lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250327094502.6ae56227@canb.auug.org.au>
Date: Thu, 27 Mar 2025 09:45:02 +1100
From: Stephen Rothwell <sfr@...b.auug.org.au>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Steven Rostedt <rostedt@...dmis.org>, Steven Rostedt
 <rostedt@...nel.org>, Catalin Marinas <catalin.marinas@....com>, Will
 Deacon <will@...nel.org>, linux-arm-kernel@...ts.infradead.org,
 linux-kernel@...r.kernel.org, Konstantin Ryabitsev <mricon@...nel.org>
Subject: Re: [GIT PULL] arm64 updates 6.15-rc1

Hi Linus,

On Wed, 26 Mar 2025 10:25:22 -0700 Linus Torvalds <torvalds@...ux-foundation.org> wrote:
>
> On Wed, 26 Mar 2025 at 10:11, Steven Rostedt <rostedt@...dmis.org> wrote:
> >
> > So it definitely goes through kernel.org.
> >
> > But it has no DKIM headers.  
> 
> Funky.
> 
> There's definitely something strange going on, because your *previous*
> email to me did have the DKIM signature:
> 
>   Received: by smtp.kernel.org (Postfix) with ESMTPSA id DF624C4CEE2...
>   DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;[..]
>   [...]
>   Date: Wed, 26 Mar 2025 12:40:25 -0400
>   Subject: Re: [GIT PULL] arm64 updates 6.15-rc1
>   Message-ID: <20250326124025.1966bf8a@...dalf.local.home>
> 
> and gmail was explicitly happy with it:
> 
>   ARC-Authentication-Results: i=1; mx.google.com;
>        dkim=pass [...]
> 
> but then this later one didn't:
> 
>   Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4CDA5C4CEE2...
>   [...]
>   Date: Wed, 26 Mar 2025 13:12:00 -0400
>   Message-ID: <20250326131200.1c86c657@...dalf.local.home>
> 
> and for some reason gmail also didn't actually react to the lack of
> DKIM on that second one and only talks about how spf was fine.
> 
> Konstantin? Can you tell what's going on?

My understanding is this:

for normal SPF checks (i.e. not DMARC's SPF checks) the test is done on
the envelope sender and in Steve's case, goodmis.org DNS SPF record
says that anything from goodmis.org can come from the kernel.org
servers.  DMARC applies the SPF check to the From: header address.

for DKIM checks, the test is against the From: header address.  The
kernel.org servers can only sign emails that have a From header using a
kernel.org email address (or any other domain they have access to the
private DKIM keys for).  So they cannot sign emails that have a From:
header using a goodmis.org email address (presumably).

Presumably the SPF check passing is sufficient for the GMail servers.

DMARC requires that its SPF check or its DKIM check to pass.  (But
goodmis.org has no DMARC DNS record, while kernel.org does)
-- 
Cheers,
Stephen Rothwell

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