Mailing List Manager (MLM) Transformations

v. L. Anelli 13 20122 Milano MI Italy vesely@tana.it

DMARC DKIM Mailing List MLM The widespread adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) led Mailing List Managers (MLM) to rewrite the From: header field as a workaround. This document proposes a method to revert MLM transformations, in order to restore the original From: line after reception. There are two strategies to undo From: rewriting, author-centric, whereby the signing agent takes measures for undoing, and list-centric, whereby the MLM does so. The present method uses the former strategy.

Introduction Domain-based Message Authentication, Reporting, and Conformance (DMARC) () hinges on the alignment of the domain in the From: header field with an authenticated identifier. For that reason, mailing list managers (MLMs) that transform messages, however lightly, have to rewrite From:, an operation known as From: munging or From: rewriting. Depending on the kind of mailing list, From: munging can annoy participants or not. For lists paired by web fora, for example, it is almost unnoticed. For classic discussion lists, where personal knowledge plays a role, it can become a nuisance as it hinders off-list messaging. One way to restore the end-to-end nature of the From: header field is to revert it to its original value after the message is delivered to the final subscriber's mailbox. This requires that the author domain and/ or the MLM save the original value, along with other necessary data. For security reasons, the replacement should only be done after verifying the original DKIM signature (), which can be done after reverting MLM transformation. Indeed, the other identifier, SPF () cannot be verified on forwarded messages, while replacing without verifying would be an easy attack vector. The method described here works with MLMs configured to add just a footer and/ or a subject tag to the messages that they redistribute, which is what "classic" MLMs currently do. The method requires no conferral of trust, but needs author domains to produce "robust" signatures (in the sense described in ) which several domains do, but not all. Other methods to verify signatures after transformations exist, and , which require MLMs to cooperate by annotating what transformations they carry out. Those requirements aim at getting a higher reliability. However, their implementation requires two separate actors, a MLM which records the changes and a receiver which undoes them. Synchronizing them can be hard, especially during an initial deploying period characterized by the discovery of failure cases. Having the signer save the data necessary to the verifier might seem to still involve two parties, but they are typically both implemented by the same code, which typically signs outgoing and verifies incoming messages. That way, a mail domain deploying such code can at least verify the messages that itself emitted. The present method actually originated from an attempt at implementing when, after coding was completed, a guessing part was added in order to perform tests.

Terms Definitions Signers and verifiers are defined by DKIM (). The use of the term Mailing List Manager, almost always abbreviated MLM follows . A MLM is a kind of Mediator in parlance. It is usually composed of a Message Transfer Agent (MTA) with the usual suite of tools plus the mailing list software proper and any home brewed additions. Message is defined in . It consists of a header made up of one or more fields, and a body possibly composed of various MIME entities, the latter being defined in and companions. The term original is used here to refer to the Author or parts of the Author's message as it was sent out by the author's domain, where Author is defined in and . We use colon (:) to indicate header field names, as in From:, Author: and the like. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Revertible Transformations Message modifications can affect the header and/or the body of a message. This document only considers a very limited set of transformations, described in the following subsections. They turn out to be revertible.

Header Transformations

Subject MLM MAY modify the Subject: field by inserting a tag at the beginning of its value. A tag consists of a short text delimited by square brackets. For example: This transformation is easily reverted by removing the tag. For security reasons, subject tags MUST NOT exceed 20 characters. Note that some MLMs carry out further changes to this field. For example: can be transformed to: In a cosmopolitan environment, it may be worth to save a copy of it as Original-Subject:.

From From: rewriting is necessary for DMARC. That way, the MLM domain becomes the primary identifier of a message, in the DMARC sense. It is often achieved by transforming a field like this: ]]> into one like the following: ]]> Many MLMs save the original From: in a variety of places, including Reply-To:, Cc:, X-Original-From:. When the original value is known, the transformation is revertible.

Body Transformations We only consider footer addition. It MUST be performed in one of three ways, according to the format of the original message.

Single-part plain text: When the original message is not structured, a footer can be appended at the end of the original text. See example in
Multipart added: The footer stands in its own MIME entity, which is appended as the last part of an original multipart/mixed structure. See example in
Multipart wrapped: The footer stands in the second entity of a new multipart/mixed MIME structure whose first entity consists of the original body. See example in

The footer begins with a line consisting exclusively of underscore ("_", ASCII 95) characters, at least four of them. Alternatively, a footer can consist of the three characters "-- " (dash, dash, space), the Usenet signature convention (see for example ). For security reasons, the footer MUST belong to an entity of Content-Type: text/plain in all cases. In addition, footers cannot exceed 10 lines of text, each shorter than 80 characters. If these restrictions are not met, the transformation cannot be reverted safely.

