On 12/8/20 3:43 PM, Per Jessen wrote:
Peter Simons wrote:
AFAICT, mailman offers only two (marginally useful) options, per list - replace from with list address or wrap message in an outer message. Neither is of much use to us, we don't want the From: address to change.
you realize, though, that it's impossible to keep "From:" as-is if you want to deliver postings reliably to all recipients?
Well, for at least the last four years, it has not caused us any problems. (i.e. I haven't seen any tickets nor have I heard anyone complain).
That's not a real argument because MTA admins just began to implement SPF/DKIM/DMARC during the last two years.
If you keep the original "From:", then those postings will potentially fail the SPF check. I have that exact problem with my private domain cryp.to. I cannot post as simons@cryp.to to mailing lists that don't re-write "From:" because sites like gmail.com will reject those messages. When I found out about that, I could not believe that they would check the SPF records against the "From:" header found in the message payload, but, well, they do.
That is certainly non-standard. It should really only be checked on the envelope address.
This ship has sailed with the continuously growing adoption of DMARC. Like it or not you have to use munge_from.
Besides, if we were to fiddle with the From: header, the DKIM validation would likely fail.
That's why you also strip old DKIM headers and let your MTA re-sign the new message.
Anyway, isn't this all a bit off topic here on this list?
I agree. Move that to heroes list? Ciao, Michael.
Michael Ströder wrote:
On 12/8/20 3:43 PM, Per Jessen wrote:
Peter Simons wrote:
AFAICT, mailman offers only two (marginally useful) options, per list - replace from with list address or wrap message in an outer message. Neither is of much use to us, we don't want the From: address to change.
you realize, though, that it's impossible to keep "From:" as-is if you want to deliver postings reliably to all recipients?
Well, for at least the last four years, it has not caused us any problems. (i.e. I haven't seen any tickets nor have I heard anyone complain).
That's not a real argument because MTA admins just began to implement SPF/DKIM/DMARC during the last two years.
Hmm, I'm not too sure about that estimate. Looking at e.g. our internal SPF whitelist, the earliest entries are eight years old.
Anyway, isn't this all a bit off topic here on this list?
I agree. Move that to heroes list?
Done. -- Per Jessen, Zürich (1.2°C) Member, openSUSE Heroes
On 12/8/20 4:04 PM, Per Jessen wrote:
Michael Ströder wrote:
On 12/8/20 3:43 PM, Per Jessen wrote:
Peter Simons wrote:
AFAICT, mailman offers only two (marginally useful) options, per list - replace from with list address or wrap message in an outer message. Neither is of much use to us, we don't want the From: address to change.
you realize, though, that it's impossible to keep "From:" as-is if you want to deliver postings reliably to all recipients?
Well, for at least the last four years, it has not caused us any problems. (i.e. I haven't seen any tickets nor have I heard anyone complain).
That's not a real argument because MTA admins just began to implement SPF/DKIM/DMARC during the last two years.
Hmm, I'm not too sure about that estimate. Looking at e.g. our internal SPF whitelist, the earliest entries are eight years old.
Again: This issue is not caused by SPF alone. IIRC classic SPF checks only covered envelope sender. It's caused by DMARC which mandates checking the From: header. And DMARC adoption is increasingly used for being able to deliver to big players like GMail, Yahoo and Microsoft. As said: This is a moving target anyway and this issue will rather increase instead of going away. Ciao, Michael
Hello, On Tue, 8 Dec 2020, Michael Ströder wrote:
AFAICT, mailman offers only two (marginally useful) options, per list - replace from with list address or wrap message in an outer message. Neither is of much use to us, we don't want the From: address to change.
you realize, though, that it's impossible to keep "From:" as-is if you want to deliver postings reliably to all recipients?
Well, for at least the last four years, it has not caused us any problems. (i.e. I haven't seen any tickets nor have I heard anyone complain).
That's not a real argument because MTA admins just began to implement SPF/DKIM/DMARC during the last two years.
Hmm, I'm not too sure about that estimate. Looking at e.g. our internal SPF whitelist, the earliest entries are eight years old.
Again:
This issue is not caused by SPF alone. IIRC classic SPF checks only covered envelope sender.
It's caused by DMARC which mandates checking the From: header. And DMARC adoption is increasingly used for being able to deliver to big players like GMail, Yahoo and Microsoft.
Right, and as DMARC checks the From: header, neither it, nor any of the other signed headers or the body must be changed by the list server, that usually includes Subject. If the list server then doesn't change any of those headers no From: rewriting is necessary, unlike you claimed above. It is merely the alternative to other header-rewriting (or body-rewriting even); if the list server does any of that, then yes, From munging is necessary. Ciao, Michael.
Michael Matz wrote:
Hello,
On Tue, 8 Dec 2020, Michael Ströder wrote:
AFAICT, mailman offers only two (marginally useful) options, per list - replace from with list address or wrap message in an outer message. Neither is of much use to us, we don't want the From: address to change.
you realize, though, that it's impossible to keep "From:" as-is if you want to deliver postings reliably to all recipients?
Well, for at least the last four years, it has not caused us any problems. (i.e. I haven't seen any tickets nor have I heard anyone complain).
That's not a real argument because MTA admins just began to implement SPF/DKIM/DMARC during the last two years.
Hmm, I'm not too sure about that estimate. Looking at e.g. our internal SPF whitelist, the earliest entries are eight years old.
Again:
This issue is not caused by SPF alone. IIRC classic SPF checks only covered envelope sender.
It's caused by DMARC which mandates checking the From: header. And DMARC adoption is increasingly used for being able to deliver to big players like GMail, Yahoo and Microsoft.
Right, and as DMARC checks the From: header, neither it, nor any of the other signed headers or the body must be changed by the list server, that usually includes Subject.
the DMARC policy for suse.com was only recently updated to include "subject", but I presume some bigger providers have already been quarantining mails from suse.com addresses since mid-November. Fwiw, the only one that actually notifies the sending mta is gmail - I see nothing from Microsoft nor Yahoo.
If the list server then doesn't change any of those headers no From: rewriting is necessary, unlike you claimed above. It is merely the alternative to other header-rewriting (or body-rewriting even); if the list server does any of that, then yes, From munging is necessary.
Currently, all we do is add a footer. -- Per Jessen, Zürich (1.4°C) Member, openSUSE Heroes
On 12/8/20 6:56 PM, Per Jessen wrote:
Fwiw, the only one that actually notifies the sending mta is gmail - I see nothing from Microsoft nor Yahoo.
How do you know? For example the postmaster for opensuse.org doesn't get the DMARC reports for my domain. I currently see immediate reports from various domains and aggregated reports also from Yahoo. Maybe I misunderstood you though. Ciao, Michael.
Michael Ströder wrote:
On 12/8/20 6:56 PM, Per Jessen wrote:
Fwiw, the only one that actually notifies the sending mta is gmail - I see nothing from Microsoft nor Yahoo.
How do you know?
Only from the mail log, where Google's servers say: "250 2.0.0 OK DMARC:Quarantine ...... " I don't see any such report from anyone else. Very useful from Google.
For example the postmaster for opensuse.org doesn't get the DMARC reports for my domain. I currently see immediate reports from various domains and aggregated reports also from Yahoo.
Right - I have no idea what the others do or don't. -- Per Jessen, Zürich (0.9°C) Member, openSUSE Heroes
Hello, On Tue, 8 Dec 2020, Per Jessen wrote:
AFAICT, mailman offers only two (marginally useful) options, per list - replace from with list address or wrap message in an outer message. Neither is of much use to us, we don't want the From: address to change.
you realize, though, that it's impossible to keep "From:" as-is if you want to deliver postings reliably to all recipients?
Well, for at least the last four years, it has not caused us any problems. (i.e. I haven't seen any tickets nor have I heard anyone complain).
That's not a real argument because MTA admins just began to implement SPF/DKIM/DMARC during the last two years.
Hmm, I'm not too sure about that estimate. Looking at e.g. our internal SPF whitelist, the earliest entries are eight years old.
Again:
This issue is not caused by SPF alone. IIRC classic SPF checks only covered envelope sender.
It's caused by DMARC which mandates checking the From: header. And DMARC adoption is increasingly used for being able to deliver to big players like GMail, Yahoo and Microsoft.
Right, and as DMARC checks the From: header, neither it, nor any of the other signed headers or the body must be changed by the list server, that usually includes Subject.
the DMARC policy for suse.com was only recently updated to include "subject", but I presume some bigger providers have already been quarantining mails from suse.com addresses since mid-November.
Fwiw, the only one that actually notifies the sending mta is gmail - I see nothing from Microsoft nor Yahoo.
Sure, I merely wanted to refute the claim that From: munging is a necessity of mailing list servers for DMARC reasons (still quoted above).
If the list server then doesn't change any of those headers no From: rewriting is necessary, unlike you claimed above. It is merely the alternative to other header-rewriting (or body-rewriting even); if the list server does any of that, then yes, From munging is necessary.
Currently, all we do is add a footer.
That's body rewriting and would also invalidate DKIM signatures (if body is included, of course, but it often is), and hence necessitate From munging. Ciao, Michael.
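The point argued in this thread, that appending a list footer changes the DKIM body hash and so pushes the list towards From: munging once the author's domain enforces DMARC, shown as an added example that is not part of any message above. The sample posting, the footer and the `list_action` helper are constructed for illustration; the code assumes relaxed body canonicalization with SHA-256, untouched signed headers, and that SPF cannot align because the list relays with its own envelope sender.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization as defined in RFC 6376, section 3.4.4."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of whitespace to one space and drop whitespace at line ends.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at the end of the body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a verifier compares against the bh= tag (sha256, relaxed body)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def list_action(original: bytes, relayed: bytes, dmarc_policy: str) -> str:
    """Hypothetical helper: what the list has to do for this posting.

    Assumes the signed headers are untouched and that SPF cannot align,
    because the list relays with its own envelope sender.
    """
    if body_hash(original) == body_hash(relayed):
        return "keep From"                 # author's DKIM signature still verifies
    if dmarc_policy in ("quarantine", "reject"):
        return "munge From"                # DKIM broken and policy is enforced
    return "keep From, DMARC fails"        # p=none: fails, but nothing is enforced

# Constructed sample posting and list footer.
ORIGINAL = b"Hello list,\r\n\r\nplease see the attached patch.\r\n"
FOOTER = b"-- \r\nTo unsubscribe, e-mail: list+unsubscribe@example.org\r\n"
# Same posting after a relay altered only trailing whitespace and blank lines.
WHITESPACE_ONLY = b"Hello list,  \r\n\r\nplease see the attached patch.\r\n\r\n"

if __name__ == "__main__":
    print("original bh:", body_hash(ORIGINAL))
    print("footer   bh:", body_hash(ORIGINAL + FOOTER))
    print(list_action(ORIGINAL, WHITESPACE_ONLY, "reject"))
    print(list_action(ORIGINAL, ORIGINAL + FOOTER, "reject"))
    print(list_action(ORIGINAL, ORIGINAL + FOOTER, "none"))
```

Relaxed canonicalization absorbs whitespace-only changes, but any added text such as a footer yields a different `bh=` value, which is the case Michael Matz describes.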