Re: [Mailman-Users] Customize "From" when munging it for DMARC?

2017-08-04 Thread Jordan Brown
On 8/4/2017 12:51 PM, Mark Sapiro wrote:
> I'm aware of issues with Microsoft services adding 'spoofing' warnings
> to messages where the From: address and the To: address are the same.
> Is this what you were referring to by "Setting it to the list name
> interacts badly with outlook.com and hotmail.com replies." in your
> OP. If not that, then what?

I haven't investigated deeply, but with an original message like:

Return-Path: 
Return-path: 
Date: Wed, 2 Aug 2017 19:44:35 + (UTC)
To: list2 , 
list1 
Subject: [list1] ...
X-BeenThere: li...@listdomain.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "list1" 
List-Unsubscribe: 
, 

List-Post: 
List-Help: 
List-Subscribe: 
,

From: Jane User via list1 
Reply-To: Jane User 
Errors-To: list1-boun...@listdomain.org
Sender: "list1" 

Two of my users (on outlook.com and hotmail.com) ended up with
reply-to-all results that were addressed to Joe User and list2, but not
to list1 at all.  (Note that this reply came to me via list2.)

Return-Path: 
Return-path: 
To: Troop 92 list2 , Jane User

Date: Wed, 2 Aug 2017 20:27:29 +
Subject: Re: [list2] [list1] ...
X-BeenThere: li...@listdomain.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: list2 
List-Unsubscribe: 
, 

List-Post: 
List-Help: 
List-Subscribe: 
, 

From: Susan MsUser via list2 
Reply-To: Susan MsUser 
Errors-To: list2-boun...@listdomain.org
Sender: "list2" 

My theory is that MS is (wrongly) dropping the "To" copy of list1 from
the reply because it's the From, and then (correctly) using the Reply-To
instead of the From.
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Customize "From" when munging it for DMARC?

2017-08-04 Thread Jordan Brown
On 8/4/2017 8:24 AM, Mark Sapiro wrote:
> On 08/03/2017 07:15 PM, Jordan Brown wrote:
>> Is there a way to control the From value when it gets munged so we pass
>> DMARC?
> There's no configuration for it, but it's a simple patch.

Thanks.  Alas, I'm a hosting-provider customer, not standalone, and so
don't have access to make source changes.  Maybe it can go on the wish list?

> I suspect that this would cause other issues. In spite of the fact that
> there will always be a Reply-To: header with some value, there will be
> some user's MUAs that will include the From: address in a 'reply' or
> 'reply-all'. This may or may not be a problem depending on the exact
> content of the reply, the setting of DISCARD_MESSAGE_WITH_NO_COMMAND
> (defaults to Yes), and whether the MUA addresses the reply to the
> desired addresses in addition to From:.

It seems like that could be controlled through the choice of the address
used.  Although the -request address seems obvious, one could also use
the -owner address, or an address that bounces or leads into a black
hole.  Let the admin specify the address to use.



Re: [Mailman-Users] Customize "From" when munging it for DMARC?

2017-08-04 Thread Jordan Brown
On 8/4/2017 2:32 PM, Mark Sapiro wrote:
>> My theory is that MS is (wrongly) dropping the "To" copy of list1 from
>> the reply because it's the From, and then (correctly) using the Reply-To
>> instead of the From.
> It looks to me as if your theory is correct, except I wouldn't say
> "wrongly". I think an MUA is arguably doing the right thing by
> overriding the From: address with the Reply-To: address on a reply-all
> even though the From: address is also in To:.

It should certainly override the From with the Reply-To.

What I'm objecting to is the fact that it hunts down *other* instances
of the address in From and removes them (or perhaps replaces them with
the Reply-To and then eliminates duplicates).  I think Reply-All should
take {Reply-To, else From}, To, and CC, and reply to them.

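The two reply-all policies contrasted in this exchange, as an added example that is not part of the original posts and is not Mailman or Outlook code. The addresses are constructed (the archive redacted the real ones), and `reply_all_from_stripping` only models the poster's theory of the observed behaviour; it also shows why a munged From other than the list posting address (the -request address suggested in the thread) would leave list1 in the reply.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample of a DMARC-munged list message that was cross-posted to
# two lists. Only the headers that matter for reply handling are included.
_TEMPLATE = """\
From: Jane User via list1 <{munged_from}>
Reply-To: Jane User <jane@users.example.com>
To: list2 <list2@lists.example.org>, list1 <list1@lists.example.org>
Subject: [list1] constructed sample

body
"""

# From munged to the list posting address (the situation in the thread).
MUNGED_AS_LIST = _TEMPLATE.format(munged_from="list1@lists.example.org")
# From munged to another address at the list host (the requested option).
MUNGED_AS_REQUEST = _TEMPLATE.format(
    munged_from="list1-request@lists.example.org")


def _addrs(msg, *header_names):
    """Return the lower-cased addresses found in the named headers, in order."""
    values = []
    for name in header_names:
        values.extend(msg.get_all(name, []))
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def _unique(addresses, exclude=()):
    """Drop duplicates and excluded addresses while keeping first-seen order."""
    seen = set(exclude)
    result = []
    for addr in addresses:
        if addr not in seen:
            seen.add(addr)
            result.append(addr)
    return result


def reply_all_plain(raw_message, me):
    """Reply-all as {Reply-To, else From} plus To plus Cc, minus the replier."""
    msg = message_from_string(raw_message)
    primary = _addrs(msg, "Reply-To") or _addrs(msg, "From")
    return _unique(primary + _addrs(msg, "To", "Cc"), exclude={me.lower()})


def reply_all_from_stripping(raw_message, me):
    """Model of the theorised behaviour: every copy of the From address is
    removed from To/Cc before the Reply-To address is substituted for it."""
    msg = message_from_string(raw_message)
    from_addrs = set(_addrs(msg, "From"))
    primary = _addrs(msg, "Reply-To") or _addrs(msg, "From")
    others = [a for a in _addrs(msg, "To", "Cc") if a not in from_addrs]
    return _unique(primary + others, exclude={me.lower()})


if __name__ == "__main__":
    me = "susan@users.example.net"  # constructed address of the replier
    for label, raw in (("From = list address", MUNGED_AS_LIST),
                       ("From = -request address", MUNGED_AS_REQUEST)):
        print(label)
        print("  plain reply-all:    ", reply_all_plain(raw, me))
        print("  From-stripping MUA: ", reply_all_from_stripping(raw, me))
```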


[Mailman-Users] Customize "From" when munging it for DMARC?

2017-08-04 Thread Jordan Brown
Is there a way to control the From value when it gets munged so we pass
DMARC?

Setting it to the list name interacts badly with outlook.com and
hotmail.com replies.  Since the From address really isn't used (because
there's a Reply-To), it seems like it could be anything that's at the
host domain - the request address, for instance.

Thanks.




Re: [Mailman-Users] Customize "From" when munging it for DMARC?

2017-08-07 Thread Jordan Brown
On 8/6/2017 11:36 PM, Stephen J. Turnbull wrote:
> Unfortunately, you can assume that the large freemail services do not
> care what you think.

Yep.

50% :-)
50% :-(

> I'm not sure why they've all gone substantially
> downhill in the last decade, but they have.  Probably they get
> complaints and feel they have to "do something, anything" about them.

Sometimes I think they're trying to drive everybody to Facebook.

> That said, I don't know if it's a useful option for you, but one
> possibility would be to set reply-to to the list as well as using one
> of the munge_from settings.  Because munge_from has the effect of
> hiding the author's address, it also places the author's address in
> the reply-to, even if the list is already there.

Alas, no.  I've seen too many messages intended to be private sent to
the entire list with that configuration; I would never use it.  (I've
boycotted lists simply because they insisted on that configuration.)

Thanks.



[Mailman-Users] Wish list: bounce notifications

2017-10-11 Thread Jordan Brown
My mailing list is hosted on a low-cost service with shared servers and
so a couple of times a year some other customer gets them onto a spam
blacklist and mail starts bouncing.  I need to know about those
situations ASAP so that I can prod the provider into fixing the problem
and requesting delisting, but Mailman doesn't seem to have a way to tell
me when it gets a bounce... only when it's gotten several bounces and
disabled a membership.  Since I don't want to wait for several bounces,
I have it set on a hair trigger; it disables people on the first bounce
and so I immediately get a notification.  That works, kind of, but it
means that I have an extra re-enable step to repair the damage and that
if I somehow drop a notification on the floor I can leave somebody disabled.

What I'd like would be a way to ask Mailman to notify me on *every*
bounce, without disabling the user.

(Or, of course, if there's just something I've missed in the config
pages, please educate me.)




Re: [Mailman-Users] Wish list: bounce notifications

2017-10-11 Thread Jordan Brown
On 10/11/2017 11:53 AM, Mark Sapiro wrote:
> On 10/11/2017 07:46 AM, Jordan Brown wrote:
>> What I'd like would be a way to ask Mailman to notify me on *every*
>> bounce, without disabling the user.
>>
>> (Or, of course, if there's just something I've missed in the config
>> pages, please educate me.)
> As mentioned by Christian F Buser in his reply, since Mailman 2.1.19
> there has been a bounce_notify_owner_on_bounce_increment setting that
> does what you want. Also see
> <https://bugs.launchpad.net/mailman/+bug/1382150>.

Yep, sorry, duh.  It's new since the last time I did a full sweep
through the options, and I didn't look before writing.



Re: [Mailman-Users] Removing archived spam

2017-11-11 Thread Jordan Brown
On 11/11/2017 11:04 AM, Dimitri Maziuk wrote:
> On 2017-11-11 12:22, Phil Stracchino wrote:
>> Heh, I just looked at that myself.  How did such a useless tool ever
>> become standard?
> My guess is IIRC SunOS was on Solaris 8 by 2001, and it was *the*
> grown-up 64-bit unix: every other unix vendor's keeled over or was
> about to and x86_64 didn't exist. So it was a standard utility on the
> standard unix by the time when posix decided in 2001 The Standard
> Shall Be That Other Thing. Good thing about standards, as we all know,
> is there's plenty to choose from. 

arch(1) dates back to at least SunOS 4.0, ca 1987.  I haven't been able
to find manual pages before that.

The competitor, "uname -m", dates back at least that far, in the System
V branch of UNIX - it's in the SVID in 1986.

Much before that you find the "machid" system-type commands, e.g. the
"vax" command that succeeds on a vax and fails on all other systems. 
(and: sun, iAPX286, i386, m68k, pdp11, sparc, u3b, u3b2, u3b5, u3b15.) 
Those are still present at SunOS 4.0, but not in SVID.  (Strangely, I
don't see them in BSD 4.x.  I dimly remember them existing in a BSD
derivative ca 1985.)

UNIX v7 (my manual © 1979, 1983) does not have any of those.  I suspect
that at that time there was only Zool.  Er, PDP-11.

So I think the simple answer is that both the Sun/Berkeley fork and the
AT&T/SysV fork realized the need for a better answer than the "machid"
commands, and independently invented different answers.



Re: [Mailman-Users] Replying to the List

2017-12-07 Thread Jordan Brown
On 12/7/2017 10:21 AM, Phil Stracchino wrote:
> This is a religious dispute.

Yep.



Re: [Mailman-Users] Replying to the List

2017-12-07 Thread Jordan Brown
On 12/7/2017 9:15 AM, Phil Stracchino wrote:
> On 12/07/17 00:43, Ron Beatteay via Mailman-Users wrote:
>> Hi all, 
>> I’m new to mailman.  My previous Listserv platform ( LSoft ) made it easy to 
>> reply to discussions by automatically sending replies to the list.  With 
>> mailman, replies go to the person, not the list, so we have to make the 
>> extra step of correcting the outgoing to: address.   Is there a way to make 
>> that default in settings?
> Yes.  The documentation explains how.
>
> Short version for free:  Edit /etc/mailman/mm_cfg.py and add the
> following line anywhere AFTER 'from Defaults import *':
>
> DEFAULT_REPLY_GOES_TO_LIST = 1

But don't do it.  Teach your users to use "Reply All" when they want to
talk to everybody and "Reply" when they want to talk to the author of
the particular message.

Mailing list mechanisms that set "Reply-To" to point to the mailing list
inevitably lead to messages that are intended to be private being
accidentally sent to the entire list.


Re: [Mailman-Users] Reply-to options not working

2018-01-24 Thread Jordan Brown
On 1/24/2018 12:50 AM, Stephen J. Turnbull wrote:
> I think there's an obvious algorithm for "smart single reply":
>
> 1.  If there is a Reply-To, address the message to Reply-To.
> 2.  Else if there is a List-Post, address the message to List-Post.
> 3.  Else address the message to From.  (If there's no From, the
> message violates the most basic RFCs so all bets are off.)
>
> Assuming that no lists munge Reply-To, I think you'll agree that this
> is what you want 90% of the time (conservative estimate).  There are
> some issues with this algorithm in practice:

If a message had only List-Post and From, that wouldn't get the result
that I would want.  I would want Reply to go to the author.  As a list
member, I consider it an absolute requirement that Reply go to the
author and only to the author; I boycott any list that directs Reply to
the list.  (I've dropped off the "staff" list for an event I was
participating in for this reason.)

I want "Reply" to go to the author, and "Reply All" to go to the author,
the list, and any other To or CC destinations.  I simply can't
understand any other answer.  I don't understand why anybody feels a
need for "Reply List".

How that translates into headers that the mailing list software
generates, shrug.  Yes, the mailing list software could always force in
a Reply-To:  to get the semantics that I want, but why should it
add that noise?  Or the mailing list software could omit List-Post,
which I suppose would be fine too (since I don't understand why you
would want it).

Before DMARC munging, I could have (mis)configured my MUA to ignore
Reply-To and mostly gotten the right semantics even on an evil
Reply-To: list.  With DMARC munging that's no longer an option; I
need Reply-To:  on DMARC-munged lists.



Re: [Mailman-Users] Reply-to options not working

2018-01-24 Thread Jordan Brown
On 1/24/2018 4:48 PM, Grant Taylor via Mailman-Users wrote:
> On 01/24/2018 10:40 AM, Jordan Brown wrote:
>> If a message had only List-Post and From, that wouldn't get the
>> result that I would want.  I would want Reply to go to the author. As
>> a list member, I consider it an absolute requirement that Reply go to
>> the author and only to the author; I boycott any list that directs
>> Reply to the list.  (I've dropped off the "staff" list for an event I
>> was participating in for this reason.)
>
> I think that the difference of Reply vs Reply-List applies to your
> statement.

I don't understand this statement.  Or, I don't understand how it
disagrees with what I said.  I don't really care whether the MUA has a
"Reply List" button that does something list-specific.  "Reply" should
go to the author; "Reply All" should go to all of the original recipients.

> You are entitled to your opinion of how a mailing list should operate
> and free to configure any mailing lists you manage accordingly.

Of course, and I'm free to participate or not participate in mailing
lists based on their policies. And although I normally try to resist
this argument (and don't always succeed), somebody explicitly suggested
trying to define a best practice... and if there's ever a time to say
what one thinks the best practice should be, that's it.

>> I want "Reply" to go to the author, and "Reply All" to go to the
>> author, the list, and any other To or CC destinations.  I simply
>> can't understand any other answer.  I don't understand why anybody
>> feels a need for "Reply List".
>
> Lack of understanding does not mean that other ways are invalid.
>
> See my comment above for why I want replies to my message to
> /discussion/ lists to go to the list.

Sure.  That's what "Reply All" means.  Like you said, it's a matter of
user education :-)

Let's look at a couple of e-mail messages. (And not bothering to put in
real addresses, or the headers that the mailing list might magically add.)

From: Sam
To: Joe, Dave, Jordan

If I hit Reply, the message goes to Sam.  If I hit Reply All, the
message goes to Sam, Joe, and Dave.  (And maybe, depending on my MUA, to
me too.)

Any controversy there?

Now the second message:

From: Sam
To: MailingList

In the scheme I prefer:  If I hit Reply, the message goes to Sam.  If I
hit Reply All, the message goes to Sam and the mailing list.  This seems
totally consistent with the behavior above.

In the scheme you prefer (as I understand it):  If I hit Reply, the
message goes to the mailing list.  If I hit Reply All, the message goes
to the mailing list.  There's no way to get the message to go just to
Sam (absent cutting and pasting).  If Sam isn't on the mailing list, he
won't even get a copy.  But most importantly, the behavior is not
consistent with the non-mailing-list behavior above.

Now another message:

From: Sam
To: MailingList, Joe, Dave, Jordan

In my scheme, again, Reply goes to Sam; Reply All goes to everybody. 
Consistent with the behavior above.

In your scheme, Reply goes to ... ? Well, it depends.  If this is the
copy of the message that I got through the mailing list, Reply will go
to the mailing list, Joe, and Dave.  If, on the other hand, this is the
copy that I got directly, Reply will go to Sam.  Reply All goes to... if
it's the mailing list copy, it goes to the mailing list, Joe, and Dave;
if it's the direct copy, then Sam, the mailing list, Joe, and Dave.  For
the two replies based on the mailing list copy, the message won't go to
Sam unless he's on the mailing list.

And another:

From: Sam
To: MailingListA, MailingListB

For fun, let's assume that I'm on both mailing lists.

My scheme:  Reply goes to Sam; Reply All goes to Sam and both mailing
lists.  Consistent with the behavior above.

Your scheme:  Reply:  If this is the copy I got through list A, it goes
to list A; if it's the copy I got through list B, it goes to list B. 
Reply All:  goes to both mailing lists.  Only goes to Sam if he's on one
of the mailing lists.


Now, when you consider all of those cases, which scheme is simpler and
easier to understand?  Which is less likely to have messages going to
unexpected groups of people, when you spend all day responding to a mix
of all of the types?

And yes, those are all very real cases.  I expect that if I go through
my work e-mail for the last day I'll find examples of each, and I would
be virtually certain if I looked through a week.  (And that includes the
"Sam isn't a member of the mailing list" variants; those are *very* common.)


> In fact, I really dislike receiving the CC when messages are going to
> the list that I'm subscribed to.

Yes, that's a nuisance, but I think it's not nearly as bad as the
alternatives.  It costs me a tap o

Re: [Mailman-Users] Reply-to options not working

2018-01-26 Thread Jordan Brown
On 1/24/2018 9:19 PM, Grant Taylor via Mailman-Users wrote:
> I understand your logic.  It seems reasonable enough.  I still
> disagree with it.  -  By the way the sun is purple.  ;-)  We can agree
> to disagree.

I think that's probably the end result :-)

>> And yes, those are all very real cases.  I expect that if I go
>> through my work e-mail for the last day I'll find examples of each,
>> and I would be virtually certain if I looked through a week.  (And
>> that includes the "Sam isn't a member of the mailing list" variants;
>> those are *very* common.)
>
> I don't doubt what you're saying.
>
> I do question how many of those are /discussion/ mailing lists like
> I've outlined above.

Eh.  Most of them have discussion occurring on them.  Since they are
*not* configured to set Reply-To to the list (thank goodness), I guess
you could say that by definition they are not "discussion lists", but I
think that would be kind of an unnatural definition.

> I feel sorry for Sam and think that he should subscribe to the mailing
> list.  But s/he has that option. 

Might not have the option, or want to.  He sent a question to my team
(and we might discuss the question and the answer), but that doesn't
make him a member of my team.

>> What's really needed there is a MUA that hides duplicates, though
>> that's tricky when mailing list software munges the message and the
>> headers.
> Please clarify what is duplicated that you'd like to see hidden?

You were complaining that in some list configurations you will tend to
get multiple copies of a message - one directly to you, and one via the
list.

I was suggesting that one way to address that complaint would be for
your mail client to detect the duplication and hide the duplicate copies.

> I hear and understand what you're saying.  I think that at least a
> tiny bit of responsibility is on you to check the address that the
> message is going to.  It may be 1%, or more, or less, but I do believe
> that you as a sender have a responsibility to check where you are
> sending the email to.

Maybe in theory, but that's a pretty significant mental processing load
to add to support maybe one in a thousand (if that many) replies that I
send.  It's especially bad in the non-trivial cases where there's more
than one recipient, so "Reply All" will contain a list that won't be
formed the way that it is "usually" formed.

And observed reality is that people, even experienced people, get it
wrong on a regular basis.

> I'm /not/ saying where your reply /does/ go.  I'm saying where I would
> /like/ it to go. 

Mostly, I'd say that you've already said that by including the mailing
list in the To or CC list.  When I reply to a message with multiple
recipients (however those recipients might be specified), I'd say that
the normal convention is to include all of them in any ongoing
discussion by hitting Reply All.  If you wanted your message to go to
the mailing list but didn't want replies to go there, you could have put
the mailing list into the BCC.  (And people do occasionally do that, to
drag a discussion from one mailing list to another, or to shotgun a
broad set of destinations for the initial query but focus discussion in
one place.)


Re: [Mailman-Users] Reply-to options not working

2018-01-29 Thread Jordan Brown
On 1/28/2018 8:40 PM, Stephen J. Turnbull wrote:
> I believe that many users think
> of mailing lists as fundamentally different from personal email, and
> they would like their MUAs to distinguish automatically.  This
> algorithm, I believe, would do a pretty good job of that.


This particular user distinguishes between mail to one (human) recipient
and mail to multiple recipients, but the difference between two and a
thousand is only shades of gray, and whether some are from mailing list
expansion is mostly unimportant.  Either I want to reply to the author
alone, or to everybody, or (rarely) to some other subset.  The obvious
Reply and Reply All behaviors handle the first two, and the last is
probably best handled as Reply All followed by editing the address list.

I suspect that there will always be disagreement as to what a single
"one button reply" button should do, whether it should reply to the
author or reply to everybody.  I doubt that there will ever be a
solution, server-side or client-side, that will make everybody happy.  I
can only hope that whatever standards develop make both "reply to
author" and "reply to all" convenient.

(And that's another of the key items:  the "Reply-To: "
configuration makes it *difficult* to reply to the author, and that
seems just plain rude.)

Side question:  when you have a message addressed to multiple mailing
lists, what does "reply to list" even mean?


>  > I want "Reply" to go to the author, and "Reply All" to go to the author,
>  > the list, and any other To or CC destinations.  I simply can't
>  > understand any other answer.  I don't understand why anybody feels a
>  > need for "Reply List".
>
> Your preference is noted, but you are definitely in a minority of
> those whose opinions I've seen over the decades.  Even those who use
> Reply and Reply All as you do (I do on this list, for example),
> usually have considered it suboptimal.  The preferences of list owners
> also should be respected, to the extent that replying users don't
> care.  The prevalence of reply-to-munging says that they (or perhaps a
> majority of their subscribers) want replies to automatically go to the
> list.

Lists at my company are simply never configured that way; I don't think
our e-mail system even has the option.  (And at ~140K users and
thousands of mailing lists, that's not a trivial data point.)

Note also that the MailMan UI says "Where are replies to list messages
directed? Poster is /strongly/ recommended for most mailing lists." so
it's not just me.

Interesting.  I was going to say that none of the FOSS lists that I
participate in use this configuration, but it seems that a couple do and
Thunderbird's mail.override_list_reply_to is silently saving me from
their misbehavior.  Yay, T-bird!  Though, while I appreciate the fact
that the default is the way I want it, I have to reluctantly say that
it's wrong.  It should respect the Reply-To by default, no matter how
wrong it is.  But note also:  the fact that the T-bird authors chose
this behavior by default suggests that they are not members of the
"Reply-To: " community.

(I'm not sure whether T-bird can save me from a DMARC-munged list that
uses "Reply-To: ".  That combination just makes my head hurt.)




Re: [Mailman-Users] Reply-to options not working

2018-01-30 Thread Jordan Brown
[ Feh.  My biggest MUA<->ML nuisance is that I don't have a way to force
replies to use the custom From address that I use for that mailing
list.  Grant, sorry for the dup. ]

On 1/30/2018 3:42 PM, Grant Taylor via Mailman-Users wrote:
> On 01/30/2018 03:11 PM, Jordan Brown wrote:
>> There are those who would consider it a problem if your mailing list
>> is (mis:-)configured to add "Reply-To: " if there is no
>> existing "Reply-To".
>
> I don't see how the MLM's behavior (good / bad / indifferent) has
> anything to do with this being a problem.  Specifically that the
> sample message has the Reply-To: set to the same value as the From:.

If your Mailman is configured so:

Should any existing Reply-To: header found in the original message
be stripped? If so, this will be done regardless of whether an
explict Reply-To: header is added by Mailman or not. 
(Edit *first_strip_reply_to*)

<http://troop92bsa.org/mailman/admin/parents_troop92bsa.org/?VARHELP=general/first_strip_reply_to>

No  Yes

Where are replies to list messages
directed? Poster is /strongly/ recommended for most mailing lists. 
(Details for *reply_goes_to_list*)

<http://troop92bsa.org/mailman/admin/parents_troop92bsa.org/?VARHELP=general/reply_goes_to_list>

Poster  This list   Explicit address

(that is, first_strip_reply_to=No, reply_goes_to_list=This List)

Then if user A sends a message to the list without a Reply-To, replies
will go to the list, but if user B sends a message to the list with
"Reply-To: " replies will go to user B.

Some people would regard it as a problem that the replies to user B
aren't directed towards the list.

As you say, setting Reply-To to the same as From should have no effect,
but that's not the case in this configuration.  (Nor is it the case for
Stephen's proposed "smart single reply", at the MUA end; in his proposal
an explicit Reply-To beats List-Post beats From.)

(I would regard it as a problem that replies to user A *are* directed
toward the list, but we're not talking about my preferences here; I'm
just trying to explain why some people have a problem with a message
that has Reply-To the same as From.)



Re: [Mailman-Users] Reply-to options not working

2018-01-30 Thread Jordan Brown
On 1/30/2018 6:22 PM, Mark Sapiro wrote:
> On 01/30/2018 04:53 PM, Jordan Brown wrote:
>> (that is, first_strip_reply_to=No, reply_goes_to_list=This List)
>>
>> Then if user A sends a message to the list without a Reply-To, replies
>> will go to the list, but if user B sends a message to the list with
>> "Reply-To: " replies will go to user B.
>
> No.  In the User A case messages from the list will have a Reply-To with
> the list address and replies (ignoring the pathological recent
> Thunderbird) will go to the list as you say, but in the User B case,
> messages from the list will have a Reply-To with both User B's address
> and the list address and replies will go to both User B and the list.
>
> Of course, not all MUA's behave exactly the same with reply in cases
> where there are multiple addresses in Reply-To: but reasonable ones at
> least will address the reply to all the Reply-To: addresses.
>

Thanks for the correction.

(Then I don't know why people are unhappy when Reply-To == From.)




Re: [Mailman-Users] Reply-to options not working

2018-01-30 Thread Jordan Brown
On 1/30/2018 11:46 AM, Grant Taylor via Mailman-Users wrote:
> The more we discuss this and the longer that this thread goes on,
> makes me think that this should be a user configurable action that the
> MUA prompts the user for what they want to reply to in the ambiguous case.

Even getting agreement on what constitutes an ambiguous case might be tough.

50% :-)
50% :-(

It is absolutely, 100%, clear to me what I want to happen on Reply and
Reply All.  But it seems that that is not what you want to happen...



Re: [Mailman-Users] Reply-to options not working

2018-01-30 Thread Jordan Brown
On 1/30/2018 1:33 PM, Grant Taylor via Mailman-Users wrote:
> So I'm curious how the Reply-To: being set to the same thing as the
> From: causes any problems here.

There are those who would consider it a problem if your mailing list is
(mis:-)configured to add "Reply-To: " if there is no existing
"Reply-To".  Replies will be routed to the author, where replies to
other messages will be routed to the list.




Re: [Mailman-Users] Reply-to options not working

2018-01-30 Thread Jordan Brown
On 1/30/2018 2:09 PM, Dimitri Maziuk wrote:
> The only problem then is list mail will seldom land in the list
> sub-folders as the direct replies should almost always come first and
> land in inbox.

That depends entirely on how you design your filters.  My Mailman filter
looks for From, To, CC, or BCC containing mailman-users@python.org.  It
could also reasonably look for Envelope-To[*] containing
mail...@jordan.maileater.net, which would also capture private
Mailman-related conversations, but I haven't had enough of those to bother.

[*] Added by my MTA on receipt.



Re: [Mailman-Users] Reply-to options not working

2018-01-29 Thread Jordan Brown
On 1/29/2018 9:56 PM, Stephen J. Turnbull wrote:
>  > (And that's another of the key items:  the "Reply-To: "
>  > configuration makes it *difficult* to reply to the author, and that
>  > seems just plain rude.)
>
> Why?  Nobody is talking about taking away anybody's Reply-To-Author
> function, and nobody says you personally have to bind "smart reply" to
> anything in your MUA.

If you have "smart reply" as a separate function, yes.  If you have the
typical "Reply" and "Reply All", and the mailing list software sets
"Reply-To: ", then replying to the author is awkward and
error-prone.  RFC-compliant MUAs are unlikely to have a simple operation
that replies to the sender.


>  > Side question:  when you have a message addressed to multiple
>  > mailing lists, what does "reply to list" even mean?
>
> Long answer: click here -> https://tools.ietf.org/html/rfc2369
> Short answer: List-Post may occur at most once.  It goes there.

So for the general case where you might have gotten a message directly,
and through list A, and through list B, the result is random unless you
pay careful attention to how you got this particular copy of the message.

>  > Note also that the MailMan UI says "Where are replies to list messages
>  > directed? Poster is /strongly/ recommended for most mailing lists." so
>  > it's not just me.
>
> Opposing "Reply-To munging" is nowhere near advocating restricting
> reply UI to "Reply-to-Author" and "Reply-to-All", no more, no less.
> In fact, my opposition to Reply-To munging is a good part of *why* I
> think "smart reply" would be a useful addition to AOL's MUA, inter alia.

OK, so maybe we aren't so far off alignment.  We might choose different
options, but that's OK.

It sounds like neither of us want the list to set "Reply-To: ".

You want a "smart reply" button that sends to Reply-To, List-Post, or
From, in that order.  (Right?)
I want plain "reply" that sends to Reply-To or From, in that order.  (I
don't mind if it's renamed to "Reply to Author".)

I wouldn't use your "smart reply" button, because I think it does the
wrong thing for mailing lists, but if you want to do the wrong thing
with your replies, I guess that's up to you.

My only fear is that in the ongoing simplification (dumbing-down?) of
this stuff, "smart reply" will become the only option.  And, actually,
if that happens then I *have* lost the "reply to author" function.

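The reply policies argued over in this thread (plain Reply, the proposed "smart reply", and Reply All), run over constructed list messages, including the two Reply-To cases Mark Sapiro describes for reply_goes_to_list. This is an added illustration, not code from Mailman or from any MUA; the addresses, sample messages and function names are made up for it.

```python
import re
from email import message_from_string
from email.utils import getaddresses

LIST = "list1@lists.example.net"      # constructed list address
LIST_B = "list2@lists.example.net"    # constructed second list


def addrs(msg, *headers):
    """Lower-cased addresses found in the named headers, in order."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return [a.lower() for _, a in getaddresses(values) if a]


def list_post(msg):
    """Address from a List-Post: <mailto:...> header (RFC 2369), if any."""
    m = re.search(r"<mailto:([^>?]+)", msg.get("List-Post", ""))
    return [m.group(1).lower()] if m else []


def reply(msg):
    """Plain Reply: Reply-To, otherwise From."""
    return addrs(msg, "Reply-To") or addrs(msg, "From")


def smart_reply(msg):
    """The proposed order: Reply-To, then List-Post, then From."""
    return addrs(msg, "Reply-To") or list_post(msg) or addrs(msg, "From")


def reply_all(msg, me):
    """Reply targets plus everyone on To/Cc, minus the replier, no duplicates."""
    out = []
    for a in reply(msg) + addrs(msg, "To", "Cc"):
        if a != me and a not in out:
            out.append(a)
    return out


def routes(raw, me="me@example.org"):
    msg = message_from_string(raw)
    return {"reply": reply(msg), "smart": smart_reply(msg),
            "all": reply_all(msg, me)}


def private_reply_reaches_list(raw, lists=(LIST, LIST_B)):
    """True when hitting plain Reply would deliver the note to a list."""
    return any(a in lists for a in reply(message_from_string(raw)))


# Constructed messages as a subscriber would receive them.
_COMMON = ("To: list1@lists.example.net\n"
           "List-Post: <mailto:list1@lists.example.net>\n"
           "Subject: [list1] hello\n")
UNMUNGED = "From: Joe User <joe@example.com>\n" + _COMMON + "\nbody\n"
# reply_goes_to_list=This List, poster sent no Reply-To of their own
MUNGED = ("From: Joe User <joe@example.com>\n"
          "Reply-To: list1@lists.example.net\n" + _COMMON + "\nbody\n")
# same list setting, first_strip_reply_to=No, poster set their own Reply-To
USER_B = ("From: User B <userb@example.com>\n"
          "Reply-To: User B <userb@example.com>, list1@lists.example.net\n"
          + _COMMON + "\nbody\n")
# a non-member asks one team and copies a second list
CROSS_TEAM = ("From: Alice <alice@example.com>\n"
              "Cc: list2@lists.example.net\n" + _COMMON + "\nbody\n")

if __name__ == "__main__":
    for name in ("UNMUNGED", "MUNGED", "USER_B", "CROSS_TEAM"):
        print(name, routes(globals()[name]),
              "private reply goes public:",
              private_reply_reaches_list(globals()[name]))
```
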


Re: [Mailman-Users] Reply-to options not working

2018-02-06 Thread Jordan Brown
[ This was getting pretty long and a bit repetitive, so I trimmed it
brutally.  It's still pretty long, sigh. ]

On 2/6/2018 2:09 AM, Stephen J. Turnbull wrote:
>  > But:  in my work contexts, it is quite common for a discussion to span
>  > two teams.  Again, a "reply" that goes to the List-Post address (versus
>  > All) won't do the right thing.  Normal "Reply All" does the right
>  > thing.
>
> OK.  I'm assuming that each team has its own list, only one List-Post
> is present, so you need Reply-All even for list posts, right?

Our mailing list software doesn't add List-Post, so yes, no other
variation does anything like the right thing.

For discussion purposes, I'm assuming that you would consider that to be
a misconfigured mailing list, and so I'm discussing how things would
work if it *did* include List-Post.  I shudder to imagine a world where
both kinds of mailing lists (with and without List-Post) are considered
correct, and you'd have to know which kind of mailing list each was to
know how your Reply button would work.

>  > Normal "Reply" does the right thing (assuming non-munged
>  > Reply-To).
>
> Reply-To munging is precisely the issue this is intended to address.
> Munged lists *have* caught me (although actually sending a message
> misaddressed to list is extremely rare).  I think the difference is
> that when I use "smart reply" I have implicitly requested that it go
> to the list.  If I really want to reply to author (which is not that
> rare), I do use Reply-Author, and find it natural.  (I'm not saying
> you would.)

I think I might finally understand some of the disconnect.

When you say "smart reply", what I hear is that it's a replacement for
the Reply button.  If it's a replacement for the Reply button, the
button you use to reply just to the author in all *other* contexts, then
it will naturally lead you into sending your private message to the world.

But it seems that you're really intending it as a replacement for the
Reply All button, a multicast reply that tries to figure out what the
exactly right address is to reply to.

Do you just never have three-way conversations with specific people?  Or
do you have to mentally split replies into three kinds:  just back to
the author, to a mailing list, or to an ad-hoc group?

My mental rule is really simple:  if I want to reply to the author, I
hit Reply; if I want to reply to everybody in the conversation I hit
Reply All.  Every once in a while I need to spin off a subset or add
somebody, and then I do one of the above and edit the list.

Do you have all three buttons (Reply, Smart-Reply, Reply-All)?

If you have a message from Joe, To you, CC Sam, and you want to reply to
both Joe and Sam, what button do you use?  If you just want to reply to
Joe, what button do you use?

>  > than Reply or Reply All, as appropriate.  (If you're interested, I'll
>  > see if I can do an analysis of my message traffic to see how often it
>  > would do something that I would consider to be clearly wrong and how
>  > often it would be an improvement.)
>
> I would be interested in that.  I expect that you'll find a pretty
> high ratio of wrong to right.  But if it came out anywhere near even,
> it would be a pretty strong indication in favor of writing an RFC.  I
> don't expect that to be enough to interest you in changing (there
> would be muscle memory costs, etc).
>
> I would appreciate it if you would *not* count "omitting the author of
> a list post from the reply" as "wrong" for this purpose because I don't
> think my target audience for "smart reply" would count it as wrong.

I'll see what I can do.  The hard part will be determining whether
people on the To/CC list are on the mailing list.
[ After an experiment... ] Yeah, the SMTP server doesn't implement EXPN,
making that hard to automate.  Still, I'll see what I can do by hand.

>  > One might say that different behaviors are appropriate for
>  > different fora, and that wouldn't be totally wrong, but remembering
>  > that different fora will behave differently requires effort, and
>  > since Reply/Reply-All do the right thing in *every* forum, why would
>  > I want to spend that effort (and take the risk of mixing it up)?
>
> Well, I did it because I'm (intermittently) on a crusade to eliminate
> Reply-To munging.  (Just so you know there is *some* method to this
> madness.)  I realize that's a very specialized motivation. ;-)

Oh, I'm on a crusade to eliminate Reply-To munging too.  I'm just
nervous about doing it by pushing a UI idiom that has a very similar
effect, especially spinning it as the "does what you really want" answer.

> I also disagree that Reply-All does the right thing in the subscribe-
> to-post discussion lists I participate in.  Sure, I can go back and
> edit out all but the person I'm replying to, but even I don't always
> do that, and most people *never* do.  YMMV, of course.

And the harm is that people get duplicate copies of messages in threads
they've participated in. 

Re: [Mailman-Users] Reply-to options not working

2018-02-05 Thread Jordan Brown
On 2/5/2018 12:29 AM, Stephen J. Turnbull wrote:
> The question I asked, which you misinterpreted completely IMO, and
> Grant partially agreed with is "Does an algorithm which 1. gives
> overriding precedence to Reply-To, 2. otherwise if List-Post is
> present directs it there, and 3. finally falls back to From, seem
> likely to DTRT most of the time?"

You don't mention what your "smart reply" does with To and CC
addresses.  Discards them, I assume?

I suppose it depends on what "most of the time" means, and how often
cross-posting happens, and how often messages to mailing lists include
non-members.

Indeed, most of the time I want to continue the conversation in the same
forum that it's happening in.

But:  in my work contexts, it is quite common for somebody to address a
question to a different team, a team that they are not a member of.  A
"reply" that goes to the List-Post address (versus All) won't do the
right thing, because it won't include the original author.  Normal
"Reply All" does the right thing.

But:  in my work contexts, it is quite common for a discussion to span
two teams.  Again, a "reply" that goes to the List-Post address (versus
All) won't do the right thing.  Normal "Reply All" does the right thing.

But:  It's quite common for a discussion to be between an ad-hoc group
of people on the To/CC lines.  A "reply" that doesn't include To and CC
doesn't do the right thing.  Normal "Reply All" does the right thing.

But:  Even in a mailing list context, I think that "To:  CC:
" conveys useful context; I'm replying to what *you* said, and
including everybody else in the audience.  Reply All does the right
thing.  (Yes, it's suboptimal in that the To/CC list tends to accumulate
people over time, but the MUA can't get that right because it doesn't
know who is on the mailing list, ref points above.)

And, finally, it isn't uncommon (probably 5% < x < 20%) for me to want
to reply privately, perhaps to criticize, perhaps to try to resolve a
private disagreement, or perhaps simply to pursue a side thread that
isn't of general interest.  Again, a "reply" that goes to List-Post
(versus From) won't do the right thing and may lead to significant
embarrassment, a risk that in my experience outweighs any possible
advantage.  I do *not* want my "Er, did you really mean to say " note
to go to the entire audience.  Normal "Reply" does the right thing
(assuming non-munged Reply-To).

So, net, there are many cases where "smart reply" doesn't do what I
think is the right thing, and none where I think it's appreciably better
than Reply or Reply All, as appropriate.  (If you're interested, I'll
see if I can do an analysis of my message traffic to see how often it
would do something that I would consider to be clearly wrong and how
often it would be an improvement.)


On what might be a side note, I think there might be a key difference in
attitude between different camps.  One side wants to keep discussion on
the mailing list when possible; another wants to keep discussion *off*
the mailing list if it isn't of more or less general interest.  There is
nothing quite so annoying, for instance, as a "me too" flood.  95% of my
e-mail is work, so every message costs the company money, times the
number of people who have to pay at least enough attention to it to
delete it.  Ten seconds to scan a message, times a thousand people at
$50 to $100 or more per hour, is $140 to $280 or more per message.


>  > So for the general case where you might have gotten a message
>  > directly, and through list A, and through list B, the result is
>  > random unless you pay careful attention to how you got this
>  > particular copy of the message.
>
> Yes and no (I partly disagree with Mark here).  It's definitely
> deterministic, and *not* random, but to users it may seem arbitrary.

It is of course completely deterministic.  But note that I said "unless
you pay careful attention to how you got this particular copy of the
message".

>  > I wouldn't use your "smart reply" button, because I think it does the
>  > wrong thing for mailing lists,
>
> I don't understand why you think that.  So far you have consistently
> responded to this thread on-list AFAICS, and everybody in this thread
> got here by reading it on the mailing list (all first responded to a
> mailing list post, not to one where they were personally addressed).

You don't know about the private conversations :-)

I did have a side conversation with Grant about exactly how I manage my
e-mail addresses (distinct "From" addresses for each mailing list and
each business I deal with).  There were a couple of side comments to Mark.

You also suppose that this style of mailing list dominates my mailing
list usage... it doesn't.  It's easily beaten by my Boy Scout e-mail,
which often goes to both the "parents" and the "Scouts" lists, and at
the moment (for stupid hosting reasons and because of a mailing list
manager with ... suboptimal ... header handling) it's usually going 

Re: [Mailman-Users] options for dealing with DMARC

2017-12-28 Thread Jordan Brown
[ Today is not my day for getting details right.  Sigh. ]

On 12/28/2017 11:57 AM, Jordan Brown wrote:
> I've been running my mailing list for a few years with "Munge From" to
> defend against DMARC rejection.  This means that my messages get
>
> From: Joe User <mymailingl...@mydomain.com>

That should be

From: Joe User via MyMailingList <mymailingl...@mydomain.com>

> Reply-To: Joe User <j...@example.com>
>
> That mostly works, but sometimes confuses people a bit, and just now
> I've had somebody send what I think was intended as a private address to

Should be "... intended as a private message to ..."

> that From line, not to the Reply-To line.  (I think their e-mail client,
> Pegasus, has an excessively flexible policy on which headers to use for
> a reply and may be subtly misconfigured, but maybe they just naively
> copied the From line.)
>
> That's leading me to wonder whether there's another way, whether I can
> leave From alone and still get past the DMARC checks.  Wikipedia tells
> me that DMARC passes if either SPF *or* DKIM passes.  There's no hope
> for SPF with the original sender in From, because the mailing list
> server isn't the user's mail server.  However, DKIM seems like it
> *might* pass, if I'm careful in how I configure the mailing list.  In
> particular, it looks like I'd have to get rid of the message footer. 
> That would be OK.  Looks like I might also have to kill off the
> [ListName] addition to the Subject, which is less OK but might be better
> than the alternative.
>
> Before I go recruit a couple of users from several DMARC-using providers
> and run some tests, can anybody tell me if there is any hope there, and
> maybe share some configuration tips?


[Mailman-Users] options for dealing with DMARC

2017-12-28 Thread Jordan Brown
I've been running my mailing list for a few years with "Munge From" to
defend against DMARC rejection.  This means that my messages get

From: Joe User 
Reply-To: Joe User 

That mostly works, but sometimes confuses people a bit, and just now
I've had somebody send what I think was intended as a private address to
that From line, not to the Reply-To line.  (I think their e-mail client,
Pegasus, has an excessively flexible policy on which headers to use for
a reply and may be subtly misconfigured, but maybe they just naively
copied the From line.)

That's leading me to wonder whether there's another way, whether I can
leave From alone and still get past the DMARC checks.  Wikipedia tells
me that DMARC passes if either SPF *or* DKIM passes.  There's no hope
for SPF with the original sender in From, because the mailing list
server isn't the user's mail server.  However, DKIM seems like it
*might* pass, if I'm careful in how I configure the mailing list.  In
particular, it looks like I'd have to get rid of the message footer. 
That would be OK.  Looks like I might also have to kill off the
[ListName] addition to the Subject, which is less OK but might be better
than the alternative.

Before I go recruit a couple of users from several DMARC-using providers
and run some tests, can anybody tell me if there is any hope there, and
maybe share some configuration tips?




Re: [Mailman-Users] options for dealing with DMARC

2017-12-28 Thread Jordan Brown
[ Mark, sorry for the dup.  Sent from the wrong address, so the copy to
the mailing list bounced. ]

On 12/28/2017 1:27 PM, Mark Sapiro wrote:
> On 12/28/2017 11:57 AM, Jordan Brown wrote:
>> That's leading me to wonder whether there's another way, whether I can
>> leave From alone and still get past the DMARC checks.  Wikipedia tells
>> me that DMARC passes if either SPF *or* DKIM passes.  There's no hope
>> for SPF with the original sender in From, because the mailing list
>> server isn't the user's mail server.  However, DKIM seems like it
>> *might* pass, if I'm careful in how I configure the mailing list.
> Correct. As pointed out in item 2 at <https://wiki.list.org/x/17891458>
> you can avoid breaking DKIM signatures by turning off Content filtering,
> scrubbing of non-digest messages and Reply-To: header munging and remove
> subject_prefix, msg_header and msg_footer so Mailman doesn't make
> message modifications that break DKIM signatures.
>
> If you are willing to have your list not make any such transformations,
> that will work.

Thanks!  (And sorry for not looking at the FAQ first.)

(In looking to see what else I might have missed, I found DEV/DMARC; you
might want to link the two together.)

> Ideally, you might check DMARC on incoming mail, because if it fails,
> that mail will bounce anyway. E.g., I have seen a case where a user had
> configured a "Yahoo" account in her local email client to send From: her
> yahoo.com address but not send via a yahoo SMTP server. Thus, all of her
> mail, including list mail, would be bounced by anyone not checking DMARC
> because it had no yahoo.com DKIM signature, but in the case of list mail
> without DMARC mitigations, this would cause multiple recipients to
> bounce the mail and perhaps have their delivery disabled.


Is DMARC checking available as a Mailman feature?  I don't remember
seeing a "check DMARC" option in the UI, and I don't find one in the
docs.  I'm an HSP customer with cPanel as my UI.  It looks like I could
enable DKIM on a domain-global basis, but I don't see anything for DMARC
per se.  I don't want to turn on any domain-global rejection of
"failing" mail, because I wouldn't want to reject messages sent to the
non-mailing-list addresses.  It would be OK to add a "failed DMARC"
header to the message and then have Mailman reject on the basis of that
header.





Re: [Mailman-Users] non-subscribers getting through--email address in "Real Name"

2018-07-27 Thread Jordan Brown
On 7/27/2018 4:18 PM, Richard Damon wrote:
> Yes, there are existing formats that at least mostly represent this in
> the message itself, but not for display. Especially that currently the
> wrapping message would say it is from the list, but you really want
> some way for it to say that in the MUA's message list, it should
> indicate who the author of the embedded message was, not the 'author'
> of the wrapping message. This probably means that we need a new
> message content type to indicate it. 

A message content type is one possibility, but other headers might also
be reasonable.

> Also, the MUA (or maybe their MTA) should know enough to pierce through
> that wrapping message and give an indication that the wrapped message
> passes or fails the appropriate tests. The current formatting doesn't
> imply that that should happen.

Shrug.  I wouldn't consider it to be silly for an MUA to apply those
tests to any message/rfc822 part, whether or not it came from a mailing
list.

If I do a forward-as-attachment to forward a message to you, it would be
good if you could independently verify that the forwarded message is
from who it says it is from.

Anyhow, it's clearly possible, probably with minimal standards for
message metadata.  The problem (after getting agreement on the metadata)
is getting an adequate number of MUAs to behave well with the wrapped
messages.



Re: [Mailman-Users] ARC

2018-07-25 Thread Jordan Brown
On 7/25/2018 2:53 AM, Stephen J. Turnbull wrote:
> Note that if I were intuit.com's CISO, I would fight tooth and nail
> against the system you suggest, because it implies that I have DKIM
> private keys for all those subdomains owned by clients.  Every spammer
> in the world would be trying to hack the server that has those keys.
> I could probably keep them out, but Lordy, the liability involved!

Well, yeah, but to provide such a service in a way that has any
resemblance to being secure, Intuit *must* have some secret that allows
it to send mail "from" those subdomains.  If Intuit doesn't need such a
secret, then anybody could send mail like that.

The price of the privilege of sending mail on behalf of your clients is
that you must protect that ability so that villains cannot hijack it.



Re: [Mailman-Users] non-subscribers getting through--email address in "Real Name"

2018-07-27 Thread Jordan Brown
On 7/25/2018 5:24 PM, Richard Damon wrote:
> Yes, one set of solutions would involve defining standards of how to
> compose composite messages, with standards on how to display them. A
> major part of the current issue is that for anything more than a
> single part plain text you can't be sure how it will be handled.

I can't say that I'm a true expert, or that I've really investigated,
but I believe you can wrap an entire message (with multiple parts) into
a single part of the wrapper message.  I don't think you need any new
message-structure standards.  You might need standards for headers that
would say that that's what you've done, and you certainly would need MUA
support.

(And to others who have replied:  yes, all understood.  Like I said,
adoption would be hard.)



Re: [Mailman-Users] ARC

2018-07-27 Thread Jordan Brown
On 7/26/2018 9:19 PM, Stephen J. Turnbull wrote:
> Jordan Brown writes:
>
>  > Well, yeah, but to provide such a service in a way that has any
>  > resemblance to being secure, Intuit *must* have some secret that allows
>  > it to send mail "from" those subdomains.  If Intuit doesn't need such a
>  > secret, then anybody could send mail like that.
>
> Sure, but (1) anyone can send mail like that anyway (and they do),

Wasn't this in the context of signature-checking schemes that detect
forged origin metadata?

> (2) the customers will (well, should) be checking invoices against their
> own purchasing records before they pay, and (3) after the vendor
> identifies Intuit as its billing agent, Intuit's own signature will do
> the trick.

So the vendor has to notify their customers who they use to do their
billing, and every time that they change billing vendors?  Ofttimes, the
goal is that the billing vendor is completely invisible to the end
customer.  I'm buying something from FrobozzCo; I should see e-mail that
comes from FrobozzCo (in a verifiable way), web pages that say FrobozzCo
and frobozzco.com, and the entry on my credit card statement should say
FROBOZZCO.  The fact that FrobozzCo uses Intuit is none of my business
and should be totally hidden from me.

Having your billing vendor be visible is, like having your company
e-mail address be @gmail.com, a mark of a tiny company that hasn't
really figured out how to make its business work.

> Securing a small number of own keys that get rotated on a schedule is
> one thing, securing a database of others' keys that regularly gets
> updated and multiple regular employees need access to is going to be
> quite another.

Not anywhere near as hard as it is for a full-scale e-mail vendor. 
Google secures a database of millions of users' secrets, and must have
internal and external controls that keep the wrong people from sending
mail that pretends to come from those users.



Re: [Mailman-Users] non-subscribers getting through--email address in "Real Name"

2018-07-25 Thread Jordan Brown
Hmm.  It would take MUA changes to be fully effective, but a possibility
that comes to mind is to have mailing lists leave the original message
absolutely unmodified, but wrap it in a message that comes "from" the
mailing list.  That way everything about the message is verifiably true.

A list-aware MUA could more or less transparently unwrap such a
message.  It would probably display some indication that the message
came through the ML - the name of the list, unsubscribe mechanism,
archive pointers, ML header or footer text, et cetera, and maybe
activate alternative "reply" options[*]  - but would largely present the
message as "from" the original author, *via* the mailing list.

Perhaps the wrapper message would look like today's munged ML messages -
From: Real Person  / Reply-To: Real Person
 - but a list-aware MUA would largely hide that.

Of course there are a million details and getting adoption would be hard.

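An added sketch (not Mailman code) covering both the DMARC thread above, where subject_prefix, msg_footer and From munging are named as the changes that break DKIM, and the proposal here to wrap the untouched post in a message "from" the list. It recomputes only the inputs a DKIM verifier hashes (relaxed-canonicalized signed headers and body hash, RFC 6376), not the RSA signature itself; the sample post, the addresses, the assumed h=from:subject, and all function and parameter names are constructed for the example.

```python
import base64
import email
import hashlib
import re
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formataddr, parseaddr

# Constructed sample post; names and addresses are placeholders.
RAW = (
    "From: Joe User <joe@example.com>\n"
    "To: mylist@lists.example.net\n"
    "Subject: Campout this weekend\n"
    "\n"
    "Meet at the trailhead at 9.\n"
    "Bring water.\n"
)
SIGNED_HEADERS = ("from", "subject")  # assumed h= list of the author's domain
LIST_NAME = "MyMailingList"
LIST_ADDR = "mylist@lists.example.net"
FOOTER = "--\nMyMailingList mailing list\n"


def parse(raw):
    return email.message_from_string(raw)


def relaxed_body_hash(body):
    """bh= value for relaxed body canonicalization with SHA-256."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()                      # trailing empty lines are ignored
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def relaxed_header(msg, name):
    """Header as hashed under relaxed canonicalization: unfolded, WSP collapsed."""
    value = re.sub(r"\s+", " ", msg.get(name, "")).strip()
    return name.lower() + ":" + value


def dkim_inputs(msg):
    inputs = {h: relaxed_header(msg, h) for h in SIGNED_HEADERS}
    inputs["body"] = relaxed_body_hash(msg.get_payload())
    return inputs


def broken_parts(original, delivered):
    """Which signed inputs no longer match what the author's domain signed."""
    a, b = dkim_inputs(original), dkim_inputs(delivered)
    return sorted(k for k in a if a[k] != b[k])


def munge_in_place(raw, subject_prefix=True, msg_footer=True, munge_from=True):
    """Model of a list editing the post itself before redistributing it."""
    msg = parse(raw)
    if subject_prefix:
        msg.replace_header("Subject", f"[{LIST_NAME}] {msg['Subject']}")
    if munge_from:
        name, addr = parseaddr(msg["From"])
        msg.replace_header(
            "From", formataddr((f"{name} via {LIST_NAME}", LIST_ADDR)))
        msg["Reply-To"] = formataddr((name, addr))
    if msg_footer:
        msg.set_payload(msg.get_payload() + FOOTER)
    return msg


def wrap(raw):
    """Carry the untouched post as a message/rfc822 part of a list message."""
    inner = parse(raw)
    name, _ = parseaddr(inner["From"])
    outer = MIMEMultipart("mixed")
    outer["From"] = formataddr((f"{name} via {LIST_NAME}", LIST_ADDR))
    outer["Reply-To"] = inner["From"]
    outer["Subject"] = f"[{LIST_NAME}] {inner['Subject']}"
    outer.attach(MIMEMessage(inner))
    outer.attach(MIMEText(FOOTER))       # list footer lives outside the post
    return outer.as_string()


def unwrap(wrapped):
    """What a list-aware MUA would do: pull the original post back out."""
    for part in parse(wrapped).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    raise ValueError("no message/rfc822 part")


if __name__ == "__main__":
    original = parse(RAW)
    print("in place:", broken_parts(original, munge_in_place(RAW)))
    print("wrapped: ", broken_parts(original, unwrap(wrap(RAW))))
```
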