[My apologies, I drafted this a couple days ago, but never finished it.] Brett Delmage writes:
> Will Mailman 2 or 3 be incorporating Authenticated Received Chain (ARC)
> http://arc-spec.org/ ?

We will be doing so in Mailman 3, probably by mid-July for the GitLab trunk, and planned for release in Mailman 3.2.

However, configuring ARC in Mailman is a not-great idea if you can avoid it. Instead, use an ARC-enabled MTA on your boundary MX. There is no need based on the protocol itself to do this in Mailman; we're providing the feature only for experimentation and because it seems likely many virtual hosting services will take a while to update their MTAs. (Of course, they're even more likely to take a while to update from Mailman 2.1 to Mailman 3.)

In detail:

(1) Mailman cannot do ARC by itself. It requires help from the DNS for the distribution of the public key needed to verify the signatures. So you already need somebody with sensitive access to sensitive hosts; you can't delegate to Mailman list/site admins.

(2) In many configurations, the private signing key will be the key used for DKIM. You don't want anybody but root to have access to that.

(3) The ARC host should be a boundary host (i.e., the first host in your administrative domain to receive the post on the way in, and the last host to touch it on the way out). In many configurations, the Mailman host will not be a boundary host. This is especially likely in the current state of Mailman 3, as there are strong reasons to put all of the services (Mailman itself, Postorius, and HyperKitty) on the same host. On the other hand, because the Mailman component communicates with the MTA by LMTP and submission or SMTP, there's no need for Mailman to be on the MTA host. This allows isolation of the MTA on a more secure host (recommended).

(4) Mailman cannot verify SPF because it does not have access to the SMTP connection. Few important hosts are dependent on SPF (almost everybody with SPF also has DKIM configured), but this is a weakness of doing it in Mailman.

If you're running your own host and can configure your own DNS, you can use the Mailman version, but I do have to recommend an MTA-based implementation of ARC over ours.

In the next few days I'll follow up with Sendmail, Postfix, and Exim to see what they're planning for ARC. (We don't officially support Qmail, but if there are Qmail fans out there, feel free to check and let me know!) I do know that the ARC developers are planning milters (which would take care of Sendmail and Postfix).

Hope this helps,

Steve

--
Associate Professor
Division of Policy and Planning Science
Faculty of Systems and Information
University of Tsukuba
Tennodai 1-1-1, Tsukuba 305-8573 JAPAN
http://turnbull/sk.tsukuba.ac.jp/
Email: turnb...@sk.tsukuba.ac.jp
Tel: 029-853-5175
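The following is an added illustration of point (1) above, written for this page; it is neither Steve's code nor part of Mailman. It parses the ARC header sets (ARC-Seal, ARC-Message-Signature, ARC-Authentication-Results) of a constructed message, performs the structural checks a verifier makes before any signature work (contiguous instance numbers starting at 1, `cv=none` on the first seal and `cv=pass` on later ones, `d=` and `s=` present), and derives for each seal the DNS name `<selector>._domainkey.<domain>` under which the verifying host would have to fetch the sealer's public key. That DNS dependency is exactly why ARC cannot be handled by a list or site admin alone. Domains, selectors, hashes and signature values in the sample are placeholders, and no cryptographic verification is performed; the script runs offline.

```python
import re
from email import message_from_string

# The three headers that make up one ARC set; every set carries an instance tag i=N.
ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

# Constructed sample: a post sealed first by the sender's MX (i=1) and then by the
# list server's MX (i=2). bh=/b= values are placeholders, not real digests/signatures.
SAMPLE_MESSAGE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=lists.example.org; s=arc2018;
 t=1530000100; b=PLACEHOLDER_SEAL_2
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed;
 d=lists.example.org; s=arc2018; h=From:To:Subject; bh=PLACEHOLDER_BH_2;
 b=PLACEHOLDER_SIG_2
ARC-Authentication-Results: i=2; mx.lists.example.org; dkim=pass
 header.d=sender.example.com; arc=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=sender.example.com; s=sel1;
 t=1530000000; b=PLACEHOLDER_SEAL_1
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=sender.example.com; s=sel1; h=From:To:Subject; bh=PLACEHOLDER_BH_1;
 b=PLACEHOLDER_SIG_1
ARC-Authentication-Results: i=1; mx.sender.example.com; spf=pass
 smtp.mailfrom=sender.example.com
From: Alice <alice@sender.example.com>
To: list@lists.example.org
Subject: test

body
"""


def parse_tags(value):
    """Unfold a header value and split its 'tag=value;' list into a dict.
    Parts without '=' (e.g. the authserv-id in ARC-Authentication-Results)
    are kept with an empty value."""
    tags = {}
    for part in re.sub(r"\r?\n[ \t]+", " ", value).split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        tags[key.strip()] = val.strip()
    return tags


def collect_arc_sets(msg):
    """Group the ARC headers of a message by instance number."""
    sets = {}
    for name in ARC_HEADERS:
        for raw in msg.get_all(name, []):
            tags = parse_tags(raw)
            sets.setdefault(int(tags["i"]), {})[name] = tags
    return sets


def validate_chain_structure(sets):
    """Return a list of structural problems (empty list = chain looks well formed).
    This mirrors the pre-checks a verifier does before touching signatures;
    it does NOT verify any signature."""
    if not sets:
        return ["no ARC sets present"]
    problems = []
    instances = sorted(sets)
    if instances != list(range(1, len(instances) + 1)):
        problems.append(f"instance numbers not contiguous from 1: {instances}")
    for inst in instances:
        arc_set = sets[inst]
        missing = [h for h in ARC_HEADERS if h not in arc_set]
        if missing:
            problems.append(f"i={inst}: missing {missing}")
            continue
        cv = arc_set["ARC-Seal"].get("cv")
        if inst == 1 and cv != "none":
            problems.append(f"i=1: cv must be 'none', got {cv!r}")
        if inst > 1 and cv != "pass":
            problems.append(f"i={inst}: cv must be 'pass', got {cv!r}")
        for h in ("ARC-Seal", "ARC-Message-Signature"):
            if not arc_set[h].get("d") or not arc_set[h].get("s"):
                problems.append(f"i={inst}: {h} lacks d= or s=")
    return problems


def key_record_names(sets):
    """For each seal, the DNS TXT record name where its public key must be published.
    ARC reuses the DKIM key record location: <selector>._domainkey.<domain>."""
    return [(inst, f"{sets[inst]['ARC-Seal']['s']}._domainkey.{sets[inst]['ARC-Seal']['d']}")
            for inst in sorted(sets) if "ARC-Seal" in sets[inst]]


def analyze(raw_message):
    """Parse a raw RFC 5322 message; return (problems, key record names)."""
    sets = collect_arc_sets(message_from_string(raw_message))
    return validate_chain_structure(sets), key_record_names(sets)


if __name__ == "__main__":
    problems, names = analyze(SAMPLE_MESSAGE)
    print("structural problems:", problems or "none")
    for inst, name in names:
        print(f"i={inst}: public key expected at DNS TXT {name}")
```

Run it as a script and it reports the two DNS names a verifier would query; feed it a message whose second seal says `cv=none` and the chain is flagged. The lookup itself (dnspython or a resolver in the MTA) and signature verification are deliberately left out, since the point here is only where the trust anchor lives.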