savannah-hackers
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[savannah-help-public] DMARC related settings have been changed for the


From: sysadmin
Subject: [savannah-help-public] DMARC related settings have been changed for the Mailman list savannah-hackers
Date: Wed, 17 Jul 2019 14:44:00 -0400

The Free Software Foundation is making changes to our GNU Mailman
systems.

This is a long email, so I want to mention up front that we plan to
change the list settings of this list again in about 1 month unless a
list administrator or moderator opts out. Read below for more
information.

Messages sent from users with strict DMARC policy domains like yahoo.com
are often being rejected when sent to list subscribers by Mailman. See
the end of this email for a technical overview of DMARC and DKIM. There
are two ways to fix the issue by changing Mailman list settings.

The first option, and the preferable way for discussion lists, is what
we call the "unmodified message fix." There are Mailman list settings
which modify the messages by adding a subject prefix (e.g. [list-name])
or a footer. Modifying the message breaks DKIM message signatures and
thus DMARC. Following this option, we would turn those settings
off. Many lists are already this way and there is no change for
them. Instead of using the subject prefix to identify a list,
subscribers should use the "List-Id" header, To, and Cc.  List footer
information can also be be put in the welcome email to subscribers and
the list information page by list administrators.

Related to this, on June 7th, we upgraded the version Mailman that we
run. This fixed a bug where we were breaking the DKIM signature of any
reply message.

The second option is for lists which want or need to continue to modify
the message, for example with subject prefix or footer settings. We
would enable a Mailman list setting called dmarc_moderation_action:
"Munge From". With this setting, if a strict DMARC sender sends to the
list, we alter the headers of that message like so:

A message sent to the list:

To: alist@listdomain
From: Anne Example Person <exampleperson@examplepersonsdomain>

Is modified my Mailman and sent to subscribers as:

To: alist@listdomain
From: Anne Example Person via Alist <alist@listdomain>
Reply-To: Anne Example Person <exampleperson@examplepersonsdomain>

Without going into all of the details, here's a few points about why we
concluded the unmodified message fix is better for discussion
lists. Email clients don't all treat munged messages the same way as
unmunged, and humans read these headers so it can confuse people,
causing messages not to be sent to the expected recipients. GNU Mailman
has an option to do "Munge From" always, but does not recommend using
it[1]. While we're not bound by what others do, it's worth noting that
other very large free software communities like Debian GNU/Linux have
adopted the unmodified message fix[2]. The unmodified messages fix
avoids breaking DKIM cryptographic signatures, which show the message was
authorized by the signing domain.

Since this list appears to be a discussion list that adds subject
prefixes or footers, "Munge From" has been turned on as an initially
less disruptive fix, but we will change this lists settings to send
unmodified messages in one month from now unless a list
administrator/owner or moderator opts this list out of the change. This
list does not have any administrators or moderators in the Mailman
settings, so we are emailing the list directly.

Sometimes people don't have their email listed in the settings because
Mailman sends automated emails to whoever is listed as administrator or
moderator and there is no way to opt out. We recommend filtering your
email if you don't want those messages. If you have the administration
password for a list, please log in and add an administrator or moderator
email addresses at the top of the "General Options" section of the list
administration interface.

If no list administrators or moderators are around for this list, anyone
should feel free to try to track them down or figure out who should
become one and explain in detail by replying to address@hidden. Please
be patient, this process may take several weeks.

To opt this list out, reply to address@hidden, append "opt out" to the
subject line, and send it from one of the list administrator or
moderator email addresses.

For any Mailman list administrator who wants to change or look over the
relevant settings: The dmarc_moderation_action setting is under "Privacy
Options" subsection "Sender Filters". The only options that should be
selected are "Accept" or "Munge From", along with corresponding changes
to the subject_prefix option under "General Options", and msg_footer is
under "Non-digest options".

Please send any questions that should be public to address@hidden. For
private ones, just reply to address@hidden.

For the general announcement of these changes, please read
https://lists.gnu.org/archive/html/savannah-hackers-public/2019-06/msg00018.html



A short DMARC technical overview:

DMARC policy is a DNS txt record at a _dmarc subdomain. For example:

$ host -t txt _dmarc.yahoo.com
_dmarc.yahoo.com descriptive text "v=DMARC1; p=reject; pct=100;
rua=mailto:address@hidden;";;

The only important thing there for our purpose is p=reject. p=reject
means that conforming mail servers that receive mail with a from header
of *@yahoo.com will reject that email unless it was either 1. sent from
Yahoo's email servers, or 2. its DKIM signature is verified. A DKIM
signature[5] is a public key cryptographic signature of the email body
and some headers included in the message header "DKIM-Signature". A
verified DKIM signature means that email body and signed headers have
not been modified.

Comprehensive resources about DMARC tend to downplay or ignore its
problems, but some that have helped me are Wikipedia[6], the Mailman
wiki[1], dmarc.org wiki[7], and the DMARC rfc[8].



[1]: https://wiki.list.org/DEV/DMARC
[2]: https://lists.debian.org/debian-devel-announce/2015/08/msg00003.html
[5]: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
[6]: https://en.wikipedia.org/wiki/DMARC
[7]: https://dmarc.org/wiki/FAQ#senders
[8]: https://tools.ietf.org/html/rfc7489

Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7  DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org



reply via email to

[Prev in Thread] Current Thread [Next in Thread]