I'm not sure this is entirely on-topic for security-discuss - perhaps it belongs in the task-force Chris mentioned[0] - but since it's helpful to look at the problem from the perspective of "what are the needs of this list" instead of having to take on "what are the needs of the entire ASF", I'll respond here ;)
On Wed, Oct 30, 2024 at 1:49 PM Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote:
> The purpose of these changes would be to guarantee that all the
> subscribers of the mailing list receive all the messages sent to it. The
> fate of each message depends on the DMARC policy published by the
> sender's domain.

I agree this is important.

> 2. If technically possible, disable the rewriting of the `Reply-To` headers.

If we keep the 'From', AFAICS we *have* to disable rewriting the `Reply-To`, right? Otherwise DKIM signatures will still be broken? In that case, how would you respond to the list? Would you have to type the list address each time?

You mentioned in [1] that dev@kafka.a.o is set up this way, but AFAICS that is not the case, see e.g. [2]. Putting the list in the 'Cc' doesn't help since that is also commonly included in the DKIM signature. How would you even know the message is from a list?

I see only 2 solutions:

1) we could configure the list so that it changes the 'From' to the list address. That way the email is valid SPF-wise and could be signed with DKIM, since it's created on an apache.org mailserver. Ideally this would keep the original sender somewhere as well, such as in the Cc.

2) if this is not acceptable for some reason, perhaps we could implement ARC[3]. It seems to be designed for exactly this scenario, but I'm not sure how widely supported it is by receiving mailservers.
Kind regards,

Arnout

[0] https://lists.apache.org/thread/pgyy2q4no4f9mmsgb5vhmdo5svsoyot2
[1] https://lists.apache.org/thread/9spd0rcjdwtjc92pwcjnc8n2jjfb3d1h
[2] https://lists.apache.org/api/source.lua?id=kzxh2plyt9srrxj13vr3obogv9244gxv
[3] https://en.wikipedia.org/wiki/Authenticated_Received_Chain

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant

---------------------------------------------------------------------
To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
For additional commands, e-mail: security-discuss-h...@community.apache.org
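Added example, not part of Arnout's message and not the ASF list configuration: a small Python model of the header half of DKIM verification (RFC 6376 "relaxed" canonicalization plus the h= header selection rule) that shows which list-side header edits change the block the sender's domain signed. The headers and the DKIM-Signature value are constructed, SHA-256 over the canonical block stands in for the real RSA-signed hash, and the body hash is not modelled; the point it demonstrates is the one the message makes: rewriting From or Reply-To, prefixing the Subject, or adding a Cc that the signer "oversigned" all invalidate the signature, while adding a header outside h= (such as List-Id) does not.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Constructed sample headers for a list post; not taken from the thread above.
SAMPLE_HEADERS: List[Header] = [
    ("From", "Alice Example <alice@example.org>"),
    ("To", "security-discuss@community.apache.org"),
    ("Reply-To", "Alice Example <alice@example.org>"),
    ("Subject", "Mailing list DMARC question"),
    ("Date", "Wed, 30 Oct 2024 13:49:00 +0100"),
    ("Message-ID", "<constructed-id@example.org>"),
]

# Constructed DKIM-Signature value. h= lists the signed headers; "cc" is listed
# although the message has no Cc header (oversigning), which is how signers stop
# a Cc from being added in transit.
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel2024; "
    "h=from:to:reply-to:subject:date:message-id:cc; "
    "bh=CONSTRUCTED-BODY-HASH; b=CONSTRUCTED-SIGNATURE"
)


def parse_tags(dkim_sig: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags: Dict[str, str] = {}
    for part in dkim_sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def signed_header_names(dkim_sig: str) -> List[str]:
    """Header names covered by the signature, in h= order, lower-cased."""
    return [name.lower() for name in parse_tags(dkim_sig)["h"].split(":") if name]


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse whitespace runs
    return f"{name.lower()}:{value}\r\n"


def select_signed_headers(headers: List[Header], names: List[str]) -> List[Header]:
    """For each name in h=, take the last not-yet-used instance (RFC 6376 section 5.4.2).
    A listed name with no instance contributes nothing, so adding one later changes the block."""
    remaining = list(headers)
    chosen: List[Header] = []
    for name in names:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                chosen.append(remaining.pop(i))
                break
    return chosen


def signed_header_hash(headers: List[Header], dkim_sig: str) -> str:
    """Hash of the canonical signed header block. Real DKIM signs this hash with the
    domain's key and also checks the body hash; plain SHA-256 is a stand-in here."""
    digest = hashlib.sha256()
    for name, value in select_signed_headers(headers, signed_header_names(dkim_sig)):
        digest.update(relaxed_header(name, value).encode())
    # The DKIM-Signature header itself is included with an empty b= and no trailing CRLF.
    without_sig = re.sub(r"(?<![a-z])b=[^;]*", "b=", dkim_sig)
    digest.update(relaxed_header("DKIM-Signature", without_sig).rstrip("\r\n").encode())
    return digest.hexdigest()


def apply_rewrites(headers: List[Header], rewrites: Dict[str, Optional[str]]) -> List[Header]:
    """Model a list MTA editing headers: replace existing values, append missing ones,
    delete where the new value is None."""
    wanted = {k.lower(): v for k, v in rewrites.items()}
    out: List[Header] = []
    touched = set()
    for name, value in headers:
        key = name.lower()
        if key in wanted:
            touched.add(key)
            if wanted[key] is not None:
                out.append((name, wanted[key]))
        else:
            out.append((name, value))
    for key, value in wanted.items():
        if key not in touched and value is not None:
            out.append((key.title(), value))
    return out


def rewrite_breaks_signature(headers: List[Header], dkim_sig: str,
                             rewrites: Dict[str, Optional[str]]) -> bool:
    """True if the edit changes the signed header block, i.e. the originating domain's
    DKIM signature can no longer verify at the subscriber's mailserver."""
    return signed_header_hash(headers, dkim_sig) != signed_header_hash(
        apply_rewrites(headers, rewrites), dkim_sig)


if __name__ == "__main__":
    list_addr = "security-discuss@community.apache.org"
    for label, change in [
        ("rewrite Reply-To to the list", {"Reply-To": list_addr}),
        ("rewrite From to the list", {"From": list_addr}),
        ("add the list to Cc", {"Cc": list_addr}),
        ("prefix the Subject", {"Subject": "[security-discuss] Mailing list DMARC question"}),
        ("add a List-Id header", {"List-Id": "<security-discuss.community.apache.org>"}),
    ]:
        print(f"{label:30s} breaks DKIM: {rewrite_breaks_signature(SAMPLE_HEADERS, SAMPLE_DKIM, change)}")
```

Solution 1) in the message corresponds to re-signing after the rewrite: once the list sets From to its own address and signs with an apache.org key, the original signature no longer has to survive, so the subscriber's verifier is evaluating the list's signature instead. The model also shows why pure whitespace changes are harmless under relaxed canonicalization, while anything that alters a signed header's content, or adds a header the signer listed in h=, is not.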