Mailing List Archive

AuthRes plugin (replay RBL queries one hour later)
>Rob McEwen wrote:
>>All I know for sure is this - for MANY legit emails - DKIM fails
>>some days later

On 28.02.23 12:52, Kris Deugau wrote:
>Hours.
>
>I've recently learned about this, in the context of trying to
>welcomelist legitimate senders. A 2-hour validity window for the DKIM
>signature is pretty common. :(

I hope these senders expire their e-mail 1.5 hours after sending...


This should be avoidable by using opendkim at SMTP time, and using
Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules aren't
rechecked if they are

I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.

However, I don't see AuthRes plugin mentioned in .pre files nor in SA rules.

I will try to load it to see if it works.


>> - when it had originally worked/validated at the time the
>>message was sent. I see this often in the real world when I rescan a
>>message to try to verify the impact on a message that a spam
>>filtering change caused - then notice that a very legit email that
>>originally passed DKIM at the time the message was received - now
>>suddenly fails DKIM during this days-later rescan - and without ANY
>>changes to the message itself. I think that this is most likely
>>caused by DNS records for that DKIM being changed/updated.
>
>On most of those messages I expect it's an attribute set on the
>signature, not a rotated DKIM record.
>
>Look for "t=..." and "x=..." in the DKIM-Signature header. t= is the
>timestamp when it was signed, x= is when it expires.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.
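
The t=/x= check suggested in the quoted reply above, as an added example that is not part of the original posts: it reads both tags from a DKIM-Signature value and compares the expiry against the time of receipt and the time of a later rescan. The sample signature and both timestamps are constructed.

```python
import re


def parse_dkim_tags(value):
    """Return the tag=value pairs of one DKIM-Signature header value."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)   # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags


def epoch_tag(tags, name):
    """t= and x= are decimal seconds since the Unix epoch; None if absent."""
    raw = tags.get(name, "")
    return int(raw) if raw.isdigit() else None


def expiry_state(value, check_time):
    """Classify the signature's x= tag against check_time (epoch seconds)."""
    tags = parse_dkim_tags(value)
    signed, expires = epoch_tag(tags, "t"), epoch_tag(tags, "x")
    if expires is None:
        return "no-expiry"
    if signed is not None and expires <= signed:
        return "malformed"      # RFC 6376 requires x= to be later than t=
    return "expired" if check_time > expires else "valid"


def explain_rescan(value, received_at, rescanned_at):
    """Show whether a rescan failure is explained by x= alone.

    RFC 6376 recommends verifying against the time the message was first
    received when that time is reliably known, otherwise the current time.
    """
    tags = parse_dkim_tags(value)
    signed, expires = epoch_tag(tags, "t"), epoch_tag(tags, "x")
    lifetime = expires - signed if None not in (signed, expires) else None
    return {
        "lifetime_s": lifetime,
        "at_receipt": expiry_state(value, received_at),
        "at_rescan": expiry_state(value, rescanned_at),
    }


# Constructed sample: signed 2023-02-28 12:00:00 UTC with a two-hour window.
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    "\tt=1677585600; x=1677592800; h=from:to:subject:date;\r\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER"
)
RECEIVED_AT = 1677585660     # one minute after signing (constructed)
RESCANNED_AT = 1677844800    # three days after signing (constructed)

if __name__ == "__main__":
    print(explain_rescan(SAMPLE_SIG, RECEIVED_AT, RESCANNED_AT))
```

A result of "valid" at receipt and "expired" at rescan points to the x= tag rather than to a rotated DNS key record.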
Re: AuthRes plugin (replay RBL queries one hour later)
On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
>
> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
>
> However, I don't see AuthRes plugin mention in .pre files nor in SA rules.

Because it's experimental and unfinished.

> I will try to load it to see if it works.

You also need rules for it to do anything. No plugin uses its parsing at
this time.

Try the example rules and report back if it works..

https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html
Re: AuthRes plugin (replay RBL queries one hour later)
>On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
>> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
>>
>> However, I don't see AuthRes plugin mention in .pre files nor in SA rules.

On 01.03.23 11:28, Henrik K wrote:
>Because it's experimental and unfinished.

this is the info I was searching for :-)

>> I will try to load it to see if it works.
>
>You also need rules for it to do anything. No plugin uses it's parsing at
>this time.

I see as it's missing from SA rules.

>Try the example rules and report back if it works..
>
>https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html

I'll try to define another set of rules to see if they fit:

header A_SPF_PASS eval:check_authres_result('spf', 'pass')
score A_SPF_PASS 0.001

header A_SPF_FAIL eval:check_authres_result('spf', 'fail')
score A_SPF_FAIL 0.1

header A_SPF_SOFTFAIL eval:check_authres_result('spf', 'softfail')
score A_SPF_SOFTFAIL 0.1

header A_SPF_TEMPFAIL eval:check_authres_result('spf', 'tempfail')
score A_SPF_TEMPFAIL 0.1

header A_DKIM_VERIFIED eval:check_authres_result('dkim', 'pass')
score A_DKIM_VERIFIED 0.1

header A_DKIM_INVALID eval:check_authres_result('dkim', 'fail')
score A_DKIM_INVALID 0.001


However, so far spamassassin --lint produces:

Mar 1 10:40:36.659 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar 1 10:40:36.661 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar 1 10:40:36.661 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar 1 10:40:36.662 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar 1 10:40:36.663 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar 1 10:40:36.666 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.

I guess it's missing the headers, when I pasted this your mail with headers:

Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=hege.li
Authentication-Results: fantomas.fantomas.sk;
 dkim=pass (2048-bit key; unprotected) header.d=hege.li header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=B6Wp55NL;
 dkim-atps=neutral
Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
 authorized) smtp.mailfrom=spamassassin.apache.org
 (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org;
 envelope-from=users-return-126602-uhlar=fantomas.sk@spamassassin.apache.
 org; receiver=<UNKNOWN>)
Authentication-Results: fantomas.fantomas.sk; arc=none smtp.remote-ip=3.227.148.255

I only got two lines of errors:

Mar 1 10:47:17.688 [19813] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar 1 10:47:17.689 [19813] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.




--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are
Re: AuthRes plugin (replay RBL queries one hour later)
On Wed, Mar 01, 2023 at 10:50:02AM +0100, Matus UHLAR - fantomas wrote:
> > On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
> > > I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
> > >
> > > However, I don't see AuthRes plugin mention in .pre files nor in SA rules.
>
> On 01.03.23 11:28, Henrik K wrote:
> > Because it's experimental and unfinished.
>
> this is the info I was searching for :-)

Apparently any info was removed from UPGRADE too

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6918

> However, so far spamassassin --lint produces:
>
> Mar 1 10:40:36.659 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar 1 10:40:36.661 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar 1 10:40:36.661 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar 1 10:40:36.662 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar 1 10:40:36.663 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar 1 10:40:36.666 [19493] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
>
> I guess it's missing the headers, when I pasted this your mail with headers:
>
> Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=hege.li
> Authentication-Results: fantomas.fantomas.sk;
> dkim=pass (2048-bit key; unprotected) header.d=hege.li header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=B6Wp55NL;
> dkim-atps=neutral
> Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
> authorized) smtp.mailfrom=spamassassin.apache.org
> (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org;
> envelope-from=users-return-126602-uhlar=fantomas.sk@spamassassin.apache.
> org; receiver=<UNKNOWN>)
> Authentication-Results: fantomas.fantomas.sk; arc=none smtp.remote-ip=3.227.148.255
>
> I only got two lines of errors:
>
> Mar 1 10:47:17.688 [19813] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
> Mar 1 10:47:17.689 [19813] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.

Bah, I think it was tested as at least working without errors. I'll have a
look..
Re: AuthRes plugin (replay RBL queries one hour later)
On 01.03.23 11:55, Henrik K wrote:
>Bah, I think it was tested as atleast working without errors. I'll have a
>look..

yes, it's working at least partly:

Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=hege.li
Authentication-Results: fantomas.fantomas.sk;
 dkim=pass (2048-bit key; unprotected) header.d=hege.li header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E;
 dkim-atps=neutral
Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
 authorized) smtp.mailfrom=spamassassin.apache.org
 (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org;
 envelope-from=users-return-126604-uhlar=fantomas.sk@spamassassin.apache.
 org; receiver=<UNKNOWN>)
Authentication-Results: fantomas.fantomas.sk; arc=none smtp.remote-ip=3.227.148.255


X-Spam-Report:
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.0 A_SPF_PASS No description available.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.
Re: AuthRes plugin (replay RBL queries one hour later)
Matus UHLAR - fantomas skrev den 2023-03-01 09:56:

> I hope these senders expire their e-mail 1.5 hours after sending...

facebook can do it in 1.5 seconds :)

> This should be avoidable by using opendkim at SMTP time, and using
> Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules
> aren't rechecked if they are

this plugin is meant to be in core dmarc plugin not as a separate plugin
imho, that said it needs config :)

> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes
> available.

+1

> However, I don't see AuthRes plugin mention in .pre files nor in SA
> rules.

+1

> I will try to load it to see if it works.

share config if it does

(lets share trustness)
Re: AuthRes plugin (replay RBL queries one hour later)
Henrik K skrev den 2023-03-01 10:28:
> On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
>> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes
>> available.
>> However, I don't see AuthRes plugin mention in .pre files nor in SA
>> rules.
> Because it's experimental and unfinished.

logic is as well

why should spf plugin be enabled to test if arc chain pass spf ?

same problem with dkim imho

as long as forwarders insist on doing dkim sign and leave arc seal and arc
sign :/

>> I will try to load it to see if it works.
> You also need rules for it to do anything. No plugin uses it's parsing
> at
> this time.

it's as well good to define trustness in this scenario, this is more or
less bogus :)

> Try the example rules and report back if it works..
> https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html

it does not, how should dmarc plugin use this ?

dmarc only works with A-R headers imho, not internal data as in
spamassassin, okay first step first :)
Re: AuthRes plugin (replay RBL queries one hour later)
Matus UHLAR - fantomas skrev den 2023-03-01 10:50:
> Mar 1 10:47:17.689 [19813] warn: Use of uninitialized value $result
> in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm
> line 302.

spamassassin --version ?

authres was in 3.4.6 as well, which is why i ask

authres in 4.0.0 does imho not make that error
Re: AuthRes plugin (replay RBL queries one hour later)
>Matus UHLAR - fantomas skrev den 2023-03-01 09:56:
>>I hope these senders expire their e-mail 1.5 hours after sending...

On 01.03.23 13:35, Benny Pedersen wrote:
>facebook can do it in 1.5 sekunds :)

so, if your mail doesn't get delivered within 1.5 seconds and the DKIM
signature expires on the fly, the mail gets dropped from mail server?

>>This should be avoidable by using opendkim at SMTP time, and using
>>Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules
>>aren't rechecked if they are
>
>this plugin is ment to be in core dmarc plugin not as a seperate
>plugin imho, that sayed it need config :)

It should be stable first.

Yes, it should be the core - Mail::SpamAssassin::Plugin::SPF already uses
Authentication-Results: header if it exists.

SPF, DKIM and DMARC headers should use results of Authentication-Results:
headers (optionally?) only if they produce positive result.

Forced revalidation should be possible, although I have no idea how to
implement it.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.
Re: AuthRes plugin (replay RBL queries one hour later)
Matus UHLAR - fantomas skrev den 2023-03-01 15:40:

> so, if your mail doesn't get delivered within 1.5 seconds and the DKIM
> signature expires on the fly, the mail gets dropped from mail server?

no, aligned spf pass from facebook, and even on unaligned i do not
reject dkim fails, this is a job for dmarc

>> this plugin is ment to be in core dmarc plugin not as a seperate
>> plugin imho, that sayed it need config :)
> It should be stable first.

+1, it can't be since it's only locally trustness first

> Yes, it should be the core - Mail::SpamAssassin::Plugin::SPF already
> uses Authentication-Results: header if it exists.

double checking arc spf then ?

i have not checked perlcode yet

> SPF, DKIM and DMARC headers should use results of
> Authentication-Results:
> headers (optionally?) only if they produce positive result.

i only wish arc plugin would be in dmarc core so the extra plugin is not
needed

that fits for how arc using should be

authres is only if you would forward mails to another final dmarc
testing

> Forced revalidation should be possible, although I have no idea how to
> implement it.

+1
Re: AuthRes plugin (replay RBL queries one hour later)
>On 01.03.23 11:55, Henrik K wrote:
>>Bah, I think it was tested as atleast working without errors. I'll have a
>>look..

On 01.03.23 11:04, Matus UHLAR - fantomas wrote:
>yes, it's working at least partly:
>
>Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=hege.li
>Authentication-Results: fantomas.fantomas.sk;
> dkim=pass (2048-bit key; unprotected) header.d=hege.li header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E;
> dkim-atps=neutral
>Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF
> authorized) smtp.mailfrom=spamassassin.apache.org
> (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org;
> envelope-from=users-return-126604-uhlar=fantomas.sk@spamassassin.apache.
> org; receiver=<UNKNOWN>)
>Authentication-Results: fantomas.fantomas.sk; arc=none smtp.remote-ip=3.227.148.255

Mar 1 16:32:54.213 [30815] dbg: authres: parsing Authentication-Results: fantomas.fantomas.sk; dmarc=none (p=none dis=none) header.from=hege.li
Mar 1 16:32:54.214 [30815] dbg: authres: parsing Authentication-Results: fantomas.fantomas.sk; dkim=pass (2048-bit key; unprotected) header.d=hege.li header.i=@hege.li header.a=rsa-sha256 header.s=hege2 header.b=sWtnWE1E; dkim-atps=neutral
Mar 1 16:32:54.214 [30815] dbg: authres: skipping header, unknown property for header: a
Mar 1 16:32:54.214 [30815] dbg: authres: parsing Authentication-Results: fantomas.fantomas.sk; spf=pass (sender SPF authorized) smtp.mailfrom=spamassassin.apache.org (client-ip=3.227.148.255; helo=mxout1-ec2-va.apache.org; envelope-from=users-return-126604-uhlar=fantomas.sk@spamassassin.apache. org; receiver=<UNKNOWN>)
Mar 1 16:32:54.214 [30815] dbg: authres: parsing Authentication-Results: fantomas.fantomas.sk; arc=none smtp.remote-ip=3.227.148.255
Mar 1 16:32:54.214 [30815] dbg: authres: skipping header, unknown method: arc
Mar 1 16:32:54.214 [30815] dbg: authres: results: dmarc=none spf=pass
Mar 1 16:32:55.618 [30815] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.
Mar 1 16:32:55.618 [30815] warn: Use of uninitialized value $result in string eq at /usr/share/perl5/Mail/SpamAssassin/Plugin/AuthRes.pm line 302.

after editing headers I see that errors are caused by

1. "header.a=rsa-sha256" and "header.s=hege2" options in
Authentication-Results: for dkim where "a" contains algorithm and "s" the
used selector.

2. unknown "arc" Authentication-Results: header

removing mentioned fields in the first header caused one less error message
and A_DKIM_VERIFIED hit.

removing second header removed error messages completely


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton
Re: AuthRes plugin (replay RBL queries one hour later)
>Matus UHLAR - fantomas skrev den 2023-03-01 15:40:
>>so, if your mail doesn't get delivered within 1.5 seconds and the DKIM
>>signature expires on the fly, the mail gets dropped from mail server?

On 01.03.23 16:33, Benny Pedersen wrote:
>no, aligned spf pass from facebook, and even on unaligned i do not
>reject dkim fails, this is a job for dmarc

I was asking about outgoing mail being removed from the queue after their
DKIM signature expires.

I would not expect anyone to use DKIM expiration shorter than queue lifetime
of mail.

>>Yes, it should be the core - Mail::SpamAssassin::Plugin::SPF already
>>uses Authentication-Results: header if it exists.
>
>double checking arc spf then ?
>i have not checked perlcode yet

?

>>SPF, DKIM and DMARC headers should use results of
>>Authentication-Results:
>>headers (optionally?) only if they produce positive result.
>
>i only wish arc plugin would be in dmarc core so the extra plugin is
>not needed
>
>that fits for how arc using should be

trusting ARC requires configuring server to trust ARC authority.
So it's of little use usually.

>authres is only if you would forward mails to another finaly dmarc
>testing

authres is great, if you validate mail before you scan for spamminess.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer
Re: AuthRes plugin (replay RBL queries one hour later)
On Wed, Mar 01, 2023 at 04:46:27PM +0100, Matus UHLAR - fantomas wrote:
>
> 1. "header.a=rsa-sha256" and "header.s=hege2" options in
> Authentication-Results: for dkim where "a" contains algorithm and "s" the
> used selector.
>
> 2. unknown "arc" Authentication-Results: header
>
> removing mentioned fields in the first header caused one less error message
> and A_DKIM_VERIFIED hit.
>
> removing second header removed error messages completely

Fixed these in trunk..
Re: AuthRes plugin (replay RBL queries one hour later)
On 3/1/23 14:30, Benny Pedersen wrote:
> Henrik K skrev den 2023-03-01 10:28:
>> On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
>>> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
>>> However, I don't see AuthRes plugin mention in .pre files nor in SA rules.
>> Because it's experimental and unfinished.
>
> logic is aswell
>
> why should spf pluging be enabled to test if arc chain pass spf ?
>
> same problem with dkim imho
>
> aslong forwarders insists on doing dkim sign and leave arc seal and arc sign :/
>
I have wip code to check if dkim passes from arc signatures and integrate it into DMARC policies checks.
Authres plugin is needed to parse Arc signatures and pass the results to DMARC plugin.

Giovanni

>>> I will try to load it to see if it works.
>> You also need rules for it to do anything.  No plugin uses it's parsing at
>> this time.
>
> its aswell good to define trustness in this senario, this is more or less bogos :)
>
>> Try the example rules and report back if it works..
>> https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Plugin_AuthRes.html
>
> it does not, how should dmarc plugin use this ?
>
> dmarc only works with A-R headers imho, not internal data as in spamassassin, okay first step first :)
Re: AuthRes plugin (replay RBL queries one hour later)
>>>On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
>>>>I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
>>>>However, I don't see AuthRes plugin mention in .pre files nor in SA rules.

>>Henrik K skrev den 2023-03-01 10:28:
>>>Because it's experimental and unfinished.

>On 3/1/23 14:30, Benny Pedersen wrote:
>>logic is aswell
>>
>>why should spf pluging be enabled to test if arc chain pass spf ?

>>same problem with dkim imho
>>
>>aslong forwarders insists on doing dkim sign and leave arc seal and arc sign :/

On 02.03.23 10:04, giovanni@paclan.it wrote:
>I have wip code to check if dkim passes from arc signatures and integrate it into DMARC policies checks.
>Authres plugin is needed to parse Arc signatures and pass the results to DMARC plugin.

Authres plugin should only parse Authentication-Results: headers, not
signatures themselves.

other plugins should be able to use data provided by this plugin.



--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
Re: AuthRes plugin (replay RBL queries one hour later)
giovanni@paclan.it skrev den 2023-03-02 10:04:
> On 3/1/23 14:30, Benny Pedersen wrote:
>> Henrik K skrev den 2023-03-01 10:28:
>>> On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas
>>> wrote:
>>>> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes
>>>> available.
>>>> However, I don't see AuthRes plugin mention in .pre files nor in SA
>>>> rules.
>>> Because it's experimental and unfinished.
>>
>> logic is aswell
>>
>> why should spf pluging be enabled to test if arc chain pass spf ?
>>
>> same problem with dkim imho
>>
>> aslong forwarders insists on doing dkim sign and leave arc seal and
>> arc sign :/
>>
> I have wip code to check if dkim passes from arc signatures and
> integrate it into DMARC policies checks.

how ?, this code works without authres enabled as i see it

Return-Path: <dovecot-bounces@dovecot.org>
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on localhost.junc.eu
X-Spam-Level:
X-Spam-Status: No, score=-2.8 required=5.0 tests=ARC_SIGNED,ARC_VALID,AWL,
    DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,
    HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
    RCVD_IN_MSPIKE_H2,RELAYCOUNTRY_BAD,RELAYCOUNTRY_GREY,SPF_HELO_PASS,
    SPF_PASS,UNPARSEABLE_RELAY autolearn=no autolearn_force=no
    version=4.0.0
X-Spam-Timing: total 1713 ms - parse: 1.94 (0.1%), b_tie_ro: 4.4 (0.3%),
    extract_message_metadata: 41 (2.4%), tests_pri_-10000: 7 (0.4%),
    compile_gen: 292 (17.1%), get_uri_detail_list: 3.4 (0.2%),
    tests_pri_-2000: 2.0 (0.1%), compile_eval: 27 (1.6%), tests_pri_-1000:
    1.77 (0.1%), tests_pri_-950: 1.21 (0.1%), tests_pri_-900: 1.29 (0.1%),
    tests_pri_-100: 892 (52.1%), dkim_load_modules: 34 (2.0%),
    check_dkim_signature: 540 (31.5%), poll_dns_idle: 827 (48.3%),
    check_spf: 64 (3.7%), tests_pri_-90: 1.41 (0.1%), tests_pri_0: 443
    (25.9%), tests_pri_500: 2.1 (0.1%), tests_pri_1000: 12 (0.7%),
    total_awl: 10 (0.6%), check_awl: 1.95 (0.1%), update_awl: 1.92 (0.1%),
    rewrite_mail: 0.00 (0.0%)

Content analysis details:   (-2.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [94.237.105.223 listed in wl.mailspike.net]
-2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
                            medium trust
                            [94.237.105.223 listed in list.dnswl.org]
-0.1 SPF_PASS               SPF: sender matches SPF record
-0.1 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 ARC_SIGNED             Message has a ARC signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 ARC_VALID              Message has a valid ARC signature
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                            domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 RELAYCOUNTRY_GREY      Relayed through at some point
 1.5 RELAYCOUNTRY_BAD       Relayed through at some point
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
-2.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                            manager
-0.1 DMARC_PASS             DMARC pass policy
 0.0 AWL                    AWL: From: address is in the auto welcome-list

> Authres plugin is needed to parse Arc signatures and pass the results
> to DMARC plugin.

yes the magic can be done in dmarc where it belongs

authres is imho only for trusted arc signers, not for testing ARC_VALID
or ARC_SIGNED

confirm it ?, the rules for authres does not work for me, but it seem it
does for others ?, why ?
Re: AuthRes plugin (replay RBL queries one hour later)
On 3/2/23 11:50, Matus UHLAR - fantomas wrote:
>>>> On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
>>>>> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
>>>>> However, I don't see AuthRes plugin mention in .pre files nor in SA rules.
>
>>> Henrik K skrev den 2023-03-01 10:28:
>>>> Because it's experimental and unfinished.
>
>> On 3/1/23 14:30, Benny Pedersen wrote:
>>> logic is aswell
>>>
>>> why should spf pluging be enabled to test if arc chain pass spf ?
>
>>> same problem with dkim imho
>>>
>>> aslong forwarders insists on doing dkim sign and leave arc seal and arc sign :/
>
> On 02.03.23 10:04, giovanni@paclan.it wrote:
>> I have wip code to check if dkim passes from arc signatures and integrate it into DMARC policies checks.
>> Authres plugin is needed to parse Arc signatures and pass the results to DMARC plugin.
>
> Authres plugin should only parse Authentication-Results: headers, not signatures themselves.
>
I mean ARC-Authentication-Results headers, signatures are checked by DKIM.pm.

> other plugins should be able to use data provided by this plugin.
>
this is still WIP code.
Re: AuthRes plugin (replay RBL queries one hour later)
On 3/2/23 12:49, Benny Pedersen wrote:
> giovanni@paclan.it skrev den 2023-03-02 10:04:
>> On 3/1/23 14:30, Benny Pedersen wrote:
>>> Henrik K skrev den 2023-03-01 10:28:
>>>> On Wed, Mar 01, 2023 at 09:56:56AM +0100, Matus UHLAR - fantomas wrote:
>>>>> I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
>>>>> However, I don't see AuthRes plugin mention in .pre files nor in SA rules.
>>>> Because it's experimental and unfinished.
>>>
>>> logic is aswell
>>>
>>> why should spf pluging be enabled to test if arc chain pass spf ?
>>>
>>> same problem with dkim imho
>>>
>>> aslong forwarders insists on doing dkim sign and leave arc seal and arc sign :/
>>>
>> I have wip code to check if dkim passes from arc signatures and
>> integrate it into DMARC policies checks.
>
> how ?, this code works without authres enabled as i see it
>
if DKIM fails but ARC passes DMARC policy could be overridden, this part doesn't work.
In your case DMARC would pass even without ARC because DKIM is valid.



> Return-Path: <dovecot-bounces@dovecot.org>
> X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on localhost.junc.eu
> X-Spam-Level:
> X-Spam-Status: No, score=-2.8 required=5.0 tests=ARC_SIGNED,ARC_VALID,AWL,
>     DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,
>     HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,
>     RCVD_IN_MSPIKE_H2,RELAYCOUNTRY_BAD,RELAYCOUNTRY_GREY,SPF_HELO_PASS,
>     SPF_PASS,UNPARSEABLE_RELAY autolearn=no autolearn_force=no
>     version=4.0.0
> X-Spam-Timing: total 1713 ms - parse: 1.94 (0.1%), b_tie_ro: 4.4 (0.3%),
>     extract_message_metadata: 41 (2.4%), tests_pri_-10000: 7 (0.4%),
>     compile_gen: 292 (17.1%), get_uri_detail_list: 3.4 (0.2%),
>     tests_pri_-2000: 2.0 (0.1%), compile_eval: 27 (1.6%), tests_pri_-1000:
>     1.77 (0.1%), tests_pri_-950: 1.21 (0.1%), tests_pri_-900: 1.29 (0.1%),
>     tests_pri_-100: 892 (52.1%), dkim_load_modules: 34 (2.0%),
>     check_dkim_signature: 540 (31.5%), poll_dns_idle: 827 (48.3%),
>     check_spf: 64 (3.7%), tests_pri_-90: 1.41 (0.1%), tests_pri_0: 443
>     (25.9%), tests_pri_500: 2.1 (0.1%), tests_pri_1000: 12 (0.7%),
>     total_awl: 10 (0.6%), check_awl: 1.95 (0.1%), update_awl: 1.92 (0.1%),
>     rewrite_mail: 0.00 (0.0%)
>
> Content analysis details:   (-2.8 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
>                             [94.237.105.223 listed in wl.mailspike.net]
> -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
>                             medium trust
>                             [94.237.105.223 listed in list.dnswl.org]
> -0.1 SPF_PASS               SPF: sender matches SPF record
> -0.1 SPF_HELO_PASS          SPF: HELO matches SPF record
>  0.0 ARC_SIGNED             Message has a ARC signature
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
>  0.0 ARC_VALID              Message has a valid ARC signature
> -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
>                             domain
> -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
>  0.1 RELAYCOUNTRY_GREY      Relayed through at some point
>  1.5 RELAYCOUNTRY_BAD       Relayed through at some point
>  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
>                             domains are different
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
> -2.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
>                             manager
> -0.1 DMARC_PASS             DMARC pass policy
>  0.0 AWL                    AWL: From: address is in the auto welcome-list
>
>> Authres plugin is needed to parse Arc signatures and pass the results
>> to DMARC plugin.
>
> yes the magic can be done in dmarc where it belongs
>
> authres is imho only for trusted arc signers, not for testing ARC_VALID or ARC_SIGNED
>
> confirm it ?, the rules for authres does not work for me, but it seem it does for others ?, why ?
Re: AuthRes plugin (replay RBL queries one hour later)
Matus UHLAR - fantomas skrev den 2023-03-02 11:50:

> Authres plugin should only parse Authentication-Results: headers, not
> signatures themselves.
>
> other plugins should be able to use data provided by this plugin.

+1 funny you provided an eval that worked ? :)

have you seen ARC_VALID or ARC_SIGNED yet ?

imho dmarc in spamassassin is already doing things right, but authres
should maybe just be documented when to use it

it is already used in perlcode in dmarc, without any eval calls

previous mail i posted is without authres enabled
Re: AuthRes plugin (replay RBL queries one hour later)
giovanni@paclan.it skrev den 2023-03-02 12:53:

>> how ?, this code works without authres enabled as i see it

> if DKIM fails but ARC passes DMARC policy could be overriden, this
> part doesn't work.

ah okay got it

eval should not be done in dkim but moved to authres so, and results
metadata used in dmarc plugin

> In your case DMARC would pass even without ARC because DKIM is valid.

correct, there are just many corner cases yet to test

your spamassassin channel for rules does btw not lint, please see why
when only check.pm is loaded

and that rule that does not lint is already tested in spamassassin core
rules, so that code is just tested one more time without any new results
:/
Re: AuthRes plugin (replay RBL queries one hour later)
>Matus UHLAR - fantomas skrev den 2023-03-02 11:50:
>>Authres plugin should only parse Authentication-Results: headers, not
>>signatures themselves.
>>
>>other plugins should be able to use data provided by this plugin.

On 02.03.23 12:55, Benny Pedersen wrote:
>+1 funny you provided an eval that worked ? :)
>
>have you seen ARC_VALID or ARC_SIGNED yet ?

many. I just still don't think we should trust ARC headers by default
(someone has signed headers, but that does not mean that someone is
trustful).

if ARC signer is trusted and the signature is correct, the status can be
extracted from ARC-Authentication-Results:

Further modules can use that to e.g. allowlist sender even if the DKIM
fails

Authentication-Results: fantomas.fantomas.sk; arc=pass smtp.remote-ip=52.100.19.99 arc.chain=microsoft.com
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=pern.onmicrosoft.com; dmarc=pass action=none
 header.from=gcwus.edu.pk; dkim=pass header.d=gcwus.edu.pk; arc=none


Here, if I trust "fantomas.fantomas.sk" authentication header (configurable
in AuthRes) and I trust signer microsoft.com, I will believe that the
message passed DMARC and SPF for pern.onmicrosoft.com.

However, if there was other random ARC signer, faking positive results of
spf/dkim/dmarc results, we should not believe the ARC signature

... and this message can still be spam (it is).


>imho dmarc in spamassassin is already doing things right, but authres
>should maybe just be dokumented when to use it

it's the DKIM module that validates ARC headers in SA.
While the functionality is similar to DKIM,

>it already used in perlcode in dmarc, without any eval calls
>
>previous mail i posted is without authres enabled

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
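
The trust rule described in the message above (believe only the local authserv-id, and believe ARC-Authentication-Results only when that local header reports arc=pass for a trusted sealer), as an added Python example that is not the AuthRes plugin's code and not part of the original posts. The parser also keeps the header.a, header.s and arc entries that were diagnosed earlier in the thread instead of failing on them. It does no cryptographic ARC validation itself, the function names are hypothetical, and the mx.untrusted.example header is constructed; the other sample headers are the ones quoted in the thread.

```python
import re


def strip_comments(text):
    """Drop RFC 5322 (comments); they may nest and may contain ';'."""
    out, depth = [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_authres(value):
    """Parse one (ARC-)Authentication-Results value.

    Returns (authserv_id, [(method, result, {property: value}), ...]).
    Unknown methods and properties are kept, not treated as errors.
    Simplification: quoted-strings and backslash escapes are not handled.
    """
    text = strip_comments(re.sub(r"\r?\n[ \t]*", " ", value))
    parts = [p.strip() for p in text.split(";")]
    if parts and parts[0].lower().startswith("i="):    # ARC instance tag
        parts.pop(0)
    head = parts[0].split() if parts and parts[0] else []
    authserv_id = head[0].lower() if head else ""
    results = []
    for info in parts[1:]:
        tokens = info.split()
        if not tokens or "=" not in tokens[0]:
            continue                                    # "none" or empty
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results


def arc_chain_trusted(local_results, trusted_arc_signers):
    """True if a trusted local header reports arc=pass for trusted sealers only."""
    for method, result, props in local_results:
        if method == "arc" and result == "pass":
            # Assumption: several sealers would be ':'-separated; the
            # thread's sample shows a single domain.
            chain = [d for d in props.get("arc.chain", "").lower().split(":") if d]
            if chain and all(d in trusted_arc_signers for d in chain):
                return True
    return False


def accepted_results(headers, trusted_authserv, trusted_arc_signers):
    """Filter (name, value) header pairs down to the results we may rely on."""
    local, upstream = [], []
    for name, value in headers:
        authserv_id, results = parse_authres(value)
        kind = name.lower()
        if kind == "authentication-results" and authserv_id in trusted_authserv:
            local.extend(results)
        elif kind == "arc-authentication-results":
            upstream.extend(results)
    if not arc_chain_trusted(local, trusted_arc_signers):
        upstream = []               # upstream claims without a trusted chain
    return {"local": local, "upstream": upstream}


# Header value quoted earlier in the thread (comment contains ';').
DKIM_HEADER = (
    "fantomas.fantomas.sk;\n dkim=pass (2048-bit key; unprotected) "
    "header.d=hege.li header.i=@hege.li header.a=rsa-sha256 header.s=hege2 "
    "header.b=sWtnWE1E;\n dkim-atps=neutral"
)
# The two headers from the message above, plus one constructed header
# written by a host that is not our own authserv-id.
ARC_MESSAGE = [
    ("Authentication-Results",
     "fantomas.fantomas.sk; arc=pass smtp.remote-ip=52.100.19.99 "
     "arc.chain=microsoft.com"),
    ("ARC-Authentication-Results",
     "i=1; mx.microsoft.com 1; spf=pass\n smtp.mailfrom=pern.onmicrosoft.com;"
     " dmarc=pass action=none\n header.from=gcwus.edu.pk;"
     " dkim=pass header.d=gcwus.edu.pk; arc=none"),
    ("Authentication-Results",
     "mx.untrusted.example; dkim=pass header.d=gcwus.edu.pk"),  # constructed
]

if __name__ == "__main__":
    print(parse_authres(DKIM_HEADER))
    print(accepted_results(ARC_MESSAGE, {"fantomas.fantomas.sk"}, {"microsoft.com"}))
```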