lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <9a51c7b1-ba6c-0a56-85cf-5e602b9c6ec2@huawei.com>
Date:   Tue, 7 Jun 2022 19:51:20 +0800
From:   Yu Kuai <yukuai3@...wei.com>
To:     Jan Kara <jack@...e.cz>
CC:     <paolo.valente@...aro.org>, <tj@...nel.org>,
        <linux-block@...r.kernel.org>, <cgroups@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <yi.zhang@...wei.com>,
        Jens Axboe <axboe@...nel.dk>
Subject: Re: [PATCH -next v5 0/3] support concurrent sync io for bfq on a
 specail occasion

在 2022/06/07 17:54, Jan Kara 写道:
> On Tue 07-06-22 11:10:27, Yu Kuai wrote:
>> 在 2022/05/23 23:25, Jan Kara 写道:
>>> Hum, for me all emails from Huawei I've received even today fail the DKIM
>>> check. After some more digging there is interesting inconsistency in DMARC
>>> configuration for huawei.com domain. There is DMARC record for huawei.com
>>> like:
>>>
>>> huawei.com.		600	IN	TXT	"v=DMARC1;p=none;rua=mailto:dmarc@....huawei.com"
>>>
>>> which means no DKIM is required but _dmarc.huawei.com has:
>>>
>>> _dmarc.huawei.com.	600	IN	TXT	"v=DMARC1;p=quarantine;ruf=mailto:dmarc@...wei.com;rua=mailto:dmarc@...wei.com"
>>>
>>> which says that DKIM is required. I guess this inconsistency may be the
>>> reason why there are problems with DKIM validation for senders from
>>> huawei.com. Yu Kuai, can you perhaps take this to your IT support to fix
>>> this? Either make sure huawei.com emails get properly signed with DKIM or
>>> remove the 'quarantine' record from _dmarc.huawei.com. Thanks!
>>>
>>> 								Honza
>>>
>> Hi, Jan and Jens
>>
>> I just got response from our IT support:
>>
>> 'fo' is not set in our dmarc configuration(default is 0), which means
>> SPF and DKIM verify both failed so that emails will end up in spam.
>>
>> It right that DKIM verify is failed because there is no signed key,
>> however, our IT support are curious how SPF verify faild.
>>
>> Can you guys please take a look at ip address of sender? So our IT
>> support can take a look if they miss it from SPF records.
> 
> So SPF is what makes me receive direct emails from you. For example on this
> email I can see:
> 
> Received: from frasgout.his.huawei.com (frasgout.his.huawei.com
>          [185.176.79.56])
>          (using TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 (128/128
>          bits))
>          (No client certificate requested)
>          by smtp-in2.suse.de (Postfix) with ESMTPS id 4LHFjN2L0dzZfj
>          for <jack@...e.cz>; Tue,  7 Jun 2022 03:10:32 +0000 (UTC)
> ...
> Authentication-Results: smtp-in2.suse.de;
>          dkim=none;
>          dmarc=pass (policy=quarantine) header.from=huawei.com;
>          spf=pass (smtp-in2.suse.de: domain of yukuai3@...wei.com designates
>          185.176.79.56 as permitted sender) smtp.mailfrom=yukuai3@...wei.com
> 
> So indeed frasgout.his.huawei.com is correct outgoing server which makes
> smtp-in2.suse.de believe the email despite missing DKIM signature. But the
> problem starts when you send email to a mailing list. Let me take for
> example your email from June 2 with Message-ID
> <20220602082129.2805890-1-yukuai3@...wei.com>, subject "[PATCH -next]
> mm/filemap: fix that first page is not mark accessed in filemap_read()".
> There the mailing list server forwards the email so we have:
> 
> Received: from smtp-in2.suse.de ([192.168.254.78])
>          (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
>          by dovecot-director2.suse.de with LMTPS
>          id 8MC5NfVvmGIPLwAApTUePA
>          (envelope-from <linux-fsdevel-owner@...r.kernel.org>)
>          for <jack@...p.suse.de>; Thu, 02 Jun 2022 08:08:21 +0000
> Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20])
>          by smtp-in2.suse.de (Postfix) with ESMTP id 4LDJYK5bf0zZg5
>          for <jack@...e.cz>; Thu,  2 Jun 2022 08:08:21 +0000 (UTC)
> Received: (majordomo@...r.kernel.org) by vger.kernel.org via listexpand
>          id S232063AbiFBIIM (ORCPT <rfc822;jack@...e.cz>);
>          Thu, 2 Jun 2022 04:08:12 -0400
> Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56178 "EHLO
>          lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
>          vger.kernel.org
>          with ESMTP id S232062AbiFBIIL (ORCPT
>          <rfc822;linux-fsdevel@...r.kernel.org>);
>          Thu, 2 Jun 2022 04:08:11 -0400
> Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
>          by lindbergh.monkeyblade.net (Postfix) with ESMTPS id
>          75DDB25FE;
>          Thu,  2 Jun 2022 01:08:08 -0700 (PDT)
> 
> and thus smtp-in2.suse.de complains:
> 
> Authentication-Results: smtp-in2.suse.de;
>          dkim=none;
>          dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM"
>          header.from=huawei.com (policy=quarantine);
>          spf=pass (smtp-in2.suse.de: domain of
>          linux-fsdevel-owner@...r.kernel.org designates 2620:137:e000::1:20 as
>          permitted sender) smtp.mailfrom=linux-fsdevel-owner@...r.kernel.org
> 
> Because now we've got email with "From" header from huawei.com domain from
> a vger mail server which was forwarding it. So SPF has no chance to match
> (in fact SPF did pass for the Return-Path header which points to
> vger.kernel.org but DMARC defines that if "From" and "Return-Path" do not
> match, additional validation is needed - this is the "SPF not aligned
> (relaxed)" message above). And missing DKIM (the additional validation
> method) sends the email to spam.

Thanks a lot for your analysis, afaics, in order to fix the
problem, either your mail server change the configuration to set
alignment mode to "relaxed" instead of "strict", or our mail server
add correct DKIM signature for emails.

I'll contact with our IT support and try to add DKIM signature.

Thanks,
Kuai

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