Re: [mailop] Mailing list with From header munging... and Outlook

[Jesse Thompson via mailop]

Yes! What you're saying about From header rewriting being necessary even in an 
ARC world, as well as what Jonathan says (in your link) about needing to 
swallow the bitter pill in regards to rewriting, is what I'm trying to convey.

BOD 18-01 put the line in the sand that 100% adoption of p=reject for .gov is 
the goal, even if the people who designed DMARC didn't anticipate mailbox 
hosters would be able to get there.  EDUs and enterprises are starting to 
follow suit.

Jesse

From: Alessandro Vesely
Sent: Saturday, March 16, 12:50 PM
Subject: Re: [mailop] Mailing list with From header munging... and Outlook
To: Brandon Long, Jesse Thompson
Cc: mailop@mailop.org


On Fri 15/Mar/2019 23:46:13 +0100 Brandon Long via mailop wrote:
> On Fri, Mar 15, 2019 at 2:54 PM Jesse Thompson via mailop wrote:
>>
>> As it stands now, these "conditional" issues are cropping up as unforeseen
>> or "poorly planned by IT".
>>>> Conditional rewriting seems to give a signal that 100% DMARC adoption by
>> all domain is not the intended goal.>
>
> From header rewriting for mailing lists is not without its draw backs, nor
> was it assumed at the start that DMARC was going to apply widely or have
> 100% adoption.  I'm still not sure if 100% adoption is the goal.>
> Also, we're working to mitigate the issue with mailing lists using ARC,
> though the path from here to there isn't completely clear. I'd say its less
> clear for mailing lists which start doing header rewriting, as at some point
> they'll have to determine whether or not its ok to stop rewriting, if ARC
> adoption is widespread enough... but those who jump straight to ARC,
> especially if they really really hate the rewriting, might maintain the
> status quo and be better off.

The issue with ARC is that it means nothing to small servers which don't track
domain reputation.  They can easily add ARC stuff on forwarding, but won't be
able to evaluate incoming chains which may be spoofed.  Hence, small servers
will have to lean on From: rewriting to honor DMARC.

Let me note that SPF and DKIM had the same "defect" of being meaningless
without assessments based on reputation tracking.  Wasn't that the reason why
DMARC was contrived?


> Its a matter of what pain is best.  No perfect solutions.


p=reject; pct=0;[*]

[*] http://lists.dmarc.org/pipermail/dmarc-discuss/2018-October/004183.html
(and the following thread)


Best
Ale
--







___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mailing list with From header munging... and Outlook

[Grant Taylor via mailop]

On 3/16/19 11:50 AM, Alessandro Vesely wrote:
The issue with ARC is that it means nothing to small servers which don't 
track domain reputation.  They can easily add ARC stuff on forwarding, 
but won't be able to evaluate incoming chains which may be spoofed. 
Hence, small servers will have to lean on From: rewriting to honor DMARC.


I think the same size problem is going to render ARC from small players 
equally useless.


At least it's my understanding that receiving systems have to have 
enough information (reputation) about a sending system to decide if they 
want to trust the ARC information or not.


I see now way that my small server will ever have enough information / 
reputation for it's ARC information to ever be trusted.




--
Grant. . . .
unix || die



smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mailing list with From header munging... and Outlook

[Alessandro Vesely]

On Fri 15/Mar/2019 23:46:13 +0100 Brandon Long via mailop wrote:
> On Fri, Mar 15, 2019 at 2:54 PM Jesse Thompson via mailop wrote:
>> 
>> As it stands now, these "conditional" issues are cropping up as unforeseen
>> or "poorly planned by IT".
 Conditional rewriting seems to give a signal that 100% DMARC adoption by
>> all domain is not the intended goal.>
> 
> From header rewriting for mailing lists is not without its draw backs, nor
> was it assumed at the start that DMARC was going to apply widely or have
> 100% adoption.  I'm still not sure if 100% adoption is the goal.>
> Also, we're working to mitigate the issue with mailing lists using ARC,
> though the path from here to there isn't completely clear. I'd say its less
> clear for mailing lists which start doing header rewriting, as at some point
> they'll have to determine whether or not its ok to stop rewriting, if ARC
> adoption is widespread enough... but those who jump straight to ARC,
> especially if they really really hate the rewriting, might maintain the
> status quo and be better off.

The issue with ARC is that it means nothing to small servers which don't track
domain reputation.  They can easily add ARC stuff on forwarding, but won't be
able to evaluate incoming chains which may be spoofed.  Hence, small servers
will have to lean on From: rewriting to honor DMARC.

Let me note that SPF and DKIM had the same "defect" of being meaningless
without assessments based on reputation tracking.  Wasn't that the reason why
DMARC was contrived?


> Its a matter of what pain is best.  No perfect solutions.


p=reject; pct=0;[*]

[*] http://lists.dmarc.org/pipermail/dmarc-discuss/2018-October/004183.html
(and the following thread)


Best
Ale
-- 






___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mailing list with From header munging... and Outlook

[Brandon Long via mailop]

On Fri, Mar 15, 2019 at 2:54 PM Jesse Thompson via mailop 
wrote:

> On 3/13/2019 10:53 PM, Paul Gear via mailop wrote:
> > On 12/3/19 11:48 pm, Jesse Thompson via mailop wrote:
> >> On 3/12/2019 1:50 AM, Benjamin BILLON wrote:
> >>> So, the question is rather why Jesse and Michael's messages contain a
> >>> Reply-To: header, and not yours.
> >>>
> >>> (What will my contain? Surprise surprise! Using Outlook)
> >> Well, splio.com publishes p=none, so this list isn't munging it, as
> >> expected.
> >>
> >> This is why I'm not a fan of conditional rewriting by mailing lists.  It
> >> just makes it confusing to troubleshoot issues like this, and ends up
> >> undermining DMARC stakeholder communication and complicating end-user
> >> support.
> >
> >
> > Are you saying that you'd rather have a mailing list always rewrite
> > DMARC, regardless of whether it's sending on behalf of a sender in a
> > DMARC-enabled domain, or something else?
>
> Yes.  It would allow the larger community to address these issues well
> in advance of each domain's DMARC adoption.
>
> As it stands now, these "conditional" issues are cropping up as
> unforeseen or "poorly planned by IT".
>
> Conditional rewriting seems to give a signal that 100% DMARC adoption by
> all domain is not the intended goal.
>

>From header rewriting for mailng lists is not without its draw backs, nor
was it assumed at the start that DMARC was going to
apply widely or have 100% adoption.  I'm still not sure if 100% adoption is
the goal.

Also, we're working to mitigate the issue with mailing lists using ARC,
though the path from here to there isn't completely clear.
I'd say its less clear for mailing lists which start doing header
rewriting, as at some point they'll have to determine whether or not
its ok to stop rewriting, if ARC adoption is widespread enough... but those
who jump straight to ARC, especially if they really really
hate the rewriting, might maintain the status quo and be better off.

Its a matter of what pain is best.  No perfect solutions.

There are those who are  implementing DMARC and intend to go to
p=quarantine/reject who would prefer maliing lists munged at p=none, so that
they have a cleaner signal.  OTOH, there are domains (*cough* gmail) which
don't have a plan to move beyond p=none at this point, so 

Brandon
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mailing list with From header munging... and Outlook

[Bill Cole]

On 15 Mar 2019, at 17:52, Jesse Thompson via mailop wrote:

Conditional rewriting seems to give a signal that 100% DMARC adoption 
by

all domain is not the intended goal.


Rewriting "From" headers for domains that publish a p=none DMARC record 
is needlessly user-hostile AND DMARC-hostile.


Of course, one could also argue that allowing Sendmail and Outlook in 
the same mail universe is DMARC-hostile...


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mailing list with From header munging... and Outlook

[Jesse Thompson via mailop]

On 3/13/2019 10:53 PM, Paul Gear via mailop wrote:
> On 12/3/19 11:48 pm, Jesse Thompson via mailop wrote:
>> On 3/12/2019 1:50 AM, Benjamin BILLON wrote:
>>> So, the question is rather why Jesse and Michael's messages contain a
>>> Reply-To: header, and not yours.
>>>
>>> (What will my contain? Surprise surprise! Using Outlook)
>> Well, splio.com publishes p=none, so this list isn't munging it, as
>> expected.
>>
>> This is why I'm not a fan of conditional rewriting by mailing lists.  It
>> just makes it confusing to troubleshoot issues like this, and ends up
>> undermining DMARC stakeholder communication and complicating end-user
>> support.
> 
> 
> Are you saying that you'd rather have a mailing list always rewrite
> DMARC, regardless of whether it's sending on behalf of a sender in a
> DMARC-enabled domain, or something else?

Yes.  It would allow the larger community to address these issues well 
in advance of each domain's DMARC adoption.

As it stands now, these "conditional" issues are cropping up as 
unforeseen or "poorly planned by IT".

Conditional rewriting seems to give a signal that 100% DMARC adoption by 
all domain is not the intended goal.

Jesse
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mailing list with From header munging... and Outlook

[Paul Gear via mailop]

On 12/3/19 11:48 pm, Jesse Thompson via mailop wrote:
> On 3/12/2019 1:50 AM, Benjamin BILLON wrote:
>> So, the question is rather why Jesse and Michael's messages contain a 
>> Reply-To: header, and not yours.
>>
>> (What will my contain? Surprise surprise! Using Outlook)
> Well, splio.com publishes p=none, so this list isn't munging it, as 
> expected.
>
> This is why I'm not a fan of conditional rewriting by mailing lists.  It 
> just makes it confusing to troubleshoot issues like this, and ends up 
> undermining DMARC stakeholder communication and complicating end-user 
> support.


Are you saying that you'd rather have a mailing list always rewrite
DMARC, regardless of whether it's sending on behalf of a sender in a
DMARC-enabled domain, or something else?

Thanks,
Paul



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mailing list with From header munging... and Outlook

[Jesse Thompson via mailop]

On 3/11/2019 5:44 PM, Michael Wise wrote:
> It does appear that it did it correctly with my first reply, … but this 
> reply has it just to you. Initially.

So, the behavior is inconsistent for you, as well?

Jesse


> 
> A screenshot of a cell phone Description automatically generated
> 
> Aloha,
> 
> Michael.
> 
> -- 
> 
> *Michael J Wise*
> MicrosoftCorporation| Spam Analysis
> 
> "Your Spam Specimen Has Been Processed."
> 
> Got the Junk Mail Reporting Tool 
> <http://www.microsoft.com/en-us/download/details.aspx?id=18275>?
> 
> *From:* mailop  *On Behalf Of *Jesse Thompson 
> via mailop
> *Sent:* Monday, March 11, 2019 3:24 PM
> *To:* mailop@mailop.org
> *Subject:* [mailop] Mailing list with From header munging... and Outlook
> 
> Hi all,
> 
> We're making a push to get mailing lists to implement header munging 
> because of gov domains adopting DMARC p=reject.
> 
> Does anyone know what's up with Outlook (Office 365 Pro Plus) when 
> "Reply All" is used?  When someone reply-alls to a munged message it 
> only composes a message to the Reply-to and the Cc, but ignores the From 
> (the list address is munged into the From header).  So, people need to 
> manually add the list address back if they want to reply-all back to the 
> list.  Outlook on the Web seems to currently work as expected (event 
> though I have a recollection that I triggered the problematic behavior 
> last week.)
> 
> Is there anything that can be done to trick Outlook into acting in the 
> way someone would expect with "Reply All"?  Munge the list address into 
> an additional Reply-to (I'm fairly certain that multiple Reply-to 
> headers are allowed)?  Munge it into the Cc header?
> 
> cid:61087ee7-0af8-4ce1-96a9-9e87d092fb64
> 
> Thanks,
> 
> Jesse
> 

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mailing list with From header munging... and Outlook

[Jesse Thompson via mailop]

On 3/12/2019 3:36 AM, Alessandro Vesely wrote:
> On Tue 12/Mar/2019 02:43:38 +0100 Neil Jenkins wrote:
>> On Tue, 12 Mar 2019, at 09:26, Jesse Thompson via mailop wrote:
>>> When someone reply-alls to a munged message it only composes a message to 
>>> the
>>> Reply-to and the Cc, but ignores the From (the list address is munged into
>>> the From header).
>>
>> That sounds exactly what I would expect for "Reply All"; it's certainly 
>> what's
>> implemented at FastMail.
>>
>>* Reply => message is "to" either the Reply-To address if specified,
>>  otherwise the From address.
>>* Reply All => Contents of To/Cc of message being replied to are also 
>> added
>>  to the new email (except for your address).
> 
> 
> I don't use Outlook, but most recent MUA interfaces also have:
> 
> * Reply-To-List => message is sent to the list, possibly after the
>   rfc2369 List-Post: header field.

That, in addition to being to reply in-line, are reasons are why I use 
Thunderbird when replying to mailing lists.

But I can't expect 150,000 normal end users to keep multiple clients 
running.  Mailing lists are prevalent in EDU, and most EDUs have been 
convinced to adopt Microsoft and Google's SaaS services, so our users 
are just along for the client experience that is given.


>> I would be very surprised to see a client add both the From and Reply-To
>> address as recipients on reply-all. Let's see what RFC5322 says
> 
> 
> Rfc5322 doesn't even mention List-* header fields, so it cannot say that it
> would be common sense if reply-all included all of the reply possibilities.
> 
> This topic is currently underspecified. A possibility could be to put multiple
> email addresses in the Reply-To: field, as noted in rfc7960:
> 
> 
>Use of the RFC5322.Reply-To
>header field can alleviate this problem depending on whether the
>Mailing List is configured to reply-to-list, reply-to-author, or
>reply-to-fixed-address; however, it is important to note that this
>header field can take multiple email addresses.
> https://tools.ietf.org/html/rfc7960#section-4.1.3.3

So, the solution is to convince Mailman and Google Groups (and every 
other mailing list server) to change their munging behavior to append to 
the Reply-to so that the Reply-to contains (1) the list address, (2) the 
original From address(es), and (3) the original Reply-to(s)?

I guess that seems less likely to happen than convincing Microsoft to 
add the Reply-to-list functionality.

Jesse
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mailing list with From header munging... and Outlook

[Alessandro Vesely]

On Tue 12/Mar/2019 02:43:38 +0100 Neil Jenkins wrote:
> On Tue, 12 Mar 2019, at 09:26, Jesse Thompson via mailop wrote:
>> When someone reply-alls to a munged message it only composes a message to the
>> Reply-to and the Cc, but ignores the From (the list address is munged into
>> the From header).
> 
> That sounds exactly what I would expect for "Reply All"; it's certainly what's
> implemented at FastMail.
> 
>   * Reply => message is "to" either the Reply-To address if specified,
> otherwise the From address.
>   * Reply All => Contents of To/Cc of message being replied to are also added
> to the new email (except for your address).


I don't use Outlook, but most recent MUA interfaces also have:

   * Reply-To-List => message is sent to the list, possibly after the
 rfc2369 List-Post: header field.


> I would be very surprised to see a client add both the From and Reply-To
> address as recipients on reply-all. Let's see what RFC5322 says


Rfc5322 doesn't even mention List-* header fields, so it cannot say that it
would be common sense if reply-all included all of the reply possibilities.

This topic is currently underspecified. A possibility could be to put multiple
email addresses in the Reply-To: field, as noted in rfc7960:


  Use of the RFC5322.Reply-To
  header field can alleviate this problem depending on whether the
  Mailing List is configured to reply-to-list, reply-to-author, or
  reply-to-fixed-address; however, it is important to note that this
  header field can take multiple email addresses.
   https://tools.ietf.org/html/rfc7960#section-4.1.3.3


Best
Ale
-- 








___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mailing list with From header munging... and Outlook

[Benjamin BILLON]

So, the question is rather why Jesse and Michael's messages contain a Reply-To: 
header, and not yours.
(What will my contain? Surprise surprise! Using Outlook)

While we're here blaming Outlook for things it might or might not do properly, 
it's simply insane that it let senders be impersonated in such an easy way:

[cid:image001.png@01D4D8A8.4D8A1F70]
(Subject's prefix and body's banner are due to a custom Exchange Transfer Rules 
in 0365, without it the message would have gone straight to inbox)

The headers are:

From: "no-re...@sharepointonline.com" 
To: 

There's no option in Outlook to display the sender's address along with (or 
instead of) the sender's name.

--
Benjamin

From: mailop  On Behalf Of Neil Jenkins
Sent: mardi 12 mars 2019 02:44
To: Mailop 
Subject: Re: [mailop] Mailing list with From header munging... and Outlook

On Tue, 12 Mar 2019, at 09:26, Jesse Thompson via mailop wrote:
When someone reply-alls to a munged message it only composes a message to the 
Reply-to and the Cc, but ignores the From (the list address is munged into the 
From header).

That sounds exactly what I would expect for "Reply All"; it's certainly what's 
implemented at FastMail.

  *   Reply => message is "to" either the Reply-To address if specified, 
otherwise the From address.
  *   Reply All => Contents of To/Cc of message being replied to are also added 
to the new email (except for your address).

I would be very surprised to see a client add both the From and Reply-To 
address as recipients on reply-all. Let's see what RFC5322 
says<https://tools.ietf.org/html/rfc5322#section-3.6.3>:


   When a message is a reply to another message, the mailboxes of the

   authors of the original message (the mailboxes in the "From:" field)

   or mailboxes specified in the "Reply-To:" field (if it exists) MAY

   appear in the "To:" field of the reply since these would normally be

   the primary recipients of the reply.  If a reply is sent to a message

   that has destination fields, it is often desirable to send a copy of

   the reply to all of the recipients of the message, in addition to the

   author.  When such a reply is formed, addresses in the "To:" and

   "Cc:" fields of the original message MAY appear in the "Cc:" field of

   the reply, since these are normally secondary recipients of the

   reply.

Yes, that sounds about right.

Neil.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mailing list with From header munging... and Outlook

[Neil Jenkins]

On Tue, 12 Mar 2019, at 09:26, Jesse Thompson via mailop wrote:
> When someone reply-alls to a munged message it only composes a message to the 
> Reply-to and the Cc, but ignores the From (the list address is munged into 
> the From header).

That sounds exactly what I would expect for "Reply All"; it's certainly what's 
implemented at FastMail.
 * Reply => message is "to" either the Reply-To address if specified, otherwise 
the From address.
 * Reply All => Contents of To/Cc of message being replied to are also added to 
the new email (except for your address).

I would be very surprised to see a client add both the From and Reply-To 
address as recipients on reply-all. Let's see what RFC5322 says 
:

   When a message is a reply to another message, the mailboxes of the
   authors of the original message (the mailboxes in the "From:" field)
   or mailboxes specified in the "Reply-To:" field (if it exists) MAY
   appear in the "To:" field of the reply since these would normally be
   the primary recipients of the reply.  If a reply is sent to a message
   that has destination fields, it is often desirable to send a copy of
   the reply to all of the recipients of the message, in addition to the
   author.  When such a reply is formed, addresses in the "To:" and
   "Cc:" fields of the original message MAY appear in the "Cc:" field of
   the reply, since these are normally secondary recipients of the
   reply.

Yes, that sounds about right.

Neil.___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

[mailop] Mailing list with From header munging... and Outlook

[Jesse Thompson via mailop]

Hi all,

We're making a push to get mailing lists to implement header munging because of 
gov domains adopting DMARC p=reject.

Does anyone know what's up with Outlook (Office 365 Pro Plus) when "Reply All" 
is used?  When someone reply-alls to a munged message it only composes a 
message to the Reply-to and the Cc, but ignores the From (the list address is 
munged into the From header).  So, people need to manually add the list address 
back if they want to reply-all back to the list.  Outlook on the Web seems to 
currently work as expected (event though I have a recollection that I triggered 
the problematic behavior last week.)

Is there anything that can be done to trick Outlook into acting in the way 
someone would expect with "Reply All"?  Munge the list address into an 
additional Reply-to (I'm fairly certain that multiple Reply-to headers are 
allowed)?  Munge it into the Cc header?

[cid:61087ee7-0af8-4ce1-96a9-9e87d092fb64]

Thanks,
Jesse
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop