Re: [Mailman-Users] Authenticated Received Chain in Mailman?

2017-06-13 Thread Stephen J. Turnbull
Henry Yen writes:

 > Do you think your analysis will change now that AOL and Yahoo! are
 > now both part of Verizon?

I really don't know.  It depends on whether Verizon management is
willing to leave well enough alone.  Email abuse is a very hard
problem, so if they try to make big changes, they're likely to cause
problems.  But I suspect they'll be happy enough with their new market
power for a while, and email is not a cash cow for anybody but maybe
Google any more.

Steve

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] Authenticated Received Chain in Mailman?

2017-06-08 Thread John Levine
In article <20170608234027.gu8...@nntp.aegisinfosys.com> you write:
>Do you think your analysis will change now that AOL and Yahoo! are
>now both part of Verizon?

Probably not.  Verizon's folded their legacy mail system into AOL's.
Maybe they'll merge the AOL and Yahoo mail systems, but I would be
surprised since they're technically quite different and their users
expect different features.

R's,
John


Re: [Mailman-Users] Authenticated Received Chain in Mailman?

2017-06-08 Thread Henry Yen
On Thu, Jun 08, 2017 at 03:56:12AM +0900, Stephen J. Turnbull wrote:
> If Yahoo! and
> AOL come on board in a timely fashion, ARC will help a lot.  My
> expectation is that Yahoo! will be there, although their financial
> situation exudes the stench of reorganization.  AOL is more dubious.
> Good intentions from their IETF delegates, but they've had severe
> staffing problems in the not-so-distant past.

Do you think your analysis will change now that AOL and Yahoo! are
now both part of Verizon?

-- 
Henry Yen   Aegis Information Systems, Inc.
Senior Systems Programmer   Hicksville, New York


[Mailman-Users] Authenticated Received Chain in Mailman?

2017-06-08 Thread Stephen J. Turnbull
[My apologies, I drafted this a couple days ago, but never finished
it.]

Brett Delmage writes:

 > Will Mailman 2 or 3 be incorporating Authenticated Received Chain (ARC) 
 > http://arc-spec.org/ ?

We will be doing so in Mailman 3, probably by mid-July for the Gitlab
trunk, and planned for release in Mailman 3.2.

However, configuring ARC in Mailman is a not-great idea if you can
avoid it.  Instead, use an ARC-enabled MTA on your boundary MX.  There
is no need based on the protocol itself to do this in Mailman; we're
providing the feature only for experimentation and because it seems
likely many virtual hosting services will take a while to update their
MTAs.  (Of course, they're even more likely to take a while to update
from Mailman 2.1 to Mailman 3.)

In detail:

(1) Mailman cannot do ARC by itself.  It requires help from the DNS
for the distribution of the public key needed to verify the
signatures.  So you already need somebody with sensitive access to
sensitive hosts; you can't delegate to Mailman list/site admins.

(2) In many configurations, the private signing key will be the key
used for DKIM.  You don't want anybody but root to have access to
that.

(3) The ARC host should be a boundary host (i.e., the first host in your
administrative domain to receive the post on the way in, and the
last host to touch it on the way out).  In many configurations,
the Mailman host will not be a boundary host.  This is especially
likely in the current state of Mailman 3, as there are strong
reasons to put all of the services (Mailman itself, Postorius, and
HyperKitty) on the same host.  On the other hand, because the
Mailman component communicates with the MTA by LMTP and submission
or SMTP, there's no need for Mailman to be on the MTA host.  This
allows isolation of the MTA on a more secure host (recommended).

(4) Mailman cannot verify SPF because it does not have access to the
SMTP connection.  Few important hosts are dependent on SPF (almost
everybody with SPF also has DKIM configured), but this is a
weakness of doing it in Mailman.

If you're running your own host and can configure your own DNS, you
can use the Mailman version, but I do have to recommend an MTA-based
implementation of ARC over ours.

In the next few days I'll follow up with Sendmail, Postfix, and Exim
to see what they're planning for ARC.  (We don't officially support
Qmail, but if there are Qmail fans out there, feel free to check and
let me know!)  I do know that the ARC developers are planning milters
(which would take care of Sendmail and Postfix).

Hope this helps,

Steve

-- 
Associate Professor  Division of Policy and Planning Science
http://turnbull/sk.tsukuba.ac.jp/ Faculty of Systems and Information
Email: turnb...@sk.tsukuba.ac.jp   University of Tsukuba
Tel: 029-853-5175 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN
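An added example (not code from this thread or from Mailman) illustrating point (1): the structural rules an ARC verifier applies to the chain of ARC-Seal / ARC-Message-Signature / ARC-Authentication-Results sets are easy to check locally, but the seals themselves can only be verified with each signer's public key from DNS, which is why the boundary MTA is the right place for it. The ARC header set, domains and signature values are constructed placeholders, and the check deliberately stops short of cryptographic verification.

```python
from email import message_from_string
from email.policy import default

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

# Constructed sample (not real mail): a post sealed by the sender's boundary
# MTA (i=1) and then by a mailing list host (i=2). Signature values are
# placeholders; the checks below cover chain structure, not the signatures.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; t=1496800000; cv=pass; d=lists.example.org; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=lists.example.org; s=arc; h=From; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; lists.example.org; arc=pass; dkim=pass header.d=example.com
ARC-Seal: i=1; a=rsa-sha256; t=1496790000; cv=none; d=example.com; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=example.com; s=arc; h=From; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: alice@example.com

body
"""

def arc_sets(msg):
    """Group the three ARC headers by instance number: {i: {header: tags}}.
    Tags are the 'k=v; k2=v2' pairs of each header value."""
    sets = {}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            tags = dict(p.strip().split("=", 1) for p in str(value).split(";") if "=" in p)
            sets.setdefault(int(tags["i"]), {})[name] = tags
    return sets

def chain_structure_ok(raw):
    """Structural checks from RFC 8617 on a raw message: instances contiguous
    from 1, all three headers per set, cv=none on i=1 and cv=pass afterwards
    (cv=fail anywhere fails the chain). Returns (ok, list of problems). The
    seals are NOT cryptographically verified; that needs the signers' public
    keys from DNS, which is why a boundary MTA is the right place to do it."""
    sets = arc_sets(message_from_string(raw, policy=default))
    problems = []
    if sets and sorted(sets) != list(range(1, max(sets) + 1)):
        problems.append("instance numbers not contiguous from 1")
    for i in sorted(sets):
        missing = [h for h in ARC_HEADERS if h not in sets[i]]
        if missing:
            problems.append(f"i={i} missing {missing}")
            continue
        cv, expected = sets[i]["ARC-Seal"].get("cv"), "none" if i == 1 else "pass"
        if cv != expected:
            problems.append(f"i={i} ARC-Seal cv={cv}, expected {expected}")
    return (not problems), problems   # a message with no chain at all is fine
```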


Re: [Mailman-Users] Authenticated Received Chain in Mailman?

2017-06-08 Thread Stephen J. Turnbull
Joseph Brennan writes:

 > Wonderful, another offering of "This document is not an Internet
 > Standards Track specification; it is published for informational
 > purposes" adding further complexity to email in a mad attempt to make
 > up for the "potential" (?) problems that the previous "informational"
 > one (DMARC) has done to mailing lists.

Have you actually participated in IETF decision-making?  It's complex
and political.

I am not pleased with Yahoo! and AOL, but at least they're honest
about what they've done.  On the other side, there are Certain Parties
who show up every time mail abuse gets discussed, arguing for
solutions that are as bad as the disease (not to mention scaling
poorly).  It could be worse (the IETF could be run by the Republican
Party), but it wouldn't be *much* worse.  There's also the problem
that it's not clear whether the 800-lb gorillas would be willing to go
along with some of the changes that the Reasonable People Among Us
seemed to favor.  This way, at least we have a standard.

Furthermore, IMHO, as Internet standards go (whether "Standards Track"
or "Informational") DMARC is a high quality standard, something that
people will be willing to conform to with little ambiguity.
Admittedly, it has been abused by at least two large providers, but
not to the extent nor the harm that RFCs 821 and 822 have. :-/

ARC is also looking to be a good standard, potentially useful for
mailing lists, and it's being pushed by the same large providers who
are problems (real and potential) for mailing lists.  If Yahoo! and
AOL come on board in a timely fashion, ARC will help a lot.  My
expectation is that Yahoo! will be there, although their financial
situation exudes the stench of reorganization.  AOL is more dubious.
Good intentions from their IETF delegates, but they've had severe
staffing problems in the not-so-distant past.

 > It would be too easy for email-reading software to show me the address
 > of the sender and the name of the system that handed the message to my
 > system, and let me use my own common sense to decide whether it's
 > spoofed.

Sure, but you *have* common sense.  There's good empirical support for
the phrase "more money than brains", you know.  And let's not forget
that a sadly large fraction of the vulnerable are elderly, with no
chance of recovering from a financial loss by earning more.  Finally,
although the high-profile political phishing was done by APTy
entities, who can probably suborn your DNS, that's not true of many of
the lesser, purely profit-oriented or malicious, threats.  But the
social engineering skill needed to craft such phishing messages is
widely distributed, including among garden-variety stalkers-in-the-grass.

YMMV, but after talking to the people who have the data about the
average bloke, and watching relatively well-educated people fall like
dominos for phishing emails, I've come around to the idea that DMARC
is a very useful tool.  Shame about *my* ox, of course.

To sum up, I too wish that we could go back to the days of "friendly
networks", but DMARC + ARC is not all that bad a way to play the cards
that spammers and phishers deal us.

Regards,

Steve



Re: [Mailman-Users] Authenticated Received Chain in Mailman?

2017-06-06 Thread Jim Popovitch
On Tue, Jun 6, 2017 at 3:11 PM, Joseph Brennan  wrote:
> On Tue, May 30, 2017 at 10:34 PM, Brett Delmage
>  wrote:
>> Will Mailman 2 or 3 be incorporating Authenticated Received Chain (ARC) 
>> http://arc-spec.org/ ?
>
>
> Wonderful, another offering of "This document is not an Internet
> Standards Track specification; it is published for informational
> purposes" adding further complexity to email in a mad attempt to make
> up for the "potential" (?) problems that the previous "informational"
> one (DMARC) has done to mailing lists.

In the Spam fighting world these have been happening for so long they
are known as FUSSPs.

Fret not, a year or two after ARC the same people will come along with
a new spec and insist that everyone support it.  It's kind of like a
mafia, "do this or we'll shame you into doing it by promoting your
competitors on our website".

-Jim P.


Re: [Mailman-Users] Authenticated Received Chain in Mailman?

2017-06-06 Thread Joseph Brennan
On Tue, May 30, 2017 at 10:34 PM, Brett Delmage
 wrote:
> Will Mailman 2 or 3 be incorporating Authenticated Received Chain (ARC) 
> http://arc-spec.org/ ?


Wonderful, another offering of "This document is not an Internet
Standards Track specification; it is published for informational
purposes" adding further complexity to email in a mad attempt to make
up for the "potential" (?) problems that the previous "informational"
one (DMARC) has done to mailing lists.

It would be too easy for email-reading software to show me the address
of the sender and the name of the system that handed the message to my
system, and let me use my own common sense to decide whether it's
spoofed.

Well, we have to play the cards we're dealt. Onward.

Joseph Brennan
Columbia University



Re: [Mailman-Users] Authenticated Received Chain in Mailman?

2017-05-31 Thread Barry Warsaw
On May 30, 2017, at 08:05 PM, Mark Sapiro wrote:

>Steve will probably have more to say on this, but we had a GSOC project last
>year on this and there is a Mailman 3 branch at
> that is a work in
>progress on ARC.

Steve did briefly mention at Pycon that ARC was getting turned on at various
large providers.  I'd like to target ARC support for Mailman 3.2.

-Barry


Re: [Mailman-Users] Authenticated Received Chain in Mailman?

2017-05-30 Thread Mark Sapiro
On 05/30/2017 07:34 PM, Brett Delmage wrote:
> Will Mailman 2 or 3 be incorporating Authenticated Received Chain (ARC)
> http://arc-spec.org/ ?


Steve will probably have more to say on this, but we had a GSOC project
last year on this and there is a Mailman 3 branch at
 that is a work in
progress on ARC.

There are no plans to incorporate ARC in Mailman 2.1.

-- 
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan


[Mailman-Users] Authenticated Received Chain in Mailman?

2017-05-30 Thread Brett Delmage
Will Mailman 2 or 3 be incorporating Authenticated Received Chain (ARC) 
http://arc-spec.org/ ?


I was unaware of this until today, when I saw ARC headers in my gmail test 
account when I was testing a Mailman server migration.


"If you are a mailbox provider or intermediary (mailing list operator, 
message forwarder), you should be planning your ARC implementation now 
(March 2017). AOL and GMail already validate ARC headers, and more mailbox 
providers will come online with ARC in the second half 2017.


Patches for the most popular mailing list managers (MLMs) will be 
available starting in March 2017..."


Brett
