lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 7 Jun 2022 22:30:08 +0200
From:   Jan Kara <jack@...e.cz>
To:     Yu Kuai <yukuai3@...wei.com>
Cc:     Jan Kara <jack@...e.cz>, paolo.valente@...aro.org, tj@...nel.org,
        linux-block@...r.kernel.org, cgroups@...r.kernel.org,
        linux-kernel@...r.kernel.org, yi.zhang@...wei.com,
        Jens Axboe <axboe@...nel.dk>
Subject: Re: [PATCH -next v5 0/3] support concurrent sync io for bfq on a
 specail occasion

On Tue 07-06-22 21:06:55, Yu Kuai wrote:
> 在 2022/06/07 19:51, Yu Kuai 写道:
> > 在 2022/06/07 17:54, Jan Kara 写道:
> > > On Tue 07-06-22 11:10:27, Yu Kuai wrote:
> > > > 在 2022/05/23 23:25, Jan Kara 写道:
> > > > > Hum, for me all emails from Huawei I've received even today
> > > > > fail the DKIM
> > > > > check. After some more digging there is interesting
> > > > > inconsistency in DMARC
> > > > > configuration for huawei.com domain. There is DMARC record
> > > > > for huawei.com
> > > > > like:
> > > > > 
> > > > > huawei.com.        600    IN    TXT
> > > > > "v=DMARC1;p=none;rua=mailto:dmarc@....huawei.com"
> > > > > 
> > > > > which means no DKIM is required but _dmarc.huawei.com has:
> > > > > 
> > > > > _dmarc.huawei.com.    600    IN    TXT    "v=DMARC1;p=quarantine;ruf=mailto:dmarc@...wei.com;rua=mailto:dmarc@...wei.com"
> > > > > 
> > > > > 
> > > > > which says that DKIM is required. I guess this inconsistency may be the
> > > > > reason why there are problems with DKIM validation for senders from
> > > > > huawei.com. Yu Kuai, can you perhaps take this to your IT
> > > > > support to fix
> > > > > this? Either make sure huawei.com emails get properly signed
> > > > > with DKIM or
> > > > > remove the 'quarantine' record from _dmarc.huawei.com. Thanks!
> > > > > 
> > > > >                                 Honza
> > > > > 
> > > > Hi, Jan and Jens
> > > > 
> > > > I just got response from our IT support:
> > > > 
> > > > 'fo' is not set in our dmarc configuration(default is 0), which means
> > > > SPF and DKIM verify both failed so that emails will end up in spam.
> > > > 
> > > > It right that DKIM verify is failed because there is no signed key,
> > > > however, our IT support are curious how SPF verify faild.
> > > > 
> > > > Can you guys please take a look at ip address of sender? So our IT
> > > > support can take a look if they miss it from SPF records.
> > > 
> > > So SPF is what makes me receive direct emails from you. For example
> > > on this
> > > email I can see:
> > > 
> > > Received: from frasgout.his.huawei.com (frasgout.his.huawei.com
> > >          [185.176.79.56])
> > >          (using TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256
> > > (128/128
> > >          bits))
> > >          (No client certificate requested)
> > >          by smtp-in2.suse.de (Postfix) with ESMTPS id 4LHFjN2L0dzZfj
> > >          for <jack@...e.cz>; Tue,  7 Jun 2022 03:10:32 +0000 (UTC)
> > > ...
> > > Authentication-Results: smtp-in2.suse.de;
> > >          dkim=none;
> > >          dmarc=pass (policy=quarantine) header.from=huawei.com;
> > >          spf=pass (smtp-in2.suse.de: domain of yukuai3@...wei.com
> > > designates
> > >          185.176.79.56 as permitted sender)
> > > smtp.mailfrom=yukuai3@...wei.com
> > > 
> > > So indeed frasgout.his.huawei.com is correct outgoing server which makes
> > > smtp-in2.suse.de believe the email despite missing DKIM signature.
> > > But the
> > > problem starts when you send email to a mailing list. Let me take for
> > > example your email from June 2 with Message-ID
> > > <20220602082129.2805890-1-yukuai3@...wei.com>, subject "[PATCH -next]
> > > mm/filemap: fix that first page is not mark accessed in filemap_read()".
