dovecot - Feb 2019 - offtopic: rant about thoughtless enabling DMARC checks

On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
> For some reason mailman failed to "munge from" for senders with
dmarc policy ;(
> 
> It's now configured to always munge to avoid this again.
I'd say, let Mailman throw all people off the list that have enabled DMARC
checking without using exceptions for the lists they are on. It's a known
fact that DMARC does not cope well with mailing lists. Blindly enabling
DMARC checks without thinking about the consequences for themselves should
not be the problem of other well behaving participants.

Most people use OpenDMARC and there are patches to mark certain hosts as
mailing lists senders, so it is possible.

And everyone using p=reject should think about it as well - as I said,
DMARC does not play well with mailing lists, so setting p=reject on a
domain used to participate on mailing lists is not wise, to say the least.
You should not follow Yahoo and AOL - you know, why they did it, don't you?

And Aki, please go back to "munge only if needed" - munging all
messages
leads to a really bad "user experience".

Thanks.


Back to lurking,
  Juri

<!doctype html>
<html>
 <head> 
  <meta charset="UTF-8"> 
 </head>
 <body>
  <div>
   <br>
  </div>
  <blockquote type="cite">
   <div>
    On 09 February 2019 at 20:48 Juri Haberland via dovecot <
    <a
href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>>
wrote:
   </div>
   <div>
    <br>
   </div>
   <div>
    <br>
   </div>
   <div>
    On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
   </div>
   <blockquote type="cite">
    <div>
     For some reason mailman failed to "munge from" for senders with
dmarc policy ;(
    </div>
    <div>
     <br>
    </div>
    <div>
     It's now configured to always munge to avoid this again.
    </div>
   </blockquote>
   <div>
    I'd say, let Mailman throw all people off the list that have enabled
DMARC
   </div>
   <div>
    checking without using exceptions for the lists they are on. It's a
known
   </div>
   <div>
    fact that DMARC does not cope well with mailing lists. Blindly enabling
   </div>
   <div>
    DMARC checks without thinking about the consequences for themselves should
   </div>
   <div>
    not be the problem of other well behaving participants.
   </div>
   <div></div>
  </blockquote>
  <div>
   The problem is that it would drop all gmail users for a start, which there
are plenty of. Also judging from the amount of bounces ww got it seemed like
half the subscribers would drop out.
  </div>
  <blockquote type="cite">
   <div>
    Most people use OpenDMARC and there are patches to mark certain hosts as
   </div>
   <div>
    mailing lists senders, so it is possible.
   </div>
   <div></div>
  </blockquote>
  <div>
   Wonder how many would do this though?
  </div>
  <blockquote type="cite">
   <div>
    And everyone using p=reject should think about it as well - as I said,
   </div>
   <div>
    DMARC does not play well with mailing lists, so setting p=reject on a
   </div>
   <div>
    domain used to participate on mailing lists is not wise, to say the least.
   </div>
   <div>
    You should not follow Yahoo and AOL - you know, why they did it, don't
you?
   </div>
   <div></div>
  </blockquote>
  <div>
   Unfortunately this is usually required by many common providers such as
microsoft and google, otherwise they refuse your mail.
  </div>
  <blockquote type="cite">
   <div>
    And Aki, please go back to "munge only if needed" - munging all
messages
   </div>
   <div>
    leads to a really bad "user experience".
   </div>
   <div></div>
  </blockquote>
  <div>
   It does not seem to work correctly. I'll review the settings when we
manage to upgrade to mailman3
  </div>
  <blockquote type="cite">
   <div>
    Thanks.
   </div>
   <div></div>
  </blockquote>
  <div>
   Hope you understand .
  </div>
  <div>
   <br>
  </div>
  <div>
   Aki
  </div>
  <blockquote type="cite">
   <div></div>
   <div>
    <br>
   </div>
   <div>
    Back to lurking,
   </div>
   <div>
    Juri
   </div>
  </blockquote>
  <div>
   <br>
  </div>
  <div class="io-ox-signature">
   ---
   <br>Aki Tuomi
  </div> 
 </body>
</html>

On 09/02/2019 19:56, Aki Tuomi via dovecot wrote:
>> On 09 February 2019 at 20:48 Juri Haberland via dovecot < dovecot at
dovecot.org
>> <mailto:dovecot at dovecot.org>> wrote:
>> Most people use OpenDMARC and there are patches to mark certain hosts
as
>> mailing lists senders, so it is possible.
> Wonder how many would do this though?
Yeah, unfortunately not enough...
>> And everyone using p=reject should think about it as well - as I said,
>> DMARC does not play well with mailing lists, so setting p=reject on a
>> domain used to participate on mailing lists is not wise, to say the
least.
>> You should not follow Yahoo and AOL - you know, why they did it,
don't you?
> Unfortunately this is usually required by many common providers such as 
> microsoft and google, otherwise they refuse your mail.
That is definitely not true. They might require you to have DKIM and/or SPF
and maybe even a DMARC policy, but they definitely don't require p=reject!
Most of my domains have p=none and our mails are accepted by all major
providers...
> Hope you understand .
Understood. Had to write that mail anyway ;-)

