule .* /aplicacion.php?a=12.34&b=modulo||110000003 [R=302,L]

this will probably loop, you need a condition that stops it from redirecting.

Well the intention is redirect all inbound traffic to a particular URL