On 11/4/19 7:42 AM, Andy Cravens wrote:
> Using mailman 2.1.26.  I’m auditing the lists on my server for DMARC
> compliance.  I’ve found several list configs that do not have the DMARC action
> set to “munge_from.”  It appears I need to edit all those lists and fix that
> setting.  I’ve also noticed that in mm_cfg.py there is no setting for
> REMOVE_DKIM_HEADERS.  I just wanted to verify the proper order for fixing
> these issues.  Seems like I need to correct the munge_from setting for all
> the affected lists and then as quickly as possible add REMOVE_DKIM_HEADERS =
> 1 to mm_cfg.py and restart.  It appears that whichever task I complete first,
> some messages will be undeliverable until both changes are complete.  Maybe
> it would be best to stop mailman, complete both changes and then restart?
> Just looking for the best way to do this.


REMOVE_DKIM_HEADERS has nothing to do with and should not affect DMARC.
While it is true that DMARC action set to “munge_from” will break DKIM,
DKIM is already broken by other list modifications to the message or you
wouldn't be having DMARC issues.

Best practice is to Munge the From: if necessary based on the DMARC
policy of the original From: domain and to DKIM sign the outgoing
message with a sig from your domain which is also the munged From: domain.

If you want Mailman to remove the older DKIM sigs, you can configure
that, but it should have no effect one way or the other. See
<https://tools.ietf.org/html/rfc6376#section-6.1>.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
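
The policy-based From: munging described in the reply above, as an added Python sketch; it is not part of the original thread and is not Mailman's own code. The domains, the sample TXT records and the names `dmarc_policy` and `munge_if_needed` are assumptions for illustration; a real deployment would query DNS at `_dmarc.<domain>` (with organizational-domain fallback) and then DKIM sign the outgoing message with the list domain's key.

```python
from email.utils import parseaddr, formataddr

# Constructed DMARC TXT records standing in for DNS lookups at _dmarc.<domain>.
SAMPLE_DMARC = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "quar.example": "v=DMARC1;p=quarantine;pct=100",
    "relaxed.example": "v=DMARC1; p=none",
}


def dmarc_policy(txt):
    """Return the p= value of a DMARC record, or None if it is not a DMARC record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    policy = tags.get("p")
    return policy.lower() if policy else None


def munge_if_needed(msg, list_addr, list_name, records=SAMPLE_DMARC):
    """Rewrite From: to the list address only when the author's domain
    publishes p=reject or p=quarantine. Returns True if the header changed."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    if dmarc_policy(records.get(domain)) not in ("reject", "quarantine"):
        return False  # list changes still break DKIM, but DMARC will not reject
    del msg["From"]
    # The new From: domain is the list's own, so the list's DKIM signature aligns.
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    if "Reply-To" not in msg:
        msg["Reply-To"] = addr  # keep the author reachable (simplified handling)
    return True
```
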