Re: [mlmmj] DMARC (corrected)

Re: [mlmmj] DMARC (corrected)

[A. Schulze]

Christof Thalhofer:

> They say, reject every mail that is supposed to come from casema.nl but
> was sent from a server not being part of this domain.

Hello,

I like to correct the wording:
p=reject aks the receiving MTA to reject messages with RFC5322.From =  
*@casema.nl
unless the message could be successful authenticated by SPF or DKIM.

That open two options
- auth by SPF
   usually happen for directly sent messages from the originators MTA
   unlikely to happen for messages sent via an MLM as such hosts  
aren't expected to be included in senders SPF

- auth by DKIM
   very common for MLM to break DKIM signatures by
   * adding a subject tag
   * adding a footer to mail body

So, as MLM operator you /may/ make your lists "dkim save": strictly  
avoid any message modification.
Then any subscriber could use your MLM even if the subscriber announce  
dmarc p=reject

Andreas

Re: [mlmmj] DMARC (corrected)

[Christof Thalhofer]

[-- Attachment #1.1: Type: text/plain, Size: 1174 bytes --]

Am 03.03.20 um 09:58 schrieb A. Schulze:

> I like to correct the wording

Thank you!

> So, as MLM operator you /may/ make your lists "dkim save": strictly  
> avoid any message modification.
> Then any subscriber could use your MLM even if the subscriber announce  
> dmarc p=reject

Mailman 2 offers these possibilities on "Action to take when anyone
posts to the list from a domain with a DMARC Reject/Quarantine Policy":

"Munge From: This action replaces the poster's address in the From:
header with the list's posting address and adds the poster's address to
the addresses in the original Reply-To: header."

"Wrap Message: Just wrap the message in an outer message with the From:
header containing the list's posting address and with the original From:
address added to the addresses in the original Reply-To: header and with
Content-Type: message/rfc822. This is effectively a one message MIME
format digest."

Is there any similar functionality in mlmmj?

If not:

How can any message modification be avoided  in mlmmj or is this the
default behavior of mlmmj?


Alles Gute

Christof Thalhofer

-- 
Dies ist keine Signatur


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [mlmmj] DMARC (corrected)

[jf-mlmmj]

On 2020-03-03 at 10:37+0100 Christof Thalhofer wrote:
> > So, as MLM operator you /may/ make your lists "dkim save": strictly  
> > avoid any message modification.
> > Then any subscriber could use your MLM even if the subscriber announce  
> > dmarc p=reject
> 
> Mailman 2 offers these possibilities on "Action to take when anyone
> posts to the list from a domain with a DMARC Reject/Quarantine Policy":
> 
> "Munge From: This action replaces the poster's address in the From:
> header with the list's posting address and adds the poster's address to
> the addresses in the original Reply-To: header."

[…]

> Is there any similar functionality in mlmmj?

I have implemented munge from for mlmmj. Some people disapprove
of munge from, but it works for the couple of mailing lists I
run (and has been doing since May 2017, rather longer ago than I
realised).

I don’t know the correct procedure for submitting this patch, so
would be grateful if someone would enlighten me.

 — Jón

Re: [mlmmj] DMARC (corrected)

[Richard Torrens (lists)]

In article
<20200303095859.Horde.WCHP_tNDxpm70b-4WXMAcYP@andreasschulze.de>,
   A. Schulze <sca@andreasschulze.de> wrote:

> Christof Thalhofer:

> > They say, reject every mail that is supposed to come from casema.nl but
> > was sent from a server not being part of this domain.

> Hello,

> I like to correct the wording:
> p=reject aks the receiving MTA to reject messages with RFC5322.From =  
> *@casema.nl
> unless the message could be successful authenticated by SPF or DKIM.

dig is a tool I was not aware of. Unfortunately the response is not
exactly clear so thanks fot the exp;anation.



> That open two options
> - auth by SPF
>    usually happen for directly sent messages from the originators MTA
>    unlikely to happen for messages sent via an MLM as such hosts  
> aren't expected to be included in senders SPF

> - auth by DKIM
>    very common for MLM to break DKIM signatures by
>    * adding a subject tag
>    * adding a footer to mail body

> So, as MLM operator you /may/ make your lists "dkim save": strictly  
> avoid any message modification.
> Then any subscriber could use your MLM even if the subscriber announce  
> dmarc p=reject

Yes - I got this much earlier: I used to add a footer and an i/d to the
subject. But removing them has not changed things. 

It seems to me that I need to remove the original From and insert subjects
such as

From: thelist
Original-sender: theposter

But there seems to be no way of inserting the original poster's email
address in a new header?

-- 
Richard Torrens.
http://www.Torrens.org for genealogy, natural history, wild food, walks, cats
and more!