Lance A. Brown writes:

 > I'm working on setting up Mailman 3 on an Ubuntu 24.04 LTS server.
 > I've got everything running and working with docker-mailman.  Now
 > I'm looking at configuring ARC and am a bit lost.
 > 
 > How is ARC configured in a mailman3 with multiple domains?

It shouldn't be.  It should be configured in your MTAs.  Mailman can't
do SPF, and it can't make the decision to distribute or not based on
ARC validation without a preexisting ARC-Authentication-Results field
from your host.  Neither of those is fatal, but implementing in the
MTA is preferable.

ARC was originally added as a proof of concept.  But I have to admit
setting it up in Mailman is easier than doing it in the MTA; it's not
as easy as throwing a switch in Postfix or Amavis (although it should
be!).

 > Do I set it up to use the hostname of the server Mailman is running
 > on?

That's arbitrary.  Here's the theory of ARC:

1.  I saw it come in.  ARC (all the way back) was valid as of last
    hop.  Here are current SPF and DKIM results.  Trust me!
2.  It wasn't Evil when it came in and I didn't do anything Evil to
    it.  Trust me!
3.  Here are my signatures.  Validate them!

So the question is, "why do other systems trust you, and what identity
do you want your trustworthiness to bind to?"  Could be an
organizational reputation you already have, in which case you might
want to use that domain.  One of your Mailman domains (e.g., the one
with the widest distribution) might serve as a representative.  Or
none of the above has a reputation to the general public, and you need
to build it from scratch.  In that case, the host name is as good a
place as any to start, I guess.

Note, I have no experience inside the big email providers who are
generally the important consumers of ARC, so you should take the
advice above as a place to start thinking, rather than authoritative.
Unfortunately they tend to be very close-mouthed about how they
evaluate messages or sites, and their published advice amounts to
"follow best practices such as DKIM signing and ARC".

Note that as far as I know Mailman's ARC implementation doesn't do
anything except implement validation and signing.  Some other part of
the process needs to decide what to do about a broken ARC chain or
other authentication failures, but I don't see a way to do it in
current Mailman -- the decision to reject, hold, or distribute takes
place before ARC handlers are invoked as far as I can tell.

_______________________________________________
Mailman-users mailing list -- mailman-users@mailman3.org
https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
Archived at: 
https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/3DE2W2QDKFQWO6TJDQMG5RR6ULN4QIB2/
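
Added example (not part of the message above and not Mailman's code): a structural check of an ARC chain following RFC 8617, the kind of "is the chain broken?" decision the message says has to be made somewhere other than the signing step. It does not verify signatures; the sample message, domains and selector are constructed.

```python
from email import message_from_string
ARC_FIELDS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

# Constructed sample: two hops, placeholder signature values.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=lists.example.org; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=lists.example.org; s=arc;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; lists.example.org; arc=pass; dkim=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=mx.example.net; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=mx.example.net; s=arc; b=PLACEHOLDER
ARC-Authentication-Results: i=1; mx.example.net; spf=pass; dkim=pass
From: author@example.com

body
"""

def _tags(value):
    """Parse a 'k=v; k=v' tag list into a dict, ignoring folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = "".join(val.split())
    return tags

def arc_chain_structure(raw):
    """Return (status, reason); status is 'none', 'fail' or 'ok'."""
    msg = message_from_string(raw)
    sets = {}  # instance number -> {field name: [tag dicts]}
    for name in ARC_FIELDS:
        for value in msg.get_all(name, []):
            tags = _tags(value)
            if not tags.get("i", "").isdecimal():
                return ("fail", f"{name} without a valid i= tag")
            sets.setdefault(int(tags["i"]), {}).setdefault(name, []).append(tags)
    if not sets:
        return ("none", "no ARC sets present")
    top = max(sets)
    if min(sets) < 1 or top > 50:
        return ("fail", "instance number outside 1..50")
    for i in range(1, top + 1):  # every hop must have contributed a full set
        for name in ARC_FIELDS:
            if len(sets.get(i, {}).get(name, [])) != 1:
                return ("fail", f"instance {i}: expected exactly one {name}")
        cv = sets[i]["ARC-Seal"][0].get("cv")
        if cv != ("none" if i == 1 else "pass"):  # first sealer has no prior chain
            return ("fail", f"instance {i}: unexpected cv={cv}")
    return ("ok", f"{top} complete ARC set(s); signatures not verified")
```

An "ok" here only means the chain is well-formed; a validator still has to check each ARC-Message-Signature and ARC-Seal cryptographically before trusting it.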