Robustness of DKIM Signatures DKIM protocol allows to configure signing very flexibly. The resulting signatures can be more or less "robust", where by that term we mean the ability to preserve verifiability through minor alterations that don't alter the semantic of the message. These signing requirements can be considered as an alternative to requiring MLMs to track the changes they perform. First and foremost, Author domains who DKIM-sign outgoing messages MUST NOT sign "technical" header fields that MLMs will change, namely:

MIME-Version:
Content-Type:
Content-Transfer-Encoding:
Resent-Date:, Resent-From:, Resent-To:, Resent-Cc:
List-Id:, List-Help:, List-Unsubscribe:, List-Subscribe:, List-Post:, List-Owner:, List-Archive:

Not signing Content-Type: implies that author domains MUST NOT use the l= signature tag, according to . Second, since MLMs may reflow header fields, DKIM signatures MUST use the "relaxed" canonicalization, at least for the header. In order to increase reliability, the original value of the signed fields SHOULD be mirrored by corresponding fields, From: copied to Author:, the other fields to an Original-*: field, that is Reply-To: copied to Original-Reply-To:, Subject: to Original-Subject: and so forth. Copying Date: is actually not necessary. Copying Reply-To:, To: and Cc: is only useful if there are multiple recipients and the MLM changes their order. Original-Subject: is necessary if it starts with a tag that can be removed when attempting to recover the original value; Original-Subject: is defined by , where similar considerations hold. As said above, author domains who DKIM-sign outgoing messages can copy the value of From: to Author:, at least when one or more recipients are MLMs. Additionally, signing the Author: field certifies that it was added at the origin. We can assume that such act denotes an interest in this experiment. Therefore, DMARC aggregate results are to be reported to the Author: domain as well, in case it differs from the received From: domain. MLM transformations are not limited to subject tag and footer. They often alter the encoding, especially for plain text messages. If the original message was encoded as quoted-printable () and the MLM converts it to base64, there is no way to recover the original text, as it is impossible to guess original soft line breaks after re-encoding. Therefore, The quoted-printable encoding MUST NOT be used for the body of single-part text/plain messages. Base64 is much more robust. However, single-part text/plain messages encoded as base64 MUST follow a constant column width of 76 characters (which is what most encoders do.) Since the verifier will try and convert base64 content to the default 7bit or 8bit, if the original encoding differs, it MUST be advertised by adding a new header field as follows: Original-*: fields with an empty value stand for non-existing counterparts. If the author domain needs to sign empty fields that MLMs may add, it is worth declaring them that way.

Outline of a Reverting Verifier This informative section describes the algorithm implemented in a mail filter . These kind of filters usually read the input message twice —first pass to verify; last pass to rewrite the message and insert Authentication-Results: (). When enabling MLM transformation reversion, there can be a retry pass in between those two. The result is yielded during the SMTP dialogue with no noticeable delay. Implementing reversion changed the software from 22730 lines of C code to 26762. The bulk of such ~18% increase is due to the addition of encoding conversion functions. Changes involve both verifying and signing functions (see for the latter). While reading the header in the first pass, the verifier looks for specific fields:

From:
Author:
Original-From:
X-Original-From:
Reply-To:
Cc:

