DMARC and ARC in the default configuration?
Hello,

it's a few days to 2019 and the default, non-experimental configuration
options for Exim are still w/o SPF, DMARC or ARC (can of worms if I ever
saw one) for that matter.

Given that this ML is clearly run by an Exim build that has all of these
enabled, the question is, why?

DKIM is in there, but of very limited utility by itself at this point in
time.

No DMARC to be had via SpamAssassin either, so that easy way out isn't
present as well.

And I don't see the Debian maintainers turning these things on even in the
exim-daemon-heavy package either while they're "EXPERIMENTAL".

Aside from being lazy the usual answer of "compile it yourself" means
potentially critical delays when it comes to security updates, so I'm
asking what's stopping these things from becoming non-experimental?

If nothing else, more exposure by being easily accessible/configurable
will help polish these features.

Note that I'm no fan of any of the above schemes, but that lemmings train
seems to have come and gone.

Regards,

Christian
--
Christian Balzer Network/Systems Engineer
chibi@gol.com Rakuten Communications

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: DMARC and ARC in the default configuration?
On Thu, 27 Dec 2018 at 11:53, Christian Balzer via Exim-users <
exim-users@exim.org> wrote:

>
> Hello,
>
> it's a few days to 2019 and the default, non-experimental configuration
> options for Exim are still w/o SPF, DMARC or ARC (can of worms if I ever
> saw one) for that matter.
>
> Given that this ML is clearly run by an Exim build that has all of these
> enabled, the question is, why?
>
> DKIM is in there, but of very limited utility by itself at this point in
> time.
>
> No DMARC to be had via SpamAssassin either, so that easy way out isn't
> present as well.
>
> And I don't see the Debian maintainers turning these things on even in the
> exim-daemon-heavy package either while they're "EXPERIMENTAL".
>
> Aside from being lazy the usual answer of "compile it yourself" means
> potentially critical delays when it comes to security updates, so I'm
> asking what's stopping these things from becoming non-experimental?
>
> If nothing else, more exposure by being easily accessible/configurable
> will help polish these features.
>
> Note that I'm no fan of any of the above schemes, but that lemmings train
> seems to have come and gone.
>
> Regards,
>
> Christian
> --
> Christian Balzer Network/Systems Engineer
> chibi@gol.com Rakuten Communications


I believe that configuring DKIM signing is pretty standard. There can be a
configuration in the default configure, but it will remain just an example,
and un-activated because of the process required in generating the keys and
the DNS records creation.
The same can be said about DMARC. The packagers for the different platforms
could do this, but they are NOT gonna do it - because it's up to the Mail
Server Admin to do that.
DKIM+SPF+DMARC are not BASIC requirements for mail delivery. They are ways
to ensure "safe" mail delivery. I think of them as advanced methods of
ensuring the Internet is clean from spam, so they are actually addons for
mitigating spam.
It's the same way the default configuration does not include any bits to
use spamassassin/rspamd to fight counter spam - because the external
software requires work by the MailAdmin, work which is out of the scope of
Exim itself.



Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
Re: DMARC and ARC in the default configuration?
On 27/12/2018 08:42, Christian Balzer via Exim-users wrote:
> Given that this ML is clearly run by an Exim build that has all of these
> enabled, the question is, why?

> Aside from being lazy the usual answer of "compile it yourself" means
> potentially critical delays when it comes to security updates, so I'm
> asking what's stopping these things from becoming non-experimental?

Experience in operational deployments, testsuite coverage, and
developers willing to run, monitor and maintain buildfarm systems
with those features enabled.

Please volunteer, if you want your favourite $feature to be supported.
--
Cheers,
Jeremy

Re: DMARC and ARC in the default configuration?
> On 27 Dec 2018 at 10:36, Odhiambo Washington via Exim-users <exim-users@exim.org> wrote:
>
>
> I believe that configuring DKIM signing is pretty standard. There can be a
> configuration in the default configure, but it will remain just an example,
> and un-activated
> because of the process required in generating the keys and the DNS records
> creation.
> The same can be said about DMARC. The packagers for the different platforms
> could do this, but they are NOT gonna do it - because it's up to the Mail
> Server Admin to do that.
> DKIM+SPF+DMARC are not BASIC requirements for mail delivery. They are ways
> to ensure "safe" mail delivery. I think of them as advanced methods of
> ensuring the Internet is clean from spam, so they are actually addons for
> mitigating spam.

These do not mitigate spam.

They mitigate sender address fraud.

There’s TONS of spam from DMARC verified signed sources. Google. Yahoo. As well as a bazillion custom domain names created over the past years.

Please don’t perpetuate the pretense that this is about spam.


Cheers,
Jan
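
The distinction drawn in the message above, as an added example that is not part of the thread and not Exim's code: a DMARC verdict depends only on whether an SPF- or DKIM-authenticated domain aligns with the From: domain (RFC 7489, section 3.1), so mail sent from a sender's own correctly configured domain passes whatever its content. The suffix set and the sample messages are constructed, and policy lookup (p=, pct=) is left out.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# Constructed stand-in for the Public Suffix List; a real evaluator loads the full list.
PUBLIC_SUFFIXES = {"example", "com", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume a one-label TLD

def aligned(from_domain, auth_domain, strict=False):
    """Strict mode needs an exact match; relaxed mode compares organizational domains."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(msg, aspf="r", adkim="r"):
    """Pass if SPF or any DKIM signature both verified and aligns with From:."""
    frm = msg["from_domain"]
    spf_res, spf_dom = msg["spf"]
    spf_ok = spf_res == "pass" and aligned(frm, spf_dom, aspf == "s")
    dkim_ok = any(res == "pass" and aligned(frm, d, adkim == "s")
                  for res, d in msg["dkim"])
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed inputs: (result, domain) pairs as an SPF/DKIM verifier would report them.
# Bulk mail from the sender's own, correctly set up domain: authenticated and aligned.
SPAM_FROM_OWN_DOMAIN = {"from_domain": "bulk-offers.example",
                        "spf": ("pass", "bounce.bulk-offers.example"),
                        "dkim": [("pass", "bulk-offers.example")]}
# Forged From: SPF and DKIM pass, but only for the real sender's unrelated domain.
SPOOFED_FROM = {"from_domain": "bank.example",
                "spf": ("pass", "bulk-offers.example"),
                "dkim": [("pass", "bulk-offers.example")]}
# Legitimate subdomain sender signed by the parent domain, with SPF failing.
SUBDOMAIN_SENDER = {"from_domain": "news.bank.example",
                    "spf": ("fail", "bank.example"),
                    "dkim": [("pass", "bank.example")]}

if __name__ == "__main__":
    for name, msg in [("spam, own domain", SPAM_FROM_OWN_DOMAIN),
                      ("forged From", SPOOFED_FROM),
                      ("subdomain, relaxed", SUBDOMAIN_SENDER)]:
        print(name, "->", dmarc_result(msg))
    print("subdomain, adkim=s ->", dmarc_result(SUBDOMAIN_SENDER, adkim="s"))
```
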
Re: DMARC and ARC in the default configuration?
On Thu, Dec 27, 2018, 15:21 Jan Ingvoldstad <frettled@gmail.com> wrote:

>
> > On 27 Dec 2018 at 10:36, Odhiambo Washington via Exim-users <exim-users@exim.org> wrote:
> >
> >
> > I believe that configuring DKIM signing is pretty standard. There can be a
> > configuration in the default configure, but it will remain just an example,
> > and un-activated
> > because of the process required in generating the keys and the DNS records
> > creation.
> > The same can be said about DMARC. The packagers for the different platforms
> > could do this, but they are NOT gonna do it - because it's up to the Mail
> > Server Admin to do that.
> > DKIM+SPF+DMARC are not BASIC requirements for mail delivery. They are ways
> > to ensure "safe" mail delivery. I think of them as advanced methods of
> > ensuring the Internet is clean from spam, so they are actually addons for
> > mitigating spam.
>
> These do not mitigate spam.
>
> They mitigate sender address fraud.
>
> There’s TONS of spam from DMARC verified signed sources. Google. Yahoo.
> As well as a bazillion custom domain names created over the past years.
>
> Please don’t perpetuate the pretense that this is about spam.
>
> —
> Cheers,
> Jan


Thank you for the clarification.
Re: DMARC and ARC in the default configuration?
On Thu, 27 Dec 2018 11:06:59 -0500 John C Klensin wrote:

> --On Thursday, December 27, 2018 13:21 +0100 Jan Ingvoldstad via
> Exim-users <exim-users@exim.org> wrote:
>
> >> They are ways
> >> to ensure "safe" mail delivery. I think of them as advanced
> >> methods of ensuring the Internet is clean from spam, so they
> >> are actually addons for mitigating spam.
> >
> > These do not mitigate spam.
> >
> > They mitigate sender address fraud.
> >
> > There's TONS of spam from DMARC verified signed sources.
> > Google. Yahoo. As well as a bazillion custom domain names
> > created over the past years.
> >
> > Please don't perpetuate the pretense that this is about spam.
>
> Exactly.
>
> Also one more thing that should be added to the "why
> experimental now" list: DMARC is rather seriously defective in
> a number of ways and it is not clear that propagating its
> increased use is in anyone's best interests other than,
> possibly, those very large email providers who foisted it on the
> community (none of whom, AFAIK, are running Exim). ARC should
> be better although how much better is still unclear. But its
> specifications are still a bit unstable and the one in the
> publication queue (and going nowhere fast due to reference
> dependencies) is formally experimental. That all translates
> into features with bleeding-edge specs almost certainly should
> require some serious effort to turn on in Exim.
>

While I 200% agree with the statement above in regards to all the
sentiments about the questionable nature/utility and in particular the
ham-fisted approach with which this was foisted upon us, the head in the
sand approach isn't the way forward either.

Especially for those of us whose job it is to supply/support large scale
mail systems.

As for Jeremy, I'll probably go and do the operational deployment at least
on some secondary MXs, but can't help with the buildfarm bits.

Regards,

Christian
--
Christian Balzer Network/Systems Engineer
chibi@gol.com Rakuten Communications
