RE: Enabling DMARC workaround code for all IETF/IRTF mailing lists
"MH Michael Hammer (5304)" <MHammer@ag.com> Fri, 11 May 2018 15:13 UTC
Return-Path: <MHammer@ag.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A92C312D94E for <ietf@ietfa.amsl.com>; Fri, 11 May 2018 08:13:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aF7Bx0i1_z33 for <ietf@ietfa.amsl.com>; Fri, 11 May 2018 08:13:22 -0700 (PDT)
Received: from agwhqht.amgreetings.com (agwhqht.amgreetings.com [207.58.192.31]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D56A1200C1 for <ietf@ietf.org>; Fri, 11 May 2018 08:13:22 -0700 (PDT)
Received: from USCLES544.agna.amgreetings.com ([fe80::f5de:4c30:bc26:d70a]) by USCLES533.agna.amgreetings.com ([::1]) with mapi id 14.03.0266.001; Fri, 11 May 2018 11:13:21 -0400
From: "MH Michael Hammer (5304)" <MHammer@ag.com>
To: John C Klensin <john-ietf@jck.com>, Alexey Melnikov <aamelnikov@fastmail.fm>, "ietf@ietf.org" <ietf@ietf.org>
Subject: RE: Enabling DMARC workaround code for all IETF/IRTF mailing lists
Thread-Topic: Enabling DMARC workaround code for all IETF/IRTF mailing lists
Thread-Index: AQHT6R3/hcwHJqV1jkuJ8o0vYGU8LKQq4v2A//++TDA=
Date: Fri, 11 May 2018 15:13:20 +0000
Message-ID: <CE39F90A45FF0C49A1EA229FC9899B053743DE8B@USCLES544.agna.amgreetings.com>
References: <919855CA-9F77-420A-8B8F-79174CD2FC19@fastmail.fm> <61B1EDB45FC4FF33154B13B0@PSB>
In-Reply-To: <61B1EDB45FC4FF33154B13B0@PSB>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.144.6.88]
x-kse-attachmentfiltering-interceptor-info: protection disabled
x-kse-serverinfo: USCLES533.agna.amgreetings.com, 9
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean, bases: 5/11/2018 1:45:00 PM
x-kse-dlp-scaninfo: Skipped
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/xbwK7alkKVPkJLS1a47H32Sps64>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 15:13:25 -0000
John, I have to disagree with your comment in the appendix about a decline in bounce messages and changes/implementations such as DMARC. Joe Jobs and other abuse have been around a long time. Given a choice between constraining (some functionality) to mitigate/minimize damage and enabling large scale breakdowns of functionality due to abuse, I'll choose the former. I guess it's a case of picking your poison. Adjust, don't conform. Mike P.S. At the end of this month I am leaving American Greetings and will no longer be participating using this account. I already use my dotzero@gmail.com account for some working groups and will switch participation on the ietf list to that account. > -----Original Message----- > From: ietf [mailto:ietf-bounces@ietf.org] On Behalf Of John C Klensin > Sent: Friday, May 11, 2018 11:03 AM > To: Alexey Melnikov; ietf@ietf.org > Subject: Re: Enabling DMARC workaround code for all IETF/IRTF mailing lists > > Alexey, > > This may be the best that can be done given the degree to which DMARC is > an attack on the mail system (those who don't understand that assertion > should see the appendix below) but I think we should all be concerned about > the trend it seems to represent. Again, that is not a suggestion that we not > do this (and wouldn't be one even if the decision had not yet been made), > just a plea that we be very aware of, and document, the tradeoffs that are > being made. > > That said, I'm uncomfortable with using "=40" as a convention in the middle > of an address. First, there is nothing that supports the idea of encoded > octets in the middle of local parts and, as you know, there is ample > precedent for interpreting an equal sign in a local part as an indication of a > name-value setup. We haven't seen SMTPUTF8 addresses on the IETF list > yet, but I think there is a strong case to be made that, if we are going to start > encoding things, we should be encoding Unicode code points (e.g., > "alexey\u'0040'example.com@dmarc.ietf.org" or > "alexey?utf8"?40?example.com@dmarc.ietf.org" > ) rather than inventing yet another new system. I don't think > that is a good idea, in part because I encountered an example in the last 24 > hours that tries to use encoded words to deal with a non-ASCII local part > (something the EAI WG considered and rejected and that, if performed in > transit, is non-conformant with the SMTPUTF8 specs). Any encoding trick like > the above (or like just using "=40") is going to encourage that sort of > "innovation". > > With the understanding that I'm holding my nose while saying this (because I > have been happy to see the convention fade from use), we already have a > widely-supported and recognized convention for this type of encoding and I > wonder why those who have been involved with this effort rejected it. That > would be to use > alexey%example.com@dmarc.ietf.org > > just a thought. > best, > john > > > > ------- > Appendix: > > I've said this before but, to the degree to which the spam and other attacks > which DMARC is intended to mitigate force us to change the mail system in > ways that make it less functional, we are essentially admitting that the bad > guys have won. This is certainly