James Ralston
2024-Jul-20 20:30 UTC
openssh-unix-dev DMARC-related settings (was Re: scattered thoughts on connection sharing)
On Thu, Jul 18, 2024 at 5:14 AM Stuart Henderson <stu at spacehopper.org> wrote:

> The mail admins can choose what is covered by the DKIM signature.
> In the case of barclays.com there are various headers (which I think
> make it through the mailing list untouched) but also the body, which
> does not; a footer with the list URL is added.

The real issue here is that the Mailman configuration for the
openssh-unix-dev list does not appear to set `dmarc_moderation_action`
(in `Privacy options` - `Sender filters`) to either `Munge From` or
`Wrap Message`, which is necessary for lists where either of the
following is true:

1. The list accepts posts from senders whose domain applies DMARC
   policy (`p=reject` or `p=quarantine`) but only implements SPF, not
   DKIM. (Resending a message through a mailing list will always
   invalidate SPF unless SRS (1) is used, and almost no one bothers
   with SRS.)

2. The list accepts posts from senders whose domain applies DMARC
   policy (`p=reject` or `p=quarantine`), and the list is configured
   to modify messages sent to the list (add a Subject: header tag, add
   a footer, et al.). (Modifying messages will invalidate the DKIM
   signature.)

When affected senders (either group #1 or group #2) post to the list,
all list subscribers whose MTAs apply/obey DMARC policy will take the
action the sender's domain's DMARC policy declares (reject outright,
or quarantine / flag as spam).

Damien, is there any possibility of updating the Mailman
`dmarc_moderation_action` setting (2)? DMARC isn't going anywhere;
the big mail providers are either already requiring it to some
degree (3), or have said they will start requiring it soon.

(1) https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme
(2) https://wiki.list.org/DEV/DMARC
(3) https://support.google.com/a/answer/81126
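The SPF / DKIM / DMARC interaction described in the message above, worked through as an added example that is not part of this thread and not Mailman's own code. It models only what the argument needs: RFC 7489 identifier alignment, SPF reduced to "was the last-hop MTA operated by the envelope-from domain", and DKIM reduced to the RFC 6376 "simple" body hash (no header hash, no RSA signature). The domains `example.com` (sender, `p=reject`) and `list.example.org` (the list) and the message bodies are constructed, and the organisational-domain rule is a two-label simplification of the Public Suffix List lookup real verifiers use.

```python
"""Added example: why a list relay fails DMARC for some senders, and why
`Munge From` fixes it. Domains, policies and messages are constructed."""
import hashlib
from dataclasses import dataclass, replace
from typing import Optional


def simple_body_canon(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalisation: CRLF line endings and all
    trailing empty lines collapsed to a single CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """The bh= value a signer would record (sha256 of the canonical body)."""
    return hashlib.sha256(simple_body_canon(body)).hexdigest()


@dataclass(frozen=True)
class Message:
    header_from: str          # domain of RFC 5322 From: (the identity DMARC protects)
    envelope_from: str        # domain of RFC 5321 MAIL FROM (the identity SPF checks)
    dkim_d: Optional[str]     # d= tag of the DKIM-Signature, None if unsigned
    dkim_bh: Optional[str]    # bh= tag recorded when the signature was made
    body: str


def sign(msg: Message, signer_domain: str) -> Message:
    """Simplified DKIM signing: record the signer and the current body hash."""
    return replace(msg, dkim_d=signer_domain, dkim_bh=body_hash(msg.body))


def dkim_verifies(msg: Message) -> bool:
    """Verification recomputes bh= over the body as received; any change to
    the signed body (e.g. an appended list footer) makes it mismatch."""
    return msg.dkim_d is not None and msg.dkim_bh == body_hash(msg.body)


def org_domain(domain: str) -> str:
    # Assumption: organisational domain = last two labels. Real DMARC consults
    # the Public Suffix List, which matters for domains like example.co.uk.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier: str, header_from: str) -> bool:
    """DMARC 'relaxed' alignment: same organisational domain as From:."""
    return org_domain(identifier) == org_domain(header_from)


def spf_passes(msg: Message, last_hop_domain: str) -> bool:
    # Stand-in for an SPF lookup: the connecting MTA is authorised for the
    # envelope-from domain only if that domain operates it. A list relay
    # re-sends from its own MTA, so the original sender's SPF can never pass
    # unless the envelope-from is rewritten (SRS) or replaced by the list's.
    return msg.envelope_from == last_hop_domain


def dmarc(msg: Message, last_hop_domain: str, policies: dict) -> str:
    """Return 'pass', or the p= action the From: domain publishes."""
    spf_ok = spf_passes(msg, last_hop_domain) and aligned(msg.envelope_from, msg.header_from)
    dkim_ok = dkim_verifies(msg) and aligned(msg.dkim_d, msg.header_from)
    if spf_ok or dkim_ok:
        return "pass"
    return policies.get(org_domain(msg.header_from), "none")


# Constructed DMARC records: the sender enforces p=reject, the list does not.
POLICIES = {"example.com": "reject", "list.example.org": "none"}
ORIGINAL = Message("example.com", "example.com", None, None, "Hi list,\n\nfirst post.\n")


def direct_mail() -> str:
    """Sender -> recipient with no relay: SPF and DKIM both align."""
    return dmarc(sign(ORIGINAL, "example.com"), "example.com", POLICIES)


def relay_through_list(sender_signs: bool = True, add_footer: bool = False,
                       munge_from: bool = False) -> str:
    """Sender -> list -> subscriber, with the list's optional behaviours."""
    msg = sign(ORIGINAL, "example.com") if sender_signs else ORIGINAL
    # Mailman re-sends with its own bounce address, so envelope-from is now the
    # list's domain and SPF no longer aligns with From: example.com.
    msg = replace(msg, envelope_from="list.example.org")
    if add_footer:  # list modifies the signed body -> sender's bh= no longer matches
        msg = replace(msg, body=msg.body + "_______________________\nlist footer\n")
    if munge_from:  # `Munge From`: From: becomes the list's domain and the list signs
        msg = sign(replace(msg, header_from="list.example.org"), "list.example.org")
    return dmarc(msg, "list.example.org", POLICIES)


if __name__ == "__main__":
    print("direct:                       ", direct_mail())
    print("relay, unmodified, DKIM sender:", relay_through_list())
    print("relay, SPF-only sender (#1):   ", relay_through_list(sender_signs=False))
    print("relay, footer added (#2):      ", relay_through_list(add_footer=True))
    print("relay, footer + Munge From:    ", relay_through_list(add_footer=True, munge_from=True))
```

The two failing cases are exactly the two groups above: an SPF-only sender fails as soon as the envelope-from changes, and a DKIM-signing sender fails as soon as the list touches the body. Once From: is rewritten to the list's domain and the list signs the modified message, the receiving MTA evaluates the list's policy instead of the sender's.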
Ángel
2024-Jul-21 00:53 UTC
openssh-unix-dev DMARC-related settings (was Re: scattered thoughts on connection sharing)
On 2024-07-20 at 16:30 -0400, James Ralston wrote:

> The real issue here is that the Mailman configuration for the
> openssh-unix-dev list does not appear to set
> `dmarc_moderation_action`
> (in `Privacy options` - `Sender filters`) to either `Munge From` or
> `Wrap Message`, which is necessary for lists where ...

"Necessary" if the client machines are going to penalize DMARC that
way. If the clients recognised that the user is subscribed to that
mailing list and thus wouldn't penalise it as a forged mail, we
wouldn't need to change the mails to show a fake sender on From:
Damien Miller
2024-Jul-22 05:03 UTC
openssh-unix-dev DMARC-related settings (was Re: scattered thoughts on connection sharing)
On Sat, 20 Jul 2024, James Ralston wrote:

> On Thu, Jul 18, 2024 at 5:14 AM Stuart Henderson <stu at spacehopper.org> wrote:
> > The mail admins can choose what is covered by the DKIM signature.
> > In the case of barclays.com there are various headers (which I think
> > make it through the mailing list untouched) but also the body, which
> > does not; a footer with the list URL is added.
>
> The real issue here is that the Mailman configuration for the
> openssh-unix-dev list does not appear to set `dmarc_moderation_action`
> (in `Privacy options` - `Sender filters`) to either `Munge From` or
> `Wrap Message`, which is necessary for lists where either of the
> following is true:
>
> 1. The list accepts posts from senders whose domain applies DMARC
>    policy (`p=reject` or `p=quarantine`) but only implements SPF, not
>    DKIM. (Resending a message through a mailing list will always
>    invalidate SPF unless SRS (1) is used, and almost no one bothers
>    with SRS.)
>
> 2. The list accepts posts from senders whose domain applies DMARC
>    policy (`p=reject` or `p=quarantine`), and the list is configured
>    to modify messages sent to the list (add a Subject: header tag, add
>    a footer, et al.). (Modifying messages will invalidate the DKIM
>    signature.)
>
> When affected senders (either group #1 or group #2) post to the list,
> all list subscribers whose MTAs apply/obey DMARC policy will take the
> action the sender's domain's DMARC policy declares (reject outright,
> or quarantine / flag as spam).
>
> Damien, is there any possibility of updating the Mailman
> `dmarc_moderation_action` setting (2)? DMARC isn't going anywhere;
> the big mail providers are either already requiring it to some
> degree (3), or have said they will start requiring it soon.

Thanks, I've set this option and will trial it for a couple of weeks.
If nothing breaks then I'll make it permanent.

-d