> > > There the mailing list server forwards the email so we have:
> > > 
> > > Received: from smtp-in2.suse.de ([192.168.254.78])
> > >          (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256
> > > bits))
> > >          by dovecot-director2.suse.de with LMTPS
> > >          id 8MC5NfVvmGIPLwAApTUePA
> > >          (envelope-from <linux-fsdevel-owner@...r.kernel.org>)
> > >          for <jack@...p.suse.de>; Thu, 02 Jun 2022 08:08:21 +0000
> > > Received: from out1.vger.email (out1.vger.email
> > > [IPv6:2620:137:e000::1:20])
> > >          by smtp-in2.suse.de (Postfix) with ESMTP id 4LDJYK5bf0zZg5
> > >          for <jack@...e.cz>; Thu,  2 Jun 2022 08:08:21 +0000 (UTC)
> > > Received: (majordomo@...r.kernel.org) by vger.kernel.org via listexpand
> > >          id S232063AbiFBIIM (ORCPT <rfc822;jack@...e.cz>);
> > >          Thu, 2 Jun 2022 04:08:12 -0400
> > > Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56178 "EHLO
> > >          lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
> > >          vger.kernel.org
> > >          with ESMTP id S232062AbiFBIIL (ORCPT
> > >          <rfc822;linux-fsdevel@...r.kernel.org>);
> > >          Thu, 2 Jun 2022 04:08:11 -0400
> > > Received: from szxga02-in.huawei.com (szxga02-in.huawei.com
> > > [45.249.212.188])
> > >          by lindbergh.monkeyblade.net (Postfix) with ESMTPS id
> > >          75DDB25FE;
> > >          Thu,  2 Jun 2022 01:08:08 -0700 (PDT)
> > > 
> > > and thus smtp-in2.suse.de complains:
> > > 
> > > Authentication-Results: smtp-in2.suse.de;
> > >          dkim=none;
> > >          dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM"
> > >          header.from=huawei.com (policy=quarantine);
> > >          spf=pass (smtp-in2.suse.de: domain of
> > >          linux-fsdevel-owner@...r.kernel.org designates
> > > 2620:137:e000::1:20 as
> > >          permitted sender)
> > > smtp.mailfrom=linux-fsdevel-owner@...r.kernel.org
> > > 
> > > Because now we've got email with "From" header from huawei.com
> > > domain from
> > > a vger mail server which was forwarding it. So SPF has no chance to match
> > > (in fact SPF did pass for the Return-Path header which points to
> > > vger.kernel.org but DMARC defines that if "From" and "Return-Path" do not
> > > match, additional validation is needed - this is the "SPF not aligned
> > > (relaxed)" message above). And missing DKIM (the additional validation
> > > method) sends the email to spam.
> > 
> > Thanks a lot for your analysis, afaics, in order to fix the
> > problem, either your mail server change the configuration to set
> > alignment mode to "relaxed" instead of "strict", or our mail server
> > add correct DKIM signature for emails.
> > 
> > I'll contact with our IT support and try to add DKIM signature.
> > 
> > Thanks,
> > Kuai
> 
> Hi, Jan
> 
> Our IT support is worried that add DKIM signature will degrade
> performance, may I ask that how is your mail server configuation? policy
> is quarantine or none, and dkim signature is supportted or not.

The DMARC policy (relaxed / quarantine) is not configured on the side of
the receiving mail server but on huawei.com side. As I wrote above it is
this DMARC record in DNS of huawei.com domain that makes receiving mail
servers refuse the email without DKIM signature (if SPF does not match):

_dmarc.huawei.com.    600    IN    TXT    "v=DMARC1;p=quarantine;ruf=mailto:dmarc@...wei.com;rua=mailto:dmarc@...wei.com"

So if your IT admins do not want to introduce DKIM signatures on outgoing
email, they should set policy to 'p=none' in the DMARC DNS record to tell
that fact to receiving mail servers.

								Honza
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