On Jun 19, Marco d'Itri <m...@linux.it> wrote:

> I propose that:
> - we immediately start rejecting mails to our lists sent from domains
> with a p=reject policy to prevent unsubscribing innocent third parties

This requires installing opendmarc and its dependencies and verifying the results in smartlist.

> - we start discussing a long term solution which will allow posts from
> p=reject domains as well

The possible solutions are:

a) keep rejecting mail from these domains

"Soon" it will apply to too many users, so I do not believe that this can be a long term approach.

b) rewrite the From headers of messages from these domains

The least annoying solution could be to rewrite p=reject domains with something like s/$/.rewritten-by.lists.debian.org/ (and maybe add the original domain to the Reply-To header). We could even set up an MX for *.rewritten-by.lists.debian.org and reject mail sent to it with instructions about how to reconstruct the original header.

This can be intrusive and annoying for readers, but if the impact on the usability for the readers is considered acceptable then it is still better than just rejecting the messages.

c) implement a permanent and elegant solution like
http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail#Relay_one_copy_through_author_domain_server

This solves the problem for all sides, but requires writing some non-trivial code and forces us to store the SMTPAUTH credentials of the submitters, which would be a big security risk for them. (A possible alternative to phishing the submitters' credentials would be to use some not yet specified OAUTH authentication scheme.)

--
ciao,
Marco
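A sketch of option b) from the message above, added here as an illustration; it is not code from the post or from the Debian list software. The DMARC records, the example domains and the `lookup` callable are constructed stand-ins for a DNS query of `_dmarc.<domain>`, and organizational-domain fallback is not handled.

```python
from email import message_from_string
from email.utils import parseaddr, formataddr

SUFFIX = ".rewritten-by.lists.debian.org"  # suffix proposed in the message

# Constructed sample TXT records, keyed by author domain (assumption).
SAMPLE_DMARC = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "relaxed.example": "v=DMARC1; p=none",
}

def dmarc_policy(record):
    """Return the lowercased p= tag of a DMARC record, or None."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":  # not a DMARC record at all
        return None
    policy = tags.get("p")
    return policy.lower() if policy else None

def rewrite_if_reject(raw, lookup=SAMPLE_DMARC.get):
    """Rewrite From (and add Reply-To) only when the author domain
    publishes p=reject; every other message is returned untouched."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    if not local or dmarc_policy(lookup(domain.lower())) != "reject":
        return msg
    del msg["From"]
    msg["From"] = formataddr((name, f"{local}@{domain}{SUFFIX}"))
    if "Reply-To" not in msg:  # keep a Reply-To the author already set
        msg["Reply-To"] = formataddr((name, addr))
    return msg

if __name__ == "__main__":
    sample = ("From: Alice <alice@strict.example>\n"
              "To: list@lists.example\nSubject: test\n\nbody\n")
    print(rewrite_if_reject(sample).as_string())
```

Once From is rewritten, it no longer aligns with the author's domain, so that domain's p=reject policy is not evaluated against the list's copy.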