  Juri

On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:
> On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
>> For some reason mailman failed to "munge from" for senders
with dmarc policy ;(
>>
>> It's now configured to always munge to avoid this again.
> 
> I'd say, let Mailman throw all people off the list that have enabled
DMARC
> checking without using exceptions for the lists they are on. It's a
known
> fact that DMARC does not cope well with mailing lists. Blindly enabling
> DMARC checks without thinking about the consequences for themselves should
> not be the problem of other well behaving participants.
> 
> Most people use OpenDMARC and there are patches to mark certain hosts as
> mailing lists senders, so it is possible.
can you please let me know where to find those patches?

I ran DMARC in testing on one domain and had to disable it because over 
95% of the reports were false positives from mailing lists, and the few 
that were genuine spoofed would have easily been caught by spam/malware 
filters anyway.

However a project I am working on, DMARC is highly desired. Designing a 
white-list for known mailing lists is something I want to do.

Honestly I was sort of tempted to try and create my own DMARC validator 
(I was thinking one daemon that does both DKIM and DMARC - for postfix, 
Exim has DKIM native but I only use Exim for submission) that tried to 
sniff Mailman and not enforce it but it looks like it would be very time 
consuming.

On 2/9/19 11:13 AM, Michael A. Peters via dovecot wrote:
> On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:
*snip*
> 
> Honestly I was sort of tempted to try and create my own DMARC validator 
> (I was thinking one daemon that does both DKIM and DMARC - for postfix, 
> Exim has DKIM native but I only use Exim for submission) that tried to 
> sniff Mailman and not enforce it but it looks like it would be very time 
> consuming.
> 
What I wanted to do, was sniff mailman in headers and if it was sent by 
mail, reject if reverse DNS didn't match HELO/EHLO and white list from 
OpenDMARC enforcement if it did. That would prevent most spoofed that 
tried to look like Mailman since spoofed mail rarely has reverseDNS 
properly set up but Mailman admins tend to.

On 09/02/2019 20:13, Michael A. Peters via dovecot
wrote:
> On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:
>> Most people use OpenDMARC and there are patches to mark certain hosts
as
>> mailing lists senders, so it is possible.
> 
> can you please let me know where to find those patches?
https://sourceforge.net/p/opendmarc/tickets/180/

Also have a look at http://batleth.sapienti-sat.org/projects/opendmarc/.

I have an Ubuntu-PPA where you can get a package with all of the above
patches (https://launchpad.net/~haberland/+archive/ubuntu/opendmarc).


Cheers,
  Juri

* Juri Haberland via dovecot:
> Blindly enabling DMARC checks without thinking about the consequences
> for themselves should not be the problem of other well behaving
> participants.
Can you judge if DMARC is enabled "blindly"? No, I thought not. Also,
the issue was not on the receiving end, but the reject policy for the
originating domain.

Personally, I choose to treat "reject" as if it was
"quarantine",
i.e. affected mail is rerouted to a specific folder.
> And Aki, please go back to "munge only if needed" - munging all
> messages leads to a really bad "user experience".
Only speak for yourself please.

-Ralph

Am 09.02.19 um 19:56 schrieb Aki Tuomi via dovecot:
> I'll review the settings when we manage to upgrade to mailman3
Hello Aki,

before updating to mailman3 consider an simpler update to latest mailman2.

you're using 2.1.15, current mailman2 is 2.1.29
Your missing an /significant amount/ of DMARC fixes!

and: more off-topic:
while my messages *to* the dovecot list are sent using STARTTLS,
messages *from*  wursti.dovecot.fi are sent without encryption.
any reason to stay on unencrypted SMTP?

Andreas

On 10/02/2019 07:38, Ralph Seichter via dovecot wrote:
> * Juri Haberland via dovecot:
> 
>> Blindly enabling DMARC checks without thinking about the consequences
>> for themselves should not be the problem of other well behaving
>> participants.
> 
> Can you judge if DMARC is enabled "blindly"? No, I thought not.
Also,
> the issue was not on the receiving end, but the reject policy for the
> originating domain.
> 
> Personally, I choose to treat "reject" as if it was
"quarantine",
> i.e. affected mail is rerouted to a specific folder.
> 
>> And Aki, please go back to "munge only if needed" - munging
all
>> messages leads to a really bad "user experience".
> 
> Only speak for yourself please.
> 
> -Ralph
+1 (for entire post) 

... and surely he does not expect those with a million plus users sit
here and whitelist the million plus mailing lists that exist around the
world, heh, like thats going to happen :) 

-- 
Kind Regards, 

Noel Butler 

 		This Email, including any attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the authors express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents 

 

Links:
------
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20190210/733d2b8b/attachment.html>