Debian Bug report logs - #752084
Debian lists need a plan to deal with messages from DMARC p=reject domains

Package: lists.debian.org; Maintainer for lists.debian.org is Debian Listmaster Team <listmaster@lists.debian.org>;

Reported by: Marco d'Itri <md@linux.it>

Date: Thu, 19 Jun 2014 13:57:06 UTC

Severity: important

Done: Alexander Wirt <formorer@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, md@linux.it, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#752084; Package lists.debian.org. (Thu, 19 Jun 2014 13:57:11 GMT) (full text, mbox, link).


Acknowledgement sent to Marco d'Itri <md@linux.it>:
New Bug report received and forwarded. Copy sent to md@linux.it, Debian Listmaster Team <listmaster@lists.debian.org>. (Thu, 19 Jun 2014 13:57:11 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Thu, 19 Jun 2014 15:52:36 +0200
[Message part 1 (text/plain, inline)]
Package: lists.debian.org
Severity: important

Background on DMARC:
https://wordtothewise.com/2014/04/brief-dmarc-primer/

Official statements from Yahoo and AOL about their DMARC policy changes:
http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-protect-our-users
http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/

Background on damage inflicted on mailing lists by inappropriate uses 
of a DMARC p=reject policy and possible solutions:
http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail


Short summary: a p=reject DMARC policy is not compatible with mailing 
lists (because their messages come from a different source IP and the 
body usually is modified).
Some large freemail domains implemented a p=reject policy to fix 
significant phishing attacks on their customers, but when their users 
send mail to Debian lists the signatures on the messages become invalid 
and they are rejected by the mail servers of the lists subscribers 
receiving them.
The bounces may cause these innocent receivers to be unsubscribed from 
the lists.


Yahoo and AOL explained in no uncertain terms that they will not revert 
this change.
We have not suffered too much from this so far because few users post to 
our lists from yahoo.com and aol.com domains, but at least another very 
large freemail provider (used by a significant fraction of Debian lists 
subscribers) has privately announced that they plan to switch to 
p=reject as well.


I propose that our priorities should be, in this order:
- prevent damage to third party receivers
- properly support posts from users from p=reject domains


I propose that:
- we immediately start rejecting mails to our lists sent from domains 
  with a p=reject policy to prevent unsubscribing innocent third parties
- we start discussing a long term solution which will allow posts from 
  p=reject domains as well

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]


Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Thu, 19 Jun 2014 16:10:01 +0200
[Message part 1 (text/plain, inline)]
On Jun 19, Marco d'Itri <md@linux.it> wrote:

> I propose that:
> - we immediately start rejecting mails to our lists sent from domains 
>   with a p=reject policy to prevent unsubscribing innocent third parties
This requires installing opendmarc and its dependencies and verifying 
the results in smartlist.

> - we start discussing a long term solution which will allow posts from 
>   p=reject domains as well
The possible solutions are:

a) keep rejecting mail from these domains
"Soon" it will apply to too many users, so I do not believe that this 
can be a long term approach.

b) rewrite the From headers of messages from these domains
The least annoying solution could be to rewrite p=reject domains with 
something like s/$/.rewritten-by.lists.debian.org/ (and maybe add the
original domain to the Reply-To header).
We could even set up an MX for *.rewritten-by.lists.debian.org and reject 
mail sent to it with instructions about how to reconstruct the original 
header.
This can be intrusive and annoying for readers, but if the impact on 
the usability for the readers is considered acceptable then it is still 
better than just rejecting the messages.

c) implement a permanent and elegant solution like http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail#Relay_one_copy_through_author_domain_server
This solves the problem for all sides, but requires writing some 
non-trivial code and forces us to store the SMTPAUTH credentials of the 
submitters, which would be a big security risk for them.
(A possible alternative to phishing the submitters' credentials would be 
to use some not yet specified OAUTH authentication scheme.)

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]


Message #15 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Marco d'Itri <md@linux.it>, 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Thu, 19 Jun 2014 17:40:43 +0200
[Message part 1 (text/plain, inline)]
On Thu, 19 Jun 2014, Marco d'Itri wrote:

> On Jun 19, Marco d'Itri <md@linux.it> wrote:
> 
> > I propose that:
> > - we immediately start rejecting mails to our lists sent from domains 
> >   with a p=reject policy to prevent unsubscribing innocent third parties
> This requires installing opendmarc and its dependencies and verifying 
> the results in smartlist.
I would implement that at smtp time with a postfix policyd. 

> > - we start discussing a long term solution which will allow posts from 
> >   p=reject domains as well
> The possible solutions are:
> 
> a) keep rejecting mail from these domains
> "Soon" it will apply to too many users, so I do not believe that this 
> can be a long term approach.
In my eyes this is the only solution that we have at the moment. I am not
happy with it, but DMARC is totally broken by design and there are no
satisfying solutions.

