Juri Haberland
2019-Feb-09 18:48 UTC
offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]
On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
> For some reason mailman failed to "munge from" for senders with dmarc policy ;(
>
> It's now configured to always munge to avoid this again.

I'd say, let Mailman throw all people off the list that have enabled DMARC checking without using exceptions for the lists they are on. It's a known fact that DMARC does not cope well with mailing lists. Blindly enabling DMARC checks without thinking about the consequences for themselves should not be the problem of other well behaving participants.

Most people use OpenDMARC and there are patches to mark certain hosts as mailing lists senders, so it is possible.

And everyone using p=reject should think about it as well - as I said, DMARC does not play well with mailing lists, so setting p=reject on a domain used to participate on mailing lists is not wise, to say the least. You should not follow Yahoo and AOL - you know, why they did it, don't you?

And Aki, please go back to "munge only if needed" - munging all messages leads to a really bad "user experience".

Thanks.

Back to lurking,
Juri
Aki Tuomi
2019-Feb-09 18:56 UTC
offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]
> On 09 February 2019 at 20:48 Juri Haberland via dovecot <dovecot@dovecot.org> wrote:
>
> On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
>> For some reason mailman failed to "munge from" for senders with dmarc policy ;(
>>
>> It's now configured to always munge to avoid this again.
>
> I'd say, let Mailman throw all people off the list that have enabled DMARC
> checking without using exceptions for the lists they are on. It's a known
> fact that DMARC does not cope well with mailing lists. Blindly enabling
> DMARC checks without thinking about the consequences for themselves should
> not be the problem of other well behaving participants.

The problem is that it would drop all gmail users for a start, which there are plenty of. Also judging from the amount of bounces we got it seemed like half the subscribers would drop out.

> Most people use OpenDMARC and there are patches to mark certain hosts as
> mailing lists senders, so it is possible.

Wonder how many would do this though?

> And everyone using p=reject should think about it as well - as I said,
> DMARC does not play well with mailing lists, so setting p=reject on a
> domain used to participate on mailing lists is not wise, to say the least.
> You should not follow Yahoo and AOL - you know, why they did it, don't you?

Unfortunately this is usually required by many common providers such as microsoft and google, otherwise they refuse your mail.

> And Aki, please go back to "munge only if needed" - munging all messages
> leads to a really bad "user experience".

It does not seem to work correctly. I'll review the settings when we manage to upgrade to mailman3

> Thanks.

Hope you understand.

Aki

> Back to lurking,
> Juri

---
Aki Tuomi
Juri Haberland
2019-Feb-09 19:12 UTC
offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]
On 09/02/2019 19:56, Aki Tuomi via dovecot wrote:
>> On 09 February 2019 at 20:48 Juri Haberland via dovecot <dovecot at dovecot.org
>> <mailto:dovecot at dovecot.org>> wrote:

>> Most people use OpenDMARC and there are patches to mark certain hosts as
>> mailing lists senders, so it is possible.

> Wonder how many would do this though?

Yeah, unfortunately not enough...

>> And everyone using p=reject should think about it as well - as I said,
>> DMARC does not play well with mailing lists, so setting p=reject on a
>> domain used to participate on mailing lists is not wise, to say the least.
>> You should not follow Yahoo and AOL - you know, why they did it, don't you?

> Unfortunately this is usually required by many common providers such as
> microsoft and google, otherwise they refuse your mail.

That is definitely not true. They might require you to have DKIM and/or SPF and maybe even a DMARC policy, but they definitely don't require p=reject! Most of my domains have p=none and our mails are accepted by all major providers...

> Hope you understand .

Understood. Had to write that mail anyway ;-)

Juri
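What "munge only if needed" amounts to on the list server, as an added example that is not part of the thread and is not Mailman's code: look up the author domain's published DMARC policy and rewrite From only when it is p=reject or p=quarantine. The domains, the `RECORDS` table standing in for DNS, and the naive two-label organizational-domain fallback are assumptions made for the example.

```python
from email.utils import parseaddr, formataddr

# Constructed sample data standing in for DNS TXT lookups at _dmarc.<domain>.
RECORDS = {
    "_dmarc.strict.example": "v=DMARC1; p=reject; rua=mailto:d@strict.example",
    "_dmarc.relaxed.example": "v=DMARC1; p=none",
    "_dmarc.corp.example": "v=DMARC1; p=none; sp=quarantine",
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first, otherwise the TXT record is ignored.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in parts)}

def effective_policy(from_domain, records=RECORDS):
    """Policy that applies to mail with this From domain ('none' if unpublished)."""
    domain = from_domain.lower().rstrip(".")
    tags = parse_dmarc(records.get("_dmarc." + domain, ""))
    if tags is not None:
        return tags.get("p", "none").lower()
    # Assumption: organizational domain = last two labels. A real
    # implementation consults the Public Suffix List instead.
    org = ".".join(domain.split(".")[-2:])
    if org != domain:
        tags = parse_dmarc(records.get("_dmarc." + org, ""))
        if tags is not None:
            # Subdomains take sp= when present, otherwise the parent's p=.
            return tags.get("sp", tags.get("p", "none")).lower()
    return "none"

def munge_from(from_header, list_addr, list_name,
               munge_on=("reject", "quarantine")):
    """Return the headers the list should send: untouched or with From rewritten."""
    display, addr = parseaddr(from_header)
    if effective_policy(addr.rpartition("@")[2]) not in munge_on:
        return {"From": from_header}          # p=none or no record: leave as is
    shown = f"{display or addr} via {list_name}"
    # The list now owns From, so its own DKIM signature aligns; the author
    # stays reachable through Reply-To.
    return {"From": formataddr((shown, list_addr)), "Reply-To": from_header}
```
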
Michael A. Peters
2019-Feb-09 19:13 UTC
offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]
On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:
> On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
>> For some reason mailman failed to "munge from" for senders with dmarc policy ;(
>>
>> It's now configured to always munge to avoid this again.
>
> I'd say, let Mailman throw all people off the list that have enabled DMARC
> checking without using exceptions for the lists they are on. It's a known
> fact that DMARC does not cope well with mailing lists. Blindly enabling
> DMARC checks without thinking about the consequences for themselves should
> not be the problem of other well behaving participants.
>
> Most people use OpenDMARC and there are patches to mark certain hosts as
> mailing lists senders, so it is possible.

can you please let me know where to find those patches?

I ran DMARC in testing on one domain and had to disable it because over 95% of the reports were false positives from mailing lists, and the few that were genuine spoofed would have easily been caught by spam/malware filters anyway.

However a project I am working on, DMARC is highly desired. Designing a white-list for known mailing lists is something I want to do.

Honestly I was sort of tempted to try and create my own DMARC validator (I was thinking one daemon that does both DKIM and DMARC - for postfix, Exim has DKIM native but I only use Exim for submission) that tried to sniff Mailman and not enforce it but it looks like it would be very time consuming.
Michael A. Peters
2019-Feb-09 19:23 UTC
offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]
On 2/9/19 11:13 AM, Michael A. Peters via dovecot wrote:
> On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:

*snip*

>
> Honestly I was sort of tempted to try and create my own DMARC validator
> (I was thinking one daemon that does both DKIM and DMARC - for postfix,
> Exim has DKIM native but I only use Exim for submission) that tried to
> sniff Mailman and not enforce it but it looks like it would be very time
> consuming.
>

What I wanted to do, was sniff mailman in headers and if it was sent by mail, reject if reverse DNS didn't match HELO/EHLO and white list from OpenDMARC enforcement if it did.

That would prevent most spoofed that tried to look like Mailman since spoofed mail rarely has reverseDNS properly set up but Mailman admins tend to.
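The triage described in the message above, sketched as an added example that is not part of the thread and is not OpenDMARC code: list headers only select the path, and the reverse-DNS/HELO comparison decides between rejecting and exempting from DMARC enforcement. The `PTR` table standing in for reverse DNS, the host names and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed PTR data standing in for reverse DNS; no lookups are made.
PTR = {
    "192.0.2.10": "lists.example.org.",
    "198.51.100.7": "pool-7.dyn.isp.example.",
}

def looks_like_mailman(headers):
    """True if the message carries the headers Mailman adds to list mail."""
    names = {name.lower() for name in headers}
    return "x-mailman-version" in names and "list-id" in names

def _norm(host):
    # Host names compare case-insensitively and without the trailing dot.
    return host.strip().lower().rstrip(".")

def triage(headers, helo, client_ip, ptr=PTR):
    """Return 'enforce', 'reject' or 'exempt' for one SMTP transaction.

    enforce: not list mail, run the normal DMARC evaluation
    reject : claims to be Mailman but reverse DNS does not match HELO/EHLO
    exempt : claims to be Mailman and reverse DNS matches, skip DMARC enforcement
    """
    if not looks_like_mailman(headers):
        return "enforce"
    # Headers are written by the sender, so they prove nothing on their own.
    # The decision rests on data the receiving server observed itself: the
    # connecting IP address and the name announced in HELO/EHLO.
    rdns = ptr.get(str(ipaddress.ip_address(client_ip)))
    if rdns is None or _norm(rdns) != _norm(helo):
        return "reject"
    return "exempt"

# Constructed header set as a Mailman 2.1 list would add it.
LIST_HEADERS = {
    "X-Mailman-Version": "2.1.29",
    "List-Id": "Example users <users.lists.example.org>",
}
```
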
Juri Haberland
2019-Feb-09 19:25 UTC
offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]
On 09/02/2019 20:13, Michael A. Peters via dovecot wrote:
> On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:

>> Most people use OpenDMARC and there are patches to mark certain hosts as
>> mailing lists senders, so it is possible.
>
> can you please let me know where to find those patches?

https://sourceforge.net/p/opendmarc/tickets/180/

Also have a look at http://batleth.sapienti-sat.org/projects/opendmarc/.

I have an Ubuntu-PPA where you can get a package with all of the above patches (https://launchpad.net/~haberland/+archive/ubuntu/opendmarc).

Cheers,
Juri
Ralph Seichter
2019-Feb-09 21:38 UTC
offtopic: rant about thoughtless enabling DMARC checks
* Juri Haberland via dovecot:

> Blindly enabling DMARC checks without thinking about the consequences
> for themselves should not be the problem of other well behaving
> participants.

Can you judge if DMARC is enabled "blindly"? No, I thought not. Also, the issue was not on the receiving end, but the reject policy for the originating domain.

Personally, I choose to treat "reject" as if it was "quarantine", i.e. affected mail is rerouted to a specific folder.

> And Aki, please go back to "munge only if needed" - munging all
> messages leads to a really bad "user experience".

Only speak for yourself please.

-Ralph
A. Schulze
2019-Feb-09 22:28 UTC
offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]
On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
> I'll review the settings when we manage to upgrade to mailman3

Hello Aki,

before updating to mailman3 consider a simpler update to latest mailman2. You're using 2.1.15, current mailman2 is 2.1.29. You're missing a /significant amount/ of DMARC fixes!

and: more off-topic: while my messages *to* the dovecot list are sent using STARTTLS, messages *from* wursti.dovecot.fi are sent without encryption. Any reason to stay on unencrypted SMTP?

Andreas
On 10/02/2019 07:38, Ralph Seichter via dovecot wrote:
> * Juri Haberland via dovecot:
>
>> Blindly enabling DMARC checks without thinking about the consequences
>> for themselves should not be the problem of other well behaving
>> participants.
>
> Can you judge if DMARC is enabled "blindly"? No, I thought not. Also,
> the issue was not on the receiving end, but the reject policy for the
> originating domain.
>
> Personally, I choose to treat "reject" as if it was "quarantine",
> i.e. affected mail is rerouted to a specific folder.
>
>> And Aki, please go back to "munge only if needed" - munging all
>> messages leads to a really bad "user experience".
>
> Only speak for yourself please.
>
> -Ralph

+1 (for entire post)

... and surely he does not expect those with a million plus users sit here and whitelist the million plus mailing lists that exist around the world, heh, like that's going to happen :)

--
Kind Regards,
Noel Butler