[Mailman-Developers] Two more DMARC mitigations

John Levine johnl at taugh.com
Sun Jun 15 00:15:37 CEST 2014


>>Honestly, Tough Noogies.  Let list managers make their own security
>>decisions.  AOL and Yahoo want all mail from their users to be authenticated.
>>Well, OK, this will do it.
>
>This is a really bad idea.  In MM3, we've already eliminated the need for
>keeping clear text passwords, and almost gotten rid of any user passwords at
>all.  OAUTH tokens are a little better, but no way do I want to hold a clear
>text password for users.

I agree it's a horrible idea.  But at the moment it's the only
horrible idea I'm aware of that will let lists keep operating in the
way the managers and users want, with no From: munging and no bounces,
using existing facilities from the mail providers.

AOL and Yahoo both have OAUTH APIs, but they are not the same, and I
see no likelihood that the APIs will converge, or that the next large
webmail provider to DMARC us will be compatible with either.  But
everyone has a SUBMIT server.

At least one of the large providers has told me they plan to do OAUTH
submission, presumably with long-lived tokens, which would greatly
mitigate the security issues.  It is my impression that if word got
back that lists were considering doing the submit trick, it would
motivate them to get OAUTH submission working sooner.

R's,
John

