Re: [Mailman-Users] cause of bounces

2017-10-19 Thread Mark Sapiro
On 10/19/2017 09:14 PM, Grant Taylor via Mailman-Users wrote:
> 
> RFC 6377 - DomainKeys Identified Mail (DKIM) and Mailing Lists,
> disagrees with you.  (RFC 6377 is also currently known as BCP 167.)


I am too tired at the moment to respond to your posts more completely. I
may do so tomorrow. But I suggest that if you are going to quote RFCs
that you understand the differences between Best Current Practice and
Standards Track categories.

Also, I don't disagree that there are issues between DKIM, DMARC and
Mailing Lists that make seamless integration of these impossible without
changing long standing norms and expectations for Mailing Lists. I also
think Mailman (both 2.1 and 3) give you tools to do pretty much whatever
you want in this vein except for changing the Message-ID: of the
original post. Note that one of the biggest reasons for that is if the
list copy has a different Message-ID: and some people receive and reply
to a list copy and some receive a direct To: or Cc: and reply to that
and people use MUAs that produce threaded views based on Message-ID:,
References: and In-Reply-To: headers, threading can get pretty messed up.

Finally, I think all we disagree on (as Steve implied in a post a day or
two ago) is very arcane, small technical details, and while we may never
come to agreement on these, I think we do agree that Mailman can operate
in this environment in ways we think are satisfactory.

-- 
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] cause of bounces

2017-10-19 Thread Grant Taylor via Mailman-Users

On 10/19/2017 10:14 PM, Grant Taylor via Mailman-Users wrote:

> /The output of a resending MLM is/ *a new message*.
>
> ...
>
> *The resending MLM is the author* /of the new message/.


Since the MLM is the author of the new message, I think it would be 
prudent to use either of the following as the RFC5322.From address:


   From: Grant Taylor via Mailman-Users 

Or, optionally use the Group syntax to help indicate that a group (read: 
mailing list) was the source.


   From: Mailman-Users:mailman-users@python.org;

I might be inclined to prefix body copy with something like the following:

   Message posted to Mailman-Users by: Grant Taylor 





--
Grant. . . .
unix || die


Re: [Mailman-Users] cause of bounces

2017-10-19 Thread Grant Taylor via Mailman-Users

On 10/19/2017 09:15 PM, Mark Sapiro wrote:

> I think that won't happen. The use of p=none subdomains by various
> entities that publish p=reject for their primary domain is intended for
> addresses for their own staff to use in communicating via mailing lists
> and perhaps other channels. If a freemail provider such as Yahoo would
> be willing to create a lists.yahoo.com domain with p=none for use by
> their freemail users, that domain would be subject to the same abuses
> that caused them to publish p=reject in the first place.



Agreed.

Further, end users would either need to make a choice of which sending 
domain to use, or Yahoo (et al) would need to have a list of domains to 
send from the list subdomain.




--
Grant. . . .
unix || die


Re: [Mailman-Users] cause of bounces

2017-10-19 Thread Grant Taylor via Mailman-Users

On 10/19/2017 12:37 AM, Stephen J. Turnbull wrote:
> The IETF has NO position on WHEN this should be done because it's not
> relevant to interoperability.  My personal reasoning with respect to
> mailing list managers like Mailman which normally pass through all
> text/plain, and perhaps add some tags to Subject and prefix or suffix
> the body, is that users (including posters) would be quite annoyed if
> de-duping didn't work.  And those of us who deal with mail in
> sophisticated ways would be quite upset if the Message-ID we give it
> doesn't correspond to the Message-ID distributed by the list and in
> the archive.


I believe RFC 6377 makes it fairly clear if a message is new or not. 
TL;DR:  If anything other than the SMTP envelope is modified, then the 
MLM is a resending MLM, which necessitates a new message with a new 
author and Message-ID.


I can respect your concern about the Message-ID changing, especially 
with deduplication.  However, I counter that the new message from the 
resending MLM is in fact a different message than the one that the 
original author sent to the resending MLM.  So, if you were in the To / 
CC / BCC of the message from the original author, you /should/ receive 
two copies of the message.


Fortunately nicer MLMs, like Mailman, can detect that a list subscriber 
was included in the To or CC and act on the subscriber's configured 
option if they want to receive a copy of the message from the MLM that 
they received directly.




--
Grant. . . .
unix || die


Re: [Mailman-Users] cause of bounces

2017-10-19 Thread Grant Taylor via Mailman-Users

On 10/18/2017 11:50 AM, Mark Sapiro wrote:
> This is the crux of our disagreement. The outbound message is still the
> original author's message, albeit slightly altered by subject prefixing,
> content filtering and/or other transformations to conform with list
> policies. I don't agree that it is a completely new message. I think it
> is still the original message with only technical and formatting changes.


RFC 6377 - DomainKeys Identified Mail (DKIM) and Mailing Lists, 
disagrees with you.  (RFC 6377 is also currently known as BCP 167.)


§ 3.2 calls this out specifically:

   resending:  A resending MLM (see Sections 5.2 and 5.3 of [EMAIL-ARCH])
   is one that may make changes to a message.  The output of such an MLM
   is considered to be a *new message*; *delivery of the original has been
   completed* prior to distribution of the reposted message.  Such messages
   are often reformatted, such as with list-specific header fields or other
   properties, to facilitate discussion among list subscribers.


/The output of a resending MLM is/ *a new message*.

   MLM Output:  *MLM* (sending its reconstructed copy of the originating
   user's message) *is Author*; MLM's ADMD is Originator and Signer; the
   ADMD of each subscriber of the list is a Verifier; each subscriber is
   a Receiver.


*The resending MLM is the author* /of the new message/.

   The dissection of the overall MLM operation into these two distinct phases
   allows the DKIM-specific issues with respect to MLMs to be isolated and
   handled in a logical way.  The main issue is that the repackaging and
   reposting of a message by an MLM is actually the construction of a
   completely new message, and as such, the MLM is introducing new content
   into the email ecosystem, consuming the Author's copy of the message,
   and creating its own.  When considered in this way, the dual role of the
   MLM and its ADMD becomes clear.


Since we have been talking about modifying more than /just/ the SMTP 
envelope, we are indeed talking about a resending MLM and not an alias MLM.




--
Grant. . . .
unix || die


Re: [Mailman-Users] cause of bounces

2017-10-19 Thread Mark Sapiro
On 10/19/2017 04:07 AM, William Bagwell wrote:
> 
> So if enough users of Yahoo and AOL requested something such as 
> u...@list.aol.com to not be DMARC p=reject they /might/ listen?


I think that won't happen. The use of p=none subdomains by various
entities that publish p=reject for their primary domain is intended for
addresses for their own staff to use in communicating via mailing lists
and perhaps other channels. If a freemail provider such as Yahoo would
be willing to create a lists.yahoo.com domain with p=none for use by
their freemail users, that domain would be subject to the same abuses
that caused them to publish p=reject in the first place.

-- 
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan


Re: [Mailman-Users] cause of bounces

2017-10-19 Thread William Bagwell
On Thursday 19 October 2017, Stephen J. Turnbull wrote:
> As Mark says, they should use an @sysadmins.irs.gov address or
> something like that, which would have its own p=none policy.  Note
> that this has been already standard practice at Yahoo! (!), AOL (!!),
> LinkedIn, and several banks that participate in IETF discussions.
> Since 2013 for Yahoo! and LinkedIn IIRC.

So if enough users of Yahoo and AOL requested something such as 
u...@list.aol.com to not be DMARC p=reject they /might/ listen?

Only list I help administer the owner simply moderates the few remaining hold 
outs who can not switch and manually re-posts their messages. Would not have 
worked back when the list was busy... Think I now understand the correct fix 
but did not a few years ago when this mess started and that was the solution 
we came up with.
-- 
William


Re: [Mailman-Users] cause of bounces

2017-10-19 Thread Dimitri Maziuk

On 2017-10-19 01:36, Stephen J. Turnbull wrote:


> (I don't understand Dimitri's claim about SourceForge ads; all the
> mail I get from SourceForge is originated there and AFAIK the DKIM
> validates.  If it doesn't, their system is pretty brain-damaged.)


It is, but not DKIM-drain-bramaged. I PGP-sign when sending from my
linux PCs and SF injects their ads into the signed part. Which is part
of the reason why they don't want you to sign your messages on the
client, before they got their ads in.



> That depends on how much mail you get, how much of it is unwanted,
> how much you care about the time you spend dealing with unwanted mail,
> and how much you care about losing wanted mail.


:) How would I know: it got thrown away, I never knew it existed.

Seriously, though, for me gmail is the only one that doesn't deliver 
wanted mail and sticks it into their "all mail" -- despite the blanket 
.forward I have in there. On my work MTA I pretend DMARC doesn't exist 
and I don't spend any more time on spam now than I did in 2007.


Dimitri


Re: [Mailman-Users] cause of bounces

2017-10-19 Thread Stephen J. Turnbull
Grant Taylor via Mailman-Users writes:

 > IMHO, DMARC is going to eventually become the new norm.

It has been so since late 2015, according to the DMARC Consortium.  At
that time they claimed that 80% of legitimate email was originated at
domains that participate in DMARC reporting protocols.  I don't think
p=reject will ever be the norm for freemail providers.

 > I also wonder what ARC is going to do to this paradigm.

It may or may not help mailing lists.  It depends on whether the
spammers successfully jump on it to obfuscate themselves, which they
could do, in which case you might end up in the current situation
where you need to apply for whitelisting at some of the large
providers.  On the other hand, the large providers are getting better
at identifying responsible lists for themselves, and ARC would
definitely make authenticating those lists easier.

Steve

-- 
Associate Professor  Division of Policy and Planning Science
http://turnbull/sk.tsukuba.ac.jp/ Faculty of Systems and Information
Email: turnb...@sk.tsukuba.ac.jp   University of Tsukuba
Tel: 029-853-5175 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN


Re: [Mailman-Users] cause of bounces

2017-10-19 Thread Stephen J. Turnbull
Dimitri Maziuk writes:

 > That does not contradict what I said. Low specificity means low
 > probability of detection of "bad stuff". I.e. it doesn't mean much that
 > most of it passes.

That may be true for you, but for most of us having most of our mail
have a valid DKIM signature, plus a DMARC PASS, means that most of our
mail is authentic.  I care a *lot* about having my filters throw away,
or even quarantine, mail from a known correspondent using a known
address.  This almost never happens any more.

 > Ohkay, so what exactly am I the end user is supposed to need it
 > for?

That depends on how much mail you get, how much of it is unwanted,
how much you care about the time you spend dealing with unwanted mail,
and how much you care about losing wanted mail.

Steve



Re: [Mailman-Users] cause of bounces

2017-10-19 Thread Stephen J. Turnbull
Mark Sapiro writes:

 > I don't agree that it is a completely new message. I think it is
 > still the original message with only technical and formatting
 > changes.

The IETF's position is that this decision is up to the forwarding
agent.  If they change the Message-ID, that means they consider it a
new message, and are taking authorship (perhaps with substantial
quoting, but it's quoting, not forwarding).  If they don't, it's not
new, and From MUST contain the address placed there by the original
author.  (That's an RFC-2119 "must".  This is why Mark is correct to
say that Munge From is non-conforming.)

The IETF has NO position on WHEN this should be done because it's not
relevant to interoperability.  My personal reasoning with respect to
mailing list managers like Mailman which normally pass through all
text/plain, and perhaps add some tags to Subject and prefix or suffix
the body, is that users (including posters) would be quite annoyed if
de-duping didn't work.  And those of us who deal with mail in
sophisticated ways would be quite upset if the Message-ID we give it
doesn't correspond to the Message-ID distributed by the list and in
the archive.


 > However, if you are just sending the body of the original message From:
 > the list, according to RFC 5322 et al, you are saying the list is the
 > author of that message body. This is not true and is why I say the
 > message is not compliant with RFC 5322 et al.

This isn't quite accurate.  We do make an effort to identify the
author, so I wouldn't say we're "claiming authorship".  The problems
are that we make it impossible to identify the author by the usual
methods (filtering on email address), and it's ugly, especially for
folks with MUAs that display only the display name (and of course we
had a lot of people rather confused by this through most of 2014!)

Steve


-- 
Associate Professor  Division of Policy and Planning Science
http://turnbull/sk.tsukuba.ac.jp/ Faculty of Systems and Information
Email: turnb...@sk.tsukuba.ac.jp   University of Tsukuba
Tel: 029-853-5175 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN


Re: [Mailman-Users] cause of bounces

2017-10-19 Thread Stephen J. Turnbull
Grant Taylor via Mailman-Users writes:

 > I use DKIM validity as a signal that I then make decisions based on. - 
 > Hence why I have chosen to alter spam score on my mail server based on 
 > the DKIM result.

You can do that.  But call it what it is: a deliberate decision NOT to
conform to a standards-track RFC.

The fact of the matter is that the spammers are laughing at you.  THEY
have perfectly valid DKIM signatures, or if they're going to try a
replay attack, they remove the DKIM signature they're about to break.
Broken DKIM signatures principally mean somebody added a footer to the
body, a DMARC mitigation in From, or a tag to the Subject.  So this
rule primarily targets perfectly legitimate mail posted to mailing
lists.

(I don't understand Dimitri's claim about SourceForge ads; all the
mail I get from SourceForge is originated there and AFAIK the DKIM
validates.  If it doesn't, their system is pretty brain-damaged.)

Steve

-- 
Associate Professor  Division of Policy and Planning Science
http://turnbull/sk.tsukuba.ac.jp/ Faculty of Systems and Information
Email: turnb...@sk.tsukuba.ac.jp   University of Tsukuba
Tel: 029-853-5175 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN
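
The point made in the message above, that a broken DKIM signature on list mail usually just means a footer, a Subject tag or a From rewrite, can be checked mechanically. The following is an added example, not part of the thread and not Mailman code; it covers both that point and the From-munging discussion earlier in the thread. The sample messages, the domains, the signed-header list and the use of strict (exact-match) alignment are assumptions, and SPF is ignored.

```python
import base64, hashlib, re
from email import message_from_string
from email.utils import parseaddr

SIGNED = ("from", "subject", "message-id")  # assumed h= list of the author's signature

def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization: collapse runs of whitespace,
    strip trailing whitespace per line, drop trailing empty lines."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines).encode()

def body_hash(body):
    """Value a verifier compares against the bh= tag of the signature."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_header(msg, name):
    return name + ":" + re.sub(r"\s+", " ", msg.get(name, "")).strip()

def broken_by(original, list_copy):
    """Signed parts that differ between the author's message and the list copy.
    An empty list means the author's signature would still verify."""
    a, b = message_from_string(original), message_from_string(list_copy)
    changed = [h for h in SIGNED if relaxed_header(a, h) != relaxed_header(b, h)]
    if body_hash(a.get_payload()) != body_hash(b.get_payload()):
        changed.append("body")
    return changed

def dmarc_dkim_pass(original, list_copy, author_d, list_d=None):
    """True if a valid signature's d= equals the From: domain (strict alignment;
    relaxed alignment would need the Public Suffix List)."""
    addr = parseaddr(message_from_string(list_copy)["From"])[1]
    from_domain = addr.rpartition("@")[2].lower()
    valid = set()
    if not broken_by(original, list_copy):
        valid.add(author_d)      # author's signature survived the list
    if list_d:
        valid.add(list_d)        # the list signs the copy it sends out
    return from_domain in valid

# Constructed sample messages (not taken from the thread).
ORIGINAL = ("From: Alice <alice@example.com>\n"
            "Subject: cause of bounces\n"
            "Message-ID: <1@example.com>\n"
            "\n"
            "Hello list.\n")
# Typical list decoration: Subject tag plus body footer, author's From kept.
TAGGED = (ORIGINAL.replace("Subject: ", "Subject: [Demo-List] ")
          + "--\nDemo-List mailing list\n")
# Same, with the From rewritten to the list's own address.
MUNGED = TAGGED.replace("Alice <alice@example.com>",
                        "Alice via Demo-List <demo-list@lists.example.org>")

if __name__ == "__main__":
    for label, copy in (("as-is", ORIGINAL), ("tagged", TAGGED), ("munged", MUNGED)):
        print(label, broken_by(ORIGINAL, copy),
              dmarc_dkim_pass(ORIGINAL, copy, "example.com", "lists.example.org"))
```

The tagged copy fails alignment because the only valid signature is the list's, while From: still names the author's domain; under p=reject that is the copy that bounces.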