These are candidates to the original mailbox. Note that Reply-To: and Cc: may contain multiple mailboxes; only the first one is considered. The verifier also collects the Subject: and any field named Original-* that the original signer might have set to ease the reversion. On reaching the end of the header, during the first pass, the verifier sorts the candidate original mailboxes according to the display name, which MLMs try and keep unaltered. The best candidate is then added to the collected set of Original-* fields. If the Subject: begins with a tag, its version without tag is added to that set as well, unless one was already found as Original-Subject:. Next, before reading the body, the verifier looks for prospect signatures; that is, signatures whose "d=" domain is not aligned with SPF credentials (), List-Post: (), Sender:, or the munged From: (if deemed to have been munged). If any such signature exist, along with MLM or other signatures, then the verifier enables parsing the body to look for a footer. Reversing verifiers also have to watch out for idiosyncrasies used to mask DKIM signatures. For example, a MLM introduced a header field named X-Mailman-Original-DKIM-Signature, because some receivers took the habit to downgrade messages with failed signatures, despite recommendation to consider an unauthenticated message regardless of whether or not it looks like it was signed. Body parsing is done in parallel with body canonicalization during the first pass. For multipart, track top level entities. Set transformation type to "wrapped" if there are exactly two entities, "added" otherwise. However, some lists, perhaps out of misconfiguration, insert an empty attachment before the one containing the footer. As it is unlikely that a mail client sends an empty attachment, heuristically it may be preferable to just not count it. For single-part, body parsing must avail of encoding conversions as needed. Assume identity encoding, 7bit or 8bit, unless otherwise directed by an Original-Content-Transfer-Encoding: field. At the end of the first pass, the verifier knows how prospect signatures did. Let's recall that DKIM signature verification results from two independent operations, steps 3 and 4 in . The signature in the "b=" tag depends on the header, while the body hash in the "bh=" tag depends on the body:

If the signature "b=" did not verify and the set of Original-* fields is not empty, then it is worth to try and re-canonicalize the header using the values in the set of Original-* fields.
If the body hash "bh=" did not match and a footer was found, then it is worth to try and re-canonicalize the body excluding the footer.

None, one, or both of the above operations are performed in the retry pass. On writing Authentication-Results, if a prospect signature verifies after reversion, the verifier must signal this fact. How to signal it is a question of local settings and convenience. It can consist of an apposite reason or comment in Authentication-Results:, or it can just write dmarc=pass. It can also add an Original-From: field as a signal that From: can be restored to that value, having previously removed or renamed any existing field with the same name. For example: Authentication-Results: example.com; spf=pass smtp.mailfrom=list.example; dkim=pass reason="transformed" header.d=example.org; dkim=pass (whitelisted) header.d=list.example; dmarc=pass header.from=example.org; ]]> That way, reversion elements can be easily recognized and parsed by downstream agents. It is up to the mail delivery agent (MDA) to restore the original value of From:. The DKIM verifier MUST NOT alter the message, except for adding Authentication-Results: and possibly Original-From: or another field where the filter saves the verified original value of From:. The MDA can use the presence of such field and/ or the reason of dkim=pass as a signal that From: can be restored. The MDA replaces From: just before saving the message to the mailbox, after any possible forwarding has been executed.

Security Considerations Rewriting the From: header field is a treacherous modification to messages. It fosters the belief that the display name of a mailbox is more true than the angle address. A belief further consented by the tendency to not even display the latter. Bad actors take advantage of this belief by displaying the names of trusted institutions paired with trash email addresses hidden between angle brackets. That trick defeats DMARC's purpose. It is out of this document's scope to suggest how mail user agents (MUAs) could counter phishing by highlighting security indicators (for the extent that indicators can actually help preventing phishing attacks). Let's just note that MUAs have to cope with MLMs and phishing alike, which makes it hard to devise a pattern to tell apart one from the other without getting involved with the reputation of the specific domains. By safely restoring munged From: to the original value in the MDA, that contrast is eliminated. Then, perhaps, deceptive From: lines might become amenable to some kind of efficient indication. Of course, MLM role can be played by miscreants as well. However, replaying a signed message, even with revertible transformations, has more limits than forging scam messages anew. Therefore, the risk introduced by easing transformation reversion is considerably lower than that of not signing, or of keeping DMARC policy at "none". An unlikely risk is that of a fake MLM sending messages with Author: signed by a broken signature in order to trick a reverting verifier into sending fake feedback reports. Compared with the use of "l=" tag (), the fact that footers are written in plain text removes the main security objection about footer additions. Namely, footers cannot completely replace the original content in the end recipient's eyes by exploiting lax HTML parsing in the MUA. Still, a footer can contain dangerous URLs and deceiving text. That possibility has to be countered by usual mail filtering and savvy behavior.

IANA Considerations IANA maintains the "Message Header" registry with several subregistries. IANA is asked to make the assignments set out in the following section.

Provisional Message Header Field Names IANA is asked to create new entries in the "Provisional Message Header Field Names" registry as follows.

