Re: [Mailman-Users] Fwd: Re: Mailing list membership.
willi uebelherr <willi.uebelherr@riseup.net> Thu, 02 March 2017 19:03 UTC
Subject: Re: [Mailman-Users] Fwd: Re: Mailing list membership.
References: <22711.59414.243751.688266@turnbull.sk.tsukuba.ac.jp>
From: willi uebelherr <willi.uebelherr@riseup.net>
To: IETF discussion <ietf@ietf.org>
X-Forwarded-Message-Id: <22711.59414.243751.688266@turnbull.sk.tsukuba.ac.jp>
Message-ID: <6f6dffc4-6a6b-210f-a20f-22ebb4e14c45@riseup.net>
Date: Thu, 02 Mar 2017 16:03:02 -0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/V-trL0quzNMEUHFkAitKqJzQETg>
Cc: "Stephen J. Turnbull" <turnbull.stephen.fw@u.tsukuba.ac.jp>
Dear friends, this is the answer from Stephen J. Turnbull from the Tsukuba
University in Japan. A very detailed contribution to our DMARC discussion.

many thanks to all and greetings, willi


-------- Forwarded Message --------
Subject: [Mailman-Users] Fwd: Re: Mailing list membership.
Date: Thu, 2 Mar 2017 18:38:30 +0900
From: Stephen J. Turnbull <turnbull.stephen.fw@u.tsukuba.ac.jp>
To: willi uebelherr <willi.uebelherr@gmail.com>
CC: mailman-users@python.org

willi uebelherr writes:

> Dear friends of Mailman,

Thanks for getting in touch!

> in the IETF discussion list we have a discussion about the bounces, that
> are created based on the DMARC processing.
>
> I know, from a discussion in this mailman list, that mailman follow
> strong the RFC 2821 (SMTP) and reject this DMARC nonsense.

RFC 2821 has little practical significance for DMARC. DMARC processing
itself has very little to do with SMTP (except for the indirect relation
through SPF -- more about that below). I have all the respect in the
world for Ted T'so, but he seems to be not very familiar with DMARC,
DKIM, and SPF. Mailman cannot and does not "reject" DMARC in any way
(although some Mailman developers are pretty unhappy about it ;-). DMARC
is a fact of life for mailing lists now.

First, the good news: I (as a representative of the GNU Mailman project,
as well as for personal interest) have been participating in the DMARC
discussions as well as in development of the new "Authenticated Received
Chain" (ARC) protocol. ARC allows an intermediate site to
cryptographically sign its authentication results, which (we hope) will
allow end receivers to trust those for DMARC purposes. However,
widespread implementation is at least a year off (theoretically possible
as the DMARC Consortium, Google, Yahoo!, and AOL are all participating in
ARC discussions, but you know how the Internet moves). Mailman 3 itself
will be ARC-capable in limited ways in that time frame, and we expect
Postfix, Exim, and Sendmail to implement it as well. (The "big guys" use
MTAs developed in-house.)

Now, the bad news.

> The consequence should be, that the members in the list should change
> her mailbox servers to avoid this "bounce errors", based on DMARC
> processing, or not?

From the list owner's point of view, "it would be nice if" posters would
post from DMARC "p=none" domains. ("p=none" includes sites which have no
DMARC DNS record at all; it is the implicit default that DMARC receivers
must assume.) However, in the great majority of cases, users get very
upset about being asked to use "p=none" mailboxes if that means changing
their workflows. IETF mailing lists *may* be an exception, but I suspect
there are a lot of people using Yahoo! and other DMARC-protected
addresses in the IETF subscriber base.

> For me, i don't like any form of workarounds. We need a clear
> base. And this can only be the standard RFCs.

Unfortunately, there are no RFCs that help here. DMARC is *intended* to
prevent "unwanted" indirect mail flows, and unfortunately the heuristic
chosen also will interdict mailing lists. What the DMARC RFC *should*
say is "if your mailbox provider posts a DMARC policy other than
'p=none', that is automatically a policy of prohibiting posting to
mailing lists". And that is precisely why the DMARC RFC is
"Informative", rather than "Standards Track", as you would expect with
an RFC with so much promise for reducing phishing and other mail abuse.
The DMARC Consortium really wanted to avoid any language that would
implicate DMARC users in negative effects of the standard, and an
informative RFC allowed the Consortium members to retain control.

The only RFC-conforming option that allows you to avoid triggering DMARC
backscatter is to turn off ALL message-modifying options: subject tags
and serial numbers, and body headers and footers. (I believe that is
currently the complete list of Mailman features that invalidate common
DKIM signatures.) Other than that, your choice is to turn your "p!=none"
posters into backscatter bombs, or use one of the options that Mailman
provides to avoid triggering DMARC. There are more, and more attractive,
options in the most recent Mailman 2 versions (at least 2.1.20), as Jim
Popovich mentioned.

I hope this helps. Below some comments on technical aspects of the
appended correspondence.

> 3) The IETF discussion list don't follow the DMARC processing. This
> means, it act only outside.

DMARC processing, by which I mean the protocols defined in RFC 7489, is
in no way done by mailing lists. Anything that a mailing list or its MTA
does to handle DMARC is a "workaround". (This will change with ARC, but
ARC will provide no guarantees -- use of ARC is entirely optional for
the receivers.)

> I understand and agree absolutely, that the maillist server never change
> the From-line in the header.

Changing the From field in the RFC 2822 header is the most popular
workaround by far. This is not a denial of your position, it's a
statement of current common practice.

> The mailman maillist server use bounce-counters for every member and
> some limits for this bounce-counter. If the limit exceeds, and the
> admin-group do nothing, then the maillist server mailman disable the
> delivery. It is not an unsubscription.

Under some settings of the bounce processing in Mailman, it *can* result
in unsubscription.

> The DMARC processing is defined in the DNS info. But we can ignore it,
> or not?

If you ignore it, your list(s) will be subject to adverse consequences
based on DMARC processing at poster and subscriber addresses. That's
your choice, of course.

> Based on that process, we can clean all this nonsense in our IETF
> lists environment and work strong based on the RFC 2821, like
> mailman do it.

As Jim Popovich mentioned, the IETF lists are handled by GNU Mailman.
According to the most recent message I received it is Mailman 2.1.18.

Ted T'so writes:

> > RFC 2821, Simple Mail Transfer Protocol, section 3.10.2
> >
> > "To expand a list, the recipient mailer replaces the
> > pseudo-mailbox address in the envelope with all of the expanded
> > addresses. The return address in the envelope is changed so that all
> > error messages generated by the final deliveries will be returned to
> > a list administrator, not to the message originator, who generally
> > has no control over the contents of the list and will typically find
> > error messages annoying."
> >
> > This is the SMTP Envelope From field. The FROM field is not changed,
> > but the SMTP return address is changed, so that bounces go to the
> > mailing list administrator as opposed to the person who sends mail to
> > the mailing list.

This is true, but it is not part of the definition of mailing list, nor
is there any popular mailing list software left that doesn't give you
the option of fiddling with the FROM field (for several reasons such as
anonymization, as well as working around DMARC).

> > Unfortunately, if you are using a system whose domain requests that
> > all recipients enforce DMARC alignment, this specifically instructs
> > recipients to bounce mail if the SMTP Envelope return address doesn't
> > match the FROM field in the header.

This is a misunderstanding of the DMARC protocol. I won't go into
details, but in practice the vast majority of originating domains use
DKIM as well as, or instead of, SPF.[1] In the case of DKIM
verification, the authorizing domain is the one claimed in the
DKIM-Signature field, not the Envelope From.

> > Hence mailing list systems that enforce DMARC, or request DMARC
> > processing, are fundamentally incompatible with mailing lists as
> > defined by section 3.10.2 of RFC 2821.

This is false. In practice, a mailing list that does not alter the From,
Subject, Date, and Message-ID header fields and does not alter the body
is compatible with DMARC originators which provide DKIM signatures.
That's pretty much all of them, as mentioned above. As I mention above,
Mailman can be configured that way, but it rarely is. A few list-owners
run into legal issues where the list must provide visible legal
disclaimers or unsubscription instructions, which typically occur in
footers appended to the message body, invalidating the DKIM signature. I
doubt such a legal requirement applies to the IETF lists, however.

Hope this helps.

Steve

Footnotes:
[1] According to a source at DMARC Consortium, their analysis shows that
nearly 100% (I forget the exact figure) of p=reject traffic is
DKIM-signed. Of course that's heavily weighted by Yahoo! and AOL, the
two biggest sources of p=reject traffic.

--
Associate Professor              Division of Policy and Planning Science
http://turnbull/sk.tsukuba.ac.jp/     Faculty of Systems and Information
Email: turnbull@sk.tsukuba.ac.jp                   University of Tsukuba
Tel: 029-853-5175                 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN
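As an added illustration (not code from the thread, from Mailman, or from any DMARC verifier), the following Python model of the RFC 7489 identifier-alignment check shows the two points made above: the envelope rewrite of RFC 2821 section 3.10.2 only breaks SPF alignment, which a DKIM-signing domain does not need, while a footer appended by the list changes the DKIM body hash and so turns a p=reject poster's mail into a DMARC failure. The domains, message body and footer are constructed; the DKIM check is reduced to the body hash, and the organizational-domain lookup is a stand-in for the Public Suffix List.

```python
import hashlib

# Model of DMARC alignment for a message relayed by a mailing list (added example).
# The DKIM check is reduced to the body hash; real DKIM also covers the signed header
# fields, which is why a Subject tag invalidates the signature too. Domains, body
# and footer below are constructed; org_domain() stands in for the Public Suffix List.

def org_domain(domain):
    """Stand-in for the PSL-based organizational domain: keep the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """DMARC alignment: 's' needs an exact match, 'r' (default) the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def body_hash(body):
    """DKIM 'simple' body canonicalisation (RFC 6376 3.4.3): CRLF line ends, trailing
    empty lines dropped, empty body becomes one CRLF; returns the bh= hex digest."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    canon = "".join(line + "\r\n" for line in lines) or "\r\n"
    return hashlib.sha256(canon.encode()).hexdigest()

def dmarc_disposition(from_domain, policy, envelope_from, spf_pass,
                      dkim_d, signed_bh, body):
    """Return (result, disposition) for a policy of p=none|quarantine|reject."""
    spf_aligned = spf_pass and aligned(envelope_from, from_domain)
    dkim_valid = signed_bh == body_hash(body)        # did the signature survive?
    dkim_aligned = dkim_valid and aligned(dkim_d, from_domain)
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", policy

BODY = "Hello list,\r\n\r\nSee RFC 7489 section 3.1.\r\n"   # constructed poster body
SIGNED_BH = body_hash(BODY)      # bh= computed by the poster's domain before relaying

def list_scenario(footer=""):
    """Poster at p=reject example.com; the list rewrites MAIL FROM to its own bounce
    address (RFC 2821 3.10.2), so SPF cannot align and only DKIM can satisfy DMARC."""
    return dmarc_disposition("example.com", "reject", "lists.example.org", True,
                             "example.com", SIGNED_BH, BODY + footer)

if __name__ == "__main__":
    print("unmodified body:", list_scenario())
    print("footer appended:", list_scenario("\r\n-- \r\nList footer\r\n"))
```

The same function shows the p=none default the message describes: with `policy="none"` a failed check still yields disposition `none`, which is why such posters never produce backscatter.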