Monday 22 August 2016

AUTHENTICATED RECEIVED CHAIN PROTOCOL

FINAL EVALUATION


INTRODUCTION

With the adoption of stricter email authentication policies to curb spam, many MTAs are moving to stricter DMARC policies, i.e. any mails that fail the DMARC test are rejected outright `p = reject`. This has helped curb spam, yes, but it has also created problems for intermediate mail handlers like mailing lists. The basic philosophy underlying these authentication checks is to check the extent to which the mail has been altered from its original shape to the point of delivery to the recipient. Mailing lists inherently do modify the mail before broadcasting it onward to the members by adding list-specific headers, footer, and alterations to the Subject, etc. These are necessary for the identification of the mail with the mailing list. And till now, the mailing lists had no way of letting the receiving MTAs know about their handling of the message. This lead to high probability of these mails to be flagged suspicious, and in some strict cases as spam. The solution for this was recently drafted in the IETF ARC Protocol.

From Mailman's point of view, ARC is a protocol that can help mitigate denial of service to subscribed addresses at Yahoo!, AOL and other MTAs that have a `p=reject` DMARC policy. Also it will help reduce the ambiguity in decisions for other MTAs with a lenient policy. Basically setting up ARC would allow Mailman to securely register its handling of the message, thus allowing the set-up of a trust mechanism (not binding) between Mailman and the involved MTAs and hence reducing the denial of service.


WORK DETAILS

The project involved working on two repositories.
The `arc` module was created for Mailman, whereas the work on the `dkimpy` (or sign-message) module mostly involved refactoring the existing module.

1. The `dkimpy` module - The `dkimpy` package, based on work by Greg Hewgill (originally called "pydkim" on PyPI) and then substantially augmented by Scott Kitterman, provided the functions for DKIM signing of a mail. So as a part of the project, we worked on refactoring the original module to add ARC features, with minimal API changes. This was done with the final motivation of contributing this code back upstream by sending a PR to the original author.
The commits for the work done can be found here -

https://gitlab.com/adityadivekar/sign-message/commits/master

2. The `arc` module - Since the ARC protocol involves signing in three stages, a separate module was required to implement the signing by making function calls to the `dkimpy` module. This module has been developed with the intention of merging into the Mailman core for ARC signing ability. Also, the required test-suite for the ARC protocol has been implemented in this module.
Currently, we are in the process of merging this module into Mailman.
The commits for the work done can be found here -

https://gitlab.com/adityadivekar/arc/commits/master

2 comments:

  1. "dkimpy" is based on work by Greg Hewgill (called "pydkim" on PyPI) and substantially augmented by Scott Kitterman.

    ReplyDelete