On 3/23/21 2:55 PM, Grant Taylor via NANOG wrote:
On 3/23/21 1:40 PM, Michael Thomas wrote:
The big problem with mailing lists is that they screw up security by
changing the subject/body and breaking DKIM signatures.
What you are describing is a capability, configuration, execution
issue with the mailing list manager software.
Said another way, what you are describing is *NOT* a problem with the
concept of mailing lists.
MLMs can easily receive messages -- after their MTA imposes all
germane filtering -- and generate /new/ but *completely* *independent*
messages substantially based on the incoming message's content. These
/new/ messages come /from/ /the/ /mailing/ /list/! Thus the mailing
list operators can leverage all the aforementioned security / safety
measure for the mailing list.
But they still have the originating domain's From: address. Manifestly
using MLM signatures as means of doing a reputation check is a
previously unsolved problem hence the silliness of the ARC experiment
which relies on the same assumption you are making here. Since Google
participated in ARC, that is a pretty tacit admission they don't know
how to do mailing list reputation either.
SPF / DKIM / DMARC are mean to enable detection (and optionally
blocking) of messages that do not come from their original source.
Mailing lists are inherently contrary to this. But the mailing list
can be a /new/ source.
The sticking point is the From: address. If I set up a DMARC p=reject
policy, I should not be surprised that the receiver does what I asked
and trashes mailing list traffic. The point in my blog post is that
after over 15 years a solution is not going to be found, and trust me I
have tried back in the day. That we should just give up caring about
mailing list traversal and put the burden on MLM's to figure it out by
either not changing the message body/subject, or using that horrible
hack of rewriting the From address.
This makes companies leery of setting the signing policy to reject
which makes it much easier for scammers to phish.
Hence, having the mailing list send out /new/ messages with /new/
protection measures mean less breakage for people that send messages
to the mailing list.
Mailing lists have been sending out resigned messages for over a decade.
We still have really low adoption of p=reject signing policy and at
least part of the problem is because of fear of mailing lists affecting
users.
Treating the mailing list as it's own independent entity actually
enables overall better security.
Aside: It is trivial to remove things that cause heartburn (DKIM)
/after/ NANOG's SMTP server applies filtering /before/ it goes into
Mailman.
An unsigned message is treated the same as a broken signature. That
doesn't help from the From: signing policy standpoint.
Mike
