[Mailman-Users] non-subscribers getting through--email address in "Real Name"

Grant Taylor gtaylor at tnetconsulting.net
Tue Jul 24 23:47:03 EDT 2018


On 07/24/2018 08:11 PM, Richard Damon wrote:
> Do you understand how DMARC works?

Yes, I do believe that I do understand how DMARC works.

I have yet to have someone show me something (else) about DMARC that I'm 
not aware of.

> Yahoo.com has an entry in their DNS that says they want DMARC protection, 
> and if you can’t verify that the message came from them unmodified to 
> reject it.

Yep.

I'm doing exactly that.

> Unless the mailing list claims authorship of the message by changing the 
> From: of the message (and thus making it hard to tell who really said the 
> words), the list relaying the message with the slightest modification 
> of the Subject or Body will cause it to fail DMARC, as DMARC says that 
> the From: header is the king for verification.

I am talking about modifying the From: header such that the message no 
longer had any conflict with the original published DMARC records.

I.e.

      From: Grant Taylor <gtaylor at tnetconsulting.net>

Becomes:

      From: Grant Taylor via Mailman-Users <mailman-users at python.org>

Thus removing any conflict with any DMARC records published by 
tnetconsulting.net

Since the message is now from the Mailman-Users mailing list, it's 
perfectly possible to insert a line at the start of the message like the 
following:

      Grant Taylor <gtaylor at tnetconsulting.net> wrote the following:

> Only if you think that mailman-users is the author of your message here, 
> and that your mailing list is the proper author of every message that 
> goes through your mailing list.

I believe that the Mailman-Users mailing list is the entity responsible 
for sending the message to each and every subscriber.  I believe the 
content that the Mailman-Users mailing list is sending is strongly based 
on content provided by someone that sent a message to said mailing list.

I know that the mailing list did not generate the content.  I also know 
that it is sending content heavily based on content from someone else.

> Base SPF isn’t an issue. All messages leaving my mailing list pass 
> SPF because I publish a SPF record, and the message have an envelope 
> From of my mailing list.

What is (was) your (original) motivation for munging the envelope to be 
from the mailing list?  Are (were) you (originally) doing it because you 
want to take advantage of V.E.R.P.?  Or are (were) you (originally) 
doing it to avoid SPF issues?

I know a number of people that only started munging the envelope from 
address because of SPF issues.

You may also run into issues with SPF alignment with DMARC if you don't 
also modify the From: header.

(I can't tell what domain you are referring to.  I don't see SPF / TXT 
records for damon-family.org and I don't know if you are referring to 
some other domain.)

> Again, I can verify the DMARC of the incoming message, but unless I want 
> to claim authorship by changing the From, I can not send it and have it 
> pass DMARC.

Which, IMHO, is what DMARC is supposed to be able to enforce.

> Only if you consider the mailing list the Author of every message relayed 
> by it.

I do consider the MLM as being the author / creator / submitter of the 
SMTP message.

I view the person that sent the message as being the author / creator / 
submitter of the body content in said SMTP message.

> The MLM DOES change the Envelope from, it really wants to so it gets the 
> bounces back so it can process it. That means the outgoing message can 
> pass SPF as SPF is written. What it doesn’t pass is the modification 
> to SPF that DMARC specifies that says that the only domain to validate 
> in the inside From: Header, the Envelope doesn’t count.

Yep, VERP.

> So you REALLY want to see your view of the mailing list as EVERY message 
> is ‘From’ Mailman-users, with no indication of who really 
> wrote the message? Thus you lose the ability to easily block

Not quite.

I would much rather have the human friendly portion of the address 
remain what was originally sent.

I.e.

      From: Grant Taylor <gtaylor at tnetconsulting.net>

Becomes:

      From: Grant Taylor via Mailman-Users <mailman-users at python.org>

I would also be interested in something like the following.

      From: Grant Taylor gtaylor at tnetconsulting dot net via Mailman-Users <mailman-users at python.org>

I believe that retains the attribution that I believe you (and many 
others) want to retain.

Seeing as how the new outgoing message is completely new, it's perfectly 
possible to add something like the following as the first two lines of 
the message:

      Grant Taylor <gtaylor at tnetconsulting.net> wrote the following:

> So you don’t think mailing list should do any modifications to the 
> message, or they need to claim authorship.

"DMARC says that if you get a message from me, it MUST have come 
straight from me"

The key being "it MUST have come straight from me".

Thus messages that pass through a mailing list (or forwarded in any way) 
fail the "come straight from me" portion.

> So you see this thread as the mailing list arguing with itself?

I see this thread as a friendly / academic discussion from many 
different mailing list subscribers who send messages to and receive 
messages from said mailing list.

> Only if they TELL ALL their users that they have effectively should not 
> use virtually any of the existing mailing lists (except of course for 
> yahoo users using yahoo groups, as yahoo knows enough to be able to make 
> those pass)

I disagree.

> Should they also be given new message-ids (as they are new messages) 
> and thus threaded views not work anymore?  But DMARC is allowed to damage 
> the Email system

I am (currently) about 70/30 on if messages from the mailing list should 
get new Message-IDs or not.

If all messages pass through and everybody replies to the mailing list 
manager, then the new Message-ID from the MLM will work perfectly fine.

Original message:

      From: Grant Taylor <gtaylor at tnetconsulting.net>
      To: Mailman-Users <mailman-users at python.org>
      Message-ID: <68fd1dbf-eca3-4924-9531-cbf84d3f3bec at tnetconsulting.net>

Message from MLM:

      From: Grant Taylor via Mailman-Users <mailman-users at python.org>
      To: $Subscriber
      Message-ID: <ad933a76-faaf-41b3-bc36-2b5ac527ec2c at mailman-users.python.org>

Reply back to MLM:

      From: Grant Taylor <gtaylor at tnetconsulting.net>
      To: Mailman-Users <mailman-users at python.org>
      Message-ID: <70ef8f26-dcc2-48e7-a45e-be6fef4ea4fe@tnetconsulting.net>
      References: <ad933a76-faaf-41b3-bc36-2b5ac527ec2c at mailman-users.python.org>

The only problem that I see is other people that are explicitly listed 
on the To: or CC lines.  (I'm ignoring BCCs.)

Allow me to restate:

I believe that ALL messages to / from a /discussion/ mailing list should 
go through said mailing list.



-- 
Grant. . . .
unix || die
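
The From: rewriting discussed in the message above, as an added example that is not part of the original post and is not Mailman's own code. It rewrites From: to the list address, keeps the author in the display name and in a first body line, and checks strict From:/envelope domain alignment before and after. The addresses, list name and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed sample post; every address below is a placeholder.
RAW_POST = """\
From: Alice Author <alice@sender.example>
To: Discuss <discuss@lists.example>
Subject: hello
Message-ID: <constructed-1@sender.example>

Body text of the post.
"""
LIST_NAME = "Discuss"                            # assumed list display name
LIST_ADDR = "discuss@lists.example"              # assumed list posting address
ENVELOPE_FROM = "discuss-bounces@lists.example"  # assumed list bounce address


def load_sample():
    return message_from_string(RAW_POST)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def from_aligned(msg, envelope_from):
    """Strict alignment only: From: domain must equal the envelope domain.
    No SPF/DKIM/DNS evaluation is done here."""
    return domain_of(parseaddr(msg["From"])[1]) == domain_of(envelope_from)


def munge_from(msg, with_address=False):
    """Rewrite From: to the list and keep the author in name and body."""
    name, addr = parseaddr(msg["From"])
    label = name or addr
    if with_address and name:
        # Spell out the address so the display name holds no '@' or '.'.
        label = f"{name} {addr.replace('@', ' at ').replace('.', ' dot ')}"
    msg.replace_header("From", formataddr((f"{label} via {LIST_NAME}", LIST_ADDR)))
    msg.set_payload(f"{formataddr((name, addr))} wrote the following:\n\n"
                    + msg.get_payload())
    return msg


if __name__ == "__main__":
    post = load_sample()
    print("before:", post["From"], "| aligned:", from_aligned(post, ENVELOPE_FROM))
    out = munge_from(post)
    print("after: ", out["From"], "| aligned:", from_aligned(out, ENVELOPE_FROM))
```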


