[Mailman-Users] Authenticated Received Chain in Mailman?

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Thu Jun 8 02:48:33 EDT 2017 

[My apologies, I drafted this a couple days ago, but never finished
it.]

Brett Delmage writes:

 > Will Mailman 2 or 3 be incorporating Authenticated Received Chain (ARC) 
 > http://arc-spec.org/ ?

We will be doing so in Mailman 3, probably by mid-July for the Gitlab
trunk, and planned for release in Mailman 3.2.

However, configuring ARC in Mailman is a not-great idea if you can
avoid it.  instead, use an ARC-enabled MTA on your boundary MX.  There
is no need based on the protocol itself to do this in Mailman; we're
providing the feature only for experimentation and because it seems
likely many virtual hosting services will take a while to update their
MTAs.  (Of course, they're even more likely to take a while to update
from Mailman 2.1 to Mailman 3.)

In detail:

(1) Mailman cannot do ARC by itself.  It requires help from the DNS
    for the distribution of the public key needed to verify the
    signatures.  So you already need somebody with sensitive access to
    sensitive hosts, you can't delegate to Mailman list/site admins.

(2) In many configurations, the private signing key will be the key
    used for DKIM.  You don't want anybody but root to have access to
    that.

(3) The ARC host should be a boundary host (ie, the first host in your
    administrative domain to receive the post on the way in, and the
    last host to touch it on the way out).  In many configurations,
    the Mailman host will not be a boundary host.  This is especially
    likely in the current state of Mailman 3, as there are strong
    reasons to put all of the services (Mailman itself, Postorius, and
    HyperKitty) on the same host.  On the other hand, because the
    Mailman component communicates with the MTA by LMTP and submission
    or SMTP, there's no need for Mailman to be on the MTA host.  This
    allows isolation of the MTA on a more secure host (recommended).

(4) Mailman cannot verify SPF because it does not have access to the
    SMTP connection.  Few important hosts are dependent on SPF (almost
    everybody with SPF also has DKIM configured), but this is a
    weakness of doing it in Mailman.

If you're running your own host and can configure your own DNS, you
can use the Mailman version, but I do have to recommend an MTA-based
implementation of ARC over ours.

In the next few days I'll follow up with Sendmail, Postfix, and Exim
to see what they're planning for ARC.  (We don't officially support
Qmail, but if there are Qmail fans out there, feel free to check and
let me know!)  I do know that the ARC developers are planning milters
(which would take care of Sendmail and Postfix).

Hope this helps,

Steve

-- 
Associate Professor              Division of Policy and Planning Science
http://turnbull/sk.tsukuba.ac.jp/     Faculty of Systems and Information
Email: turnbull at sk.tsukuba.ac.jp                   University of Tsukuba
Tel: 029-853-5175                 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN

More information about the Mailman-Users mailing list