Subject: Re: [boost] Mangled "From" field in mailing list posts
From: Vladimir Prus (vladimir.prus_at_[hidden])
Date: 2017-06-14 06:40:08
On 14/06/2017 01:17, Michael Caisse via Boost wrote:
> On 6/13/17 01:22, Vladimir Prus via Boost wrote:
>> On 12/06/2017 23:32, Michael Caisse via Boost wrote:
>>> On 6/11/17 06:48, Stefan Seefeld via Boost wrote:
>>>> The "From:" field could contain the full address of the original poster,
>>>> not just his name. That's how things were before the change, IIUC.
>>>> But, AFAIU, that had to change because some mail servers would refuse to
>>>> serve mail whose "From:" address differed from the "sender" field (which
>>>> is the list address in our case). Am I describing this correctly ? I
>>>> wonder how others handle this situation (in particular, how mailman and
>>>> similar tools deal with this themselves), given how frequent a use-case
>>>> this is...
>>> With the old system, many people were having issues with DMARC filtering
>>> emails as-if they were spoof'd. In the recent couple years many
>>> corporate accounts have moved to utilize DMARC as part of their inbound
>>> authentication and the popularity continues to increase.
>>> Unfortunately, Mail Lists normally break because the original sender's
>>> domain DKIM signature doesn't match the Mail List. The most popular work
>>> around is rewriting the From header field. We are doing that in the most
>>> basic manner.
>> Hi Michael,
>> thanks for the explanation. So, if I understand correctly, the problem
>> is that some *senders* have their domains configured to ask recipients
>> to reject emails that don't pass DKIM or SPF? In other words, the
>> question is not how many organizations have DMARC for inbound
>> authentication, but how many users are sending emails to a mailing list
>> (which, by definition, forwards email with modifications) while also
>> requesting than any forwared with modifications emails are rejected by
>> recipients? How many such sending users/domains do we have?
> I might have explained poorly. When the ML sends emails, it is the
> receiving side (inbound) that is doing the check. The receiving server
> confirms headers, checks the signature against what is in the original
> sender's domain entries and then fails the message.
According to what I read, only if *sending side* requests to fail the
message with "p=reject" in DMARC DNS entry. Is it not true?
Also, according to what I read, if ML does not modify any headers and
does not modify body, and does not add its own DKIM signature, then DKIM
test will pass. Is it not true?
At present, it seems that mailing list:
- Adds footer (which breaks original DKIM signature)
- Adds its own DKIM signature (in fact, two)
- Modifies From header to "fix" things up.
I am asking whether we've tried to configure Mailman to try not
modifying anything at all, and act as close to perfect forwarding
> Some of the organizations/services that utilize DMARC: Microsoft, Yahoo,
> Pixar, any thing through Rackspace, and gmail.
Microsoft has "p=none" as well. Gmail likewise. Only Yahoo has "p=reject".
> We are talking about some other solutions... but most of them are
> horrible or short lived until the entire world moves to DMARC.
I am not 100% sure that Mailman can be configured to keep original
DKIM signature valid (and seems like its developers don't know either),
but it seems to me that loosing mailing list footer is better than
mangling From field, and therefore worth a try?
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk