Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-10 Thread Aki Tuomi via dovecot


> On 10 February 2019 at 00:28 "A. Schulze via dovecot" wrote:
>
> On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
> > I'll review the settings when we manage to upgrade to mailman3
> 
> Hello Aki,
> 
> before updating to mailman3 consider a simpler update to latest mailman2.
> 
> you're using 2.1.15, current mailman2 is 2.1.29
> You're missing a /significant amount/ of DMARC fixes!
> 
> and: more off-topic:
> while my messages *to* the dovecot list are sent using STARTTLS,
> messages *from* wursti.dovecot.fi are sent without encryption.
> any reason to stay on unencrypted SMTP?
> 
> Andreas
>

Received: from talvi.dovecot.org (talvi.dovecot.org [94.237.25.159])
by mail.dovecot.fi (Postfix) with ESMTPS id 7EE3B2B3C9C;
Sun, 10 Feb 2019 00:29:15 +0200 (EET)

ESMTPS indicates that TLS was used. Also I took the trouble to check the 
maillogs from talvi to verify that your mail was delivered using TLS.

Aki
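Aki's argument rests on the `with` clause of the Received header (ESMTPS means the hop was protected by TLS, per RFC 3848). As an added example that is not part of the thread, here is a small parser that extracts that clause from each hop and lists the ones that ran without TLS; the first sample header is the one quoted above, the second (and its host names) is constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample Received headers. The first is the one quoted in the message above;
# the second is a constructed hop written without TLS (plain ESMTP).
RECEIVED_HEADERS = [
    "from talvi.dovecot.org (talvi.dovecot.org [94.237.25.159]) "
    "by mail.dovecot.fi (Postfix) with ESMTPS id 7EE3B2B3C9C; "
    "Sun, 10 Feb 2019 00:29:15 +0200 (EET)",
    "from example-relay.invalid (example-relay.invalid [192.0.2.10]) "
    "by mx.example.invalid (Postfix) with ESMTP id 0123456789; "
    "Sat, 9 Feb 2019 23:40:01 +0000 (UTC)",
]

# Postfix-style Received clause: "from HELO (rDNS [ip]) by HOST ... with PROTO".
_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Z0-9]+)\b",
    re.DOTALL,
)

@dataclass
class Hop:
    helo: str      # name the client announced in HELO/EHLO
    rdns: str      # reverse DNS of the client IP, as logged by the receiver
    ip: str
    by: str        # receiving host
    protocol: str  # the "with" token, e.g. ESMTP, ESMTPS, ESMTPSA

    @property
    def tls(self) -> bool:
        # RFC 3848: ESMTPS = TLS, ESMTPA = SMTP AUTH, ESMTPSA = both.
        # Dropping a trailing A leaves the TLS marker S at the end.
        return self.protocol.rstrip("A").endswith("S")

def parse_hop(header: str) -> Optional[Hop]:
    """Parse one Received header into a Hop; None if it does not match."""
    m = _HOP_RE.search(header)
    if not m:
        return None
    return Hop(m["helo"], m["rdns"], m["ip"], m["by"], m["with"])

def unencrypted_hops(headers: list) -> list:
    """Return the receiving host of every hop that did not use TLS."""
    return [h.by for h in map(parse_hop, headers) if h is not None and not h.tls]
```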


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Benny Pedersen via dovecot

A. Schulze via dovecot wrote on 2019-02-09 23:28:
> On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
>> I'll review the settings when we manage to upgrade to mailman3
>
> before updating to mailman3 consider a simpler update to latest
> mailman2.

will any of this implement openarc sealing ? :=)

> you're using 2.1.15, current mailman2 is 2.1.29
> You're missing a /significant amount/ of DMARC fixes!

we're all missing the point of missing opendmarc that can test for openarc
sealing and be done with all the mess :(

or add a wiki to opendkim to make it autodetect maillists just like cpan
Mail::Milter::Authenticated does it

if it can't be done in opendkim lua we lose all

> and: more off-topic:
> while my messages *to* the dovecot list are sent using STARTTLS,
> messages *from* wursti.dovecot.fi are sent without encryption.
> any reason to stay on unencrypted SMTP?

maybe same reason dovecot has an mx record ? :=)

but good catch if in ip is same as out ip


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread A. Schulze via dovecot



On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
> I'll review the settings when we manage to upgrade to mailman3

Hello Aki,

before updating to mailman3 consider a simpler update to latest mailman2.

you're using 2.1.15, current mailman2 is 2.1.29
You're missing a /significant amount/ of DMARC fixes!

and: more off-topic:
while my messages *to* the dovecot list are sent using STARTTLS,
messages *from* wursti.dovecot.fi are sent without encryption.
any reason to stay on unencrypted SMTP?

Andreas



Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Juri Haberland via dovecot
On 09/02/2019 20:13, Michael A. Peters via dovecot wrote:
> On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:
>> Most people use OpenDMARC and there are patches to mark certain hosts as
>> mailing lists senders, so it is possible.
> 
> can you please let me know where to find those patches?

https://sourceforge.net/p/opendmarc/tickets/180/

Also have a look at http://batleth.sapienti-sat.org/projects/opendmarc/.

I have an Ubuntu-PPA where you can get a package with all of the above
patches (https://launchpad.net/~haberland/+archive/ubuntu/opendmarc).


Cheers,
  Juri


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Michael A. Peters via dovecot

On 2/9/19 11:13 AM, Michael A. Peters via dovecot wrote:
> On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:
>> *snip*
>
> Honestly I was sort of tempted to try and create my own DMARC validator
> (I was thinking one daemon that does both DKIM and DMARC - for postfix,
> Exim has DKIM native but I only use Exim for submission) that tried to
> sniff Mailman and not enforce it but it looks like it would be very time
> consuming.

What I wanted to do, was sniff mailman in headers and if it was sent by
mail, reject if reverse DNS didn't match HELO/EHLO and white list from
OpenDMARC enforcement if it did. That would prevent most spoofed that
tried to look like Mailman since spoofed mail rarely has reverse DNS
properly set up but Mailman admins tend to.
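The heuristic sketched above (treat a message as Mailman traffic only if it carries Mailman's headers, exempt it from DMARC enforcement when the client's reverse DNS matches its HELO/EHLO name, reject it otherwise), written out as an added example; this is neither Michael's code nor OpenDMARC's. The sample messages, host names and the Verdict names are constructed, and PTR resolution is left to the caller so the code runs offline.

```python
from email import message_from_string
from email.message import Message
from enum import Enum
from typing import Optional

class Verdict(Enum):
    ENFORCE_DMARC = "enforce"  # ordinary mail: apply the From domain's DMARC policy
    EXEMPT = "exempt"          # trusted list traffic: skip DMARC enforcement
    REJECT = "reject"          # claims to be Mailman but rDNS and HELO disagree

# Headers Mailman 2 adds to every list post. Requiring all of them, not just
# one, keeps a stray List-Id on ordinary mail from triggering the exemption.
MAILMAN_HEADERS = ("X-Mailman-Version", "X-BeenThere", "List-Id", "List-Post")

def looks_like_mailman(msg: Message) -> bool:
    """True only if the message carries the full Mailman header set."""
    return all(msg[h] is not None for h in MAILMAN_HEADERS)

def _canon(name: str) -> str:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower()

def classify(msg: Message, helo: str, ptr_name: Optional[str]) -> Verdict:
    """helo: name the client gave in HELO/EHLO.
    ptr_name: reverse DNS (PTR) of the client IP, resolved by the caller,
    or None when the IP has no PTR record."""
    if not looks_like_mailman(msg):
        return Verdict.ENFORCE_DMARC
    if ptr_name is None or _canon(ptr_name) != _canon(helo):
        return Verdict.REJECT
    return Verdict.EXEMPT

# Constructed sample list post (header names are Mailman's, hosts are made up).
LIST_POST = message_from_string(
    "From: Someone via example-list <example-list@lists.example.invalid>\n"
    "To: example-list@lists.example.invalid\n"
    "List-Id: Example list <example-list.lists.example.invalid>\n"
    "List-Post: <mailto:example-list@lists.example.invalid>\n"
    "X-BeenThere: example-list@lists.example.invalid\n"
    "X-Mailman-Version: 2.1.29\n"
    "Subject: test\n\nbody\n"
)

# Constructed sample direct mail with no list headers.
DIRECT_MAIL = message_from_string(
    "From: alice@example.invalid\nTo: bob@example.invalid\nSubject: hi\n\nhello\n"
)
```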


Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Michael A. Peters via dovecot

On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:
> On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
>> For some reason mailman failed to "munge from" for senders with dmarc policy ;(
>>
>> It's now configured to always munge to avoid this again.
>
> I'd say, let Mailman throw all people off the list that have enabled DMARC
> checking without using exceptions for the lists they are on. It's a known
> fact that DMARC does not cope well with mailing lists. Blindly enabling
> DMARC checks without thinking about the consequences for themselves should
> not be the problem of other well behaving participants.
>
> Most people use OpenDMARC and there are patches to mark certain hosts as
> mailing lists senders, so it is possible.

can you please let me know where to find those patches?

I ran DMARC in testing on one domain and had to disable it because over
95% of the reports were false positives from mailing lists, and the few
that were genuine spoofed would have easily been caught by spam/malware
filters anyway.

However a project I am working on, DMARC is highly desired. Designing a
white-list for known mailing lists is something I want to do.

Honestly I was sort of tempted to try and create my own DMARC validator
(I was thinking one daemon that does both DKIM and DMARC - for postfix,
Exim has DKIM native but I only use Exim for submission) that tried to
sniff Mailman and not enforce it but it looks like it would be very time
consuming.




Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Juri Haberland via dovecot
On 09/02/2019 19:56, Aki Tuomi via dovecot wrote:
>> On 09 February 2019 at 20:48 Juri Haberland via dovecot <dovecot@dovecot.org> wrote:

>> Most people use OpenDMARC and there are patches to mark certain hosts as
>> mailing lists senders, so it is possible.

> Wonder how many would do this though?

Yeah, unfortunately not enough...

>> And everyone using p=reject should think about it as well - as I said,
>> DMARC does not play well with mailing lists, so setting p=reject on a
>> domain used to participate on mailing lists is not wise, to say the least.
>> You should not follow Yahoo and AOL - you know, why they did it, don't you?

> Unfortunately this is usually required by many common providers such as 
> microsoft and google, otherwise they refuse your mail.

That is definitely not true. They might require you to have DKIM and/or SPF
and maybe even a DMARC policy, but they definitely don't require p=reject!
Most of my domains have p=none and our mails are accepted by all major
providers...

> Hope you understand.

Understood. Had to write that mail anyway ;-)

  Juri



Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-09 Thread Aki Tuomi via dovecot

> On 09 February 2019 at 20:48 Juri Haberland via dovecot <dovecot@dovecot.org> wrote:
>
> On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
>> For some reason mailman failed to "munge from" for senders with dmarc policy ;(
>>
>> It's now configured to always munge to avoid this again.
>
> I'd say, let Mailman throw all people off the list that have enabled DMARC
> checking without using exceptions for the lists they are on. It's a known
> fact that DMARC does not cope well with mailing lists. Blindly enabling
> DMARC checks without thinking about the consequences for themselves should
> not be the problem of other well behaving participants.

The problem is that it would drop all gmail users for a start, which there are plenty of. Also judging from the amount of bounces we got it seemed like half the subscribers would drop out.

> Most people use OpenDMARC and there are patches to mark certain hosts as
> mailing lists senders, so it is possible.

Wonder how many would do this though?

> And everyone using p=reject should think about it as well - as I said,
> DMARC does not play well with mailing lists, so setting p=reject on a
> domain used to participate on mailing lists is not wise, to say the least.
> You should not follow Yahoo and AOL - you know, why they did it, don't you?

Unfortunately this is usually required by many common providers such as microsoft and google, otherwise they refuse your mail.

> And Aki, please go back to "munge only if needed" - munging all messages
> leads to a really bad "user experience".

It does not seem to work correctly. I'll review the settings when we manage to upgrade to mailman3

> Thanks.

Hope you understand.

Aki

> Back to lurking,
> Juri

---
Aki Tuomi