Opened 3 years ago

Last modified 11 days ago

#12821 new project

using torbirdy + thunderbird: domains emailing with dmarc

Reported by: cypherpunks Owned by: ioerror
Priority: Medium Milestone:
Component: Applications/TorBirdy Version: Tor: unspecified
Severity: Normal Keywords: torbirdy, thunderbird, dmarc, dkim, adsp, spf, email
Cc: ter.one.leeboi@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I'm a little concerned about the following and still trying to figure it out:

...[I also realise it may be difficult to test without having specific access to a domain with DMARC set up]...

PM me or ping back on tor-talk. I have a domain with DNSSEC, DKIM, ADSP, SPF and DMARC; I'm doing some testing with NIST soon at had-pilot.biz (unrelated to TorBirdy).

If multiple parties are using TorBirdy with Thunderbird and let's say some domain owners have DMARC set up with reporting enabled:

Other DMARC-capable domains (gmail, hotmail, or any ISP, even from their abuse email) will send back reports with the IP used for mail transmission and respond with fail or pass. A fail will occur every time if you use TorBirdy, and you can also see interesting results from abuse if others try to spoof sending from your domain with fake addresses.

The reports can contain IP addresses from which emails were sent from a domain, i.e. I believe the IP that you logged into Thunderbird from and sent mail.

Essentially you'll see fail every time if you use TorBirdy *and* your domain is configured with DMARC, and it's going to leak the IP you sent email from (logged in with Thunderbird to send), defeating the purpose of using TorBirdy.

The DMARC queries are going out in the usual clear DNS.

Are there any other shortcomings here that are of concern?

Is DMARC reporting too privacy invasive in this situation to bother implementing, and better left to businesses/companies?

Change History (4)

comment:1 Changed 3 years ago by ioerror

TorBirdy merely ensures that you're connecting everything over Tor as well as disabling any leaky or obviously exploitable component. This means that with TorBirdy, your connection to your SMTP server is over Tor. As I understand it, DMARC should not impact the end user as long as their SMTP server is properly configured to handle it.

As an example, if you connect to Gmail with Tor Browser or TorBirdy, does DMARC fail?

Please give specific examples of failures - full headers and everything required to reproduce it.

I think that generally, we need not worry about this for TorBirdy. If your mail server is going to narc you out, they'll only get as far as the Tor exit node. That is why users are using Tor: exactly for this kind of privacy invasion. Obviously, people should use mail servers that don't leak this kind of data, but if they do, they'll at least not leak their home/work/other IP address.

comment:2 Changed 3 years ago by leeroy

If you use DMARC with a domain using SPF it shouldn't be a surprise you get consistent failures, as SPF is IP based. Unless you've authorized the IP of the exit used for the mail server communications it'll fail, because SPF must know that IP in advance. Even if you update your SPF records to include exits, it takes time to distribute the changes. DMARC compliance requires either DKIM or SPF+DKIM be used. It definitely sounds like the root of DMARC failure reports is your use of SPF on Tor.

As to whether the reporting is privacy invasive: it's no more invasive than using DKIM or SPF without DMARC. They're all DNS based. The goal is to improve deliverability. In the least, DMARC compliance requires records for DKIM, so no matter what, the receiving mail server is going to perform a DNS lookup.
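The mechanism comment:2 describes (SPF matching the connecting IP against records published in advance, and DMARC passing on an aligned DKIM signature even when SPF fails) as an added example; this is illustrative code written for this page, not TorBirdy or any mail server's implementation. It evaluates only ip4/ip6/all terms with no DNS resolution, and the record, domains and IPs are constructed sample values.

```python
import ipaddress

# Constructed sample SPF record: two authorized sender ranges, hard fail for everything else.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"

def check_spf(record: str, client_ip: str) -> str:
    """Evaluate a simplified SPF record against the IP the receiving MTA saw on
    the SMTP connection (RFC 7208 semantics for ip4/ip6/all with qualifiers).
    include/a/mx terms need DNS and are ignored here (assumption for this example).
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual, mech = ("+", term) if term[0] not in qualifiers else (term[0], term[1:])
        if mech == "all":
            return qualifiers[qual]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return qualifiers[qual]
    return "neutral"  # no mechanism matched and no 'all' term

def dmarc_verdict(policy: dict, from_domain: str, spf_result: str, spf_domain: str,
                  dkim_result: str, dkim_domain: str) -> dict:
    """Combine aligned SPF and DKIM results into a DMARC verdict (RFC 7489):
    one aligned passing mechanism is enough. Strict alignment ('s') needs an exact
    domain match; relaxed ('r', the default) is approximated by a suffix match."""
    def aligned(domain: str, mode: str) -> bool:
        if mode == "s":
            return domain == from_domain
        return domain == from_domain or domain.endswith("." + from_domain)
    spf_ok = spf_result == "pass" and aligned(spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, policy.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "result": "pass" if passed else "fail",
            "disposition": "none" if passed else policy.get("p", "none")}

if __name__ == "__main__":
    # Constructed: an IP outside the record (think of an unlisted relay) hard-fails SPF,
    # but a valid aligned DKIM signature still lets DMARC pass.
    spf = check_spf(SAMPLE_SPF, "192.0.2.45")
    print(spf, dmarc_verdict({"p": "reject"}, "example.org", spf, "example.org",
                             "pass", "example.org"))
```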

comment:3 Changed 3 years ago by leeroy

Cc: ter.one.leeboi@… added

comment:4 Changed 11 days ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
