[Mailman-Users] List DMARC compliance reconfiguration
Mark Sapiro
mark at msapiro.net
Mon Nov 4 19:49:57 EST 2019
On 11/4/19 7:42 AM, Andy Cravens wrote:
> Using mailman 2.1.26. I’m auditing the lists on my server for DMARC compliance I’ve found several list configs that do not have the DMARC action set to “munge_from.” It appears I need to edit all those list and fix that setting. I’ve also noticed that in mm_cfg.py there is no setting for REMOVE_DMIM_HEADERS. I just wanted to verify the proper order for fixing these issues. Seems like I need to correct the munge_from setting for all the affected lists and them as quickly as possible add REMOVE_DKIM_HEADERS = 1 to mm_cfg.py and restart. It appears that which ever task I complete first some messages will be undeliverable until both changes are complete. Maybe it would be best to stop mailman, complete both changes and then restart? Just looking for the best way to do this.
REMOVE_DMIM_HEADERS has nothing do do with and should not affect DMARC.
While it is true that DMARC action set to “munge_from will break DKIM,
DKIM is already broken by other list modifications to the message or you
wouldn't be having DMARC issues.
Best practice is to Munge the From: if necessary based on the DMARK
policy of the original From: domain and to DKIM sign the outgoing
message with a sig from your domain which is also the munged From: domain.
If you want Mailman to remove the older DKIM sigs, you can configure
that, but it should have no effect one way or the other. See
<https://tools.ietf.org/html/rfc6376#section-6.1>.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
More information about the Mailman-Users
mailing list