Header Field Name	Applicable Protocol	Status	Author/Change controller	Reference
Original-Content-Transfer-Encoding	mail	provisional	IETF	this I-D
Original-Reply-To	mail	provisional	IETF	this I-D
Original-Cc	mail	provisional	IETF	this I-D

References Normative References Informative References zdkimfilter

Examples In the examples that follow, the first character of each wrapped line of DKIM-Signature: fields should be a TAB. For editorial reasons, it is rendered as four spaces. While visually there is little difference, those signatures won't verify unless replacing them with a TAB. To verify the examples, public keys can be set as follows:

Single-part plain text Base64 encoding has to be decoded in order to locate the footer. The original encoding was text/plain, this can be inferred by the verifier from the absence of an Original-Content-Transfer-Encoding: field. The original body hash will match after decoding and removing the footer. Note that an "l=" tag couldn't have done the trick in this case. Received: from mua.example.com by mail.example.com with ESMTPA Message-ID: <123456@author.example> Date: Mon, 28 Oct 2020 13:12:55 +0100 From: Author MIME-Version: 1.0 To: MLM@lists.example Subject: [example] Check simple MLM message Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: base64 VGhpcyBpcyBhIHBsYWluIHRleHQgbWVzc2FnZSBzdWJtaXR0ZWQgdG8gYSBtYWlsaW5nIGxpc3Qu ClRoZSBtYWlsaW5nIGxpc3QgaXMgZXhwZWN0ZWQgdG8gYWRkIGEgZm9vdGVyIGFuZCBhIHN1Ympl Y3QgdGFnLgoKQmVzdApBdXRob3IKCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX18KdGhpcyBtZXNzYWdlIHdhcyBtb2RpZmllZCBieSBNTE0gZXhhbXBsZQphZGRpbmcgdGhp cyBmb290ZXIgYW5kIHRoZSBzdWJqZWN0IHRhZwoobm90ZSB0aGF0IGw9IGlzIG5vdCBzZXQpCg== ]]>

Multipart added When the original message has a MIME structure, MLMs can append an entity. Received: from mua.example.com by mail.example.com with ESMTPA Message-ID: <123456@author.example> Date: Mon, 28 Oct 2020 13:12:55 +0100 From: Author via MLM MIME-Version: 1.0 To: MLM@lists.example Subject: [example] Check simple MLM message Content-Type: multipart/mixed; boundary=original-boundary Original preamble must be preserved! --original-boundary Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit This is a plain text message submitted to a mailing list. The mailing list is expected to add a footer and a subject tag. Best Author --original-boundary Content-Type: image/png Content-Transfer-Encoding: base64 iVBORw0KGgoAAAANSUhEUgAAAAYAAAAGCAYAAADgzO9IAAAABHNCSVQICAgIfAhkiAAAAAlwSFlz AAAHKgAAByoB49HU1wAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAB+SURB VAiZNcGxDYUgAEXRhxTMYWLFVlDTOAUjOIEzWDqEC1igCQ0LSLi/+ueotUZKieu6uO+bdV2ptaLz PDHGsG0b+74jieM40Pd91Fr5K6UAMC3LImutxhgaY8g5p3meNcUYFULQ+756nkchBMUYpd47OWe8 93jvyTnTe+cHXqRZbKSV4EoAAAAASUVORK5CYII= --original-boundary Content-Tyep: text/plain ________________________________________ this message was modified by MLM example adding this footer and the subject tag (note that l= cannot work in this case) --original-boundary-- ]]>

Multipart wrapped When the original body is multipart/alternative, MLMs have to wrap the whole body into the first entity of a multipart/mixed structure. Indeed, appending an entity to a multipart/alternative would result in it either hiding or being hidden by the existing ones. Received: from mua.example.com by mail.example.com with ESMTPA Message-ID: <123456@author.example> Date: Mon, 28 Oct 2020 13:12:55 +0100 From: Author via MLM MIME-Version: 1.0 To: MLM@lists.example Subject: [example] Check simple MLM message Content-Type: multipart/mixed; boundary=MLM-boundary This is the MLM preamble, not signed by Author. --MLM-boundary Content-Type: multipart/alternative; boundary=original-boundary Original preamble must be preserved! --original-boundary Content-Type: text/plain; This is a plain text message submitted to a mailing list. The mailing list is expected to add a footer and a subject tag. Best Author --original-boundary Content-Type: text/html;

This is a plain text message submitted to a mailing list. The mailing list is expected to add a footer and a subject tag.

Best
Author
--original-boundary-- Original epilogue --MLM-boundary Content-Type: text/plain ________________________________________ this message was modified by MLM example adding this footer and the subject tag (note that l= is not set) --MLM-boundary-- MLM epilogue ]]>