#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by lnicola):
Having tested on postgis-tickets, it seems that disabling the addition of
the Sender header is enough to keep DKIM signatures valid.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:20>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by strk):
Note I did not find a way to change that setting from the web UI, so I'm
not sure how to make it a default also for newly created lists. The
incantation I've used to change it for postgis-tickets was this:
{{{
list=postgis-tickets
config_list -o - ${list} |
sed 's/^include_sender_header =.*/include_sender_header = 0/' |
config_list -i /dev/stdin ${list}
}}}
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:21>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by gdt):
I think it's entirely unreasonable to remove DKIM headers. The problem
is that DMARC expects DKIM to be present and valid, and the only non-
problematic approach is to configure the list to not break DKIM (by not
modifying the message).
strk's change to stop setting Sender seems good. One could just change
the installed mailman code to make it default; it seems that with mail
senders including Sender: in DKIM (which is IMHO a bug but we can't fix
it), that it's no longer OK for lists to set it, in general.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:22>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by strk):
So to recap the current recommendation for mailing list would be to:
1. Set "Replace the From" to "no"
https://lists.osgeo.org/mailman/admin/postgis-tickets/general
2. Disable "Reply-to" munging
https://lists.osgeo.org/mailman/admin/postgis-tickets/general
3. Remove footer from the non-digest options
https://lists.osgeo.org/mailman/admin/postgis-tickets/nondigest
4. Set include_sender_header to false
https://trac.osgeo.org/osgeo/ticket/3011#comment:21
I guess next step would be writing a script to set the above
configurations programmatically for any list, and try it against the next
test list (sac?)
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:23>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by strk):
It looks like the right place for writing the reccomendations would be the
wiki page:
https://wiki.osgeo.org/wiki/SAC:Mailing_Lists#Configuring_the_mailing_list
For now I've just added a link back to comment:23 but it would proabbly be
better to copy all the content there instead.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:24>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by strk):
I've added an /osgeo/mailman-tools/recommended_setup script on osgeo6 to
more quickly set the configuration of a mailing list. The script is
deployed via ansible as of https://gitea.osgeo.org/gitea/sac/ansible-
deployment/commit/7b621ce4c082e4d8f00035461f389b1e6947625c
The script does NOT yet deal with the footer but prints a link to deal
with it yourself.
As of today I've changed postgis-devel to use the new configuration and
updated the wiki page
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3011#comment:25>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by lnicola):
According to some subscribers to gdal-dev, Gmail greylists our messages,
probably because they lack DKIM. Combined with our own, less discriminate
greylisting, this causes significant delays.
I feel less strongly these days about leaving the headers untouched vs.
stripping and re-signing (some users don't really feel like changing their
filtering rules), but having no DKIM is a lot worse.
--
Ticket URL: <#3011 (Write recommendation for mailing list configuration regarding DKIM/DMARC/SPF) – OSGeo;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.
#3011: Write recommendation for mailing list configuration regarding
DKIM/DMARC/SPF
------------------------------+------------------------
Reporter: strk | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Unplanned
Component: SysAdmin/Mailman | Resolution:
Keywords: dkim, spf, dmarc |
------------------------------+------------------------
Comment (by gdt):
It would seem straightforward to just not remove the original DKIM header.
I get, or used to get, vast amounts of list mail that has DKIM from the
original sender, which doesn't validate.
As I understand things, google is basically saying "it's 2025; if you are
emitting mail without DKIM you are suspicious" and as much as I don't like
google setting rules for the world, they aren't really wrong in this case.
--
Ticket URL: <#3011 (Write recommendation for mailing list configuration regarding DKIM/DMARC/SPF) – OSGeo;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.