> b) rewrite the From headers of messages from these domains
> The least annoying solution could be to rewrite p=reject domains with 
> something like s/$/.rewritten-by.lists.debian.org/ (and maybe add the
> original domain to the Reply-To header).
> We could even setup a MX for *.rewritten-by.lists.debian.org and reject 
> mail sent to it with instructions about how to reconstruct the original 
> header.
> This can be intrusive and annoying for readers, but if the impact on 
> the usability for the readers is considered acceptable then it is still 
> better than just rejecting the messages.
I have some experience with such rewrites from other lists (they all reverted
such settings) and they are annoying as hell. So I would object to
implementing such a scheme.

> 
> c) implement a permanent and elegant solution like http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail#Relay_one_copy_through_author_domain_server
> This solves the problem for all sides, but requires writing some 
> non-trivial code and forces us to store the SMTPAUTH credentials of the 
> submitters, which would be a big security risk for them.
> (A possible alternative to phishing the submitters' credentials would be 
> to use some not yet specified OAUTH authentication scheme.)
To be honest I can't see what is elegant about collecting SMTP Auth
credentials. I don't want to collect such credentials (and users should not
be encouraged to hand out credentials to third parties).

The whole DMARC thing is a nightmare for every mailinglist.

unsatisfied

Alex
[Message part 2 (application/pgp-signature, inline)]


Message #20 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>
To: 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 00:17:52 +0100
Hi,

DMARC is so obviously broken in this regard.  I tried but couldn't find
anyone with influence on the DMARC working group who cared about this
issue.  It was 'outside of scope' or something.

I think Debian and other communities should really use their influence
here;  simply go with option 1 (the easiest) and encourage users to
register another email account elsewhere to use the lists.  Some people
do that anyway for list email to avoid spam or as an alternative to
filtering into separate mailboxes.

Besides, we've heard plenty of other reasons recently why users should
be looking to avoid certain email services, or to consider setting up
their own.  And I suppose it's never been easier;  there is good
software for this, many excellent tutorials now, and a wave of cheap
low-powered devices that could run email services on a home broadband
connection unobtrusively, for yourself and friends/family.

Or maybe this would pressure a few providers to forget about using
p=reject, or the DMARC standard to finally address this problem, any of
which would still be forward progress.

Thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org




Message #25 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Don Armstrong <don@debian.org>
To: Steven Chamberlain <steven@pyro.eu.org>, 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Thu, 19 Jun 2014 18:42:26 -0700
On Fri, 20 Jun 2014, Steven Chamberlain wrote:
> DMARC is so obviously broken in this regard.  I tried but couldn't find
> anyone with influence on the DMARC working group who cared about this
> issue.  It was 'outside of scope' or something.

Would you mind pointing to the mails in the archives of the DMARC IETF
group where this was proposed? Want to try to address this if at all
possible, but don't want to re-hash things which have been addressed.

-- 
Don Armstrong                      http://www.donarmstrong.com

I learned really early the difference between knowing the name of
something and knowing something
 -- Richard Feynman "What is Science" Phys. Teach. 7(6) 1969




Message #30 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: Marco d'Itri <md@linux.it>, 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 10:25:49 +0200
[Message part 1 (text/plain, inline)]
Marco d'Itri, 2014-06-19 16:10+0200:
>The possible solutions are:
>
>a) keep rejecting mail from these domains
>
>b) rewrite the From headers of messages from these domains
>
>c) implement a permanent and elegant solution like http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail#Relay_one_copy_through_author_domain_server

d) set up lists so DKIM-signed messages are not modified in any way
Mailing lists break SPF and solutions to that are heavy, but DMARC 
relies on /either/ SPF /or/ DKIM, and mailing-lists do not necessarily 
break DKIM: they only do when the message is altered, often to add a 
footer explaining how to unsubscribe. Now, there has been a standard 
mail header for that for some time, which should now be recognized by 
all serious mail user agents, so altering messages to add such a footer 
could be avoided now, at least for DKIM-signed messages.

