On Jan 23, 2014, at 10:13 AM, Murray S. Kucherawy <[email protected]> wrote:
> On Thu, Jan 23, 2014 at 9:17 AM, Franck Martin <[email protected]> wrote:
>
> > On Jan 22, 2014, at 8:38 PM, Murray S. Kucherawy <[email protected]> wrote:
> >
> > > The feature request asks for a way to whitelist deliveries for which
> > > there's "p=reject" and DMARC fails as long as there's a List-Id: or
> > > List-Post: field on a message. This is basically a filter bypass feature
> > > that's at the control of the sender, and it seems like a really bad idea as
> > > described.
> > >
> > > There would need to be more to it than just this. Can you develop the idea
> > > more? What should be in the field if it's present? Should it be tied to
> > > something else?
> >
> > It is not at the control of the sender, it is at the control of the receiver.
> > The receiver needs to enter the IP of where mailing lists are sending from.
> > It is up to the receiver to decide if it should override the policy. This
> > feature is part of the spec where receivers can override the policy and
> > indicate it in the reports.
>
> Ah, I misread the request. I thought the request was just to skip DMARC
> enforcement if those header fields are present regardless of origin.
>
> I think John's point holds though, namely that the receiver will have to keep
> that list pretty current, or find some secure way of doing so automatically.

Yes, this may not be easy in some scenarios. The way I found out how to help is
to log each time I reject an email that contains a List-Id or List-Post header.
I process these logs once in a while and pick the IPs I want to whitelist.
Anyhow, the point here is to have the capability, as it is part of the DMARC
spec. How this list is built is left as an exercise ;)

> > Because some mailing lists like google-groups send from the same IP as other
> > mail streams, you only want to override the mail that is obviously from a
> > mailing list. The easy indicator I found is the presence of the List-Id or
> > List-Post header.
>
> The risk, of course, is that there might be a way to send abusive mail
> from/via those IP addresses, and simply tack those header fields onto the
> message. That bypasses DMARC entirely. So the receiver enabling this will
> need to understand how the sender/relay uses those IP addresses and trust
> that it's unlikely to change.

Sure.

> > You could make it more complicated, and tie IPs with the presence of the
> > header and its content (usually the name of the mailing list), but also it
> > is common that several mailing lists are hosted on the same machine, so I
> > don't see the need to make the criteria of surgical precision.
>
> There are other possibilities. For example, List-Id: is generally the list's
> submission address with the "@" changed to a ".". You might try saying "If
> it comes from IP X, the value of this field ought to look like *.Y, where Y
> is the Organizational Domain Name associated with X". And maybe the domain
> name part of that needs also to be DMARC-aligned. I'm making this up as I
> go, but you get the idea.

Yes, this is what mailman does, but I think ezmlm (or majordomo?) does not put
a List-Id, only a List-Post. What I mean is, it is not well standardized,
because mailing list software is usually old. And I'm on some mailing lists
which behave more like an alias than anything else, but then don't break DKIM :P
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
