https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34927
--- Comment #9 from Thomas Dukleth <[email protected]> ---

By February 2024, fixing DKIM re-signing may be needed for lists.koha-community.org and more for the Koha general mailing list when Gmail and Yahoo mail [with AOL] may start blocking messages for not being DKIM re-signed when sent from the mailing lists. It is uncertain whether Gmail and Yahoo mail will continue to give a false pass for messages using the original author's DKIM signature which does not match the mailing list sending server, nor the From header with DMARC support enabled. Gmail, Yahoo mail, AOL mail, Microsoft [Exchange and various names] etc. have all rejected messages for bad DKIM signature from mailing lists during past periods of extra DKIM strictness.

I have given precise technical details of changes which may be made to resolve the issue of OpenDKIM signing with people at BibLibre responsible for lists.koha.org . I have also communicated with Rachel Hamilton-Williams about adding DMARC support for the Koha general mailing list. Rachel informed me that she would like to hand over hosting of the Koha mailing list for more attentive hosting than her partner is able to provide.

At the end of last week, a radio broadcast brought my attention to changes coming in February 2024 which affect everyone in some manner. For large volume senders there are additional requirements, beyond those affecting everyone, which might affect people subscribing to the Koha general mailing list if the number of mailing list subscribers is enough and enough people route mail through the popular choice of Gmail even on mobile despite having some other apparent domain of some subscriber wherever that may be hosted initially. Details about more stringent SPF, DKIM, DMARC, ARC, and one-click unsubscribe link requirements are available from Google.
Mailing lists may be able to substitute DMARC support for lack of ARC support when rewriting the From header and thus re-originating and not merely forwarding messages but adding ARC is best addressed second.

"Email sender guidelines : Requirements for all senders" - https://support.google.com/mail/answer/81126#zippy=%2Crequirements-for-all-senders . Another part of the same document has the requirements which may affect the Koha general mailing list "Requirements for sending 5,000 or more messages per day" - https://support.google.com/mail/answer/81126#requirements-5k&zippy=%2Crequirements-for-sending-or-more-messages-per-day .

The Yahoo guide which I found has fewer details and does not refer to the coming February 2024 policy change: "Sender Best Practices" - https://senders.yahooinc.com/best-practices/ .

There is no shortage of secondary sources such as from the support provider Proofpoint, "Google and Yahoo Set a Short Timeline to Meet New DMARC Policy & Setup Requirements. Are You Ready?" - https://www.proofpoint.com/us/blog/email-and-cloud-threats/google-and-yahoo-set-new-email-authentication-requirements .

The general Koha mailing list may also have enough subscribers for which the most stringent requirements will be set.

Sidenote on ARC Support.

ARC is intended for authenticating the email chain when forwarding messages which is the basic function of mailing lists. Adding DMARC support should mean that the issue of ARC support for acceptable authentication for mailing lists might be moot because the mailing list is more clearly shown as re-originating email and not merely forwarding.
However, the announcements for February 2024 do not state that case with explicit clarity and Gmail adds ARC headers to all mail on their system and people at Google may presume that everyone else should too, especially when messages may retain headers showing that the message has been forwarded over the mailing list despite having been re-originated from the mailing list with DMARC authentication.

While Mailman 3 has functionality for ARC support which was added essentially experimentally a few years ago, the proper place for ARC support is in the MTA not in the mailing list software. When using ARC via Mailman 3 the mail envelope is sealed before DKIM re-signing which is the wrong order and has caused ARC authentication failure.

OpenARC, like OpenDKIM, functions in the MTA for Postfix or Sendmail, https://github.com/trusteddomainproject/OpenARC . Mailing lists at https://openarc.org/ . OpenARC is not as fully developed as OpenDKIM and support for some nice things such as multiple sending domains on the system seems to have been abandoned.

OpenARC has better support for BSD Unix and Red Hat than Debian based systems but is not as well developed, and although not robustly maintained for Debian based systems, there are openarc packages based on the OpenARC development branch for Debian 9 to 11, https://download.opensuse.org/repositories/home%3A/andreasschulze/ . [Mailman 2 which we are using for the mailing lists does not go past Debian 10 for lack of Python 2. Upgrading to Mailman 3 is non-trivial because of configuration changes, etc. and should not be the most immediate priority.]

There is a very brief blog post about using the Andreas Schulze Debian packages, "OpenARC with Postfix on Debian 10 (buster)" / Matthieu - https://weber.fi.eu.org/blog/Informatique/openarc_with_postfix_on_debian_10.html . You can also build your own packages from source as I have.
[In current testing of my source build, Postfix has a socket permissions error for OpenARC which may be from a mistake I had made with umask settings long ago on the system which runs my mailserver.]

I would be pleased to help when I am available. My question about what MTA is being used with Mailman for lists.koha-community.org and a recommended fix for various configuration files are in my original message quoted further below.
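
Added example (not part of the bug comment, and not Koha, Mailman or OpenDKIM code): a simplified DMARC identifier-alignment check in Python. It shows how the outcome for list mail depends on whether the From header is kept or rewritten and on which DKIM signature verifies. All domains, selectors and header values are constructed placeholders, and the two-label organizational-domain shortcut is an assumption made for the illustration.

```python
# Added example: DMARC identifier alignment (RFC 7489) for mailing-list mail.
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational
    # domain; a real evaluator consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a, b):
    # Relaxed alignment: organizational domains must match.
    return org_domain(a) == org_domain(b)

def dkim_domains(msg):
    # d= tag of every DKIM-Signature header, in header order.
    out = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = dict(t.split("=", 1) for t in value.split(";") if "=" in t)
        tags = {k.strip(): v.strip() for k, v in tags.items()}
        if "d" in tags:
            out.append(tags["d"].lower())
    return out

def dmarc_result(raw, mail_from_domain, spf_pass, dkim_verified):
    # dkim_verified: d= domains whose signatures verified at the receiver
    # (the cryptographic check itself is outside this example).
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    for d in dkim_domains(msg):
        if d in dkim_verified and aligned(d, from_domain):
            return ("pass", "dkim d=" + d)
    if spf_pass and aligned(mail_from_domain, from_domain):
        return ("pass", "spf " + mail_from_domain)
    return ("fail", "no identifier aligned with " + from_domain)

# Constructed sample headers; domains and selectors are placeholders.
AUTHOR_SIG = "DKIM-Signature: v=1; a=rsa-sha256; d=author.example; s=s1; b=constructed\n"
LIST_SIG = "DKIM-Signature: v=1; a=rsa-sha256; d=lists.library.example; s=l1; b=constructed\n"
FORWARDED = AUTHOR_SIG + "From: Author <author@author.example>\nSubject: [Koha] test\n\nbody\n"
REORIGINATED = (LIST_SIG + AUTHOR_SIG +
    'From: "Author via Koha" <koha@lists.library.example>\nSubject: [Koha] test\n\nbody\n')
LIST_HOST = "lists.library.example"  # envelope sender domain of the list server

if __name__ == "__main__":
    # Forwarded; the author's signature no longer verifies, no re-signing.
    print(dmarc_result(FORWARDED, LIST_HOST, True, set()))
    # Forwarded; the author's signature still verifies.
    print(dmarc_result(FORWARDED, LIST_HOST, True, {"author.example"}))
    # From rewritten and message re-signed by the list domain.
    print(dmarc_result(REORIGINATED, LIST_HOST, True, {LIST_HOST}))
```

In the first case SPF passes for the list server, but its domain is not aligned with the author's From domain, so nothing carries the DMARC result once the author's signature fails to verify.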
