Enable dmarc mitigations

Hello all!

Currently Fedora mailing lists use the "From" field from original messages
and if the sender's domain uses a DMARC=reject policy, mailing list
subscribers cannot receive any messages from such users because their MX
servers follow the DMARC procedure and drop them.

Previously I opened a ticket in Fedora Infra[1].

Someone needs to fix this because more and more mailing servers start
enforcing DMARC=reject.

[1]: https://pagure.io/fedora-infrastructure/issue/7737

Comments

Re: Enable dmarc mitigations

By Kevin Fenzi at 05/01/2019 - 11:43

On 4/30/19 4:46 AM, Vitaly Zaitsev wrote:
Which explains why DMARC is horrible. ;)

Which means more and more things break...
I guess I will enable the From field mitigation for this list, but I
will not like it. ;)

kevin

Re: Enable dmarc mitigations

By Vitaly Zaitsev ... at 05/02/2019 - 07:21

Hello, Kevin Fenzi.

Now it should work fine. Thanks.

I think it should be an option in mailman's settings. Each user can
enable or disable mitigations for his email address.

Re: Enable dmarc mitigations

By Stephen J. Turnbull at 05/04/2019 - 16:58

Vitaly Zaitsev via devel writes:

Patches welcome at GNU Mailman.

Potential time waste warning: The list owner must have the choice
whether to delegate the choice to subscribers. As a list owner, I
wouldn't allow that choice by subscribers, because I'd end up getting
the crap when people who didn't understand what was going on disabled
the "ugly" From munging and started losing mail and getting delivery
disabled or even unsubscribed from lists. As a Mailman developer, I
will strongly oppose turning on user choice by default because my
constituents are list owners, not subscribers. But that implies it
would be rarely available.

On the other hand, I would support giving users the option to choose
their mitigation (From munging vs. wrapping), and turn that on by
default when mitigation is enabled. Probably only relevant to Gnus
users, though, as nobody else can conveniently read the wrapped
messages. ;-)

Steve

Re: Enable dmarc mitigations

By Vitaly Zaitsev ... at 05/04/2019 - 17:04

Hello, Stephen J. Turnbull.

That's why it's time to deprecate all mailing lists and switch to modern
Web 2.0 platforms.

Re: Enable dmarc mitigations

By Roberto Ragusa at 05/05/2019 - 09:50

I swear I've intended this as a joke, before reading replies
and realizing it was supposed to be serious.

Regards.

Re: Enable dmarc mitigations

By qrsBRWN at 05/05/2019 - 04:57

On May 4, 2019 11:04:51 PM GMT+02:00, Vitaly Zaitsev via devel < ... at lists dot fedoraproject.org> wrote:
Exactly what platform did you have in mind?

While mailing lists aren't sexy they work very well and shuffle data like few other services.

Br
Q

Re: Enable dmarc mitigations

By Vitaly Zaitsev ... at 05/05/2019 - 08:19

Hello, qrsBRWN.

Discourse[1] for example. GTK developers are already testing it[2] as a
mailing list replacement.

1: https://github.com/discourse/discourse
2: https://blog.gtk.org/2019/03/05/testing-discourse-for-gtk/

Re: Enable dmarc mitigations

By Vitaly Zaitsev ... at 05/05/2019 - 15:43

On Sun, 5 May 2019 14:19:59 +0200

To each their own, of course, but there was a long discussion of
discourse here a while ago. I tried it out, but it was like a bad
version of a mailing list. It sent me a mail informing me that there
were messages to read. Then I had to go there and read the messages on
the web, using their interface.

So much better than just getting the message directly into my chosen
mail client! (/sarcasm) It probably works well for those who are
addicted to the web, and check their phone every few minutes; it
fits with their work style, plus they get affirmation. But I don't
fit that template, so I wasn't enamored.

If forced to, I could probably use it, but I prefer the push model
to the pull model. That is, it isn't an improvement for me, it doesn't
buy me anything I want.

Re: Enable dmarc mitigations

By Matthew Miller at 05/06/2019 - 17:24

On Sun, May 05, 2019 at 12:43:02PM -0700, stan via devel wrote:
That's definitely the primary intended mode of interaction, but there is
also a "mailing list mode" which does more of what you want. (One email per
post, and you can reply directly.)

Re: Enable dmarc mitigations

By Stephen J. Turnbull at 05/07/2019 - 13:24

Matthew Miller writes:
To be fair, that's *one* intended mode of interaction, when Discourse
is used as an adjunct to a blog platform. As a substitute for "devel"
or "users", I would expect that it would sit there in a window (or
windows) of your browser pretty much always visible, or on the next
desktop, and there'd be a "bomb crater" emoji instead of the switch for
turning notifications on.

I could see using it in a "users" style forum, where I'd use it like
Twitter: wander in, see if there was anything interesting, if there
were a post or two with insufficient answers I'd provide what help I
could, and then come back next week and do the same. I wouldn't want
to use it in a "devel" forum, but that's likely *mostly* because I
have a complex set of customizations for dealing with my devel forums
in my mail client, and I'm pretty sure they won't be replicated in any
web forum. I would probably eventually come up with alternatives and
workarounds, but for many months I would be in A Very Bad Bad Mood,
and Extremely Unpleasant to Be Around. :-)

This should not be considered advocacy one way or the other vis-a-vis
Fedora channels -- I'm here more or less by accident, but if GNU
Mailman can provide better support to the Fedora community I'd like to
push that forward.

Which ain't so great. Not for the person who likes mailing lists, and
not for the people who like discourse as a platform. It's partly
social, of course, but there's also the technological difference
between synchronous and asynchronous messaging. Platforms designed
for synchronous messaging tend to have longer "conversations", whereas
asynchronous messaging tends to result in branchy thread trees.

Much as I love mailing lists, I admit that there are valid arguments
and personal preferences for web fora. This is going to be one of
those situations where it kinda has to be tyranny of some kind, maybe
the tyranny of inertia, maybe tyranny of the majority. But some
people (fvo "some" including "many") will be dissatisfied.

Steve

Re: Enable dmarc mitigations

By qrsBRWN at 05/06/2019 - 02:24

On May 5, 2019 9:43:02 PM GMT+02:00, stan via devel < ... at lists dot fedoraproject.org> wrote:
I have used Discourse and yes it does behave pretty much like a webforum from the 90s.

Exactly this. While swanky it really does nothing new but takes away accessibility since there will be a gazillion email notifications which in and of themselves are useless. With a mailing list I can just reply directly instead of having to switch to a different interface.

This just adds a step and forces me to use a particular client.

I realized now that this mail sounds really negative. To add nuance: great suggestion and I'm all for changing things if the new things solve the problem better than the old things. Discourse however, doesn't seem to do that.

Re: Enable dmarc mitigations

By Garry T. Williams at 05/05/2019 - 21:18

On Sunday, May 5, 2019 3:43:02 PM EDT stan via devel wrote:
[snip]

+1

Re: Enable dmarc mitigations

By Stephen J. Turnbull at 05/01/2019 - 12:10

Kevin Fenzi writes:
No, it explains why p=reject domains that post to mailing lists are
horrible. DMARC is a good thing when used properly.

It's possible to do this only for domains that advertise p=reject.
They deserve what they get.

If there are any issues that seem like they can be addressed in
upstream GNU Mailman (unfortunately, we don't carry a stick big enough
to convince blockheaded mail domains not to publish p=reject), let me
know and I'll push it with the Mailman devs. No promises, of course.

Steve
GNU Mailman

Re: Enable dmarc mitigations

By Florian Weimer at 05/02/2019 - 04:21

* Stephen J. Turnbull:

Gmail *recipients* (which includes most redhat.com subscribers these
days) need this rewriting as well. Discarding mail is always a policy
decision carried out by the recipient, so it needs to be configurable
for mailing list subscribers. The mailing list server cannot detect
this recipient behavior automatically.

The DMARC policy set by the sender does not really matter here. People
tell you differently, but they are misinformed because the discard
policy is implemented by the recipient, not the sender.

Thanks,
Florian

Re: Enable dmarc mitigations

By Tom Hughes at 05/02/2019 - 04:54

On 02/05/2019 09:21, Florian Weimer wrote:
No, but if the mailing list server rewrites when the sender has a
reject policy then the email gmail receives will no longer violate
the policy so they won't put it in the spam folder.

Yes, but based on what the sender requests.

Tom

Re: Enable dmarc mitigations

By Florian Weimer at 05/02/2019 - 05:32

* Tom Hughes:

Based on some reports, I don't think this is how the Gmail
implementation works. It will discard mailing list mail for senders
with a DMARC policy that does not set p=reject, too.

Thanks,
Florian

Re: Enable dmarc mitigations

By Stephen J. Turnbull at 05/04/2019 - 16:58

Florian Weimer writes:

Based on conversations with GMail developers, that has nothing to do
with DMARC, though. A proper mailing list *also* signs its messages,
and it develops a reputation much faster than any individual poster.
(It's also more dangerous than individual posters, so that may or may
not balance out exactly.) As far as GMail is concerned, therefore, a
post by such a user has a valid signature, but the treatment of the
post depends only on the reputation of the mailing list and the
content of the post, rather than on the reputations of the poster and
the list, and the content. Note that this is the same distinction
that occurs when the list munges From.

Bottom line: I don't think a per-subscriber option is likely to help
subscribers who are GMail users (in general, if you don't own your own
MX), and for reasons I've given elsewhere, I think providing a
per-subscriber option is likely to be a PITA for list admins (== my
primary constituency as a GNU Mailman developer).

Steve

Re: Enable dmarc mitigations

By Björn Persson at 05/01/2019 - 15:06

Stephen J. Turnbull wrote:
Yes please, don't break things more than what's necessary.

Björn Persson

Re: Enable dmarc mitigations

By Kevin Fenzi at 05/01/2019 - 15:11

On 5/1/19 12:06 PM, Björn Persson wrote:
Yes, that is what I did. From mangling only applies to those domains
that set a DMARC policy of reject or quarantine. I did not enable this
globally.

kevin
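
The conditional mitigation described in the post above, as an added example that is not part of the thread and not Mailman's own code: From is rewritten only when the author's domain publishes `p=reject` or `p=quarantine`. The names `SAMPLE_DMARC_TXT`, `dmarc_policy`, `mitigate` and the `.example` domains are assumptions; the DNS lookup of `_dmarc.<domain>` is replaced by a constructed table, and the organizational-domain fallback is left out.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed records standing in for TXT lookups of _dmarc.<domain>.
SAMPLE_DMARC_TXT = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "careful.example": "v=DMARC1; p=quarantine; pct=100",
    "relaxed.example": "v=DMARC1; p=none",
}


def dmarc_policy(txt):
    """Return the p= value of a DMARC record, or None if it is not one."""
    tags = {}
    for part in (txt or "").split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None  # e.g. an SPF record or no record at all
    policy = tags.get("p")
    return policy.lower() if policy else None


def mitigate(msg, list_addr, list_name, lookup=SAMPLE_DMARC_TXT.get):
    """Munge From in place; return True if the message was changed."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    if dmarc_policy(lookup(domain)) not in ("reject", "quarantine"):
        return False  # the author's domain does not ask receivers to drop mail
    # The From domain becomes the list's own, so the copy the list sends out
    # is no longer checked against the author's DMARC policy.
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    if "Reply-To" not in msg:
        msg["Reply-To"] = formataddr((name, addr))  # keep the author reachable
    return True


def sample_post(sender):
    """Build a constructed list post from the given sender."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "devel@lists.example"
    msg["Subject"] = "test"
    msg.set_content("hello")
    return msg
```
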

Re: Enable dmarc mitigations

By Florian Weimer at 04/30/2019 - 09:41

* Vitaly Zaitsev:

Can we, as recipients, please opt out if we know that our mail receiving
policy is fully compatible with mailing lists?

Thanks,
Florian