Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists

2019-12-29 Thread terryc
On Sat, 28 Dec 2019 13:01:25 +
Mark Rousell  wrote:

> On 28/12/2019 07:01, Steve Litt wrote:
> > So, if we insist on assisting Yahoo, Gmail, Hotmail, and their ilk,
> > and all their users, by incorporating DMARC  
> 
> Really, it's surely not a matter of willingly helping them. It's more
> a matter of survival at all in a world where they carry a significant
> proportion (possibly a majority but it's not certain) of the world's
> email and where they re-make the rules to suit themselves. Just be
> glad they still support SMTP at all!

YMMV, but I do not need to carry a significant proportion of global
emails. In fact, all those listed above and plenty others are
permanently blocked on my mail server for over a decade plus because of
their "free speech" stupidity of passing on what is clearly spam. 

SMTP will be a very long time dying when the names' business models
are all about exploiting their marks/customers.

 

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] Result of the Debian vote 'General Resolution: Init systems and systemd'

2019-12-29 Thread terryc
On Sat, 28 Dec 2019 23:11:16 +1100
Andrew McGlashan via Dng  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Hi,
> 
> On 28/12/19 9:03 pm, Alexis PM via Dng wrote:
> > A mediocre result, neither good nor bad. The best option for people
> > who don't want to use systemd, Option 6 "E: Support for multiple
> > init systems is Required", came in last. But Option 1 "F: Focus on
> > systemd" came in second place, if it had won it would have been a
> > tragedy.  
> 
> It's completely broken when only one group of interested parties have
> the only say; DDs should be ashamed.  Another wasted opportunity to
> make things right has been blown and there probably won't be any other
> opportunity afforded ever again :(
> 
> Debian needs to somehow find a way to include users (especially
> sysadmins)  in a meaningful way in votes of such significance.

In my experience, when people who do not do the work start telling the
people who do do the work, what to do, many efforts disintegrate.

As a user, I simply choose which best distribution serves my purpose
and when it ceases to do so, I simply move on as I have in the past.
We (6 systems) moved from Debian to Devuan to escape the creeping
systemd infection. We also dumped acting as a torrent source for any
Debian or systemd distro and took up torrenting devuan.

I'm very sure that some systemd free distro will continue and there is
also BSD if we tire of rolling our own kernels as we did in the past. 



Re: [DNG] Result of the Debian vote 'General Resolution: Init systems and systemd'

2019-12-29 Thread tom
On Sat, 28 Dec 2019 23:11:16 +1100
Andrew McGlashan via Dng  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Hi,
> 
> On 28/12/19 9:03 pm, Alexis PM via Dng wrote:
> > A mediocre result, neither good nor bad. The best option for people
> > who don't want to use systemd, Option 6 "E: Support for multiple
> > init systems is Required", came in last. But Option 1 "F: Focus on
> > systemd" came in second place, if it had won it would have been a
> > tragedy.
> 
> It's completely broken when only one group of interested parties have
> the only say; DDs should be ashamed.  Another wasted opportunity to
> make things right has been blown and there probably won't be any other
> opportunity afforded ever again :(
> 
> Debian needs to somehow find a way to include users (especially
> sysadmins)  in a meaningful way in votes of such significance.
> 
> A.

I know Devuan has been pretty much more or less 'to create a binary
compatible Debian but without systemd', but at what point would it be
determined that the best course of action may be to leave Debian behind
and continue our own way? Probably won't happen any time soon due to
manpower issues but it's worth thinking about.



Re: [DNG] Can we fix this DMARC thing?

2019-12-29 Thread Rick Moen
[Redirecting back onto the mailing list for a moment, from Adrian's
sudden digression into private mail.]

Quoting Adrian Zaugg (a...@ente.limmat.ch):

> I think this DKIM issue or non-issue is just noise for others.

Concur.  

But:  I participate on public mailing lists in order to have
a public discussion for public benefit.[1]

There's nothing wrong with someone inviting another public-discussion
participant into private e-mail side-discussion (as you just did, except
without explanation), but I would suggest accounting for the reason for 
private-mail diversion (when you do that), and asking rather than just
implicitly expecting participation, in what is a fundamentally different
thing, one for private rather than public benefit.

As to your private-mail inquiry:  I think my meaning in saying 'Nope' on
the public thread will be obvious, if you think about the larger
discussion context.  Hint:  Whether or not vm6.ganeti.dyne.org is able
to check DKIM signatures is actually irrelevant to the matter that was
being discussed (i.e., what is 'wrong').

I didn't think that point justified any comment longer than 'Nope'.


[1] And there's a word for wanting answers in private:  consulting.  ;-> 


Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists

2019-12-29 Thread Rick Moen
Quoting Hendrik Boom (hend...@topoi.pooq.com):

> Can I hope that it won't append a Reply-To: header if there is already one?

I really have no idea.  

Mailman's versions of the last few years have, if as listadmin you 
have the poor judgement to enforce Reply-To munging via the admin WebUI,
done that forcing _additively_, appending the forced header to any
existing one supplied by the sender (e.g., as a second Reply-to
addressee, comma-delimited).  So, I suspect the ones added for
DMARC mitigation would do likewise.

If you wish the answer to that specific question, maybe you should ask
the GNU Mailman developers.
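
Added example, not part of the thread and not GNU Mailman's code: a sketch of the mitigation discussed here, rewriting From: only for senders whose domain publishes a strict DMARC policy and adding the sender to Reply-To additively, so an existing Reply-To survives. The list address, the sample records, the "via Dng" display name and the choice of p=reject/p=quarantine as the "problematic" policies are assumptions.

```python
from email.message import EmailMessage
from email.utils import formataddr, getaddresses, parseaddr

LIST_ADDR = "dng@lists.example.org"          # hypothetical list address
STRICT_POLICIES = {"reject", "quarantine"}   # assumption: the "problematic" policies

def dmarc_policy(txt_record):
    """Return the p= value of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def mitigate(msg, sender_dmarc_txt):
    """Rewrite From: only for strict-policy senders; return True if rewritten."""
    if dmarc_policy(sender_dmarc_txt or "") not in STRICT_POLICIES:
        return False                          # all other mail is left untouched
    name, addr = parseaddr(str(msg["From"]))
    # Additive Reply-To: keep whatever the sender supplied, then add the sender.
    reply_to = getaddresses([str(v) for v in msg.get_all("Reply-To", [])])
    if addr.lower() not in {a.lower() for _, a in reply_to}:
        reply_to.append((name, addr))
    del msg["Reply-To"]                       # no-op when the header is absent
    msg["Reply-To"] = ", ".join(formataddr(pair) for pair in reply_to)
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via Dng", LIST_ADDR))
    return True

def sample(from_hdr, reply_to=None):
    """Build a constructed test message."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["Subject"] = "hello"
    msg.set_content("body\n")
    return msg

if __name__ == "__main__":
    m = sample("Alice <alice@bigmail.example>", "alice@work.example")
    mitigate(m, "v=DMARC1; p=reject; rua=mailto:agg@bigmail.example")
    print(m["From"])
    print(m["Reply-To"])
```
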


Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists : solved by workaround

2019-12-29 Thread Rick Moen
Quoting Steve Litt (sl...@troubleshooters.com):

> The preceding description describes what I see on my end. However, when
> I click "Return to sender", Claws-Mail takes me literally and sends 
> to the munged To, which is now the mailing list. Claws does not
> consult the "Reply to" when I click "Return to sender." This is my
> problem.

Your 'problem' results from Reply-To munging being (IMO) evil and
(not just in my opinion) violating RFC 5322 section 3.6.2.  

If you merely mean that this situation sucks, then we agree, and you can 
(please) ignore the remainder of my present post.  ;->

If _not_, and you are still complaining and thinking complaining will 
magically produce some better results:


The least-bad mitigation GNU Mailman so far offers uses such munging on
mail from domains with strong-asserted DMARC policies because there is,
so far, no less-destructive way to permit mail from those domains to
arrive at domains enforcing that declared policy on arriving mail
without the mail being rejected or quarantined as forgeries.

Do you understand this, yet?  I'm getting really, really, really,
_really_ tired of explaining.

I don't like Reply-To munging, either, not even if it's used only on 
some postings and not others.  It has bad effects.  People getting high
bounce scores on mailing lists, getting their delivery disabled, and 
getting unsubscribed for reasons they don't understand and that then
causes them to complain in ignorance to listadmins, is also bad.

Pick one.

The Devuan administrators have, for the time being, elected the former
rather than the latter.   That brings us up to the present -- and your 
continually complaining doesn't accomplish anything at all.




Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists

2019-12-29 Thread Rick Moen
Quoting Bernard Rosset via Dng (dng@lists.dyne.org):

> On a more generic topic, what I read about DMARC over here seems to
> be a bit unfair.

If you mean specifically my own postings on the subject, that's quite 
arguably true, especially the stuff I wrote a bit over a year ago, when
I was well and truly furious about the destructive effect of strong
DMARC policies on the (many) mailing lists I administer, and trying to 
help fellow listadmins understand and cope with the problem.

I'd be willing to consider offers to hire me to write utterly dispassionate
and exhaustive documentation, as well, at consulting rates, two-hour
minimum.  But that would be a different need from the one I had been
(and recently, somewhat exhaustedly, continued) attempting to satisfy.


> DMARC is only there to *enforce* SPF and/or DKIM ("DomainKeys
> Identified Mail" hence not really "former" DomainKeys, just mere
> relabeling).

I'm a little unclear on what you're saying, here, and what your point
is.  If you're saying DKIM is just a newer name for DomainKeys, but was
unchanged from DomainKeys, you are incorrect:  Yahoo had produced a
draft called 'enhanced DomainKeys', and that was merged with a separate
Cisco effort called 'Identified Internet Mail' to produce DKIM in 2004.

Yes, DMARC is a defined superset of SPF and/or DKIM.  DKIM, IIRC, had
the same destructive effects on mailing lists for the same reasons.
Saying DMARC is 'only there to enforce' it is rather missing the point,
IMO.


> The real protection mechanisms being considered/violated here are
> SPF and/or DKIM. DMARC's policy only triggers if *both* SPF & DKIM
> fail.

Your wording, here, is a bit ambiguous.  If you are intending to
suggest that DMARC requires that a domain implement both SPF and DKIM,
that is not correct.  OTOH, if you mean that DMARC fails only if neither
SPF nor DKIM validates, then that is correct.


> Now, if the sender's domain supports DKIM, and provided the headers
> potentially important to the mailing list's piping are not provided
> & signed (Sender, List-*, Reply-To, etc.), ie if mere From, Subject
> are signed (which I believe is a common case), it is alright.
> 
> Well. It is alright... provided mailing lists stop doing what they
> have been doing for ages, ie *modifying* protected content, either
> protected headers or body.

In other words, with the typical DKIM-attested set of headers and
content, mailing lists break short of major changes such as wrapping the
message, From: rewriting, or ceasing all message modifications, meaning
not just no more footers and subject prefixes, but also (IIRC) problems
with List-ID and similar headers.

More than a year ago, I could have written a comprehensive explanation
of all the gory details, but will confess I've dropped a lot of it from
memory since then.



> Hence, the real problem comes from violating DKIM... or having no
> DKIM set up.

Again, your wording is ambiguous.  If you're suggesting that having no
DKIM set up at a sending domain is somehow problematic for that domain,
then that is incorrect.  E.g., my linuxmafia.com domain does not have
DKIM setup (because I think that technology design was poorly written), 
and I have no deliverability problems at all -- particularly because 
my domain has a correct, strongly asserted SPF policy, and because I 
follow reputable SMTP practices carefully and protect the reputation of
my sending IP address.

I'm not entirely sure what you mean, if you meant something else.


> DMARC + DKIM should do the trick, provided mailing lists (softwares)
> stop being intrusive.

'Stop being intrusive'?  The nerve!

Also, the term 'DMARC + DKIM' doesn't actually make a lot of sense.
DMARC is a superset built atop either DKIM or SPF (or both).


> In the current state of my understanding of DMARC, SPF & DKIM, I
> have a hard time understanding flaming any of those protection
> mechanisms.

Well, I have no problem taking care of that need, in your absence.
No charge, sir.


> The only trouble I see here is that mailing lists have a long
> history of modifying email headers and/or content, and it has been
> deemed "normal" over years of doing so.

That's like saying the only trouble you see is that humans have a long
history of eating.


> Would you mind if I arbitrarily opened/modified your (private)
> postal mail or any written message from/to you?

This is an abuse of metaphor, and I'm having a difficult time believing
you aren't trolling.

Mailing lists are sophisticated remailer mechanisms.  In postal mail 
context, the proper metaphor would be an optional commercial service 
you can send a letter to, where the letter would be photocopied and then 
remailed to all of your friends.  This isn't 'arbitrary'; the original
sender engages the services of the remailing mechanism.  Nor is it
'private'.

When you signed up for Dng, you were aware that you were voluntarily
engaging the services of a software remailing service that would
generate slightly modified/au

Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists

2019-12-29 Thread Rick Moen
Quoting g4sra via Dng (dng@lists.dyne.org):

> Thanks Rick, I appreciate that chain of summaries and the time it has
> saved now not having to dig through archives.

No problem!  E-mail is a dreadful solution to the problem of collective
knowledge, and I really ought to post that somewhere persistent on
the Web.  Maybe https://dev1galaxy.org/viewforum.php?id=7, dunno.

Of course, what I wrote wasn't a proper Devuan Project doc, but rather
a personal take on the matter as a friendly outsider.




Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists

2019-12-29 Thread g4sra via Dng
On 29/12/2019 07:47, Rick Moen wrote:
[snip]

Thanks Rick, I appreciate that chain of summaries and the time it has saved now 
not having to dig through archives.
Email has probably got to be one of my weakest areas of knowledge, I have learnt 
something today.
When drawing my own conclusions I pay little heed to dissagrievements on 
mailing lists, but find facts really helpful.


Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists

2019-12-29 Thread Hendrik Boom
On Sat, Dec 28, 2019 at 09:41:48PM -0800, Rick Moen wrote:

> 
> tl;dr:  Mailman will now munge the From: address if and only if the
> sender's domain publishes a problematic DMARC policy, to substitute the
> mailing list's address for the sender's.  On those mails, Mailman
> also appends a Reply-To: header pointing to the sender's real address.
> No other mails will be touched.

Can I hope that it won't append a Reply-To: header if there is already one?

-- hendrik


Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists : solved by workaround

2019-12-29 Thread Steve Litt
On Sat, 28 Dec 2019 21:41:48 -0800
Rick Moen  wrote:


> tl;dr:  Mailman will now munge the From: address if and only if the
> sender's domain publishes a problematic DMARC policy, to substitute
> the mailing list's address for the sender's.  On those mails, Mailman
> also appends a Reply-To: header pointing to the sender's real address.
> No other mails will be touched.

The preceding description describes what I see on my end. However, when
I click "Return to sender", Claws-Mail takes me literally and sends 
to the munged To, which is now the mailing list. Claws does not
consult the "Reply to" when I click "Return to sender." This is my
problem.

If I click "Reply to list" it replies only to the list, which is
exactly what I want under normal situations.

If I click "Reply" or "Reply to All", it sends to the list and copies
the return address. I then have to prune off whichever address I don't
want, and if the one I want is the return address, I need to change it
from Cc to To.

So my solution is procedural. I removed my "Reply to Sender" button,
because in the age of DKIM it does just what I don't want, even if it's
literally correct. Now, whenever I want to email somebody offlist, I'll:

1) Click Reply to all
2) Delete the mailing list address
3) Change the Cc to To

The point is, if I see two addresses up there, I'll understand there's
danger and delete the dng one.

So, although I have the same opinion of DKIM that I've always had, my
procedural workaround means I won't need to ask anyone else for help.
 
SteveT

Steve Litt 
December 2019 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21


Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists

2019-12-29 Thread Bernard Rosset via Dng

On 29/12/2019 06:30, Rick Moen wrote:
> Quoting Mark Rousell (mark.rous...@signal100.com):
> > That said, the mail list *does* seem to work as Steve wants.
>
> It really doesn't.

On 28/12/2019 14:16, Mark Rousell wrote:
> At least it does for my mail client (Thunderbird).


It definitely seems to be MUA-specific. The last bit from Mark is 
important: the Thunderbird MUA seems to always show consistent behaviour 
of its "Reply" & "Reply List" buttons.


The only thing which changes for this MUA is the set of displayed 
headers above the message.
Non-DMARC-protected domains show From, Subject & To, while 
DMARC-protected ones show From, Subject, Reply-To & To.


I concur with Mark on the fact this email client seems to do the job, at 
least on that front.


-

On a more generic topic, what I read about DMARC over here seems to be a 
bit unfair.


DMARC is only there to *enforce* SPF and/or DKIM ("DomainKeys Identified 
Mail" hence not really "former" DomainKeys, just mere relabeling).
The real protection mechanisms being considered/violated here are SPF 
and/or DKIM. DMARC's policy only triggers if *both* SPF & DKIM fail.


SPF is a mechanism to ensure the envelope matches the headers & sender 
machine is authorized to emit for a domain (hence protects against 
impersonation).


DKIM protects against message tampering by signing body & some headers 
of the emitted email.


From-munging, used to circumvent SPF, actually means 
faking/modifying/impersonating the original email source.
It also happens to circumvent DKIM... and DMARC as a whole, since the 
emitting domain would now be the list's one, *not* the sender's.


This From-munging is a perfect man-in-the-middle example, actually 
pulling the plug on all headers checks at destination.



Now, if the sender's domain supports DKIM, and provided the headers 
potentially important to the mailing list's piping are not provided & 
signed (Sender, List-*, Reply-To, etc.), ie if mere From, Subject are 
signed (which I believe is a common case), it is alright.


Well. It is alright... provided mailing lists stop doing what they have 
been doing for ages, ie *modifying* protected content, either protected 
headers or body.


That means no From header modification (no From-munging).
That means no Subject header modification (no added prefix and rather 
let destination users route incoming email based on headers rather than 
Subject prefix).
That means no body modification (and rather leverage List-* headers & 
let MUA augment received messages based on those).



As stated before, a DMARC policy fails if *both* SPF & DKIM checks fail 
or if one fails and the other is non-existent.
Hence, the real problem comes from violating DKIM... or having no DKIM 
set up.
DMARC + DKIM should do the trick, provided mailing lists (softwares) 
stop being intrusive.


In the current state of my understanding of DMARC, SPF & DKIM, I have a 
hard time understanding flaming any of those protection mechanisms.
The only trouble I see here is that mailing lists have a long history of 
modifying email headers and/or content, and it has been deemed "normal" 
over years of doing so.
Would you mind if I arbitrarily opened/modified your (private) postal 
mail or any written message from/to you?


My understanding might be incomplete. If so, please enlighten me & 
anyone interested, by all means.


Cheers,
Bernard Rosset
https://rosset.net/
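
Added example, not part of the post above or of the thread: a simplified model of the DMARC outcome debated here (pass when SPF or DKIM validates and aligns with the From: domain) for one message delivered directly and relayed by a list in three ways. All domains are constructed, DKIM verification is reduced to comparing the signed Subject and a body hash (no real keys), and `org_domain` is a naive stand-in for a Public Suffix List lookup.

```python
import base64
import hashlib
from dataclasses import dataclass, replace

def body_hash(body):
    """DKIM-style bh= value: base64(SHA-256) over the body with CRLF line
    endings and trailing empty lines removed (simplified canonicalization)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    canon = "".join(line + "\r\n" for line in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def org_domain(domain):
    # Naive: last two labels. Real verifiers consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

@dataclass
class Delivery:
    from_domain: str       # domain in the From: header
    envelope_domain: str   # MAIL FROM domain that SPF checks
    spf_pass: bool         # connecting host authorised for envelope_domain
    dkim_domain: str       # d= of the sender's signature
    signed_bh: str         # body hash recorded at signing time
    signed_subject: str    # Subject as it was when signed
    subject: str           # Subject as received
    body: str              # body as received

def dkim_pass(d):
    # Stand-in for signature verification: signed header and body unchanged.
    return d.signed_subject == d.subject and d.signed_bh == body_hash(d.body)

def dmarc_pass(d):
    spf_ok = d.spf_pass and org_domain(d.envelope_domain) == org_domain(d.from_domain)
    dkim_ok = dkim_pass(d) and org_domain(d.dkim_domain) == org_domain(d.from_domain)
    return spf_ok or dkim_ok

def scenarios():
    body = "Can we fix this?\n"
    direct = Delivery("bigmail.example", "bigmail.example", True,
                      "bigmail.example", body_hash(body), "DMARC", "DMARC", body)
    # The list resends from its own host: SPF passes, but for the list's domain.
    relayed = replace(direct, envelope_domain="lists.example.org")
    footer = replace(relayed, subject="[DNG] DMARC",
                     body=body + "___\nDng mailing list\n")
    munged = replace(footer, from_domain="lists.example.org")
    return {"direct": dmarc_pass(direct),
            "list, message untouched": dmarc_pass(relayed),
            "list, prefix + footer": dmarc_pass(footer),
            "list, From munged": dmarc_pass(munged)}

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26} DMARC {'pass' if ok else 'FAIL'}")
```
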