not the only case and may not be the most > important one. For example, the mail system was designed on the > assumption that delivery would be reasonably reliable, that non-delivery > would be indicated by NDNs ("bounce messages"), and therefore that > delivery or read acknowledgments would typically be unnecessary > (important because they pose privacy problems). > However, because of concern about blowback attacks, fewer and fewer sites > are generating bounce messages, at least to unauthenticated senders. > > Rules against tampering with or even inspecting message content in transit > have also eroded due to the need to do malware > filtering. That is probably also the least-bad solution > possible but takes us down a path similar to the switch from HTTP to HTTPS- > based web connections: enterprises with concerns about attacks hidden > behind the encryption have huge incentives, even a sense of necessity, to > fake termination points and keys > to allow content inspection at firewalls or the equivalent. > > In each case, the bad guys may get frustrated in their immediate goals but > the long-term effect is a narrowing of the functionality and reliability of the > Internet. > > > --On Friday, May 11, 2018 13:00 +0100 Alexey Melnikov > <aamelnikov@fastmail.fm> wrote: > > > Hi, > > Many of you have seen several long discussions thread about DMARC and > > how it affects use of IETF/IRTF mailing lists. > > > > After testing DMARC workaround code written by Henrik Levkowetz on > > several high volume IETF and IRTF mailing lists (e.g. CFRG, WebRTC, > > DMARC, QUIC), the tools team and the IESG decided that Henrik's code > > should be deployed for all IETF and IRTF mailing lists. In particular > > the workaround allows people from DMARC p=reject domains to > > participate in IETF mailing lists, as well as to avoid the problem of > > recipients being unsubscribed from mailing lists. These 2 issues were > > the main reasons for developing the DMARC workaround code.. > > > > The workaround will be deployed today, May 11th. > > > > > > Below are some technical details on how the email address rewriting > > workaround is going to work: > > > > Emails from domains that don't have a p=reject DMARC setting are not > > going to be affected in any way. > > > > For emails from p=reject domains: > > > > - The From header field of such emails will be rewritten to be under > > @dmarc.ietf.org domain (which will have a p=none policy). For example, > > "alexey@example.com" email address would become > > "alexey=40example.com@dmarc.ietf.org". The original From header field > > will be preserved in the X-Original-From header field, which can be > > used for automatic message processing by Sieve and Mail User Agents. > > > > Note that the mapping is reversible, so it is possible to send replies > > or new messages to an original sender by sending them to the > > corresponding mapped @dmarc.ietf.org email address. > > >
- Re: Enabling DMARC workaround code for all IETF/I… Andrew G. Malis
- Re: Enabling DMARC workaround code for all IETF/I… Russ Housley
- Re: Enabling DMARC workaround code for all IETF/I… Andrew G. Malis
- Enabling DMARC workaround code for all IETF/IRTF … Alexey Melnikov
- Re: Enabling DMARC workaround code for all IETF/I… Andrew G. Malis
- Re: Enabling DMARC workaround code for all IETF/I… John C Klensin
- RE: Enabling DMARC workaround code for all IETF/I… MH Michael Hammer (5304)
- RE: Enabling DMARC workaround code for all IETF/I… John C Klensin
- Re: Enabling DMARC workaround code for all IETF/I… Alexey Melnikov
- Re: Enabling DMARC workaround code for all IETF/I… Ted Lemon
- Re: Enabling DMARC workaround code for all IETF/I… Andrew G. Malis
- Re: Enabling DMARC workaround code for all IETF/I… John C Klensin
- Re: Enabling DMARC workaround code for all IETF/I… Spencer Dawkins at IETF
- Re: Enabling DMARC workaround code for all IETF/I… John C Klensin
- Re: Enabling DMARC workaround code for all IETF/I… Viktor Dukhovni
- Re: Enabling DMARC workaround code for all IETF/I… Spencer Dawkins at IETF
- Re: Enabling DMARC workaround code for all IETF/I… John Levine
- Re: Enabling DMARC workaround code for all IETF/I… John C Klensin
- Re: Enabling DMARC workaround code for all IETF/I… Viktor Dukhovni
- Re: Enabling DMARC workaround code for all IETF/I… John Levine
- Re: Enabling DMARC workaround code for all IETF/I… Viktor Dukhovni
- Re: Enabling DMARC workaround code for all IETF/I… Hector Santos
- Integrity of mail systems (was Re: Enabling DMARC… Andrew Sullivan
- Re: Enabling DMARC workaround code for all IETF/I… Alessandro Vesely
- Re: Integrity of mail systems (was Re: Enabling D… John C Klensin
- Re: Integrity of mail systems (was Re: Enabling D… Michael Richardson
- Re: Integrity of mail systems (was Re: Enabling D… Phillip Hallam-Baker
- Re: Enabling DMARC workaround code for all IETF/I… Hector Santos
- Re: Enabling DMARC workaround code for all IETF/I… Brandon Long
- Re: Enabling DMARC workaround code for all IETF/I… Brian E Carpenter
- Re: Enabling DMARC workaround code for all IETF/I… Glen