[Mailman-Users] DMARC Wrap Message doesn't preserve addressees

2022-02-28 Thread Matthew Pounsett
We've noticed that with DMARC moderation set to "Wrap Message", the
rewritten header doesn't preserve the original addressee list.  In the
particular case that I'm looking at right now, the list address itself
is removed from the Cc header.  We've had a few complaints that this
results in responses not going back to the list, as intended.

I don't see a related config option, but I'm wondering if I've missed
something.  Is this possibly the side-effect of, or an undesirable
interaction with, some other configuration option we might have set?

We're running v2.1.38.

Thanks
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/


[Mailman-Users] DMARC mitigation failing on one list

2021-01-23 Thread Philip Paeps
We have DMARC "munge from" configured on all mailing lists on 
lists.freebsd.org.


This week, I learned that one of our lists is not actually munging 
though.


I've done a `config_list -o` and compared the output to a list that does 
munge correctly and I'm not seeing anything that would explain the 
problem.


When a poster from a DMARC-crippled domain tries to post to this list, I 
see a line in vette that the DMARC policy has been found.  There are no 
messages in the error log.


Any idea what could explain this?  And how I could go about fixing it?

Many thanks.

Philip

--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises


Re: [Mailman-Users] DMARC message wrapping not working

2019-05-21 Thread Matthew Pounsett
On Tue, 21 May 2019 at 20:21, Mark Sapiro  wrote:

> On 5/21/19 6:41 AM, Matthew Pounsett wrote:
> >
> > Ah, I see.  I think that would be worth calling out in the documentation.
> > I think the way it's currently written strongly implies that it will bring
> > all lists up to a minimum behaviour.
>
>
> I have updated that text. It now says:
>
> > # Default action for posts whose From: address domain has a DMARC policy of
> > # reject or quarantine.  See DEFAULT_FROM_IS_LIST below.  Whatever is set as
> > # the default here precludes the list owner from setting a lower value, however
> > # an existing list won't be changed until the first time "Submit Your Changes"
> > # is pressed on the list's Privacy options... -> Sender filters page.
>

Thanks!  I think that will make it perfectly clear.
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org


Re: [Mailman-Users] DMARC message wrapping not working

2019-05-21 Thread Mark Sapiro
On 5/21/19 6:41 AM, Matthew Pounsett wrote:
> 
> Ah, I see.  I think that would be worth calling out in the documentation.
> I think the way it's currently written strongly implies that it will bring
> all lists up to a minimum behaviour.


I have updated that text. It now says:

> # Default action for posts whose From: address domain has a DMARC policy of
> # reject or quarantine.  See DEFAULT_FROM_IS_LIST below.  Whatever is set as
> # the default here precludes the list owner from setting a lower value, however
> # an existing list won't be changed until the first time "Submit Your Changes"
> # is pressed on the list's Privacy options... -> Sender filters page.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] DMARC message wrapping not working

2019-05-21 Thread Matthew Pounsett
On Mon, 20 May 2019 at 11:35, Mark Sapiro  wrote:

> On 5/19/19 1:13 PM, Matthew Pounsett wrote:
> > I've got a mailman 2.1.26 install I've taken over.  I've attempted to turn
> > on DMARC message wrapping by setting DEFAULT_DMARC_MODERATION_ACTION in my
> > mm_cfg.py file, but it doesn't seem to have had the desired effect.  I'm
> > still seeing messages from p=reject domains going out with their original
> > headers, and subscribers being blocked as a result of the bounces.
>
>
> Setting that in mm_cfg.py only affects lists created after you make the
> change. For existing lists, you have to change the list's configuration.
>

Ah, I see.  I think that would be worth calling out in the documentation.
I think the way it's currently written strongly implies that it will bring
all lists up to a minimum behaviour.


> Or, I just created 
> (mirrored at ) which
> you can copy to Mailman's bin/ directory and run via Mailman's
>

Thanks.  Knowing what the issue is, I can whip up something like that in a
few minutes.

Thanks for the clue!
   Matt


Re: [Mailman-Users] DMARC message wrapping not working

2019-05-20 Thread Mark Sapiro
On 5/19/19 1:13 PM, Matthew Pounsett wrote:
> I've got a mailman 2.1.26 install I've taken over.  I've attempted to turn
> on DMARC message wrapping by setting DEFAULT_DMARC_MODERATION_ACTION in my
> mm_cfg.py file, but it doesn't seem to have had the desired effect.  I'm
> still seeing messages from p=reject domains going out with their original
> headers, and subscribers being blocked as a result of the bounces.


Setting that in mm_cfg.py only affects lists created after you make the
change. For existing lists, you have to change the list's configuration.

> The docs say this sets a minimum bar for the per-list configurations, but
> when I go to look at those they're all still set to 0/Accept, and in the
> web UI the full range of options is still available.


The doc says "Whatever is set as the default here precludes the list
owner from setting a lower value." It doesn't say that if you set a
value here, existing list settings will be increased automatically.

If you go to the web UI for a list and just click Submit Your Changes,
you will get "Error: dmarc_moderation_action must be >= the configured
default value." at the top of the page and the setting will be changed.

Or, I just created 
(mirrored at ) which
you can copy to Mailman's bin/ directory and run via Mailman's

  bin/withlist -r set_dmarc -a

and it will increase dmarc_moderation_action to
DEFAULT_DMARC_MODERATION_ACTION if necessary for all lists.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
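
Added example (not Mark Sapiro's set_dmarc script, and not Mailman code): a sketch of a bin/withlist callable that does what the post above describes, raising dmarc_moderation_action on an existing list to the site default. The name raise_dmarc_floor and the DemoList stand-in are hypothetical; Lock, Unlock, Locked and Save are the Mailman 2.1 MailList methods it assumes.

```python
"""Raise dmarc_moderation_action on existing lists to the site minimum.

Assumed invocation, modelled on the command in the post, with this file
saved as raise_dmarc_floor.py in Mailman's bin/ directory:

    bin/withlist -r raise_dmarc_floor -a
"""


def raise_dmarc_floor(mlist, minimum=None):
    """Return True if the list's setting was raised, False if left alone."""
    if minimum is None:
        # Only importable inside a Mailman 2.1 installation.
        from Mailman import mm_cfg
        minimum = mm_cfg.DEFAULT_DMARC_MODERATION_ACTION
    minimum = int(minimum)  # withlist passes extra arguments as strings

    # withlist without -l hands over an unlocked list; Save() needs the lock.
    we_locked = not mlist.Locked()
    if we_locked:
        mlist.Lock()
    try:
        current = mlist.dmarc_moderation_action
        if current >= minimum:
            return False  # never lower a stricter per-list choice
        mlist.dmarc_moderation_action = minimum
        mlist.Save()
        print("%s: dmarc_moderation_action %d -> %d"
              % (mlist.internal_name(), current, minimum))
        return True
    finally:
        if we_locked:
            mlist.Unlock()


class DemoList(object):
    """Constructed stand-in for a MailList so the logic runs offline."""

    def __init__(self, name, action):
        self.name = name
        self.dmarc_moderation_action = action
        self.locked = False

    def internal_name(self):
        return self.name

    def Locked(self):
        return self.locked

    def Lock(self):
        self.locked = True

    def Unlock(self):
        self.locked = False

    def Save(self):
        if not self.locked:
            raise RuntimeError("list must be locked before Save()")


def demo():
    """Constructed data: one list still at 0/Accept, one already at 3."""
    lists = [DemoList("old-list", 0), DemoList("strict-list", 3)]
    changed = [l.name for l in lists if raise_dmarc_floor(l, 2)]
    return changed, [l.dmarc_moderation_action for l in lists]


if __name__ == "__main__":
    print(demo())
```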


[Mailman-Users] DMARC message wrapping not working

2019-05-20 Thread Matthew Pounsett
I've got a mailman 2.1.26 install I've taken over.  I've attempted to turn
on DMARC message wrapping by setting DEFAULT_DMARC_MODERATION_ACTION in my
mm_cfg.py file, but it doesn't seem to have had the desired effect.  I'm
still seeing messages from p=reject domains going out with their original
headers, and subscribers being blocked as a result of the bounces.

These are the (non-comment) contents of my mm_cfg.py, with the mail domain
anonymized:

from Defaults import *
DEFAULT_URL_HOST = 'lists.example.com'
VIRTUAL_HOSTS.clear()
add_virtualhost('lists.example.com', 'lists.example.com')
DEFAULT_URL_PATTERN = 'https://%s/mailman/'
DEFAULT_DMARC_MODERATION_ACTION = 2

The docs say this sets a minimum bar for the per-list configurations, but
when I go to look at those they're all still set to 0/Accept, and in the
web UI the full range of options is still available.

There is a distinct possibility I've got my hands on the wrong config
file.  This install isn't using the version from the system package
manager.. it's a manually compiled install that looks like it has an
install prefix of /usr/local/mailman.  This file is
/usr/local/mailman/Mailman/mm_cfg.py.  I don't see an obvious way to get
mailman to spit out the full path it's actually checking for the file, but
the output of mailman-config suggests it's probably looking in the right
place.

% ./mailman-config -h
Configuration and build information for Mailman
Mailman version: 2.1.26
Build Date:  Wed May  2 13:10:19 UTC 2018
prefix:  /usr/local/mailman
var_prefix:  /usr/local/mailman
mailman_user:mailman
mailman_group:   mailman
mail_group:  mail
cgi_group:   www-data
configure_opts: "--with-mail-gid=mail --with-cgi-gid=www-data"

I see no mention of mm_cfg.py in the mailman logs.. so nothing clearly
indicating it's failing to find the file (nor positive feedback that it has
found the file).

But I'm not convinced that's the problem anyway, since mailman clearly is
picking up the virtual host and list URL settings.   Any suggestions for
what else I should be looking at to get Mailman to pick up this config
change?

Thanks!


Re: [Mailman-Users] DMARC mitigation failure

2018-11-16 Thread Jayson Smith

Hi,

That did the trick, thanks!

Jayson

On 11/14/2018 6:09 PM, Mark Sapiro wrote:

> On 11/14/18 2:35 PM, Jayson Smith wrote:
>
> > Hi,
> >
> > The error in /var/lib/mailman/log/error is as follows:
> >
> > Nov 14 10:24:29 2018 (1063) DNS lookup for dmarc_moderation_action for
> > list (Redacted) not available
>
> That says Mailman couldn't import dns.resolver.
>
> You need to have the dnspython package installed for Python. Get it from
>  or
> or just do
>
> pip install dnspython





Re: [Mailman-Users] DMARC mitigation failure

2018-11-14 Thread Mark Sapiro
On 11/14/18 2:35 PM, Jayson Smith wrote:
> Hi,
> 
> The error in /var/lib/mailman/log/error is as follows:
> 
> Nov 14 10:24:29 2018 (1063) DNS lookup for dmarc_moderation_action for
> list (Redacted) not available


That says Mailman couldn't import dns.resolver.

You need to have the dnspython package installed for Python. Get it from
 or 
or just do

pip install dnspython

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Mailman-Users] DMARC mitigation failure

2018-11-14 Thread Jayson Smith

Hi,

The error in /var/lib/mailman/log/error is as follows:

Nov 14 10:24:29 2018 (1063) DNS lookup for dmarc_moderation_action for 
list (Redacted) not available


I recently upgraded a lot of packages on my Debian system. I compiled 
Mailman from source since Debian didn't have the version I wanted. Do I 
need to recompile and reinstall?


Thanks,

Jayson

On 11/14/2018 5:25 PM, Mark Sapiro wrote:

> On 11/14/18 11:53 AM, Jayson Smith wrote:
>
> > Did my server fail to retrieve the DMARC information for AOL for some
> > transient reason, or could there be another problem? I have double
> > checked that the list is set to munge the From: of such messages, but it
> > didn't this time.
>
> What's in Mailman's vette and error logs? and what Mailman version is this?
>
> Errors in retrieving DMARC policy should be logged in 'error'. Also,
> since Mailman 2.1.25, if the policy can't be retrieved, mitigations will
> be applied as if the policy were reject.





Re: [Mailman-Users] DMARC mitigation failure

2018-11-14 Thread Mark Sapiro
On 11/14/18 11:53 AM, Jayson Smith wrote:
> 
> Did my server fail to retrieve the DMARC information for AOL for some
> transient reason, or could there be another problem? I have double
> checked that the list is set to munge the From: of such messages, but it
> didn't this time.


What's in Mailman's vette and error logs? and what Mailman version is this?

Errors in retrieving DMARC policy should be logged in 'error'. Also,
since Mailman 2.1.25, if the policy can't be retrieved, mitigations will
be applied as if the policy were reject.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



[Mailman-Users] DMARC mitigation failure

2018-11-14 Thread Jayson Smith

Hi all,


I have a weird one. This morning an AOL user posted to one of my lists. 
Normally this is no problem, since I have the list in question set to 
munge the From: of messages from problematic domains (AOL, Yahoo, etc). 
For some reason it didn't work this time. Naturally, I received bounce 
reports left and right, complaining about unauthenticated Email from AOL.



Did my server fail to retrieve the DMARC information for AOL for some 
transient reason, or could there be another problem? I have double 
checked that the list is set to munge the From: of such messages, but it 
didn't this time.



Thanks for any help,


Jayson




Re: [Mailman-Users] DMARC and gmail

2017-07-20 Thread Richard Damon

On 7/19/17 9:13 AM, Kevin Nowaczyk via Mailman-Users wrote:

> I've recently been hearing that some subscribers to a club mailing list who use gmail are having 
> all messages pushed to their spam folder. One user said it's only an issue when the sender is a 
> gmail user as well. I'm running mailman 2.1.23 and had dmarc_moderation_action set to the default 
> value..which I think was Accept. I recently changed it to "Munge From". The 
> dmarc_quarantine_moderation_action is set to yes, and dmarc_none_moderation_action is No. When 
> using the old settings gmail listed messages as: SPF PASS, DKIM "Neutral with domain 
> null", and DMARC FAIL, but when a non-gmail user sent a message the DMARC was not listed.
> After changing to "Munge From" it still has a DMARC fail. What are the 
> differences that I should be seeing after changing the dmarc_moderation_action? Here is 
> an authentication header of a message from a gmail user to a gmail user.
> ARC-Authentication-Results: i=1; mx.google.com;
> dkim=neutral (body hash did not verify) header.i=@gmail.com 
> header.b=dAmiQOEo;
> spf=pass (google.com: domain of bockbrew-boun...@lists.bockbrew.com 
> designates 65.181.121.110 as permitted sender) 
> smtp.mailfrom=bockbrew-boun...@lists.bockbrew.com;
> dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
> Thanks for any help, Kevin Nowaczyk

My experience with GMail is that a message with a broken DKIM signature 
(because of list modification of the message) will cause the message to 
be put into the spam folder unless you have your list resign the message 
or establish a SPF setting for the domain.


One warning, if you do establish SPF for your domain, then anyone who 
sets up a 'forwarding' for your list emails to gmail (or someone who 
checks SPF records) will start to bounce.


--
Richard Damon



Re: [Mailman-Users] DMARC and gmail

2017-07-19 Thread Mark Sapiro
On 07/19/2017 06:13 AM, Kevin Nowaczyk via Mailman-Users wrote:
> ... dmarc_none_moderation_action is No. ...
> After changing to "Munge From" it still has a DMARC fail. What are the 
> differences that I should be seeing after changing the 
> dmarc_moderation_action? Here is an authentication header of a message from a 
> gmail user to a gmail user.

gmail.com publishes DMARC p=none

_dmarc.gmail.com.   399 IN  TXT "v=DMARC1; p=none;
rua=mailto:mailauth-repo...@google.com";

Thus, you will see no differences in mail From: gmail.com unless you
also set dmarc_none_moderation_action to Yes. (Note that this setting is
not really recommended and is not available in Mailman 3's DMARC
mitigations.)

The underlying issue may be (speculating here) that Gmail doesn't like
mail From: gmail.com with broken gmail.com DKIM signatures. If so, this
is contrary to the recommendation of the DKIM standard RFC 6376. Section
6.3 of that RFC says in part:

   If the email cannot be verified, then it SHOULD be treated the same
   as all unverified email, regardless of whether or not it looks like
   it was signed.


-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
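
Added example (not part of the post above and not Mailman's code): a simplified Python model of the decision described in this thread and in the "DMARC mitigation failure" thread, showing which published policies trigger dmarc_moderation_action and what happens when the lookup fails or dnspython is missing. Function and constant names are hypothetical, the gmail.com record is the one quoted in the post, and the other records are constructed samples.

```python
"""Simplified model of when Mailman 2.1 applies dmarc_moderation_action."""

ACTIONS = {0: "Accept", 1: "Munge From", 2: "Wrap Message",
           3: "Reject", 4: "Discard"}

# Sentinel for "the DNS query itself failed" (timeout, SERVFAIL, ...).
LOOKUP_FAILED = object()


def parse_dmarc_record(txt):
    """Return the tag/value pairs of a DMARC TXT record, or None if the
    string is missing or is some other kind of TXT record (SPF, ...)."""
    if not txt:
        return None
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def decide(cfg, dns_answer, resolver_available=True):
    """Return (action_name, reason) for a post whose From: domain gave
    dns_answer for its _dmarc TXT lookup.

    dns_answer is the TXT string, None when no record exists, or
    LOOKUP_FAILED when the query could not be completed.
    """
    wanted = cfg["dmarc_moderation_action"]
    if wanted == 0:
        return ACTIONS[0], "dmarc_moderation_action is Accept"
    if not resolver_available:
        # The "DNS lookup ... not available" case: without dnspython the
        # policy is never looked up, so the post goes out unmodified.
        return ACTIONS[0], "dns.resolver missing, policy not checked"
    if dns_answer is LOOKUP_FAILED:
        # Per the thread: since 2.1.25 a failed lookup counts as p=reject.
        policy = "reject"
    else:
        tags = parse_dmarc_record(dns_answer)
        if tags is None:
            return ACTIONS[0], "From: domain publishes no DMARC record"
        policy = tags.get("p", "none").lower()
    applies = (
        policy == "reject"
        or (policy == "quarantine"
            and cfg["dmarc_quarantine_moderation_action"])
        or (policy == "none" and cfg["dmarc_none_moderation_action"])
    )
    if applies:
        return ACTIONS[wanted], "p=%s triggers mitigation" % policy
    return ACTIONS[0], "p=%s is not covered by the list settings" % policy


# Record quoted in the thread (report address elided by the archive).
GMAIL_RECORD = '"v=DMARC1; p=none; rua=mailto:mailauth-repo...@google.com"'
# Constructed samples for domains with stricter policies.
REJECT_RECORD = "v=DMARC1; p=reject"
QUARANTINE_RECORD = "v=DMARC1; p=quarantine; pct=100"

# Settings described by the poster: Munge From, quarantine Yes, none No.
POSTER_LIST = {
    "dmarc_moderation_action": 1,
    "dmarc_quarantine_moderation_action": True,
    "dmarc_none_moderation_action": False,
}

if __name__ == "__main__":
    cases = [
        ("gmail.com, p=none", GMAIL_RECORD, True),
        ("constructed p=reject", REJECT_RECORD, True),
        ("constructed p=quarantine", QUARANTINE_RECORD, True),
        ("lookup failed", LOOKUP_FAILED, True),
        ("p=reject, no dnspython", REJECT_RECORD, False),
    ]
    for label, answer, have_dns in cases:
        action, reason = decide(POSTER_LIST, answer, have_dns)
        print("%-26s -> %-10s (%s)" % (label, action, reason))
```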


Re: [Mailman-Users] DMARC and gmail

2017-07-19 Thread Christian F Buser via Mailman-Users
Hi Kevin

GMAIL is a problem itself. On another mailing list (which is not a
Mailman list and I am not a moderator or something like that), messages
seem even to be held back by GMAIL and not delivered at all to the
subscribers.

I am not sure whether a GMAIL user can "educate" the mail server to not
consider certain messages as spam/junk by unmarking them and moving them
into the normal inbox.

Christian


> Kevin Nowaczyk via Mailman-Users 
> 19 July 2017 at 15:13
> I've recently been hearing that some subscribers to a club mailing
> list who use gmail are having all messages pushed to their spam
> folder. One user said it's only an issue when the sender is a gmail
> user as well. I'm running mailman 2.1.23 and had
> dmarc_moderation_action set to the default value..which I think was
> Accept. I recently changed it to "Munge From". The
> dmarc_quarantine_moderation_action is set to yes, and
> dmarc_none_moderation_action is No. When using the old settings gmail
> listed messages as: SPF PASS, DKIM "Neutral with domain null", and
> DMARC FAIL, but when a non-gmail user sent a message the DMARC was not
> listed.
> After changing to "Munge From" it still has a DMARC fail. What are the
> differences that I should be seeing after changing the
> dmarc_moderation_action? Here is an authentication header of a message
> from a gmail user to a gmail user.
> ARC-Authentication-Results: i=1; mx.google.com;
> dkim=neutral (body hash did not verify) header.i=@gmail.com
> header.b=dAmiQOEo;
> spf=pass (google.com: domain of bockbrew-boun...@lists.bockbrew.com
> designates 65.181.121.110 as permitted sender)
> smtp.mailfrom=bockbrew-boun...@lists.bockbrew.com;
> dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
> Thanks for any help, Kevin Nowaczyk

-- 
Christian F. Buser, Hohle Gasse 6, CH-5507 Mellingen (Switzerland)  
Help for street children in Ghana: http://www.chance-for-children.org


[Mailman-Users] DMARC and gmail

2017-07-19 Thread Kevin Nowaczyk via Mailman-Users
I've recently been hearing that some subscribers to a club mailing list who use 
gmail are having all messages pushed to their spam folder. One user said it's 
only an issue when the sender is a gmail user as well. I'm running mailman 
2.1.23 and had dmarc_moderation_action set to the default value..which I think 
was Accept. I recently changed it to "Munge From". The 
dmarc_quarantine_moderation_action is set to yes, and 
dmarc_none_moderation_action is No. When using the old settings gmail listed 
messages as: SPF PASS, DKIM "Neutral with domain null", and DMARC FAIL, but 
when a non-gmail user sent a message the DMARC was not listed.
After changing to "Munge From" it still has a DMARC fail. What are the 
differences that I should be seeing after changing the dmarc_moderation_action? 
Here is an authentication header of a message from a gmail user to a gmail user.
ARC-Authentication-Results: i=1; mx.google.com;
   dkim=neutral (body hash did not verify) header.i=@gmail.com 
header.b=dAmiQOEo;
   spf=pass (google.com: domain of bockbrew-boun...@lists.bockbrew.com 
designates 65.181.121.110 as permitted sender) 
smtp.mailfrom=bockbrew-boun...@lists.bockbrew.com;
   dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Thanks for any help, Kevin Nowaczyk



Re: [Mailman-Users] DMARC issue with Mailman List

2017-03-21 Thread Stephen J. Turnbull
Mark Sapiro writes:

 > > Our configuration is that our web site integration with PayPal has PayPal
 > > sending confirmation emails to a mailman list called treasurer-alias, so
 > > that multiple people are aware of the PayPal transaction.
 > 
 > PayPal.com publishes DMARC p=reject. Your treasurer-alias list makes
 > some message transformation such as adding a footer or subject prefix
 > that breaks PayPal's DKIM signature. Therefore recipient list member's
 > ISPs that honor DMARC will reject the message.
 > 
 > See  items 1) and 2) for ways to deal
 > with this. If your Mailman is 2.1.18+, I suggest setting Privacy
 > options... -> Sender filters -> dmarc_moderation_action to Munge From.

I recommend against that, since this is exactly the transactional
mailflow that DMARC "p=reject" was designed for.  Munge From makes it
difficult-to-impossible to verify mail apparently from PayPal without
ARC, which probably is not available on your site yet.

On the other hand, I suppose that there are few members of
treasurer-alias, and they would probably be willing to accept this
mailflow without the usual Subject tags and footer.  So the annoyance
level should not be huge if they were omitted.  So, I recommend that
you configure your list not to touch the Subject and body instead.

Steve


Re: [Mailman-Users] DMARC issue with Mailman List

2017-03-16 Thread Mark Sapiro
On 03/16/2017 06:20 AM, Terry Lund wrote:
> We are getting the following error for one of our users in one of our
> mailman lists. I've tried to figure out if one of the configuration options
> in Privacy Rules can be used to address this issue, but I am afraid I am
> not real clear on the implications of the relevant DMARC related
> parameters. Any insight or assistance would be much appreciated.
> 
> Our configuration is that our web site integration with PayPal has PayPal
> sending confirmation emails to a mailman list called treasurer-alias, so
> that multiple people are aware of the PayPal transaction.


PayPal.com publishes DMARC p=reject. Your treasurer-alias list makes
some message transformation such as adding a footer or subject prefix
that breaks PayPal's DKIM signature. Therefore recipient list member's
ISPs that honor DMARC will reject the message.

See  items 1) and 2) for ways to deal
with this. If your Mailman is 2.1.18+, I suggest setting Privacy
options... -> Sender filters -> dmarc_moderation_action to Munge From.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] DMARC issue with Mailman List

2017-03-16 Thread Terry Lund
We are getting the following error for one of our users in one of our
mailman lists. I've tried to figure out if one of the configuration options
in Privacy Rules can be used to address this issue, but I am afraid I am
not real clear on the implications of the relevant DMARC related
parameters. Any insight or assistance would be much appreciated.

Our configuration is that our web site integration with PayPal has PayPal
sending confirmation emails to a mailman list called treasurer-alias, so
that multiple people are aware of the PayPal transaction.

-- Forwarded message --
From: mailer-dae...@bounce.mail.unifiedlayer.com
To: treasurer-alias-boun...@catoctinareaturners.org
Cc:
Bcc:
Date: 16 Mar 2017 02:55:28 -
Subject: failure notice
Hi. This is the qmail-send program at bounce.mail.unifiedlayer.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<28blc...@gmail.com>:
74.125.28.27 failed after I sent the message.
Remote host said: 550-5.7.1 Unauthenticated email from paypal.com is not
accepted due to domain's
550-5.7.1 DMARC policy. Please contact the administrator of paypal.com
 domain
550-5.7.1 if this was a legitimate mail. Please visit
550-5.7.1  https://support.google.com/mail/answer/2451690 to learn about the
550 5.7.1 DMARC initiative. j61si3837935plb.86 - gsmtp

--- Enclosed are the original headers of the message.


-- Forwarded message --
From:
To:
Cc:
Bcc:
Date:
Subject:
(Body supressed)


Regards, and thanks in advance for any assistance.

-- 
Terry Lund
terry.l...@gmail.com


Re: [Mailman-Users] DMARC-related bounces due to AOL sender; from_is_list or anonymous_list?

2016-11-23 Thread Mark Sapiro
On 11/23/2016 08:53 AM, Matt Morgan wrote:
> 
> I understand that my choices for fixing this are either from_is_list or
> anonymous_list, and since this is an old server (2.1.12) that I recently
> took over (I have to stop using that excuse soon, I know), I can't do
> from_is_list.


Actually, in 2.1.18+ dmarc_moderation_action is more often than not
preferable to from_is_list.

See  for other possible mitigations
some of which apply to older Mailman versions.


> I need to update desperately. In other recent discussions, though, I've seen
> that Microsoft in particular is starting to make trouble even with
> from_is_list, i.e., when the sender and reply-to don't match, with the
> expectation being that one day their warnings will become rejections.


Actually, the current Microsoft warning is issued when the From: and To:
(or Cc:) addresses are the same. This affects anonymous_list as well as
DMARC mitigations.

It seems the (partial) way around all of this is to apply DMARC
mitigations when necessary or always (via dmarc_moderation_action or
from_is_list) and to set personalize to Full personalization so that To:
is the recipient, not the list.

Without better knowledge of Microsoft's rule, it's difficult to know how
to deal with it, and I'm sure Microsoft would consider such information
to be proprietary.


> In that light, should I just be moving to anonymous_list anyway? Training
> users to identify themselves in the body of their messages seems like the
> potential big issue there. Anything else?


As noted above, anonymous_list is not a solution in general. You might
consider anonymous_list as a DMARC mitigation in pre-2.1.16 only, but
better to upgrade.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] DMARC-related bounces due to AOL sender; from_is_list or anonymous_list?

2016-11-23 Thread Matt Morgan
On one of our lists, we are recently getting a lot of bounces related to
AOL's DMARC policy. We're probably getting them on all our lists, actually,
it's just that this list had a pretty stiff bounce-disabling config, so we
noticed it more there.

I understand that my choices for fixing this are either from_is_list or
anonymous_list, and since this is an old server (2.1.12) that I recently
took over (I have to stop using that excuse soon, I know), I can't do
from_is_list.

I need to update desperately. In other recent discussions, though, I've seen
that Microsoft in particular is starting to make trouble even with
from_is_list, i.e., when the sender and reply-to don't match, with the
expectation being that one day their warnings will become rejections.

In that light, should I just be moving to anonymous_list anyway? Training
users to identify themselves in the body of their messages seems like the
potential big issue there. Anything else?

Thanks,
Matt


Re: [Mailman-Users] DMARC problems

2016-07-21 Thread Stephen J. Turnbull
(catching up on mail)

Mark Sapiro writes:

 > possibly also setting dmarc_quarantine_moderation_action to Yes

If you use the dmarc_* settings, I recommend doing this.

"p=quarantine" is not very common as far as I know, but (1) sites like
GMail[1] do not promote "quarantine" to "safe", so mail *will* end up
in Spam folders, and (2) experience shows that many users ignore their
Spam folders for extended periods.  It's not worth the minor
beautification of the From address to have any mail end up in Spam
folders.

Steve



Footnotes: 
[1]  Which takes "reject" as advice rather than a command, and often
promotes From mismatches to the Spam folder rather than simply
deleting them, based on lack of spam-like or phishing content.



Re: [Mailman-Users] DMARC problems

2016-07-15 Thread Mark Sapiro
On 07/15/2016 05:22 PM, Richard Johnson wrote:
> This is described as:
> 
>> Action to take when anyone posts to the list from a domain with a
>> DMARC Reject/Quarantine Policy.
> 
> but the problem I'm getting is:
> 
> https://help.yahoo.com/kb/postmaster/SLN7253.html
> 
> which seems to be caused by the "From" address not matching the
> domain name whence the message was sent.


That link discusses mail rejected by Yahoo which may or may not have
anything to do with DMARC. The typical DMARC issue is mail From: a
yahoo.com user is bounced by multiple recipient ISPs including, but not
limited to Yahoo.


> I think in order to satisfy
> this, I need to simply apply "from_is_list"="Munge From".  When I
> apply this along with "reply_goes_to_list"="This list", then the
> original sender's address appears in the "CC" list, which is ok,
> since most people just hit "reply" and not "reply all".  I created a
> test list and played with it, looking at the SMTP interaction to
> verify that yahoo seems to think this is fine.


I think you'll find that setting from_is_list to No and
dmarc_moderation_action to Munge From and possibly also setting
dmarc_quarantine_moderation_action to Yes will also work, but will only
apply the Munge From action to posts From: domains such as yahoo.com
that publish DMARC p=reject policies and optionally domains that publish
p=quarantine.

As far as the original poster's address in Cc: is concerned, we try to
make Munge From result in mail which will be dealt with by MUA reply and
reply all the same as unmunged mail.

Thus, if reply_goes_to_list is Poster, we put the original poster's
address in Reply-To: so with compliant MUAs at least, 'reply' goes to
the OP and 'reply-all' goes to the OP and the list address in To:.

For reply_goes_to_list = This list, we put the OP's address in Cc:
rather than Reply-To: so 'reply' will go to only the list, but 'reply
all' will go to the list and the OP.

In all cases, we want the OP's address somewhere in visible headers.

Here are our goals (from comments in the handler that does this):

# We need to do some things with the original From: if we've munged
# it for DMARC mitigation.  We have goals for this process which are
# not completely compatible, so we do the best we can.  Our goals are:
# 1) as long as the list is not anonymous, the original From: address
#should be obviously exposed, i.e. not just in a header that MUAs
#don't display.
# 2) the original From: address should not be in a comment or display
#name in the new From: because it is claimed that multiple domains
#in any fields in From: are indicative of spamminess.  This means
#it should be in Reply-To: or Cc:.
# 3) the behavior of an MUA doing a 'reply' or 'reply all' should be
#consistent regardless of whether or not the From: is munged.
# Goal 3) implies sometimes the original From: should be in Reply-To:
# and sometimes in Cc:, and even so, this goal won't be achieved in
# all cases with all MUAs.  In cases of conflict, the above ordering of
# goals is priority order.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
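
The Reply-To:/Cc: placement described in the message above, as an added example that is not Mailman's handler code or part of the original post. The function names, the 'poster'/'list' values, the display-name format and every address are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses, parseaddr

# Constructed sample post; every address here is a placeholder.
SAMPLE_POST = """\
From: Alice Example <alice@yahoo.example>
To: testlist@lists.example.org
Subject: hello

body
"""

LIST_ADDR = "testlist@lists.example.org"   # hypothetical list posting address
LIST_NAME = "Testlist"                     # hypothetical list name


def _add_unique(msg, header, name, addr):
    """Append (name, addr) to an address header unless addr is already there."""
    pairs = getaddresses(msg.get_all(header, []))
    if addr.lower() not in [a.lower() for _, a in pairs]:
        pairs.append((name, addr))
    del msg[header]
    msg[header] = ", ".join(formataddr(p) for p in pairs)


def munge_from(msg, reply_goes_to_list):
    """Rewrite From: to the list address and keep the poster visible.

    reply_goes_to_list: 'poster' or 'list' (stand-ins for the Poster and
    This list settings discussed in the thread).
    """
    name, addr = parseaddr(msg.get("From", ""))
    if not addr:
        return msg                      # nothing parseable, leave untouched
    # Goal 2: no second domain anywhere in the new From:, so the display
    # name carries only the poster's name (or local part), never the address.
    display = "%s via %s" % (name or addr.split("@")[0], LIST_NAME)
    del msg["From"]
    msg["From"] = formataddr((display, LIST_ADDR))
    if reply_goes_to_list == "list":
        # 'reply' goes to the list only; 'reply all' also reaches the poster.
        _add_unique(msg, "Reply-To", "", LIST_ADDR)
        _add_unique(msg, "Cc", name, addr)
    else:
        # 'reply' goes to the poster; 'reply all' adds the list from To:.
        _add_unique(msg, "Reply-To", name, addr)
    return msg


def demo(reply_goes_to_list):
    """Run the rewrite on the constructed sample and return the message."""
    return munge_from(message_from_string(SAMPLE_POST), reply_goes_to_list)


if __name__ == "__main__":
    for mode in ("poster", "list"):
        m = demo(mode)
        print(mode, "|", m["From"], "|", m["Reply-To"], "|", m["Cc"])
```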


Re: [Mailman-Users] DMARC problems

2016-07-15 Thread Richard Johnson
This is described as:

> Action to take when anyone posts to the list from a domain with a DMARC 
> Reject/Quarantine Policy.

but the problem I'm getting is:

https://help.yahoo.com/kb/postmaster/SLN7253.html

which seems to be caused by the "From" address not matching the domain name 
whence the message was sent.  I think in order to satisfy this, I need to simply 
apply "from_is_list"="Munge From".  When I apply this along with 
"reply_goes_to_list"="This list", then the original sender's address appears in 
the "CC" list, which is ok, since most people just hit "reply" and not "reply 
all".  I created a test list and played with it, looking at the SMTP 
interaction to verify that yahoo seems to think this is fine.

/raj



> On Jul 15, 2016, at 5:00 PM, Mark Sapiro  wrote:
> 
> On 07/15/2016 03:15 PM, Richard Johnson wrote:
>> I have now upgraded to 2.1.22.  Thanks!
> 
> 
> And in 2.1.22, dmarc_moderation_action is generally preferable to
> from_is_list because it is only applied to those posts that need it.
> 
> See Privacy options... -> Sender filters
> 
> -- 
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Mailman-Users] DMARC problems

2016-07-15 Thread Mark Sapiro
On 07/15/2016 03:15 PM, Richard Johnson wrote:
> I have now upgraded to 2.1.22.  Thanks!


And in 2.1.22, dmarc_moderation_action is generally preferable to
from_is_list because it is only applied to those posts that need it.

See Privacy options... -> Sender filters

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] DMARC problems

2016-07-15 Thread Richard Johnson
I have now upgraded to 2.1.22.  Thanks!

/raj


> On Jul 15, 2016, at 2:37 PM, Mark Sapiro  wrote:
> 
> On 07/15/2016 01:45 PM, Richard Johnson wrote:
>> 
>>> In 2.1.16 a from_is_list feature was implemented ...
> 
>> I'm running 2.1.17 and the only thing I see which seems related to this is 
>> the "anonymous list" option under General Options.  Is this what's being 
>> referred to here, or is there some other "site configuration" (i.e., 
>> per-site configuration?) method somewhere?
> 
> 
> You really should upgrade. There have been ongoing changes in this area
> through 2.1.22. See
> .
> However, to answer your question, in 2.1.16 and 2.1.17 the from_is_list
> feature had to be enabled by putting
> 
> ALLOW_FROM_IS_LIST = Yes
> 
> in mm_cfg.py.
> 
> -- 
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] DMARC problems

2016-07-15 Thread Mark Sapiro
On 07/15/2016 01:45 PM, Richard Johnson wrote:
> 
>> In 2.1.16 a from_is_list feature was implemented ...

> I'm running 2.1.17 and the only thing I see which seems related to this is 
> the "anonymous list" option under General Options.  Is this what's being 
> referred to here, or is there some other "site configuration" (i.e., per-site 
> configuration?) method somewhere?


You really should upgrade. There have been ongoing changes in this area
through 2.1.22. See
.
However, to answer your question, in 2.1.16 and 2.1.17 the from_is_list
feature had to be enabled by putting

ALLOW_FROM_IS_LIST = Yes

in mm_cfg.py.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] DMARC problems

2016-07-15 Thread Richard Johnson
I've been running a number of mailing lists for quite a while and never noticed 
any problems until I set up one which has some yahoo and hotmail addresses on 
it.  Now I have to deal with the DMARC problem.  :(

Looking at:

https://wiki.list.org/DEV/DMARC

I see it says:

> In 2.1.16 a from_is_list feature was implemented which if enabled by a site 
> configuration option would offer a list admin the ability to either:
> 
>   • Rewrite (Munge) the From: header with the posters name 'via the list' 
> and the list's address and merge the poster's address into Reply-To: or
>   • Wrap the message as a message/rfc822 sub-part in a MIME format outer 
> message with From: and Reply-To: as above.

I'm running 2.1.17 and the only thing I see which seems related to this is the 
"anonymous list" option under General Options.  Is this what's being referred 
to here, or is there some other "site configuration" (i.e., per-site 
configuration?) method somewhere?

/raj


Re: [Mailman-Users] DMARC bouncing of yahoo and hotmail users

2016-04-14 Thread Stephen J. Turnbull
Mark Sapiro writes:

 > There have been workarounds for this issue since 2.1.16, but they didn't
 > get serious until 2.1.18 and have seen continuous tweaking since
 > then.

In other words, Mark is too modest.  Get 2.1.latest (.20, I think?),
'cause Maintainer Markie kicks a--!

Technically, he's right, they're tweaks, but as a user experience life
is truly better.  If you need to upgrade, get the latest.



Re: [Mailman-Users] DMARC bouncing of yahoo and hotmail users

2016-04-13 Thread Mark Sapiro
On 4/13/16 11:22 AM, Ricardo Kleemann wrote:
> 
> I've started noticing bounces to yahoo and hotmail users with this
> rejection message:
> 
>  Unfortunately, messages from (xxx) on behalf of (yahoo.com.br) could not
> be delivered due to domain owner policy restrictions. (in reply to end of
> DATA command))


Yahoo recently started applying DMARC p=reject to more domains. See
.


> In researching this problem I found this thread:
> 
> http://osgeo-org.1560.x6.nabble.com/OSGeo-1454-mailman-Mass-bouncing-of-yahoo-user-subscriptions-td5181289.html
> 
> From the thread it seems to indicate that Mailman v2.1.19 would have a
> workaround for the issue.
> 
> First, does anyone know if the updates in Mailman do indeed address the
> issue?


There have been workarounds for this issue since 2.1.16, but they didn't
get serious until 2.1.18 and have seen continuous tweaking since then.

See the FAQ articles at  and



> Second, my server is running Ubuntu linux with Mailman v2.1.16 and I'm not
> able to update to a new version via the apt-get command since this version
> of Ubuntu has v2.1.16 as the "latest". Is it safe for me to update Mailman
> via a tarball and not mess up the packaged installation?


See the FAQ at .

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] DMARC bouncing of yahoo and hotmail users

2016-04-13 Thread Ricardo Kleemann
Hi,

I've started noticing bounces to yahoo and hotmail users with this
rejection message:

 Unfortunately, messages from (xxx) on behalf of (yahoo.com.br) could not
be delivered due to domain owner policy restrictions. (in reply to end of
DATA command))

In researching this problem I found this thread:

http://osgeo-org.1560.x6.nabble.com/OSGeo-1454-mailman-Mass-bouncing-of-yahoo-user-subscriptions-td5181289.html

From the thread it seems to indicate that Mailman v2.1.19 would have a
workaround for the issue.

First, does anyone know if the updates in Mailman do indeed address the
issue?

Second, my server is running Ubuntu linux with Mailman v2.1.16 and I'm not
able to update to a new version via the apt-get command since this version
of Ubuntu has v2.1.16 as the "latest". Is it safe for me to update Mailman
via a tarball and not mess up the packaged installation?

thanks
Ricardo


Re: [Mailman-Users] DMARC hack

2015-05-28 Thread Mark Sapiro
On 05/28/2015 08:25 AM, Allan Hansen wrote:
> Hi Stephen,
> 
> You’re right. AOL does not accept these messages with ‘invalid’ at the end.
> 
> You’re recommending this:
> 
>     name, addr = parseaddr(msg.get('from'))
>     if addr.endswith('aol.com') or addr.endswith('yahoo.com'):
>         # I forget what happens if it's a bare address
>         name = "%s (%s) via list" % (name if name else "Anonymous", addr)
>         addr = 
>         del msg['from']
>         msg['from'] = formataddr((name, addr))
> 
> Can I copy this code directly into the file? 
> Is  valid syntax? (I have 40+ lists)


No, it is meant to be replaced with the actual list posting address, but
is there some reason you don't want to do what I posted at
?

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Re: [Mailman-Users] DMARC hack

2015-05-28 Thread Allan Hansen
Hi Stephen,

You’re right. AOL does not accept these messages with ‘invalid’ at the end.

You’re recommending this:

    name, addr = parseaddr(msg.get('from'))
    if addr.endswith('aol.com') or addr.endswith('yahoo.com'):
        # I forget what happens if it's a bare address
        name = "%s (%s) via list" % (name if name else "Anonymous", addr)
        addr = 
        del msg['from']
        msg['from'] = formataddr((name, addr))

Can I copy this code directly into the file? 
Is  valid syntax? (I have 40+ lists)

Yours,

Allan


> On May 24, 2015, at 6:10 , Stephen J. Turnbull  wrote:
> 
> Allan Hansen writes:
> 
>> 69,74d68
>> < 
>> < # Added to deal with DMARC issuej
>> < name, addrs = parseaddr(msg.get('from'))
>> < addrs += '.invalid'
> 
> This is known to be a bad idea, as it increases the spam score at many
> sites (because the author's mail domain doesn't resolve).  Subscribers
> at such sites may have trouble receiving mail, and your list(s) may be
> tagged as suspicious.
> 
> I would recommend the From-munging approach:
> 
>     name, addr = parseaddr(msg.get('from'))
>     if addr.endswith('aol.com') or addr.endswith('yahoo.com'):
>         # I forget what happens if it's a bare address
>         name = "%s (%s) via list" % (name if name else "Anonymous", addr)
>         addr = 
>         del msg['from']
>         msg['from'] = formataddr((name, addr))
> 
> Mark (or you) probably have better code, and in some cases you may
> want to add the addr to the Reply-To field.
> 
>> < del msg['from']
>> < msg['from'] = formataddr((name, addrs))
>> \ No newline at end of file
> 


Re: [Mailman-Users] DMARC hack

2015-05-24 Thread Mark Sapiro
On 05/24/2015 03:19 PM, Allan Hansen wrote:
> 
> $ host -t TXT _dmarc.btopenworld.com
> _dmarc.btopenworld.com descriptive text "v=DMARC1\; p=none\; fo=1\; 
> rua=mailto:dmarc...@btinternet.com, mailto:dmarc_...@auth.returnpath.net\;";


The domain publishes DMARC p=none. Thus, no ISP should treat a message
From: some...@btopenworld.com any differently than the same message
From: some...@elsewhere.com.


> Here is the reject notice:
> 
> Final-Recipient: rfc822; subscri...@aol.com
> Original-Recipient: rfc822;subscri...@aol.com
> Action: failed
> Status: 5.2.1
> Remote-MTA: dns; mailin-04.mx.aol.com
> Diagnostic-Code: smtp; 521 5.2.1 :  AOL will not accept delivery of this
>message.


I see this exact rejection reliably from AOL. When an AOL user posts to
a list, the list post sent back to that user is rejected in this way,
even though AOL accepts the same post for delivery to other AOL users.

I have experimented with this using my own AOL address to send and
reflecting various versions of the message back. I munged a lot of
headers including I think Message-Id:, and I always got rejected. I gave
up trying to figure out what AOL is looking at, but this reject occurs
to list posts from aol.com, even though the From: is munged to the list
address.

In any case, that's not the reject reason used for a reject due to DMARC
policy.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] DMARC hack

2015-05-24 Thread Allan Hansen
I wonder why then I got a bunch of issues with btopenworld.com, which 
apparently is Yahoo based.
I just checked btopenworld.com with the ‘host’ command and as you say, it has 
no ‘reject’:

$ host -t TXT _dmarc.btopenworld.com
_dmarc.btopenworld.com descriptive text "v=DMARC1\; p=none\; fo=1\; 
rua=mailto:dmarc...@btinternet.com, mailto:dmarc_...@auth.returnpath.net\;";
$ host -t TXT _dmarc.yahoo.com  
_dmarc.yahoo.com descriptive text "v=DMARC1\; p=reject\; sp=none\; pct=100\; 
rua=mailto:dmarc-yahoo-...@yahoo-inc.com, mailto:dmarc_y_...@yahoo.com\;”

Here is the reject notice:

Final-Recipient: rfc822; subscri...@aol.com
Original-Recipient: rfc822;subscri...@aol.com
Action: failed
Status: 5.2.1
Remote-MTA: dns; mailin-04.mx.aol.com
Diagnostic-Code: smtp; 521 5.2.1 :  AOL will not accept delivery of this
   message.

Date: May 13, 2015 at 07:52:17 PDT
From: 
To: 
Subject: subject
Reply-To: sen...@btopenworld.com



And yes, as I just wrote, I have good reasons for keeping this as simple as I 
possibly can. Upgrading is not simple, I suspect, though I’d love to move to 
3.0, as I have a lot of lists, with subscribers on many lists simultaneously.

Yours,

Allan


> On May 24, 2015, at 11:14 , Stephen J. Turnbull  wrote:
> 
> Allan Hansen writes:
> 
>> Checking for aol.com and yahoo.com here alone will not work. I have
>> a bunch of other subscribers that have  accounts with providers
>> that are owned by Yahoo (mostly) and AOL, but whose addresses are
>> not of this form.
> 
> Oddly enough, it turns out that they only use DMARC p=reject at their
> principal domain (aol.com and yahoo.com).  You can check for any given
> domain by prepending _dmarc. and checking the TXT record.  For
> example, for aol.com it would be "host -t TXT _dmarc.aol.com" if you
> have the host utility for doing DNS lookups.
> 
>> I would have to do this for all addresses, to be safe.
> 
> If you're worried about safety and care about conforming to standards,
> you really should upgrade to at least Mailman 2.1.18-1.  That allows
> you to be nonconformant only for authors whose addresses are in
> troublesome domains, and handles the reply-to issue as well as
> possible (making everybody happy isn't quite possible).  I'm sure you
> have good reason for not doing so *right* *now*, but keep it in mind.
> 
>> If I do this and add the bit about the Reply-To, what would the
>> code look like?
> 
> If you do it for all mail, you just delete the "if" line and shift
> everything left one dedent.
> 
>     name, addr = parseaddr(msg.get('from'))
>     name = "%s (%s) via list" % (name if name else "Anonymous", addr)
>     fromaddr = mlist.GetListEmail()
>     del msg['from']
>     # use the list address, not the poster's, in the new From:
>     msg['from'] = formataddr((name, fromaddr))
>     # reply-to handling goes here
> 
> I'm not comfortable trying to say what to do about reply-to, because
> it's quite complicated depending on how you want to handle each of a
> large number of variations: what to do with a preexisting Reply-To and
> whether to put the list and/or the from address there.  See the
> Mailman/Handlers/CookHeaders.py file in the Mailman distribution.
> 


Re: [Mailman-Users] DMARC hack

2015-05-24 Thread Stephen J. Turnbull
Allan Hansen writes:

 > Checking for aol.com and yahoo.com here alone will not work. I have
 > a bunch of other subscribers that have  accounts with providers
 > that are owned by Yahoo (mostly) and AOL, but whose addresses are
 > not of this form.

Oddly enough, it turns out that they only use DMARC p=reject at their
principal domain (aol.com and yahoo.com).  You can check for any given
domain by prepending _dmarc. and checking the TXT record.  For
example, for aol.com it would be "host -t TXT _dmarc.aol.com" if you
have the host utility for doing DNS lookups.

 > I would have to do this for all addresses, to be safe.

If you're worried about safety and care about conforming to standards,
you really should upgrade to at least Mailman 2.1.18-1.  That allows
you to be nonconformant only for authors whose addresses are in
troublesome domains, and handles the reply-to issue as well as
possible (making everybody happy isn't quite possible).  I'm sure you
have good reason for not doing so *right* *now*, but keep it in mind.

 > If I do this and add the bit about the Reply-To, what would the
 > code look like?

If you do it for all mail, you just delete the "if" line and shift
everything left one dedent.

    name, addr = parseaddr(msg.get('from'))
    name = "%s (%s) via list" % (name if name else "Anonymous", addr)
    fromaddr = mlist.GetListEmail()
    del msg['from']
    # use the list address, not the poster's, in the new From:
    msg['from'] = formataddr((name, fromaddr))
    # reply-to handling goes here

I'm not comfortable trying to say what to do about reply-to, because
it's quite complicated depending on how you want to handle each of a
large number of variations: what to do with a preexisting Reply-To and
whether to put the list and/or the from address there.  See the
Mailman/Handlers/CookHeaders.py file in the Mailman distribution.
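
The per-domain `_dmarc.` TXT check described in the message above, as an added example that is not from the original post or from Mailman: it parses records in the escaped form `host` prints and decides whether a post's From: domain calls for mitigation. The function names, the `quarantine_too` flag, the placeholder rua addresses and the two-label shortcut for the organizational domain are assumptions; a real implementation would use the public suffix list and a live DNS resolver.

```python
from email.utils import parseaddr

# Constructed TXT answers in the escaped form `host -t TXT` prints. The policy
# tags of the first two follow the output quoted in the thread; the rua
# addresses and the third record are placeholders.
SAMPLE_TXT = {
    "_dmarc.yahoo.com":
        r'"v=DMARC1\; p=reject\; sp=none\; pct=100\; rua=mailto:reports@example.com\;"',
    "_dmarc.btopenworld.com":
        r'"v=DMARC1\; p=none\; fo=1\; rua=mailto:reports@example.com\;"',
    "_dmarc.quarantine.example":
        r'"v=DMARC1\; p=quarantine\;"',
}


def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    txt = txt.strip().strip('"').replace("\\;", ";")
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # The version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].split("=", 1)[0].strip().lower() != "v":
        return None
    if tags.get("v") != "DMARC1":
        return None
    return tags


def effective_policy(from_domain, lookup):
    """Policy applying to mail From: from_domain; lookup(name) -> TXT or None."""
    from_domain = from_domain.lower().rstrip(".")
    record = lookup("_dmarc." + from_domain)
    tags = parse_dmarc(record) if record else None
    if tags is not None:
        return tags.get("p", "none").lower()
    labels = from_domain.split(".")
    if len(labels) > 2:
        # Assumption: organizational domain = last two labels.
        record = lookup("_dmarc." + ".".join(labels[-2:]))
        tags = parse_dmarc(record) if record else None
        if tags is not None:
            # Subdomains take sp= when present, otherwise p=.
            return tags.get("sp", tags.get("p", "none")).lower()
    return "none"


def needs_mitigation(from_header, lookup, quarantine_too=False):
    """True when the From: domain publishes p=reject (or quarantine, if asked)."""
    addr = parseaddr(from_header)[1]
    if "@" not in addr:
        return False
    policy = effective_policy(addr.rsplit("@", 1)[1], lookup)
    return policy == "reject" or (quarantine_too and policy == "quarantine")


if __name__ == "__main__":
    for sender in ("al@yahoo.com", "al@mail.yahoo.com", "al@btopenworld.com",
                   "al@notyahoo.com", "al@quarantine.example"):
        print(sender, needs_mitigation(sender, SAMPLE_TXT.get))
```

Unlike a suffix test on the address, the lookup treats `notyahoo.com` and `mail.yahoo.com` (covered by `sp=none` in the sample) as not needing the rewrite.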



Re: [Mailman-Users] DMARC hack

2015-05-24 Thread Allan Hansen
Hi Stephen,

Yes, there is a good reason. I’m using Mailman as it came with the OS X Server 
and am not prepared to replace it. Also, Mailman no longer comes pre-installed 
on the Apple platform, so I’m basically stuck. This is why I tried the simplest 
hack I could find. I have 44 busy lists and I’m wary of messing anything up, 
as I have basically no
time or background to fix it.

Yours,

Allan

> On May 24, 2015, at 11:06 , Andrew Hodgson  wrote:
> 
> Allan Hansen wrote:
> 
>> Stephen,
> 
>> Much appreciated. 
>> Checking for aol.com and yahoo.com here alone will not work. I have a bunch 
>> of other subscribers that have accounts with providers that are owned by 
>> Yahoo (mostly) and AOL, but whose addresses are not of this form.
>> I would have to do this for all addresses, to be safe.
> 
> Probably a good reason why you can't do this, but is there any way you can 
> upgrade to the latest 2.1.20?  It means the code for doing this is already 
> there for you and will work by looking up the relevant domain's DMARC policy 
> in DNS.  I use it on all the lists here by default now by munging the From: 
> header and it works when it needs to.
> 
> Thanks.
> Andrew. 


Re: [Mailman-Users] DMARC hack

2015-05-24 Thread Andrew Hodgson
Allan Hansen wrote:

>Stephen,

>Much appreciated. 
>Checking for aol.com and yahoo.com here alone will not work. I have a bunch of 
>other subscribers that have accounts with providers that are owned by Yahoo 
>(mostly) and AOL, but whose addresses are not of this form.
>I would have to do this for all addresses, to be safe.

Probably a good reason why you can't do this, but is there any way you can 
upgrade to the latest 2.1.20?  It means the code for doing this is already 
there for you and will work by looking up the relevant domain's DMARC policy in 
DNS.  I use it on all the lists here by default now by munging the From: header 
and it works when it needs to.

Thanks.
Andrew. 


Re: [Mailman-Users] DMARC hack

2015-05-24 Thread Allan Hansen
Stephen,

Much appreciated. 
Checking for aol.com and yahoo.com here alone will not work. I have a bunch of 
other subscribers that have
accounts with providers that are owned by Yahoo (mostly) and AOL, but whose 
addresses are not of this form.
I would have to do this for all addresses, to be safe.

If I do this and add the bit about the Reply-To, what would the code look like?

Yours,

Allan

> On May 24, 2015, at 6:10 , Stephen J. Turnbull  wrote:
> 
> Allan Hansen writes:
> 
>> 69,74d68
>> < 
>> < # Added to deal with DMARC issuej
>> < name, addrs = parseaddr(msg.get('from'))
>> < addrs += '.invalid'
> 
> This is known to be a bad idea, as it increases the spam score at many
> sites (because the author's mail domain doesn't resolve).  Subscribers
> at such sites may have trouble receiving mail, and your list(s) may be
> tagged as suspicious.
> 
> I would recommend the From-munging approach:
> 
>     name, addr = parseaddr(msg.get('from'))
>     if addr.endswith('aol.com') or addr.endswith('yahoo.com'):
>         # I forget what happens if it's a bare address
>         name = "%s (%s) via list" % (name if name else "Anonymous", addr)
>         addr = 
>         del msg['from']
>         msg['from'] = formataddr((name, addr))
> 
> Mark (or you) probably have better code, and in some cases you may
> want to add the addr to the Reply-To field.
> 
>> < del msg['from']
>> < msg['from'] = formataddr((name, addrs))
>> \ No newline at end of file
> 



[Mailman-Users] DMARC hack

2015-05-24 Thread Stephen J. Turnbull
Allan Hansen writes:

 > 69,74d68
 > < 
 > < # Added to deal with DMARC issuej
 > < name, addrs = parseaddr(msg.get('from'))
 > < addrs += '.invalid'

This is known to be a bad idea, as it increases the spam score at many
sites (because the author's mail domain doesn't resolve).  Subscribers
at such sites may have trouble receiving mail, and your list(s) may be
tagged as suspicious.

I would recommend the From-munging approach:

    name, addr = parseaddr(msg.get('from'))
    if addr.endswith('aol.com') or addr.endswith('yahoo.com'):
        # I forget what happens if it's a bare address
        name = "%s (%s) via list" % (name if name else "Anonymous", addr)
        addr = LIST_ADDRESS  # placeholder: the value here did not survive archiving
        del msg['from']
        msg['from'] = formataddr((name, addr))

Mark (or you) probably have better code, and in some cases you may
want to add the addr to the Reply-To field.

 > < del msg['from']
 > < msg['from'] = formataddr((name, addrs))
 > \ No newline at end of file



[Mailman-Users] DMARC hack

2015-05-23 Thread Allan Hansen
Never mind - it started working. I just had to leave the house and come back. 
Maybe the issues at work can be done that way, too. :-)
Allan



Hi,

I have waited almost a year for AOL and Yahoo to admit that they messed up and 
to remove their DMARC policy. My AOL and Yahoo subscribers are pretty upset at 
me because I won’t let them post. A number now have two subscriptions, one for 
posting (from GMail) and another for receiving the messages.

So against my better judgement, I included this hack in Cleanse.py;

22c22
< from email.Utils import formataddr, parseaddr
—
> from email.Utils import formataddr

69,74d68
< 
< # Added to deal with DMARC issuej
< name, addrs = parseaddr(msg.get('from'))
< addrs += '.invalid'
< del msg['from']
< msg['from'] = formataddr((name, addrs))
\ No newline at end of file
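Review bot: in the 69,74d68 hunk, addrs += '.invalid' is applied without checking what parseaddr returned, so a From: header that cannot be parsed (parseaddr then returns an empty address) is rewritten to a bare ".invalid". Test addrs before rewriting and leave the header alone when it is empty. The hunk also has no condition on the domain, so every poster's address gets the suffix, and the original address is not copied to Reply-To:, which leaves replies pointing at a domain that does not resolve. The diff was made with the modified file first, so the added lines carry "<"; diff -u Cleanse.py.original Cleanse.py.new would give the usual direction and some context.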

I found it in the discussion list.

I don’t get compile errors, but Cleanse.pyc is not being updated. I have 
stopped and restarted Mailman and I have also rebooted, but same non-action. I 
have not tried ‘compileall’ and am not eager to, either (permissions, where to 
invoke, etc). Any suggestions?

The host OS is Mac OS X Server 10.5.8 with Mailman 2.1.14

Yours,

Allan


Re: [Mailman-Users] DMARC hack

2015-05-23 Thread Mark Sapiro
On 05/23/2015 02:45 PM, Allan Hansen wrote:
> 
> So against my better judgement, I included this hack in Cleanse.py;
> 
> 22c22
> < from email.Utils import formataddr, parseaddr
> —
>>from email.Utils import formataddr
> 
> 69,74d68
> < 
> < # Added to deal with DMARC issuej
> < name, addrs = parseaddr(msg.get('from'))
> < addrs += '.invalid'
> < del msg['from']
> < msg['from'] = formataddr((name, addrs))
> \ No newline at end of filez-


It would help me understand what you did if you would post

diff -u Cleanse.py.original Cleanse.py.new

So that your patch is not reversed and I can see context, but it looks
like you replaced

del msg['x-pmrqc']

at the end of Cleanse.py with your added code. If that is what you did,
why delete the

del msg['x-pmrqc']

line?

In any case, I will refrain from discussing the merits of adding
.invalid to the domain, but why do it for all domains and not just
yahoo.com and aol.com or actually look up the From: domain's DMARC
policy and only do it for domains with DMARC p=reject?


> I don’t get compile errors, but Cleanse.pyc is not being updated. I have 
> stopped and restarted Mailman and I have also rebooted, but same non-action. 
> I have not tried ‘compileall’ and am not eager to, either (permissions, where 
> to invoke, etc). Any suggestions?


Does your hack do what you expect?

Cleanse.pyc will not be updated until Mailman processes at least one
post and then only if IncomingRunner can write to Cleanse.pyc. It may be
that Cleanse.pyc is in Mailman's group but not owned by the Mailman user
and is not group writable.

None of this matters. When Python imports the module, it will notice
that Cleanse.py is newer than Cleanse.pyc and will load and compile
Cleanse.py. Then it will write the byte-compiled result to Cleanse.pyc
if it can, but in any case, it will be using the code in Cleanse.py.

If there is a problem with permissions, you can compile Cleanse.py with
compileall as a user that can write the file, but it won't change the
results.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
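
Added example (not from any poster and not Mailman's own code): the From: rewrite discussed in this thread, applied only when the author's domain publishes p=reject or p=quarantine, as Mark suggests, with the author's address kept in Reply-To: as Allan asked. It is written for Python 3; the TXT records, the lookup_txt resolver, the list name and address, and the function names are all constructed for the example.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses, parseaddr

# Constructed TXT data standing in for DNS, so the example runs offline.
SAMPLE_TXT = {
    "_dmarc.yahoo.com": ["v=DMARC1; p=reject; pct=100"],
    "_dmarc.example.org": ["v=DMARC1; p=none"],
    "_dmarc.example.net": ["v=spf1 -all"],   # a TXT record, but not DMARC
}


def lookup_txt(name):
    """Hypothetical resolver: TXT strings published at name, or []."""
    return SAMPLE_TXT.get(name.lower(), [])


def dmarc_policy(domain, resolver=lookup_txt):
    """Return the p= value published at _dmarc.<domain>, or None.

    Simplification: only the exact From: domain is queried; a complete
    lookup also falls back to the organizational domain and reads sp=.
    """
    for record in resolver("_dmarc." + domain):
        tags = {}
        for part in record.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v") == "DMARC1" and "p" in tags:
            return tags["p"].lower()
    return None


def munge_from(msg, list_name, list_addr, resolver=lookup_txt):
    """Rewrite From: to the list address when the author's domain publishes
    p=reject or p=quarantine, and keep the author reachable via Reply-To:.
    Returns True if the message was changed."""
    name, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return False      # missing or unparseable From:, leave it alone
    domain = addr.rsplit("@", 1)[1].lower()
    if dmarc_policy(domain, resolver) not in ("reject", "quarantine"):
        return False      # no restrictive policy, nothing to mitigate
    # The display name gets no address in it, so From: carries one domain
    # only; a bare address falls back to its local part as the name.
    display = "%s via %s" % (name or addr.split("@", 1)[0], list_name)
    reply_to = getaddresses(msg.get_all("Reply-To", []))
    if addr.lower() not in [a.lower() for _, a in reply_to]:
        reply_to.append((name, addr))
    del msg["From"]
    msg["From"] = formataddr((display, list_addr))
    del msg["Reply-To"]
    msg["Reply-To"] = ", ".join(formataddr(pair) for pair in reply_to)
    return True


def demo():
    # Constructed sample post from a domain with p=reject.
    raw = ("From: Jane Doe <jane@yahoo.com>\n"
           "To: listname@lists.example.org\n"
           "Subject: hello\n\nbody\n")
    msg = message_from_string(raw)
    changed = munge_from(msg, "listname", "listname@lists.example.org")
    return changed, msg["From"], msg["Reply-To"]


if __name__ == "__main__":
    print(demo())
```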

[Mailman-Users] DMARC hack

2015-05-23 Thread Allan Hansen
Hi,

I have waited almost a year for AOL and Yahoo to admit that they messed up and 
to remove their DMARC policy. My AOL and Yahoo subscribers are pretty upset at 
me because I won’t let them post. A number now have two subscriptions, one for 
posting (from GMail) and another for receiving the messages.

So against my better judgement, I included this hack in Cleanse.py;

22c22
< from email.Utils import formataddr, parseaddr
—
>from email.Utils import formataddr

69,74d68
< 
< # Added to deal with DMARC issuej
< name, addrs = parseaddr(msg.get('from'))
< addrs += '.invalid'
< del msg['from']
< msg['from'] = formataddr((name, addrs))
\ No newline at end of file

I found it in the discussion list.

I don’t get compile errors, but Cleanse.pyc is not being updated. I have 
stopped and restarted Mailman and I have also rebooted, but same non-action. I 
have not tried ‘compileall’ and am not eager to, either (permissions, where to 
invoke, etc). Any suggestions?

The host OS is Mac OS X Server 10.5.8 with Mailman 2.1.14

Yours,

Allan


Re: [Mailman-Users] DMARC documentation lacking

2015-04-23 Thread Mark Sapiro
On 04/22/2015 10:29 PM, Fil wrote:
> Hello,
> 
> just upgraded from 2.1.16 to 2.1.20, because I was fed up with the DMARC
> issue. I googled a bit and found http://wiki.list.org/DEV/DMARC but it
> lacks info, especially:


The wiki page is only intended to describe in general terms what is
available. It is not intended to be documentation of the settings. The
possible mm_cfg.py settings are all documented in Defaults.py. The
Defaults.py info for this setting is:

# Default action for posts whose From: address domain has a DMARC policy of
# reject or quarantine.  See DEFAULT_FROM_IS_LIST below.  Whatever is set as
# the default here precludes the list owner from setting a lower value.
# 0 = Accept
# 1 = Munge From
# 2 = Wrap Message
# 3 = Reject
# 4 = Discard
DEFAULT_DMARC_MODERATION_ACTION = 0


> (I would have updated http://wiki.list.org/DEV/DMARC but it's immutable.)


As it says in the first paragraph of the home page at


... to add or edit content you must sign up and log in, and you must
also request write permission for your user name by sending a note to
the Mailman Steering Committee . (sorry it's the only way
to control wiki spam).

You now have write permission on the wiki.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] DMARC documentation lacking

2015-04-23 Thread Fil
>   > > 1) how to add a default value in mm_cfg.py
>  > > from the release notes I guess it's something like
>  > > DEFAULT_DMARC_MODERATION_ACTION = 1 # Munge
>  > >
>  >
>  > just to be clear: this line doesn't seem to bring anything to
>  > existing lists, which behave normal unless I go and set up
>  > /mailman/admin/${LISTNAME}/?VARHELP=general/from_is_list
>
> That's normal behavior for Mailman configuration.  The "DEFAULT_"
> variables are used at list creation time only, I believe.
>
> I suppose the rationale is that you really don't want all your
> existing lists to suddenly *change* behavior because you change the
> default.  Perhaps we could have a DEFAULT (for creation time) and a
> FALLBACK (for lists without a specific setting).
>

OK, makes sense :)

I really did want to change all my 700+ lists, so I wrote the configuration
directive to a file, then applied it to all lists:

echo "dmarc_moderation_action = 1" > dmarc1.cfg
for i in $(bin/list_lists -b); do
   echo $i;
   bin/config_list -i dmarc1.cfg "$i";
done

Hope this can help someone else :)

-- Fil


Re: [Mailman-Users] DMARC documentation lacking

2015-04-23 Thread Stephen J. Turnbull
Fil writes:
 > On Thu, Apr 23, 2015 at 7:29 AM, Fil  wrote:
 > 
 > > 1) how to add a default value in mm_cfg.py
 > > from the release notes I guess it's something like
 > > DEFAULT_DMARC_MODERATION_ACTION = 1 # Munge
 > >
 > 
 > just to be clear: this line doesn't seem to bring anything to
 > existing lists, which behave normal unless I go and set up
 > /mailman/admin/${LISTNAME}/?VARHELP=general/from_is_list

That's normal behavior for Mailman configuration.  The "DEFAULT_"
variables are used at list creation time only, I believe.

I suppose the rationale is that you really don't want all your
existing lists to suddenly *change* behavior because you change the
default.  Perhaps we could have a DEFAULT (for creation time) and a
FALLBACK (for lists without a specific setting).




Re: [Mailman-Users] DMARC documentation lacking

2015-04-23 Thread Fil
On Thu, Apr 23, 2015 at 7:29 AM, Fil  wrote:

> 1) how to add a default value in mm_cfg.py
> from the release notes I guess it's something like
> DEFAULT_DMARC_MODERATION_ACTION = 1 # Munge
>

just to be clear: this line doesn't seem to bring anything to existing
lists, which behave normal unless I go and set up
/mailman/admin/${LISTNAME}/?VARHELP=general/from_is_list

-- Fil


[Mailman-Users] DMARC documentation lacking

2015-04-22 Thread Fil
Hello,

just upgraded from 2.1.16 to 2.1.20, because I was fed up with the DMARC
issue. I googled a bit and found http://wiki.list.org/DEV/DMARC but it
lacks info, especially:

1) how to add a default value in mm_cfg.py
from the release notes I guess it's something like
DEFAULT_DMARC_MODERATION_ACTION = 1 # Munge

2) what numbers correspond to each action
(I dug them out from a comment in SpamDetect.py)
# Note that for dmarc_moderation_action, 0 = Accept,
#1 = Munge, 2 = Wrap, 3 = Reject, 4 = Discard

(I would have updated http://wiki.list.org/DEV/DMARC but it's immutable.)

-- Fil


Re: [Mailman-Users] DMARC mitigation - was: Templates

2015-04-04 Thread Lindsay Haisley
On Sat, 2015-04-04 at 12:10 -0700, JB wrote:
> I can hardly believe I actually followed that whole post start to end!
> Thanks Mark.

You might find the full discussion last spring of the DMARC issue both
understandable and helpful.  It went on for quite a while and a lot of
very relevant points got coverage.  IMHO this is something about which
every mail and list admin should be aware.
> 
-- 
Lindsay Haisley   | "The only unchanging certainty
FMP Computer Services |is the certainty of change"
512-259-1190  |
http://www.fmp.com| - Ancient wisdom, all cultures



Re: [Mailman-Users] DMARC mitigation - was: Templates

2015-04-04 Thread JB
I can hardly believe I actually followed that whole post start to end!  Thanks 
Mark.

On Sat, 4/4/15, Mark Sapiro  wrote:

 Subject: Re: [Mailman-Users] DMARC mitigation - was: Templates
 To: mailman-users@python.org
 Date: Saturday, April 4, 2015, 1:38 PM
 
 On 04/04/2015 09:59 AM, Laura Creighton wrote:
 > 
 > ps -- anybody know why all mail I see from people on yahoo.com (including JB
 > here) arrives to me as from yahoo.com.dmarc.invalid.
 > 
 > It very much seems to be a python.org thing, but, ah, why is python.org
 > seeing fit to add this stuff?
 
 
 It's DMARC mitigation. Mailman has features for this, but on this list
 at least they are turned off. See <http://wiki.list.org/DEV/DMARC> for
 something about DMARC in general and Mailman's mitigation features.
 
 The problem is yahoo.com, aol.com and a few other domains publish DMARC
 policies of 'reject'. For our purposes, this means that a message with a
 From: address in one of those domains that is not validly DKIM signed by
 that domain will be rejected by a lot of ISPs. List transformations will
 break the incoming DKIM sig so the only way to get such a message
 accepted by many large ISPs is to munge the From: domain in some way.
 
 See the archives of this list from last April at
 <https://mail.python.org/pipermail/mailman-users/2014-April/> for much
 discussion of this.
 
 Mailman's From: address munging will replace, e.g.
 
 From: Mark 
 
 with, e.g.
 
 From: Mark via Mailman-Users 
 
 and add the original From: to Reply-To:, but that doesn't happen with
 python.org mailing lists because the incoming MTA at mail.python.org
 deals with this differently by just appending .dmarc.invalid to From:
 addresses @yahoo.com, @aol.com and a couple of other domains.
 
 Some people think this approach is less disruptive than Mailman's way -
 i.e. users when replying are astute enough to just remove the
 .dmarc.invalid, or if not, maybe they'll figure it out after seeing the
 bounce DSN.
 
 --
 Mark Sapiro        The highway is for gamblers,
 San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] DMARC mitigation - was: Templates

2015-04-04 Thread Mark Sapiro
On 04/04/2015 09:59 AM, Laura Creighton wrote:
> 
> ps -- anybody know why all mail I see from people on yahoo.com (including JB
> here) arrives to me as from yahoo.com.dmarc.invalid.
> 
> It very much seems to be a python.org thing, but, ah, why is python.org
> seeing fit to add this stuff?


It's DMARC mitigation. Mailman has features for this, but on this list
at least they are turned off. See <http://wiki.list.org/DEV/DMARC> for
something about DMARC in general and Mailman's mitigation features.

The problem is yahoo.com, aol.com and a few other domains publish DMARC
policies of 'reject'. For our purposes, this means that a message with a
From: address in one of those domains that is not validly DKIM signed by
that domain will be rejected by a lot of ISPs. List transformations will
break the incoming DKIM sig so the only way to get such a message
accepted by many large ISPs is to munge the From: domain in some way.

See the archives of this list from last April at
<https://mail.python.org/pipermail/mailman-users/2014-April/> for much
discussion of this.

Mailman's From: address munging will replace, e.g.

From: Mark 

with, e.g.

From: Mark via Mailman-Users 

and add the original From: to Reply-To:, but that doesn't happen with
python.org mailing lists because the incoming MTA at mail.python.org
deals with this differently by just appending .dmarc.invalid to From:
addresses @yahoo.com, @aol.com and a couple of other domains.

Some people think this approach is less disruptive than Mailman's way -
i.e. users when replying are astute enough to just remove the
.dmarc.invalid, or if not, maybe they'll figure it out after seeing the
bounce DSN.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] DMARC

2014-06-24 Thread Larry Finch
I've gotten a dozen or more similar phishing messages. Shows how effective 
DMARC is - NOT

Regards
Larry

Sent from my iPad

> On Jun 24, 2014, at 9:51 PM, "Barry S. Finkel"  wrote:
> 
> I have in one of my mailboxes a scam from June 10 that has
> 
> From: Chase Notification 
> 
> In the web MUA I use for this account, only the display name
> 
> Chase Notification
> 
> is shown on the screen as the sender.  DMARC obviously will not
> help in this case.  I have no idea if the scammers are now
> avoiding using an e-mail address ".@chase.com" because
> the address is not shown as the sender in some MUAs.
> 
> --Barry Finkel
> 


Re: [Mailman-Users] DMARC handler

2014-06-24 Thread Stephen J. Turnbull
Ron Guerin writes:

 > I would really like to do, as someone said earlier, just say "Friends
 > don't let Friends use Yahoo or AOL Mail."  But count me in with those
 > expecting Gmail to be next.  That's nearly half the subscribers of the
 > list I've been asking in regard to.

I think GMail would have to consider using "p=reject" if they suffered
a security breach like those at AOL and Yahoo!.  However, so far
they've kept their own counsel about respecting others' "p=reject",
and the way the attackers went directly from Yahoo! to AOL, and then
stopped, suggests they found GMail and Hotmail more difficult to
crack.  This may not just be an accident.  The business models differ
more or less, and GMail and Hotmail may be able to maintain a stronger
security profile vs. "management" business initiatives.

A second consideration is that the DMARC discussion group at IETF is
working on ways to allow mailing lists to sign the posts they
distribute, instead of depending only on the Author Domain's signature
for authentication in case of an Author Domain's "p=reject".  This is
a very difficult problem involving certain risks (in particular, it's
clearly ineffective against what are called "spear-phishing attacks"),
but in GMail's user profile those risks might be acceptable to GMail.

This does require that your MTA sign the posts you distribute after
any list modifications, but IMO it's quite possible that GMail will
allow lists to control their own destiny in that way, at least until
proven ineffective.  Of course that assumes that a draft gets
widespread support and GMail decides to implement it.




[Mailman-Users] DMARC

2014-06-24 Thread Barry S. Finkel

I have in one of my mailboxes a scam from June 10 that has

 From: Chase Notification 

In the web MUA I use for this account, only the display name

 Chase Notification

is shown on the screen as the sender.  DMARC obviously will not
help in this case.  I have no idea if the scammers are now
avoiding using an e-mail address ".@chase.com" because
the address is not shown as the sender in some MUAs.

--Barry Finkel



Re: [Mailman-Users] DMARC handler

2014-06-23 Thread Ron Guerin
On 6/21/2014 8:24 PM, Mark Sapiro wrote:
> On 06/21/2014 04:04 PM, Ron Guerin wrote:
>> I'm struggling to find a palatable solution to the configuration of a
>> list, and the new Yahoo-style DMARC problem.
>>
>> The list has mung on, as well as Reply-To: set to the list.  The end
>> result is nowhere does the original sender's address appear in the
>> messages, when having them readily visible is the desired behavior.
> 
> 
> In Mailman 2.1.18-1, the posters address will also be in Reply-To: with
> Reply-To: set to the list. In Mailman 2.1.16 and 2.1.17, this wasn't the
> case (I think only if first_strip_reply_to was Yes).
> 
> 
>> I was wondering about asking someone to make a Mailman handler that
>> would re-write the From: address after munging to:
>>
>>  Jane Doe (j...@example.com) via listname 
>>
>> My question now is, is there any reason why re-writing it this way would
>> be a bad idea?
> 
> 
> Yes. According to
> :
> 
> The inclusion of more than one domain in the RFC5322.From field is
> dangerous.  Recent studies by two major senders show that ~95% of all
> cases in which there is one domain in the RFC5322.From "display name"
> and different domain in the RFC5322.From "address-spec" are fraudulent.
>  This practice should be discouraged as there are efforts underway to
> increase "spam scores" within inbound filtering when this is detected.

I've been absorbing a lot of input about this and while the part of me
that just wants to get things done still likes the idea of putting the
address into the comment field, I'm finding the argument persuasive that
as soon as people /expect/ to find a valid address in the comment field,
the cold clammy hands of DMARC will choke that off too.  I don't find
the argument /valid/ mind you, as the comment field is the comment
field, and no MUA (save ones with a very specific bug) are ever going to
treat it as anything but a comment, but I completely believe that
anything that reduces the pain of DMARC will eventually run afoul of DMARC.

Now you tell me that it's actually a useful indicator of spamminess.
That feels like the last nail in the coffin.

> But, on the other hand, that's exactly what Yahoo Groups is doing, so
> take your pick.
> 
> If having the poster's address in Reply-To: would be satisfactory, try
> setting first_strip_reply_to to No.

That may be the least objectionable solution that's still
"DMARC-friendly", but then I'm probably annoying subscribers who aren't
using DMARC to reject mail their users asked for.

> Changing CookHeaders to munge the from as you suggest is a very simple
> patch. I have attached a 2.1.16/17 version. Note that even with this
> patch, the bug at  is
> not completely fixed. Also note John's objection won't apply as this
> will be formatted as
> 
>   "Jane Doe  via listname" 

I had it in my mind before he mentioned it that I'd have to look into
what triggers quoting of the comment field, but his input reassures me
that it's not likely to cause other problems from a technical
standpoint.  From a social standpoint though, it seems to be an idea
living on borrowed time.

I would really like to do, as someone said earlier, just say "Friends
don't let Friends use Yahoo or AOL Mail."  But count me in with those
expecting Gmail to be next.  That's nearly half the subscribers of the
list I've been asking in regard to.

And thanks for sending code again, you're the best!

- Ron



Re: [Mailman-Users] DMARC handler

2014-06-22 Thread John Levine
>> Yahoo Groups also add something like this in a footer:
>> "Posted by: a real name a-n...@a-domain.co.uk"
>> and a series of mailto links below that for replying to the original sender 
>> or to the group.
>
>Well, won't this break DKIM?

Yes, but if it also takes the real author address out of the From:
line, it'll avoid DMARC problems.

Lists should put their own DKIM signature on outgoing mail, so
recipient systems can recognize it as being from the list.  That's how
it's supposed to work.

R's,
John




Re: [Mailman-Users] DMARC handler

2014-06-22 Thread Stephen J. Turnbull
Bjoern Franke writes:
 > On Sunday, 22.06.2014, 13:33 +1000, Peter Shute wrote:
 > > Yahoo Groups also add something like this in a footer:
 > > "Posted by: a real name a-n...@a-domain.co.uk"
 > > and a series of mailto links below that for replying to the original 
 > > sender or to the group.
 > 
 > Well, won't this break DKIM?

No.

DKIM provides *no* policy, except that verifiers should draw the same
conclusions from an invalid signature that they would from the absence
of that signature.  So this question really means "Will there be a
valid DKIM signature?"  And the answer is "Yes -- the signature by
Yahoo! Groups' own MTA will be valid".[1]  Other signatures may be
invalid, but according to DKIM they should be ignored.

Perhaps you meant "won't this break DMARC?" and again the answer is
(perhaps more surprisingly), "no"!  The reason is that the mailbox in
From: is @yahoo (or @yahoo-groups or something like that), and that
MTA will DKIM sign after corrupting From: and adding that footer.
This signature will be valid, and the domain in the mailbox in From:
and the signing domain will be the same, and thus will be accepted by a
recipient participating in DMARC.

The only problem is that anything Yahoo! Groups can do, the spammers
and phishers can do too.  (And of course that it violates RFC 5322.)

Footnotes: 
[1]  There are caveats to this, of course -- we *are* talking about
*Internet mail*, where *anything* can happen and eventually does.
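
Added example (not from the thread and not code from Mailman or any verifier): the alignment test behind the answer above, run over three constructed messages: a direct post, the same post relayed by a list with From: untouched, and the relayed post with From: rewritten to the list. It reads results from Authentication-Results headers; the host name mx.example.net, the sample headers, the function names and the two-label organizational-domain shortcut are assumptions made for the example (real verifiers use the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the authserv-id of the receiving site. Results stamped by
# any other host are not trusted, since a sender can add such a header.
TRUSTED_AUTHSERV = "mx.example.net"


def org_domain(domain):
    """Naive organizational domain: the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def passing_identifiers(msg):
    """Return (method, domain) for each dkim/spf result of 'pass'.

    A failed signature is skipped entirely: as far as DKIM is concerned
    it counts the same as no signature at all.
    """
    found = []
    for header in msg.get_all("Authentication-Results", []):
        clauses = header.split(";")
        if clauses[0].strip().lower() != TRUSTED_AUTHSERV:
            continue
        for clause in clauses[1:]:
            m = re.match(r"\s*(dkim|spf)\s*=\s*(\w+)", clause, re.I)
            if not m or m.group(2).lower() != "pass":
                continue
            method = m.group(1).lower()
            prop = "header.d" if method == "dkim" else "smtp.mailfrom"
            d = re.search(re.escape(prop) + r"\s*=\s*(\S+)", clause, re.I)
            if d:
                domain = d.group(1).rsplit("@", 1)[-1].lower()
                found.append((method, domain))
    return found


def dmarc_verdict(raw):
    """Return ('pass', aligned identifiers) or ('fail', [])."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ("fail", [])
    from_org = org_domain(addr.rsplit("@", 1)[1])
    aligned = [(meth, dom) for meth, dom in passing_identifiers(msg)
               if org_domain(dom) == from_org]
    return ("pass", aligned) if aligned else ("fail", [])


# Constructed sample messages.
DIRECT = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=yahoo.com; "
    "spf=pass smtp.mailfrom=jane@yahoo.com\n"
    "From: Jane Doe <jane@yahoo.com>\n\nhello\n")

# After the list adds a footer, the author's signature no longer verifies;
# the list's own signature and envelope sender do.
LIST_RESULTS = (
    "Authentication-Results: mx.example.net; dkim=fail header.d=yahoo.com; "
    "dkim=pass header.d=lists.example.org; "
    "spf=pass smtp.mailfrom=listname-bounces@lists.example.org\n")

VIA_LIST_UNCHANGED_FROM = (
    LIST_RESULTS + "From: Jane Doe <jane@yahoo.com>\n\nhello\nfooter\n")

VIA_LIST_REWRITTEN_FROM = (
    LIST_RESULTS
    + "From: Jane Doe via listname <listname@lists.example.org>\n"
    + "Reply-To: Jane Doe <jane@yahoo.com>\n\nhello\nfooter\n")

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT),
                       ("list, From: unchanged", VIA_LIST_UNCHANGED_FROM),
                       ("list, From: rewritten", VIA_LIST_REWRITTEN_FROM)):
        print(label, dmarc_verdict(raw))
```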



Re: [Mailman-Users] DMARC handler

2014-06-22 Thread Richard Damon

On 6/22/14, 8:12 AM, Bjoern Franke wrote:
> On Sunday, 22.06.2014, 13:33 +1000, Peter Shute wrote:
>> Yahoo Groups also add something like this in a footer:
>> "Posted by: a real name a-n...@a-domain.co.uk"
>> and a series of mailto links below that for replying to the original sender
>> or to the group.
>
> Well, won't this break DKIM?
>
> Regards
> Bjoern

If they didn't break DKIM already, they wouldn't need to do this, as 
they could leave From: unchanged and pass DMARC!

--
Richard Damon



Re: [Mailman-Users] DMARC handler

2014-06-22 Thread Bjoern Franke
On Sunday, 22.06.2014, 13:33 +1000, Peter Shute wrote:
> Yahoo Groups also add something like this in a footer:
> "Posted by: a real name a-n...@a-domain.co.uk"
> and a series of mailto links below that for replying to the original sender 
> or to the group.

Well, won't this break DKIM?

Regards
Bjoern

-- 
xmpp b...@schafweide.org 
bjo.nord-west.org | nord-west.org



Re: [Mailman-Users] DMARC handler

2014-06-21 Thread Peter Shute
Yahoo Groups also add something like this in a footer:
"Posted by: a real name a-n...@a-domain.co.uk"
and a series of mailto links below that for replying to the original sender or 
to the group.

I find the former useful for telling who sent the message, because my iPad only 
displays the list address in From. The latter would be useful for those who 
find replying directly to the original sender difficult, but they don't include 
any quoted text, which is annoying at times.

Peter Shute

>> On 22 Jun 2014, at 11:50 am, "Mark Rousell"  wrote:
>> 
>> On 22/06/2014 00:04, Ron Guerin wrote:
>> I'm struggling to find a palatable solution to the configuration of a
>> list, and the new Yahoo-style DMARC problem.
>> 
>> The list has mung on, as well as Reply-To: set to the list.  The end
>> result is nowhere does the original sender's address appear in the
>> messages, when having them readily visible is the desired behavior.
>> 
>> I was wondering about asking someone to make a Mailman handler that
>> would re-write the From: address after munging to:
>> 
>>  Jane Doe (j...@example.com) via listname 
>> 
>> My question now is, is there any reason why re-writing it this way would
>> be a bad idea?
> 
> Notwithstanding the three comments above mine, all of which point out
> that this is a bad thing, there is a certain irony that what you suggest
> here is very similar to what Yahoo Groups does for its mail lists.
> 
> Here are the relevant lines from two recent Yahoo Groups mail list
> posts, one with a name in the email's From field, one without (both
> edited to be generic):
> 
> 
> X-Original-From: original-aut...@authordomain.com
> From: "original-aut...@authordomain.com [a-yahoo-group-list]"
>  
> Reply-To: a-yahoo-group-l...@yahoogroups.com
> 
> 
> X-Original-From: a real name 
> From: "a real name a-n...@a-domain.co.uk [a-yahoo-group-list]"
>  
> Reply-To: a-yahoo-group-l...@yahoogroups.com
> 
> 
> As you can see, they don't put the original author's email address in
> brackets but they do put the list name in square brackets, and enclose
> the comment section in quotes.
> 
> They have also added the X-Original-From header.
> 
> Yahoo Groups always seems to (and always did) set the Reply-To back to
> the list address.
> 
> I have to say that this approach reads well to the human eye in my
> opinion, even though it still results in two email addresses ending up
> in the new From field.
> 
> But if Yahoo does it that makes it ok, doesn't it? ;-)
> 
> -- 
> Mark Rousell
> 
> PGP public key: http://www.signal100.com/markr/pgp
> Key ID: C9C5C162


Re: [Mailman-Users] DMARC handler

2014-06-21 Thread Mark Rousell
On 22/06/2014 00:04, Ron Guerin wrote:
> I'm struggling to find a palatable solution to the configuration of a
> list, and the new Yahoo-style DMARC problem.
> 
> The list has mung on, as well as Reply-To: set to the list.  The end
> result is nowhere does the original sender's address appear in the
> messages, when having them readily visible is the desired behavior.
> 
> I was wondering about asking someone to make a Mailman handler that
> would re-write the From: address after munging to:
> 
>   Jane Doe (j...@example.com) via listname 
> 
> My question now is, is there any reason why re-writing it this way would
> be a bad idea?

Notwithstanding the three comments above mine, all of which point out
that this is a bad thing, there is a certain irony that what you suggest
here is very similar to what Yahoo Groups does for its mail lists.

Here are the relevant lines from two recent Yahoo Groups mail list
posts, one with a name in the email's From field, one without (both
edited to be generic):


X-Original-From: original-aut...@authordomain.com
From: "original-aut...@authordomain.com [a-yahoo-group-list]"

Reply-To: a-yahoo-group-l...@yahoogroups.com


X-Original-From: a real name 
From: "a real name a-n...@a-domain.co.uk [a-yahoo-group-list]"

Reply-To: a-yahoo-group-l...@yahoogroups.com


As you can see, they don't put the original author's email address in
brackets but they do put the list name in square brackets, and enclose
the comment section in quotes.

They have also added the X-Original-From header.

Yahoo Groups always seems to (and always did) set the Reply-To back to
the list address.

I have to say that this approach reads well to the human eye in my
opinion, even though it still results in two email addresses ending up
in the new From field.

But if Yahoo does it that makes it ok, doesn't it? ;-)

-- 
Mark Rousell

PGP public key: http://www.signal100.com/markr/pgp
Key ID: C9C5C162
 
 
 



[Mailman-Users] DMARC handler

2014-06-21 Thread Stephen J. Turnbull
Ron Guerin writes:

 >  Jane Doe (j...@example.com) via listname 
 > 
 > My question now is, is there any reason why re-writing it this way
 > would be a bad idea?

First, the DMARC proponents themselves say "don't do that!"  (Mostly
for the reasons given below.)

Second, it disrespects the wishes of Yahoo!  The reason that Yahoo! is
publishing "p=reject" is because it doesn't want the mailbox to appear
in From: in mail handled by third parties (mostly meaning "spammers"
but also including *you*), because users take that as a sign that the
mail is really from someone they know, making them vulnerable to
phishing and " recommends" spam.  Of course, Yahoo! Groups now
is doing exactly what you propose.  This sort of works for now because
the spammers aren't emulating it yet, and MUAs don't put Jane's
picture next to the address.

Third, I bet that "Your Friend  via 3rd Party "
phishing and spam will appear in short order, people will be
defrauded, and DMARC will be updated to reject on any appearance of a
protected mailbox in From:.  Then you'll be back in the same boat.  I
wouldn't be surprised if various MUAs (including Yahoo! itself) don't
start handling Yahoo! Groups (and perhaps your list as well) specially
by parsing the address out of the display name and prettifying
addresses in the user's contact list, exacerbating the "Yahoo! is
friendly to fraud" effect.

Fourth, Heaven only knows what Outlook (and other MUAs) will do with
that format of display name, but I bet it ain't pretty.

My take on this is "friends don't let friends use Yahoo!", YMMV.



Re: [Mailman-Users] DMARC handler

2014-06-21 Thread Mark Sapiro
On 06/21/2014 04:04 PM, Ron Guerin wrote:
> I'm struggling to find a palatable solution to the configuration of a
> list, and the new Yahoo-style DMARC problem.
> 
> The list has mung on, as well as Reply-To: set to the list.  The end
> result is nowhere does the original sender's address appear in the
> messages, when having them readily visible is the desired behavior.


In Mailman 2.1.18-1, the poster's address will also be in Reply-To: with
Reply-To: set to the list. In Mailman 2.1.16 and 2.1.17, this wasn't the
case (I think only if first_strip_reply_to was Yes).


> I was wondering about asking someone to make a Mailman handler that
> would re-write the From: address after munging to:
> 
>   Jane Doe (j...@example.com) via listname 
> 
> My question now is, is there any reason why re-writing it this way would
> be a bad idea?


Yes. According to
:

The inclusion of more than one domain in the RFC5322.From field is
dangerous.  Recent studies by two major senders show that ~95% of all
cases in which there is one domain in the RFC5322.From "display name"
and different domain in the RFC5322.From "address-spec" are fraudulent.
 This practice should be discouraged as there are efforts underway to
increase "spam scores" within inbound filtering when this is detected.

But, on the other hand, that's exactly what Yahoo Groups is doing, so
take your pick.

If having the poster's address in Reply-To: would be satisfactory, try
setting first_strip_reply_to to No.

Changing CookHeaders to munge the from as you suggest is a very simple
patch. I have attached a 2.1.16/17 version. Note that even with this
patch, the bug at  is
not completely fixed. Also note John's objection won't apply as this
will be formatted as

  "Jane Doe  via listname" 

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
--- 2.1.16CookHeaders.py2014-06-21 17:09:21.713302870 -0700
+++ newCookHeaders.py   2014-06-21 17:13:04.553299051 -0700
@@ -129,7 +129,9 @@
 rt = msg['from']
 change_header('Reply-To', rt, mlist, msg, msgdata)
 change_header('From',
-  formataddr(('%s via %s' % (realname, mlist.real_name),
+  formataddr(('%s <%s> via %s' % (realname,
+  email,
+  mlist.real_name),
  mlist.GetListEmail())),
   mlist, msg, msgdata)
 if mlist.from_is_list != 2:
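Review bot: The new format string in the `formataddr` call puts `email` in angle brackets inside the display name, so every munged From: carries the poster's domain in the display name and the list's domain in the addr-spec, which is the pattern the FAQ text quoted in this message says inbound filters are starting to score as spam. Suggest making the address-in-display-name form conditional on a list setting instead of replacing the existing `'%s via %s'` format outright, and adding a comment that the header stays valid only because `formataddr` quotes a display name containing `<`, `>` and `@`.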

Re: [Mailman-Users] DMARC handler

2014-06-21 Thread John Levine
>I was wondering about asking someone to make a Mailman handler that
>would re-write the From: address after munging to:
>
>From: Jane Doe (j...@example.com) via listname 
>
>My question now is, is there any reason why re-writing it this way would
>be a bad idea?

Well, of course, it's a bad idea for all the reasons we know that
address munging in general is a bad idea.

By my reading of RFC 5322, this is syntactically valid, but it's
fairly unusual to put a parenthesized comment into the display name
preceding the angle-addr.  Also, if Jane's name happens to have a dot
or other punctuation in it, that's not valid, e.g. this is wrong:

 From: Jane Q. Doe (j...@example.com) via listname 

You can quote the whole thing to make it OK:

 From: "Jane Q. Doe j...@example.com via listname" 

R's,
John
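The two points made in the replies above (the quoted display name John describes, and the display-name/addr-spec domain mismatch from the FAQ text Mark quotes) can be checked with a short script. This is an added example, not part of the original posts and not Mailman code; the helper names, the loose address regex, the subdomain-based alignment rule and all sample addresses are assumptions made for illustration.

```python
import re
from email.utils import formataddr, parseaddr

# Loose matcher for an address-like token inside free text
# (an assumption for this example, not a full RFC 5322 parser).
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def munged_from(realname, email, listname, list_addr):
    """Build a From: value in the "Name <addr> via listname" style from the thread.

    formataddr() wraps the display name in double quotes because it
    contains specials such as '.', '<', '>' and '@'; that quoting is
    what keeps the header syntactically valid.
    """
    return formataddr(("%s <%s> via %s" % (realname, email, listname), list_addr))


def aligned(domain_a, domain_b):
    """Assumption: equal domains, or one a subdomain of the other, count as aligned."""
    a, b = domain_a.lower().rstrip("."), domain_b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def display_name_mismatch(from_value):
    """Return display-name domains that do not align with the addr-spec domain."""
    display, addr = parseaddr(from_value)
    if "@" not in addr:
        return []  # nothing usable to compare against
    addr_domain = addr.rsplit("@", 1)[1]
    seen = []
    for match in ADDR_IN_TEXT.finditer(display):
        domain = match.group(1).lower()
        if not aligned(domain, addr_domain) and domain not in seen:
            seen.append(domain)
    return seen


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    # Address in the display name, list address as addr-spec: flagged.
    munged_from("Jane Q. Doe", "jane@example.com", "listname",
                "listname@lists.example.org"),
    # Plain "via listname" munging without the address: not flagged.
    '"Jane Doe via listname" <listname@lists.example.org>',
    # Display-name address in the same organisation: not flagged.
    '"Help Desk <help@example.org>" <bounces@mail.example.org>',
    # Unquoted comment form from the original question: flagged as well.
    "Jane Doe (jane@example.com) via listname <listname@lists.example.org>",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(display_name_mismatch(value) or "ok", "|", value)
```

A receiving filter that applies this kind of check treats the first and last samples the same way, so quoting the display name fixes the syntax problem but not the scoring problem.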


[Mailman-Users] DMARC handler

2014-06-21 Thread Ron Guerin
I'm struggling to find a palatable solution to the configuration of a
list, and the new Yahoo-style DMARC problem.

The list has mung on, as well as Reply-To: set to the list.  The end
result is nowhere does the original sender's address appear in the
messages, when having them readily visible is the desired behavior.

I was wondering about asking someone to make a Mailman handler that
would re-write the From: address after munging to:

Jane Doe (j...@example.com) via listname 

My question now is, is there any reason why re-writing it this way would
be a bad idea?

- Ron


[Mailman-Users] DMARC mung not munging in 2.1.16 (Debian)

2014-05-25 Thread Stephen J. Turnbull
Ron Guerin writes:

 > With great sadness, I'm trying to deal with the DMARC problem certain
 > providers have decided to create for everyone else, and for some reason,
 > even after turning the mung option on in the web interface, there's no
 > munging going on. (wrap doesn't wrap either)
 > 
 > I have ALLOW_FROM_IS_LIST = Yes in mm_cfg.py . I have restarted Mailman.

Debian has a habit of moving configuration files around.  On my
Debian system:

-rw-r--r-- 1 root root 4629 Apr 16 05:15 /etc/mailman/mm_cfg.py
lrwxrwxrwx 1 root root   22 Feb  3 22:33 /usr/lib/mailman/Mailman/mm_cfg.py -> /etc/mailman/mm_cfg.py

Figure out where your mm_cfg.py file or files are, make sure that the
one you're editing is the one that actually controls Mailman.



[Mailman-Users] DMARC mung not munging in 2.1.16 (Debian)

2014-05-24 Thread Ron Guerin
With great sadness, I'm trying to deal with the DMARC problem certain
providers have decided to create for everyone else, and for some reason,
even after turning the mung option on in the web interface, there's no
munging going on. (wrap doesn't wrap either)

I have ALLOW_FROM_IS_LIST = Yes in mm_cfg.py . I have restarted Mailman.

Am I doing something wrong?

- Ron


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-13 Thread Stephen J. Turnbull
Mark Sapiro writes:
 > On 05/12/2014 01:25 AM, Stephen J. Turnbull wrote:
 > > 
 > > How about multipart/alternative:
 > > 
 > > message header
 > > multipart/alternative
 > > 
 > > part header
 > > message/rfc822    # original message in all its glory
 > > 
 > > part header
 > > 
 > 
 > 
 > Interesting idea, but I think the part order is reversed. The simplest,
 > most universally readable part is supposed to be first with parts of
 > increasing complexity coming later.

That's precisely the point.  Most MUAs choose to display the *last*
form that they understand, but there's no guarantee that they'll
understand earlier ones, so they should (but see below) keep trying.

As Bugs Bunny says, "Eh-he-he-eh, ain' I a stinka?!" ;-)

 > > Then amend the existing MIME RFCs to say that MUAs SHOULD (MAY?)
 > > simply display the original message in some appropriate way.  No?
 > 
 > I really wonder if that would help. Section 5.2 of RFC 2046 [...].
 > While this doesn't explicitly say MUAs SHOULD or MAY simply display the
 > original message in some appropriate way, it certainly conveys that
 > sentiment to me, yet here we are over 17 years later with apparently
 > some mainstream MUAs that don't do that.

I know, but what can we do?  There are very few of us who could get
away with telling our subscribers, "well, then, get a *real* MUA!!",
and even fewer who can do that, and want to.



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-12 Thread Mark Sapiro
On 05/12/2014 01:25 AM, Stephen J. Turnbull wrote:
> 
> How about multipart/alternative:
> 
> message header
> multipart/alternative
> 
> part header
> message/rfc822    # original message in all its glory
> 
> part header
> 


Interesting idea, but I think the part order is reversed. The simplest,
most universally readable part is supposed to be first with parts of
increasing complexity coming later.


>  > Perhaps a new Content-Type such as message/wrapped
> 
> AFAICS this is completely unnecessary?
> 
> message header
> Content-Type: message/rfc822
> 
> original message header
> original message body    # or cooked if you prefer


Which is essentially what the Wrap Message action does now.


> Then amend the existing MIME RFCs to say that MUAs SHOULD (MAY?)
> simply display the original message in some appropriate way.  No?


I really wonder if that would help. Section 5.2 of RFC 2046 doesn't say
exactly that, but it does contain this note:

   NOTE:  It has been suggested that subtypes of "message" might be
   defined for forwarded or rejected messages.  However, forwarded and
   rejected messages can be handled as multipart messages in which the
   first part contains any control or descriptive information, and a
   second part, of type "message/rfc822", is the forwarded or rejected
   message.  Composing rejection and forwarding messages in this manner
   will preserve the type information on the original message and allow
   it to be correctly presented to the recipient, and hence is strongly
   encouraged.

A couple of things are significant in that. It basically agrees with
Stephen that message/wrapped is unnecessary, but it also says the
message/rfc822 type "will preserve the type information on the original
message and allow it to be correctly presented to the recipient".

While this doesn't explicitly say MUAs SHOULD or MAY simply display the
original message in some appropriate way, it certainly conveys that
sentiment to me, yet here we are over 17 years later with apparently
some mainstream MUAs that don't do that.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Mark Sapiro
On 05/09/2014 07:27 PM, Richard Damon wrote:

> But the wrapped message could pass the DMARC DKIM signature check, if it
> exactly matches the message that came from Yahoo/AOL. (which the
> phish won't). This says that the List Headers, modified subject, list
> headers and footers should be added to the wrapping message, not the
> wrapped message, which also says that the MUA shouldn't throw this away,
> but combine these with the original message (but in a way that makes it
> clear which is which).


Just for the record, this is how the Wrap Message action is implemented
in Mailman. I.e. all the stuff Richard mentions is done to the outer
message, not to the message/rfc822 part that is the original message.
The one exception that will break DKIM is content filtering which by
necessity is applied to the original message before it's wrapped. This
is a big one, because I suspect almost all messages from Yahoo users are
multipart/alternative to begin with (and has anyone else noticed what a
horrible job Yahoo does in making the text/plain alternative, but I
digress ...), and many lists collapse alternatives so the DKIM sig will
be broken.

That notwithstanding, as Stephen and others have mentioned, the MUAs to
deal with this are not here and are unlikely to be here anytime soon.

-- 
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
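The behaviour described in the message above, wrapping versus content filtering, as an added example (not Mailman's code and not part of the original post). It compares only the DKIM body hash (`bh=`, SHA-256 with "simple" body canonicalization), not the signed header fields; the sample post, the outer headers, the addresses and the function names are constructed assumptions.

```python
import base64
import hashlib
from email import message_from_bytes

# Constructed multipart/alternative post from a poster whose domain signs with DKIM.
ORIGINAL = (
    b"From: Jane Doe <jane@poster.example>\r\n"
    b"To: listname@lists.example.org\r\n"
    b"Subject: hello\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Plain text body.\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<p>HTML body.</p>\r\n"
    b"--b1--\r\n"
)


def dkim_body_hash(raw):
    """Body hash as DKIM computes it for sha256 with 'simple' canonicalization."""
    body = raw.partition(b"\r\n\r\n")[2]
    while body.endswith(b"\r\n\r\n"):  # ignore empty lines at the end of the body
        body = body[:-2]
    if not body.endswith(b"\r\n"):     # an empty or unterminated body gets one CRLF
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def wrap_message(original, list_addr, list_id):
    """Put list decorations on an outer message; the original rides inside untouched."""
    outer_headers = (
        "From: %s\r\n"
        "Subject: [listname] hello\r\n"
        "List-Id: <%s>\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: message/rfc822\r\n"
        "\r\n" % (list_addr, list_id)
    ).encode("ascii")
    return outer_headers + original


def unwrap(wrapped):
    """Return the inner message bytes exactly as the list received them."""
    outer = message_from_bytes(wrapped)
    if outer.get_content_type() != "message/rfc822":
        raise ValueError("not a wrapped message")
    # Slice the bytes rather than re-serializing the parsed part, so the
    # result is byte-for-byte the original and can be hashed reliably.
    return wrapped.partition(b"\r\n\r\n")[2]


def visible_from(wrapped):
    """Return (outer From:, inner From:) to show which address sits where."""
    outer = message_from_bytes(wrapped)
    return outer["From"], outer.get_payload(0)["From"]


def collapse_alternatives(original):
    """Stand-in for content filtering: keep only the text/plain alternative."""
    msg = message_from_bytes(original)
    if msg.get_content_type() != "multipart/alternative":
        return original
    plain = next(p for p in msg.get_payload() if p.get_content_type() == "text/plain")
    text = plain.get_payload(decode=True).decode("ascii")
    del msg["Content-Type"]
    msg["Content-Type"] = 'text/plain; charset="us-ascii"'
    msg.set_payload(text)
    return msg.as_bytes(policy=msg.policy.clone(linesep="\r\n"))


if __name__ == "__main__":
    wrapped = wrap_message(ORIGINAL, "listname@lists.example.org",
                           "listname.lists.example.org")
    print("outer/inner From:", visible_from(wrapped))
    print("original bh :", dkim_body_hash(ORIGINAL))
    print("wrapped bh  :", dkim_body_hash(unwrap(wrapped)))
    print("filtered bh :", dkim_body_hash(collapse_alternatives(ORIGINAL)))
```

The wrapped copy keeps the original body hash, while collapsing the alternatives before wrapping produces a different one, which is the case the message singles out as breaking the signature.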


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Stephen J. Turnbull
Richard Damon writes:
 > On 5/9/14, 10:13 PM, John Levine wrote:

 > > The correct response is either for senders to stop publishing DMARC
 > > policies that don't match the way their users use mail (fat chance),
 > > or for recipient systems to skip the DMARC checks on mail from sources
 > > that are known to send mail that recipients want but that doesn't
 > > match DMARC's narrow authentication model, e.g., mailing lists and the
 > > Wall Street Journal's mail-an-article button.

GMail is already doing this, although we don't know the algorithm
precisely.  If GMail continues and others join, ostracism of providers
who continue to use inflexible bouncing policies instead of smart
filters becomes more plausible.

I know that's not satisfactory for people whose lists are populated by
AOL and Yahoo users, but I don't know what to say to them.  Their
users are DoS'ing their mailing lists with their addresses, even if
they don't know it.

 > But the wrapped message could pass the DMARC DKIM signature check, if it
 > exactly matches the message that came from Yahoo/AOL. (which the
 > phish won't). This says that the List Headers, modified subject, list
 > headers and footers should be added to the wrapping message, not the
 > wrapped message, which also says that the MUA shouldn't throw this away,
 > but combine these with the original message (but in a way that makes it
 > clear which is which).

Sure (and that is what I intended when I suggested wrapping in the
first place), but (a) MUAs don't support DMARC yet, and all the signs
say that the yahoos will deliberately delay implementing MUAs that do,
and (b) many MUAs don't support wrapped messages well at all.

As John put it,

 >> Failing that, all we have left is hacks, none of which are
 >> satisfactory.

We'll see how the on-going talks at the IETF go.  Some results should
be forthcoming "shortly" (that's hearsay, and I can't say any more
because that's exactly what I was told by a source close to the center
of the process).



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Stephen J. Turnbull
Lindsay Haisley writes:

 > A nice fix, albeit probably total pie-in-the-sky, would be the
 > establishment of a MIME Content-Type: multipart/list-post, a variation
 > on (or extension of) multipart/mixed.  MUAs SHOULD (in the RFC 2119 sense)
 > effectively hide the outermost enclosing MIME envelope with this
 > Content-Type and present the contents according to rules that would
 > apply were the enclosing MIME envelope not there.  As far as the mail
 > system is concerned, the headers on the envelope are the effective ones.
 > As far as the MUA is concerned, for presentation purposes, the envelope
 > content is what counts.

The problem is that the DMARC people don't give a damn about the mail
system (and the PHBs behind the actions at Yahoo and AOL could care
less in both senses, apparently).  They're entirely concerned with
presentation.

And the technicians who designed DMARC are *right* to be concerned
about presentation, because it is presentation that the crooks use to
hook their prey.  In other words, if we come up with a way to present
mail that doesn't bear their signature[1] "as if" it came straight
from one of their domains, that can be abused by the crooks.

When (not if!) that abuse happens, the forces behind DMARC will come
back and say "O no!  You can't do THAT!"  And they (the PHBs,
I mean) will break the system again ... and again ... and again.

So, unfortunately, I think there is *no* fix based on presentation.
The only real fix is users who are sophisticated enough to avoid
spammers, which can't be perfect (some people just aren't, and
everybody slips occasionally), but can certainly be enhanced by better
filters.

Well, there's that other fix, the one that involves lists as we love
them joining the dinosaurs. :-(

All-hail-Dave-Hayes-and-the-AI-newsreader!-ly y'rs,



Footnotes: 
[1]  Any list that isn't a pure address exploder will be unable to
maintain the signature.



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Richard Damon
On 5/9/14, 10:13 PM, John Levine wrote:
>> Arguably, the correct response to DMARC filtering _should_ be the MIME
>> encapsulation of list mail, with appropriate RFC 2369 headers added to
>> the enclosing MIME structure leaving the content un-munged, with all
>> information from the original poster intact.  Arguably, MUAs should be
>> transparent to this.  Arguably, this would have been the best design for
>> the operation of mailing lists in email-space from the git-go.
> Unfortunately, this argument falls over when you note that spammers
> and phishers can encapsulate their paypal.com phishes and add list
> headers, too.  
>
> The correct response is either for senders to stop publishing DMARC
> policies that don't match the way their users use mail (fat chance),
> or for recipient systems to skip the DMARC checks on mail from sources
> that are known to send mail that recipients want but that doesn't
> match DMARC's narrow authentication model, e.g., mailing lists and the
> Wall Street Journal's mail-an-article button.
>
> Failing that, all we have left is hacks, none of which are satisfactory.
>
> R's,
> John
>
But the wrapped message could pass the DMARC DKIM signature check, if it
exactly matches the message that came from Yahoo/AOL. (which the
phish won't). This says that the List Headers, modified subject, list
headers and footers should be added to the wrapping message, not the
wrapped message, which also says that the MUA shouldn't throw this away,
but combine these with the original message (but in a way that makes it
clear which is which).

-- 
Richard Damon



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread John Levine
>Arguably, the correct response to DMARC filtering _should_ be the MIME
>encapsulation of list mail, with appropriate RFC 2369 headers added to
>the enclosing MIME structure leaving the content un-munged, with all
>information from the original poster intact.  Arguably, MUAs should be
>transparent to this.  Arguably, this would have been the best design for
>the operation of mailing lists in email-space from the git-go.

Unfortunately, this argument falls over when you note that spammers
and phishers can encapsulate their paypal.com phishes and add list
headers, too.  

The correct response is either for senders to stop publishing DMARC
policies that don't match the way their users use mail (fat chance),
or for recipient systems to skip the DMARC checks on mail from sources
that are known to send mail that recipients want but that doesn't
match DMARC's narrow authentication model, e.g., mailing lists and the
Wall Street Journal's mail-an-article button.

Failing that, all we have left is hacks, none of which are satisfactory.

R's,
John



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Lindsay Haisley
On Sat, 2014-05-10 at 04:01 +0900, Stephen J. Turnbull wrote:
> Lindsay Haisley writes:
> 
>  > What goes into an address comment is, or should be, purely
>  > informational on a human level, and ignored on a computational
>  > level.
> 
> Unfortunately, we can't depend on that:

The operational term is "or should be" :/

> DMARC draft, sec. 15.2.  This is discussion of matters outside the
> scope of DMARC itself, not a normative specification, and the document
> itself says there are legitimate uses of email addresses in display
> names (or comments).  But that hasn't stopped the spam-fighters in the
> past; it may not stop them this time.  AFAICS, putting an address from
> a DMARC domain anywhere in the mail leaves you subject to a possible
> DMARC reject unless you satisfy "from alignment" for that domain
> exactly as specified in DMARC.
> 
> That's not implemented by anyone now, and may never be.  And
> obfuscating the address as in the OP may help, but for my previous
> work address that would be
> 
> stephen dot turnbull dot 1 at econ dot ohio-state dot edu
> 
> which is 57 characters.  You pays your money and you takes your
> choice, I guess.

DMARC is ugly, as AOL and Yahoo are using it.  From: header munging is
ugly.  Ugly begets ugly when agreements start to break down.  All we can
do is ride with it and hope that smart people with cool heads and a
sense of the real value of a smoothly working Internet to the larger
community will ultimately prevail.  I'm not overly optimistic at this
point.  AFAICS, this is just another aspect of the general abandonment of
net neutrality, one which has come in under the radar of the nightly
news.

A nice fix, albeit probably total pie-in-the-sky, would be the
establishment of a MIME Content-Type: multipart/list-post, a variation
on (or extension of) multipart/mixed.  MUAs SHOULD (in the RFC 2119 sense)
effectively hide the outermost enclosing MIME envelope with this
Content-Type and present the contents according to rules that would
apply were the enclosing MIME envelope not there.  As far as the mail
system is concerned, the headers on the envelope are the effective ones.
As far as the MUA is concerned, for presentation purposes, the envelope
content is what counts.

-- 
Lindsay Haisley   | "Everything works if you let it"
FMP Computer Services |
512-259-1190  | - The Roadie
http://www.fmp.com|




Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Stephen J. Turnbull
Lindsay Haisley writes:

 > What goes into an address comment is, or should be, purely
 > informational on a human level, and ignored on a computational
 > level.

Unfortunately, we can't depend on that:

   There are a few possible mechanisms that attempt mitigation of
   [display name] attacks, such as:

   o  If the display name is found to include an email address (as
  specified in [MAIL]), execute the DMARC mechanism on the domain
  name found there rather than the domain name discovered
  originally.

DMARC draft, sec. 15.2.  This is discussion of matters outside the
scope of DMARC itself, not a normative specification, and the document
itself says there are legitimate uses of email addresses in display
names (or comments).  But that hasn't stopped the spam-fighters in the
past; it may not stop them this time.  AFAICS, putting an address from
a DMARC domain anywhere in the mail leaves you subject to a possible
DMARC reject unless you satisfy "from alignment" for that domain
exactly as specified in DMARC.

That's not implemented by anyone now, and may never be.  And
obfuscating the address as in the OP may help, but for my previous
work address that would be

stephen dot turnbull dot 1 at econ dot ohio-state dot edu

which is 57 characters.  You pays your money and you takes your
choice, I guess.
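
The receiver-side heuristic quoted above from the DMARC draft (sec. 15.2), sketched as an added example that is not part of Stephen's message or of any real filter. The function names, the regular expression and the `.example` sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# A literal addr-spec inside free text; deliberately conservative.
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})")

# Constructed From: headers covering the forms discussed in the thread.
SAMPLES = {
    "literal_in_display_name":
        '"pat@dmarc-reject.example via Example-List" <example-list@lists.example>',
    "literal_in_comment":
        "example-list@lists.example (pat@dmarc-reject.example via Example-List)",
    "obfuscated_at_dot":
        '"pat at dmarc-reject dot example via Example-List" <example-list@lists.example>',
    "name_only":
        "Pat Poster via Example-List <example-list@lists.example>",
}


def domains_to_evaluate(from_header):
    """Return (header_domain, other domains named in the display name or comment)."""
    display, addr = parseaddr(from_header)   # an RFC 5322 comment is returned as the name
    header_domain = addr.rpartition("@")[2].lower()
    named = []
    for match in ADDR_IN_TEXT.finditer(display):
        domain = match.group(1).lower()
        if domain != header_domain and domain not in named:
            named.append(domain)
    return header_domain, named


def dmarc_domain_per_heuristic(from_header):
    """Domain a receiver applying the sec. 15.2 heuristic would run DMARC on."""
    header_domain, named = domains_to_evaluate(from_header)
    return named[0] if named else header_domain


def classify_samples():
    return {label: dmarc_domain_per_heuristic(h) for label, h in SAMPLES.items()}
```

A list whose munged From: carries the poster's literal address in the display name or comment would be evaluated against the poster's domain again under this heuristic, which is the risk the message describes.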



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-09 Thread Lindsay Haisley
On Thu, 2014-05-08 at 15:42 -0400, Glenn Sieb wrote:
> If I felt what my users were asking for was unreasonable, I wouldn't
> have bothered to bring it here. They'd *like* to see who's posting so if
> they *choose* to reply privately they can. In the past, this was easy
> enough. The From: line was there with the OP's email address. Now, as
> far as I can tell, depending on the MUA the *poster* uses, there *might*
> be two Reply-Tos--one with the OP email, one with the list address. But
> that's not reliable, as it doesn't happen for ALL posters.
> 
> Hell, even a munged From: like:
> 
> "ges+lists at wingfoot dot org via Mailman-Users
> "
> 
> would be a vast improvement over:
> 
> "ges+lists--- via Mailman-Users "

I'm not as knowledgeable as Stephen or Mark, but I've been working with
Internet email since the early 90s or so and have read the founding
RFCs.  One of the principles underlying the design of the Internet email
system is that information should never be intentionally abandoned.
Nothing gets dumped into the cosmic bit bucket, neither header
information nor content, and NDRs and DSNs keep the sender apprised of
problems with delivery.  This has been a strong argument against munging
of Reply-To headers going back quite a few years.  Information may be
_added_ by a component in the delivery chain (and generally is) but not
deleted.

Arguably, the correct response to DMARC filtering _should_ be the MIME
encapsulation of list mail, with appropriate RFC 2369 headers added to
the enclosing MIME structure leaving the content un-munged, with all
information from the original poster intact.  Arguably, MUAs should be
transparent to this.  Arguably, this would have been the best design for
the operation of mailing lists in email-space from the git-go.

We're stuck in the Real World, however, where Apple and probably other
MUA authors and designers have cut corners in design and we're forced
into a corner where information loss of some sort is imposed on us.
From: header munging is decidedly ugly!  It's perhaps the least ugly
solution that still works reliably to deliver content to _everyone_ even
though the information loss limits choice on the receiving end.

Your suggested partial solution ("ges+lists at wingfoot dot org via
Mailman-Users ...") is also ugly, but given the situation we're in at
this point, IMHO it has merit and should be worth some consideration in
the design of Mailman.  What goes into an address comment is, or should
be, purely informational on a human level, and ignored on a
computational level.  Whether or not it would confuse people is
another matter.  It ain't the kinder, gentler Internet I jumped into
back in 1994!

-- 
Lindsay Haisley   | "Everything works if you let it"
FMP Computer Services |
512-259-1190  | - The Roadie
http://www.fmp.com|





Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-08 Thread Stephen J. Turnbull
Glenn Sieb writes:

 > Then please work on your phrasing.

That takes time and effort, which I will start saving right now.



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-08 Thread Mark Sapiro
On 05/08/2014 12:42 PM, Glenn Sieb wrote:
> 
> In the past, this was easy
> enough. The From: line was there with the OP's email address. Now, as
> far as I can tell, depending on the MUA the *poster* uses, there *might*
> be two Reply-Tos--one with the OP email, one with the list address. But
> that's not reliable, as it doesn't happen for ALL posters.


There will only be one Reply-To: header in outgoing mail from Mailman
per RFC 822/2822/5322.

With the DMARC mitigations, at least as of 2.1.18, this Reply-To: will
always contain the poster's original From: address. Depending on the
first_strip_reply_to and reply_goes_to_list settings of the list and
whether or not there was a Reply-To: in the incoming mail, it may
contain other addresses too. It will never contain duplicate addresses.

-- 
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
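
A simplified model of the Reply-To: behaviour described in the message above, added here as an illustration; it is not Mailman's CookHeaders.py. Only the setting names `first_strip_reply_to` and `reply_goes_to_list` come from the thread; the function names, the ordering of addresses and the `.example` sample post are assumptions.

```python
import email
from email.utils import formataddr, getaddresses, parseaddr

# Constructed sample post: the poster's own Reply-To: repeats their address
# (in different case) and adds a second address.
SAMPLE_POST = """\
From: Pat Poster <pat@dmarc-reject.example>
To: example-list@lists.example
Reply-To: Pat@DMARC-Reject.example, helpdesk@other.example
Subject: test

body
"""


def munge_from_and_reply_to(msg, list_name, list_addr,
                            first_strip_reply_to=False,
                            reply_goes_to_list="Poster",
                            explicit_addr=None):
    """Rewrite From: to the list and rebuild exactly one Reply-To: header."""
    poster_name, poster_addr = parseaddr(msg["From"])
    incoming = getaddresses(msg.get_all("Reply-To", []))

    candidates = []
    if not first_strip_reply_to:
        candidates.extend(incoming)                  # keep the poster's Reply-To:
    if reply_goes_to_list == "This list":
        candidates.append((list_name, list_addr))
    elif reply_goes_to_list == "Explicit address" and explicit_addr:
        candidates.append(("", explicit_addr))
    candidates.append((poster_name, poster_addr))    # always present when munging

    unique, seen = [], set()
    for name, addr in candidates:                    # drop case-insensitive duplicates
        if addr and addr.lower() not in seen:
            seen.add(addr.lower())
            unique.append((name, addr))

    del msg["From"]
    del msg["Reply-To"]                              # removes every existing copy
    shown = poster_name or poster_addr.split("@")[0]
    msg["From"] = formataddr((f"{shown} via {list_name}", list_addr))
    msg["Reply-To"] = ", ".join(formataddr(pair) for pair in unique)
    return msg


def reply_to_addresses(msg):
    """Lower-cased addresses found in the message's Reply-To: header(s)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all("Reply-To", []))]


def demo(**settings):
    """Run the model on the constructed post; returns (From, Reply-To list, header count)."""
    msg = email.message_from_string(SAMPLE_POST)
    out = munge_from_and_reply_to(msg, "Example-List",
                                  "example-list@lists.example", **settings)
    return out["From"], reply_to_addresses(out), len(out.get_all("Reply-To"))
```

With `first_strip_reply_to=True` and `reply_goes_to_list="This list"` the result holds two addresses, the list and the poster, which is the combination that collides with a low `max_num_recipients` elsewhere in this thread.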


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-08 Thread Glenn Sieb
It is not necessary to cc: me. I get list emails. Emails can go to the
list, unless you wish to take something private. Thank you.

On 5/7/14, 10:36 PM, Stephen J. Turnbull wrote:
> If you just want to vent, please say so.  I thought you were asking
> for help.

Then please work on your phrasing. You sounded very judgmental. "Are
you...*snip*...punishing them with a black hole" "They can always BCC
and you'll never know!"

They apparently set the max_num_recipients to 2 to help prevent spam
from making it onto the lists, as SA is fine and all, but is generally
crap for catching short URI spam.

And, again, what rules my list owners choose to have on their lists is
not my business, but frankly, I see nothing *wrong* with this, and it
makes a metric f*ckton of sense to me given the number of AOL and Yahoo
subscribers on some of the lists. Which makes this whole DMARC stuff
such an effing joke.

> If you want help, then the questions I asked are essential to doing a
> good job for your list owners.  There are two reasons for that.

If I felt what my users were asking for was unreasonable, I wouldn't
have bothered to bring it here. They'd *like* to see who's posting so if
they *choose* to reply privately they can. In the past, this was easy
enough. The From: line was there with the OP's email address. Now, as
far as I can tell, depending on the MUA the *poster* uses, there *might*
be two Reply-Tos--one with the OP email, one with the list address. But
that's not reliable, as it doesn't happen for ALL posters.

Hell, even a munged From: like:

"ges+lists at wingfoot dot org via Mailman-Users "

would be a vast improvement over:

"ges+lists--- via Mailman-Users "


Best,
--Glenn



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-08 Thread Jim Popovitch
On Thu, May 8, 2014 at 11:44 AM, Stephen J. Turnbull  wrote:
> Joseph Brennan writes:
>  >
>  > "Stephen J. Turnbull"  wrote:
>  >
>  > >  > Honestly, they (one of the principal DMARC spec authors works for
>  > >  > Yahoo) ignored their own advice, imagine how well that would go
>  > >  > over in some other industries.
>
> I didn't write that, and I dissent from the implied sentiment.

I wrote it, and I have no idea why you need to sound like a lawyer
just to tell someone you didn't write something.  :-)   Or at least
you could have just said "Jim wrote that, not me"  :-)

-Jim P.


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-08 Thread Stephen J. Turnbull
Joseph Brennan writes:
 > 
 > "Stephen J. Turnbull"  wrote:
 > 
 > >  > Honestly, they (one of the principal DMARC spec authors works for
 > >  > Yahoo) ignored their own advice, imagine how well that would go
 > >  > over in some other industries.

I didn't write that, and I dissent from the implied sentiment.

Cheers



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-08 Thread Joseph Brennan


"Stephen J. Turnbull"  wrote:


 > Honestly, they (one of the principal DMARC spec authors works for
 > Yahoo) ignored their own advice, imagine how well that would go
 > over in some other industries.


Let's not overlook Agari, which has a financial stake in offering a 
solution to the problem they helped create. Notice how many dmarc domains 
direct the reports to agari, from which, for a fee, they will get nice 
reports and metrics for their CIO to show around, reports that will show 
how many times their domain was "faked". Agari has an interest in making 
those numbers big, and mailing lists help them do it. The Agari web page 
boasts how many users they "protect", and it features the kind of slick 
writing that impresses people who don't know nuts and bolts.


One of the great failings on Yahoo's part was introducing a Change without 
notice to those affected, not even their own customers (to my knowledge). 
Even sloppy business owners should know not to do that.


Agari introduced "Agari PRO" April 1. Dmarc was pulled from standards track 
April 2. Yahoo implemented dmarc April 4. What was the rush?




Let's have some perspective: nobody died this time.


So true. In 100 years who will know the difference.


Joseph Brennan
Manager, Email and Systems Applications
Columbia University Information Technology






Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-07 Thread Stephen J. Turnbull
Jim Popovitch writes:
 > On Wed, May 7, 2014 at 6:47 PM, Mark Sapiro  wrote:
 > > We are trying to talk with DMARC proponents,
 > 
 > You won't be successful until those people themselves figure out what
 > they are doing

That's true, but those folks (or, more accurately, their bosses) have
their shorts in a knot over the recent attacks.  I don't have a lot of
sympathy for the corporations which have a long history of half-baked
implementations, but our best bet is to help them figure it out.

 > (and then they agree to quit using the Internet as a testbed)  :-)

But there is no other.  I can't really blame them for eventually going
live, I just wish they tried harder to work and play well with others.

 > Honestly, they (one of the principal DMARC spec authors works for
 > Yahoo) ignored their own advice, imagine how well that would go
 > over in some other industries.

Happens all the time.  Ford Pinto gas tanks, space shuttle O-rings,
the list goes on.  Let's have some perspective: nobody died this time.
And I doubt the principal authors ignored their own advice; some PHB
did it.


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-07 Thread Stephen J. Turnbull
Glenn Sieb writes:

 > What my list owners want out of my lists, and what rules they
 > decide on for their lists, is not my business. By extension, it is
 > not yours.

If you just want to vent, please say so.  I thought you were asking
for help.

If you want help, then the questions I asked are essential to doing a
good job for your list owners.  There are two reasons for that.

(1) Users often request a feature that they believe accomplishes a
certain goal, but it does not.  All too often implementing that
feature does not satisfy their need, with attendant frustration
all around.  Letting the developer design the feature to achieve
the goal often (although not always) does a better job of
satisfying needs.

(2) Often either the current implementation of the program or the
nature of the world means that not all needs can be satisfied, and
a compromise must be suggested.  Knowing the goals (reasons why)
can help the designer suggest a better (accomplishes more goals
more fully) or more palatable (emphasizes more important goals)
compromise.

See my dialog with Peter Shute for an example of how such design can
succeed.  It's rare that we get 95%[1] success that way because of (2),
but my lack of understanding of his lists' requirements displayed at
the start is the usual case.

 > I'm just trying to see if there are better options out there.

And I'm just trying to understand what "better" means to you and your
list owners and subscribers.


Footnotes: 
[1]  Not yet 100% success because of the increased resource
requirement, which can be a blocker.



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-07 Thread Jim Popovitch
On Wed, May 7, 2014 at 6:47 PM, Mark Sapiro  wrote:
> We are trying to talk with DMARC proponents,

You won't be successful until those people themselves figure out what
they are doing (and then they agree to quit using the Internet as a
testbed)  :-)   Honestly, they (one of the principal DMARC spec
authors works for Yahoo) ignored their own advice, imagine how well
that would go over in some other industries.

-Jim P.


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-07 Thread Mark Sapiro
On 05/07/2014 12:45 PM, Glenn Sieb wrote:
> 
> It's ridiculous. And I want to know why, exactly, Yahoo Groups isn't
> being affected by this. They're not doing the "via YahooGroup" bit, or
> wrapping their mails. :-\ I'm betting they're not even honoring the
> DMARC from other providers.


Yahoo groups doesn't have problems with mail From: yahoo.com because
they send the mail with envelope from ...@returns.groups.yahoo.com which
passes SPF and aligns with the domain in From:, but the interesting
question is what do they do with a post From: aol.com. I haven't had
time to test that yet.

Note that google groups does the same From: munging that Mailman does,
and only for From: domains that publish DMARC p=reject.


> *sigh* I hate this frustration.


So do we all. The Mailman development community resents as much as
anyone being forced into this "here's what *we're* doing, now *you* have
to figure out how to deal with it" bind, but that's where we are. We are
trying to talk with DMARC proponents, and we're trying to figure out how
to mitigate the effects with the least possible disruption to users and
to long term, established standards and practices.

-- 
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan
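
The SPF identifier alignment described in the message above, worked through as an added example that is not part of Mark's message. The mini public-suffix set, the function names and `lists.example` are assumptions; the scenarios also assume the poster's DKIM signature does not survive list processing, so only SPF alignment decides the outcome.

```python
# Constructed mini public-suffix set; real receivers use the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "example"}


def organizational_domain(domain):
    """Public suffix plus one label, e.g. returns.groups.yahoo.com -> yahoo.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):                 # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])                 # unknown suffix: assume one label


def aligned(authenticated_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    if mode == "s":
        return authenticated_domain.lower() == from_domain.lower()
    return (organizational_domain(authenticated_domain)
            == organizational_domain(from_domain))


def dmarc_evaluate(from_domain, policy, spf_pass, mail_from_domain,
                   dkim_pass=False, dkim_domain=None, aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM both passes and aligns with the From: domain."""
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain, aspf)
    dkim_ok = (bool(dkim_pass and dkim_domain)
               and aligned(dkim_domain, from_domain, adkim))
    if spf_ok or dkim_ok:
        return "pass"
    return "fail, apply p=" + policy


def scenarios():
    return {
        # Yahoo Groups relaying its own user: envelope is a subdomain of From:.
        "yahoo_groups_own_user": dmarc_evaluate(
            "yahoo.com", "reject", True, "returns.groups.yahoo.com"),
        # The same mail if the domain demanded strict SPF alignment (aspf=s).
        "own_user_strict_aspf": dmarc_evaluate(
            "yahoo.com", "reject", True, "returns.groups.yahoo.com", aspf="s"),
        # The open question in the message: an unmunged post From: aol.com.
        "yahoo_groups_aol_poster_unmunged": dmarc_evaluate(
            "aol.com", "reject", True, "returns.groups.yahoo.com"),
        # A third-party list relaying with From: left untouched.
        "list_unmunged": dmarc_evaluate(
            "yahoo.com", "reject", True, "lists.example"),
        # The same list after From: munging: From: is now the list's own domain.
        "list_munged_from": dmarc_evaluate(
            "lists.example", "none", True, "lists.example"),
    }
```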


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-07 Thread Glenn Sieb
On 5/7/14, 12:08 AM, Stephen J. Turnbull wrote:
> What is the intent of the restriction?  Are you trying to get the
> users to use "reply to author" by punishing them with a black hole if
> they don't, and then set Reply-To to list-post so that nobody ever
> gets a personal reply?  Or is this intended to prevent people from
> including 3rd parties in the OP (of course, you can't -- they can
> always BCC and you'll never know)?

What my list owners want out of my lists, and what rules they decide on
for their lists, is not my business. By extension, it is not yours. I
provide them email lists, they ask for things that seem reasonable to
me. When those things suddenly are yanked away, they complain, and I'm
left holding the bag of trying to answer "why."

Your attempt to "explain away" the request by making it sound like some
kind of absurd policy is disingenuous at best.

> I suppose your users would get upset if you used
> dmarc_moderation_action = 'Wrap Message' instead of whichever_option =
> 'Mung From'?

Some use mobile devices. So there's the answer to that question.

> Given Mark's reply, probably you'll need to use a custom Handler,
> whatever the requirements.  Is that acceptable (ie, you have the
> necessary accesses)?  N.B. It's possible to restrict use of Handlers
> to particular lists by giving them list-specific pipelines.

I'm just trying to see if there are better options out there. This DMARC
stuff is ridiculous. The providers aren't being blamed for this, we (the
mailing-list providers) are. Doesn't help that the users on services
responsible for the DMARC p=reject stuff aren't getting the bounces,
it's other people whose ISPs are respecting it who are, and they're the
ones who get bounced off of lists because it's *their* bounce score that
gets increased.

It's ridiculous. And I want to know why, exactly, Yahoo Groups isn't
being affected by this. They're not doing the "via YahooGroup" bit, or
wrapping their mails. :-\ I'm betting they're not even honoring the
DMARC from other providers.

*sigh* I hate this frustration.

Best,
--Glenn


[Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-06 Thread Stephen J. Turnbull
Glenn Sieb writes:

 > So I updated to 2.1.18-1 today. Now we have a Reply-To that has the
 > poster's email and the list's email address.
 > 
 > A few of the lists I run block emails with more than one recipient, so
 > now this is going to be an adventure. (Ok, more like a nightmare, as
 > right now it appears my choices are "make reply-to only the list"
 > ("anonymous_list") or "make reply-to the poster and the list.")

What is the intent of the restriction?  Are you trying to get the
users to use "reply to author" by punishing them with a black hole if
they don't, and then set Reply-To to list-post so that nobody ever
gets a personal reply?  Or is this intended to prevent people from
including 3rd parties in the OP (of course, you can't -- they can
always BCC and you'll never know)?

I suppose your users would get upset if you used
dmarc_moderation_action = 'Wrap Message' instead of whichever_option =
'Mung From'?

Given Mark's reply, probably you'll need to use a custom Handler,
whatever the requirements.  Is that acceptable (ie, you have the
necessary accesses)?  N.B. It's possible to restrict use of Handlers
to particular lists by giving them list-specific pipelines.

Steve


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-06 Thread Barry Warsaw
On May 06, 2014, at 05:17 PM, Glenn Sieb wrote:

>Fair enough. So, basically I'm fsck'd. Set the lists to be
>"anonymous_list" or set an explicit reply-to to be the lists and hope
>that strips out the extraneous reply-to entry.

Yes, and sadly it's forced on us by external policies.

I must admit that I'm sympathetic to John Levine's solution over in
mailman-developers.  His implementation adds `.invalid` to the domain in the
From header.  Yes it breaks the standards and you'd still have to explicitly
modify the headers in the reply (the ease of which depends on your MUA), but
it avoids tricky interactions with the already fragile and overloaded Reply-To
header munging, and points the finger in the direction of the original problem.

I need to read that whole thread and think about it some more.  It's painfully
clear that DMARC as defined and implemented today is poison to mailing lists,
and it's a shame that you, our dear users, are the canaries.  I hope we can
have some constructive discussions with the DMARC advocates about how to
restore usability to mailing lists in a DMARC pervasive world.

Cheers,
-Barry



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-06 Thread Mark Sapiro
On 05/06/2014 02:52 PM, Russell Clemings wrote:
> Is the existing change (making sure the poster's address is in the
> reply-to) available in a patch? I checked launchpad but if it's there I
> couldn't find it. I'd like to see if I can apply it to 2.1.17 while
> waiting for cPanel to upgrade to 2.1.18.


The actual change is the CookHeaders.py diff at
,
but there are other changes in CookHeaders.py and other modules since
2.1.17 that impact this as well so you can't just apply that patch. In
fact, the stuff that's being changed isn't even there in 2.1.17.

It's very convoluted and fragile and touches things like new list
settings as well, and I don't know how it plays with cPanel's mods. It
would almost turn into a full upgrade to 2.1.18.

I'm advising you to not try it.


> FWIW, I'd vote against a rollback to the earlier behavior. I got several
> complaints about the poster's email address going missing. So I ended up
> setting first_strip_reply_to to "No," which of course is also a problem
> because I have max_num_recipients set pretty low (4).


Thanks for voting.

-- 
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-06 Thread Russell Clemings
Is the existing change (making sure the poster's address is in the
reply-to) available in a patch? I checked launchpad but if it's there I
couldn't find it. I'd like to see if I can apply it to 2.1.17 while waiting
for cPanel to upgrade to 2.1.18.

FWIW, I'd vote against a rollback to the earlier behavior. I got several
complaints about the poster's email address going missing. So I ended up
setting first_strip_reply_to to "No," which of course is also a problem
because I have max_num_recipients set pretty low (4).

rac


On Tue, May 6, 2014 at 2:48 PM, Mark Sapiro  wrote:

> On 05/06/2014 02:36 PM, Glenn Sieb wrote:
> > On 5/6/14, 5:31 PM, Mark Sapiro wrote:
>
> >> I could always add yet another setting, but I hate that idea for
> >> multiple reasons.
> >>
> >
> > Can there be an option somewhere in between "anonymous_list" and
> > "reply_goes_to_list?" One where it can strip the poster's email from the
> > reply-to, but leave the other headers alone?
>
>
> That's covered in my sentence above.
>
> Anyway, that's a decision for the next release, which hopefully isn't
> 'imminent'.
>
> --
> Mark Sapiro                          The highway is for gamblers,
> San Francisco Bay Area, California   better use your sense - B. Dylan


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-06 Thread Mark Sapiro
On 05/06/2014 02:36 PM, Glenn Sieb wrote:
> On 5/6/14, 5:31 PM, Mark Sapiro wrote:

>> I could always add yet another setting, but I hate that idea for
>> multiple reasons.
>>
> 
> Can there be an option somewhere in between "anonymous_list" and
> "reply_goes_to_list?" One where it can strip the poster's email from the
> reply-to, but leave the other headers alone?


That's covered in my sentence above.

Anyway, that's a decision for the next release, which hopefully isn't
'imminent'.

-- 
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-06 Thread Lindsay Haisley
On Tue, 2014-05-06 at 14:31 -0700, Mark Sapiro wrote:
> I am willing to consider changing this, either to treat Reply-To:
> differently for Wrap Message since the original headers are in the
> wrapped message in that case, or to just go back to not adding the
> poster's address to Reply-To: as in my initial paragraph above.
> 
> However, I need more feedback from the community before making changes.
> I could always add yet another setting, but I hate that idea for
> multiple reasons. 

It's ugly, but having yet another switch seems to me to be the only way
to handle this.  Having the poster's address in Reply-To: is the only
way to address the information loss implied by the necessary change to
the From: header, especially for MUAs that expose only the address
comment and not the actual address, and especially for subscribers who
are not technically inclined and wish to simply hit "reply" and get a
reply to the original author.

This _should_ be a matter of choice for list admins, even if it seems
that they're already overloaded with choices pursuant to addressing the
DMARC issue.  Until something better comes along, we're just going to
have to deal with it.

-- 
Lindsay Haisley   | "Everything works if you let it"
FMP Computer Services |
512-259-1190  |  --- The Roadie
http://www.fmp.com|



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-06 Thread Glenn Sieb
On 5/6/14, 5:31 PM, Mark Sapiro wrote:
> I went back and forth with this. Initially, if first_strip_reply_to was
> Yes and reply_goes_to_list was This list or Explicit address, I didn't
> put the poster's address in Reply-To:
> 
> I finally decided it was of overriding importance to expose the poster's
> address to enable off list (or non-list member) replies, and this
> warranted breaking the previous Reply-To: header munging options semantics.
> 
> I am willing to consider changing this, either to treat Reply-To:
> differently for Wrap Message since the original headers are in the
> wrapped message in that case, or to just go back to not adding the
> poster's address to Reply-To: as in my initial paragraph above.
> 
> However, I need more feedback from the community before making changes.
> I could always add yet another setting, but I hate that idea for
> multiple reasons.
> 

Can there be an option somewhere in between "anonymous_list" and
"reply_goes_to_list?" One where it can strip the poster's email from the
reply-to, but leave the other headers alone?

Best,
--Glenn



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-06 Thread Mark Sapiro
On 05/06/2014 02:17 PM, Glenn Sieb wrote:
> 
> Fair enough. So, basically I'm fsck'd. Set the lists to be
> "anonymous_list" or set an explicit reply-to to be the lists and hope
> that strips out the extraneous reply-to entry.


I went back and forth with this. Initially, if first_strip_reply_to was
Yes and reply_goes_to_list was This list or Explicit address, I didn't
put the poster's address in Reply-To:

I finally decided it was of overriding importance to expose the poster's
address to enable off list (or non-list member) replies, and this
warranted breaking the previous Reply-To: header munging options semantics.

I am willing to consider changing this, either to treat Reply-To:
differently for Wrap Message since the original headers are in the
wrapped message in that case, or to just go back to not adding the
poster's address to Reply-To: as in my initial paragraph above.

However, I need more feedback from the community before making changes.
I could always add yet another setting, but I hate that idea for
multiple reasons.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
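
The Reply-To behaviour discussed in this thread, as an added example that is not part of any post and is not Mailman's own code: a toy model of From munging that builds Reply-To under the earlier and the 2.1.18 rules described above, then counts the recipients of a plain reply against `max_num_recipients`. The addresses, the function names, the `always_add_poster` switch and the "held when the count reaches the ceiling" rule are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import formataddr, getaddresses

LIST_ADDR = "members@lists.example.org"  # constructed list address


def munge_from(msg, reply_goes_to_list, first_strip_reply_to, always_add_poster):
    """Toy model of from_is_list = Munge From, following the thread.

    always_add_poster=True models 2.1.18 as described (poster always in
    Reply-To); False models the earlier behaviour Mark describes.
    """
    name, poster = getaddresses([msg["From"]])[0]
    reply_to = [] if first_strip_reply_to else getaddresses(msg.get_all("Reply-To", []))
    if reply_goes_to_list == "this_list":
        reply_to.append(("", LIST_ADDR))
    # Earlier rule: with stripping on, the poster was added only for "Poster".
    skip = first_strip_reply_to and reply_goes_to_list != "poster"
    if (always_add_poster or not skip) and poster not in [a for _, a in reply_to]:
        reply_to.insert(0, (name, poster))
    out = EmailMessage()
    out["From"] = formataddr((f"{name} via Members", LIST_ADDR))
    out["To"] = LIST_ADDR
    if reply_to:
        out["Reply-To"] = ", ".join(formataddr(a) for a in reply_to)
    out["Subject"] = msg["Subject"]
    return out


def plain_reply_recipients(delivered):
    """Addresses a simple 'reply' targets: Reply-To if present, else From."""
    hdr = delivered.get_all("Reply-To") or delivered.get_all("From")
    return [addr for _, addr in getaddresses(hdr)]


def reply_would_be_held(delivered, max_num_recipients):
    # Assumption: a post is held when its recipient count reaches the
    # max_num_recipients ceiling, so 2 blocks "more than one recipient".
    return len(plain_reply_recipients(delivered)) >= max_num_recipients


def sample_post():
    msg = EmailMessage()  # constructed sample post
    msg["From"] = "Ann Poster <ann@dmarc-reject.example>"
    msg["To"] = LIST_ADDR
    msg["Subject"] = "hello"
    return msg
```
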


Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-06 Thread Glenn Sieb
On 5/6/14, 4:29 PM, Mark Sapiro wrote:
> Do you mean Privacy options... -> Recipient filters ->
> max_num_recipients = 2
> 
> If so, ouch, but what do you do now when people reply-all to posts?
> Don't those replies get held?

Indeed. They get rejected. Policy on a couple particular lists. No cc's,
no using the address on web-forms (i.e. "greeting card sites") etc.

> This is specifically advised against by the DMARC community. See the
> NOTE: in the Requirements: section at
> .

Fair enough. So, basically I'm fsck'd. Set the lists to be
"anonymous_list" or set an explicit reply-to to be the lists and hope
that strips out the extraneous reply-to entry.

Or, as you said above, "ouch" and having to deal with a metric crapton
of ID-10t users not cleaning up the To: line when they reply and dealing
with clearing the moderation queue since we can't edit posts held for
moderation easily.

Best,
--G.



Re: [Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-06 Thread Mark Sapiro
On 05/06/2014 12:47 PM, Glenn Sieb wrote:
> 
> So I updated to 2.1.18-1 today. Now we have a Reply-To that has the
> poster's email and the list's email address.
> 
> A few of the lists I run block emails with more than one recipient,


Do you mean Privacy options... -> Recipient filters ->
max_num_recipients = 2

If so, ouch, but what do you do now when people reply-all to posts?
Don't those replies get held?


> I wonder if this solution might be more helpful here--something like
> what Google Groups is doing. Changing the From line to this:
> 
> 'First Last ' via List Title
> 


This is specifically advised against by the DMARC community. See the
NOTE: in the Requirements: section at
.

-- 
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

2014-05-06 Thread Glenn Sieb
Greetings...

So I run a bunch of mailing lists, with a bunch of people who are not
technically adept whatsoever. ("I am not getting list posts!" "That's
because you set yourself to no mail" "What's no mail?" "It means you set
yourself to be a member of the list, but not to get any email from it."
"Oh that's good." "So we're good then?" "But why am I not getting any
emails from the list?" *headdesk*--yes this was an actual conversation
with a user.)

People are, of course, bitching about the from_is_list setting removing
the email addresses of people who are sending email to the lists. (And
people aren't quite understanding that it's helpful to sign one's
emails, etc.)

So I updated to 2.1.18-1 today. Now we have a Reply-To that has the
poster's email and the list's email address.

A few of the lists I run block emails with more than one recipient, so
now this is going to be an adventure. (Ok, more like a nightmare, as
right now it appears my choices are "make reply-to only the list"
("anonymous_list") or "make reply-to the poster and the list.")

I wonder if this solution might be more helpful here--something like
what Google Groups is doing. Changing the From line to this:

'First Last ' via List Title


This still shows the poster's email address (as the Real Name), which
makes it easier for people to reply privately if they choose, and still
addresses the DMARC issue.

Thoughts? Ideas?

Best,
--Glenn


Re: [Mailman-Users] DMARC From munging: Keep original sender

2014-05-02 Thread Ralf Jung
Hi,

> On 05/01/2014 08:05 AM, Mark Sapiro wrote:
>> On 05/01/2014 07:54 AM, Ralf Jung wrote:
>>>
>>> I just noticed that stripping reply-to headers was enabled on the list
>>> in question, and that this is not the default (as I originally thought
>>> it was - I wasn't the one who initially set up these lists). Stripping
>>> happens after From munging, so this explains my issue. After disabling
>>> stripping, the original sender remains in the Reply-To.
>>
>> I *think* it works as you expect in 2.1.18rc3, but I'll have to double
>> check.
> 
> 
> In 2.1.18rc3 with first_strip_reply_to = Yes and reply_goes_to_list =
> Poster, the poster's From: address is in Reply-To:, but not for the
> other settings of reply_goes_to_list. I'm changing it for the final so
> the poster's From: address will always be in Reply-To: when from_is_list
> is other than No.

Cool, thanks.

Kind regards
Ralf

