[SAC] [OSGeo] #3011: Write recommandation for mailing lits configuration reguarding DKIM/DMARC/SPF

#3011: Write recommandation for mailing lits configuration reguarding
DKIM/DMARC/SPF
----------------------+-----------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin | Keywords:
----------------------+-----------------------
Given the amount of trouble mailing lists are having due to anti-spam
measures it would be useful if the OSGeo SysAdmin committee would publish
a recommendation about how to deal with them.

See https://lists.osgeo.org/pipermail/postgis-devel/2023-October/030125.html
for some background info

DKIM specs: DKIM Core Technical Specification

DMARC specs: Specifications – dmarc.org

SPF specs: SPF: Specifications
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

#3011: Write recommandation for mailing lits configuration reguarding
DKIM/DMARC/SPF
----------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin | Resolution:
Keywords: |
----------------------+------------------------
Comment (by strk):

A good explanation of the problem and different solutions is in Greg
Troxel mail in the aforementioned thread:
https://lists.osgeo.org/pipermail/postgis-devel/2023-October/030131.html
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:1>

#3011: Write recommandation for mailing lits configuration reguarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Changes (by strk):

* keywords: => dkim, spf, dmarc
* component: SysAdmin => SysAdmin/Mailman

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:2>

#3011: Write recommandation for mailing lits configuration reguarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by jef):

See also https://trac.osgeo.org/osgeo/ticket/2985
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:3>

#3011: Write recommendation for mailing lits configuration reguarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Changes (by jef):

* summary:
     Write recommandation for mailing lits configuration reguarding
     DKIM/DMARC/SPF
     =>
     Write recommendation for mailing lits configuration reguarding
     DKIM/DMARC/SPF

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:4>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Changes (by gdt):

* summary:
     Write recommendation for mailing lits configuration reguarding
     DKIM/DMARC/SPF
     =>
     Write recommendation for mailing list configuration regarding
     DKIM/DMARC/SPF

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:5>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by strk):

The test we're doing on postgis-tickets revealed some MUAs fail to provide
an indication of the message coming from a mailing list and give advice on
how to unsubscribe. This would degrade the experience of some users and
thus keeping the footer seems to still have a value.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:6>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by lnicola):

Some more thoughts on this, which I've mentioned in an email before:

  - rewriting the sender is really annoying because mail clients tend to
add the wrong name to the address book
  - it looks like Mailman prefers to strip the incoming DKIM signature;
ours preserves it, but adds a Sender header, which invalidates the
signature
  - stripping and re-signing is a valid option
  - the postgresql.org list manager is able to pass DKIM through just fine
  - we and postgresql.org send List-Unsubscribe headers, but some email
clients don't like those
  - ideally (under RFC 8058), we'd have a List-Unsubscribe-Post header and
DKIM-sign both to support the one-click thingy; of course, we have no DKIM
at all
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:7>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by gdt):

It is clear that we can't have a solution that makes everybody happy.
List-Foo headers seem to be pretty clearly a standard, and if someone and
their MUA can't deal with that, I don't think we should make everyone
suffer from forged From: lines because of it.

I don't understand "stripping and resigning is a valid option". That
requires a forged From:.

The Sender: situation is crazy. It is normal for mailinglists to add
Sender:. So I see three options:

   - Add Sender:. If a message to the list has DKIM covering Sender: and a
DMARC policy, reject it, because that domain has declared that messages
from its users may not appear on mailing lists.
   - With DKIM/Sender and DMARC, skip adding Sender:
   - Just don't add Sender either

The first option is righteous but unhelpful. Given the pg experience of
not having problems from not adding sender, I think the third option is
best.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:8>
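
An added example (not from the ticket or from Mailman's code): a check of which list-side changes discussed in the comments above would invalidate a poster's DKIM signature, based on the `h=` and `l=` tags of RFC 6376. The function names, parameters and sample messages are constructed for illustration; it assumes plain-text posts and does not verify signatures or look up DMARC policy.

```python
import re
from email import message_from_string

def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def list_changes_breaking_dkim(raw, adds_sender=True, subject_prefix=True,
                               adds_footer=True):
    """Return the list-side changes that would invalidate the poster's signature.

    Returns None when the message carries no DKIM-Signature at all.
    """
    msg = message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    tags = dkim_tags(sig)
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    broken = []
    # A header named in h= is covered even if absent from the post, so a
    # Sender: added by the list fails verification only when "sender" is signed.
    if adds_sender and "sender" in signed:
        broken.append("sender")
    # A subject tag rewrites a header that is almost always signed.
    if subject_prefix and "subject" in signed:
        broken.append("subject")
    # Without a body-length tag (l=) the whole body is hashed, so an appended
    # footer changes bh=.
    if adds_footer and "l" not in tags:
        broken.append("body")
    return broken

# Constructed sample posts; the bh= and b= values are placeholders.
SAMPLE_OVERSIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;
 h=from:to:subject:date:sender; bh=CONSTRUCTED; b=CONSTRUCTED
From: Alice <alice@example.org>
To: list@lists.example.net
Subject: hello

body text
"""
SAMPLE_PLAIN = SAMPLE_OVERSIGNED.replace("subject:date:sender", "date:message-id")

if __name__ == "__main__":
    print(list_changes_breaking_dkim(SAMPLE_OVERSIGNED))
    print(list_changes_breaking_dkim(SAMPLE_PLAIN, subject_prefix=False,
                                     adds_footer=False))
```

The second call models a list that adds Sender: but neither a subject tag nor a footer: the signature survives because `sender` is not in `h=`.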

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by lnicola):

> List-Foo headers seem to be pretty clearly a standard, and if someone
> and their MUA can't deal with that, I don't think we should make everyone
> suffer from forged From: lines because of it.

I opened a ticket with Fastmail for that. But the solution is probably to
add `List-Unsubscribe-Post` and sign the two headers with DKIM. I'm not
sure how hard that is to set up.

> I think the third option is best.

That's my preference too.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:9>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by gdt):

How is a user not understanding that to unsubscribe from a list that they
should look at headers and find List-Unsubscribe, something that fastmail
should address? Are you saying that fastmail provides an MUA that fails
to notice these headers and provide an unsubscribe button? Or something
else?

(I read mail with emacs/gnus, and it doesn't have any automatic
unsubscribe action feature that I know of. When I want off a list, I
have no issue just looking at the headers and finding the List-Unsubscribe
etc. header and sending a request or finding the mailman page.)
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:10>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by lnicola):

Yes, they normally show an Unsubscribe link next to the subject, in some
cases even when the headers are missing. I don't think we need to worry
too much about broken MUAs unless we're doing something wrong.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:11>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by strk):

Another case of mailing list messages going to spam: #3016
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:12>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by strk):

Removing the DKIM headers could be a good first step, and this recipe
might be a correct one for mailman2 (and could be global too):
https://mail.python.org/pipermail/mailman-users/2011-October/072304.html
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:13>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by strk):

The recipe in the above link is already in place for OSGeo, since 2017
(thanks jef) but it's evidently not working as expected.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:14>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Changes (by strk):

* cc: Jeff McKenna (added)

Comment:

It was actually jmckenna adding the `REMOVE_DKIM_HEADERS = Yes` in May
2019, according to git log, not sure why that change included also a
comment supposedly coming from 2017 by Jurgen (jef) --- I think it'll be
good to put that configuration in ansible.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:15>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by strk):

The help string for that variable:
{{{
# Some list posts and mail to the -owner address may contain DomainKey or
# DomainKeys Identified Mail (DKIM) signature headers <http://www.dkim.org/>.
# Various list transformations to the message such as adding a list header or
# footer or scrubbing attachments or even reply-to munging can break these
# signatures. It is generally felt that these signatures have value, even if
# broken and even if the outgoing message is resigned. However, some sites
# may wish to remove these headers. Possible values and meanings are:
# No, 0, False -> do not remove headers.
# Yes, 1, True -> remove headers only if we are munging the from header due
#                 to from_is_list or dmarc_moderation_action.
# 2 -> always remove headers.
# 3 -> always remove, rename and preserve original DKIM headers.
REMOVE_DKIM_HEADERS = No
}}}

The current value (YES == 1) is not enough to fix lnicola's case above:
https://trac.osgeo.org/osgeo/ticket/3011#comment:7
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:16>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by strk):

It's to be noted that DMARC moderation action can also be set globally
rather than expecting each list owner to deal with it. Now the
/etc/mailman/mm_cfg.py file is in ansible so further tweaks to it could be
done there.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:17>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by strk):

Configuration for avoiding setting a "sender" seems to be per-list only,
with the only global configuration allowing or forbidding the avoidance:
{{{
# RFC 2822 suggests that not adding a Sender header when Mailman is the agent
# responsible for the actual transmission is a breach of the RFC. However,
# some MUAs (notably Outlook) tend to display the Sender header instead of the
# From details, confusing users and actually losing the original sender when
# forwarding mail. By setting this variable to Yes, list owners will be
# given the option to avoid setting this header.
ALLOW_SENDER_OVERRIDES = Yes
}}}
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:18>

#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by strk):

I've changed `include_sender_header` value to `0` for postgis-tickets
mailing list, to test if option 3 in
https://trac.osgeo.org/osgeo/ticket/3011#comment:8 is viable
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:19>