-- 
 ,--.
: /` )   Tanguy Ortolo      <xmpp:tanguy@ortolo.eu>
| `-'    Debian Developer   <irc://irc.oftc.net/Tanguy>
 \_
[signature.asc (application/pgp-signature, inline)]


Message #35 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Tanguy Ortolo <tanguy+debian@ortolo.eu>, 752084@bugs.debian.org
Cc: Marco d'Itri <md@linux.it>
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 10:41:49 +0200
[Message part 1 (text/plain, inline)]
On Fri, 20 Jun 2014, Tanguy Ortolo wrote:

> Marco d'Itri, 2014-06-19 16:10+0200:
> >The possible solutions are:
> >
> >a) keep rejecting mail from these domains
> >
> >b) rewrite the From headers of messages from these domains
> >
> >c) implement a permanent and elegant solution like http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail#Relay_one_copy_through_author_domain_server
> 
> d) set up lists so DKIM-signed messages are not modified in any way
> Mailing lists break SPF and solutions to that are heavy, but DMARC relies on
> /either/ SPF /or/ DKIM, and mailing-lists do not necessarily break DKIM:
> they only do when the message is altered, often to add a footer explaining
> how to unsubscribe. Now, there has been a standard mail header for that for
> some time, which should now be recognized by all serious mail user agents,
> so altering messages to add such a footer could be avoided now, at least for
> DKIM-signed messages.
This has nothing to do with DKIM. d) is not a solution for our problem.

If a user from a p=reject domain posts to our mailinglist, every subscriber
from a domain checking dmarc will get a bounce.

Alex
[Message part 2 (application/pgp-signature, inline)]


Message #40 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: Alexander Wirt <formorer@debian.org>
Cc: Tanguy Ortolo <tanguy+debian@ortolo.eu>, 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 11:44:11 +0200
[Message part 1 (text/plain, inline)]
On Jun 20, Alexander Wirt <formorer@debian.org> wrote:

> If a user from a p=reject domain posts to our mailinglist, every subscriber
> from a domain checking dmarc will get a bounce.
No, he is right: if the message is not modified then the DKIM signature 
will be valid. This is one of the solutions implemented by mailman.

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]


Message #45 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Marco d'Itri <md@linux.it>, 752084@bugs.debian.org
Cc: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 11:59:49 +0200
[Message part 1 (text/plain, inline)]
On Fri, 20 Jun 2014, Marco d'Itri wrote:

> On Jun 20, Alexander Wirt <formorer@debian.org> wrote:
> 
> > If a user from a p=reject domain posts to our mailinglist, every subscriber
> > from a domain checking dmarc will get a bounce.
> No, he is right: if the message is not modified then the DKIM signature 
> will be valid. This is one of the solutions implemented by mailman.
What exactly does unmodified mean? Body? Headers?

Does that mean if we only add some headers and leave everything as it is, we
will be fine?

Alex

[Message part 2 (application/pgp-signature, inline)]


Message #50 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: Alexander Wirt <formorer@debian.org>
Cc: 752084@bugs.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 12:03:17 +0200
[Message part 1 (text/plain, inline)]
On Jun 20, Alexander Wirt <formorer@debian.org> wrote:

> > No, he is right: if the message is not modified then the DKIM signature 
> > will be valid. This is one of the solutions implemented by mailman.
> what in detail means unmodified? body? headers?
The body and the DKIM-signed headers. E.g. gmail by default signs:

h=mime-version:date:message-id:subject:from:to:content-type

and Yahoo:

h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type

> Does that mean if we only add some headers and let everything as it is, we
> will be fine?
Yes.

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]


Message #55 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Marco d'Itri <md@linux.it>
Cc: 752084@bugs.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 12:06:05 +0200
[Message part 1 (text/plain, inline)]
On Fri, 20 Jun 2014, Marco d'Itri wrote:

> On Jun 20, Alexander Wirt <formorer@debian.org> wrote:
> 
> > > No, he is right: if the message is not modified then the DKIM signature 
> > > will be valid. This is one of the solutions implemented by mailman.
> > what in detail means unmodified? body? headers?
> The body and the DKIM-signed headers. E.g. gmail by default signs:
> 
> h=mime-version:date:message-id:subject:from:to:content-type
Ok, that seems possible.
> 
> and Yahoo:
> 
> h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type
Received? That probably means we can add new Received headers without
modifying the existing ones.

> 
> > Does that mean if we only add some headers and let everything as it is, we
> > will be fine?
> Yes.
Good to know. I think THAT is a solution we are able to manage for most
mailinglists (except for things like *-announce where reply-to headers get
changed).

Alex

[Message part 2 (application/pgp-signature, inline)]


Message #60 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: Alexander Wirt <formorer@debian.org>
Cc: 752084@bugs.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 12:09:24 +0200
[Message part 1 (text/plain, inline)]
On Jun 20, Alexander Wirt <formorer@debian.org> wrote:

> > h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type
> Received? That probably means we can add new received headers without
> modifying the existing ones.
No, it means that you cannot modify the Received headers earlier than
the DKIM header (or the signature would never be valid after the first 
hop).

> Good to know. I think THAT is a solution we are able to manage for most
> mailinglists (except for things like *-announce where reply-to headers get
> changed).
I am not attached to it at all (MIME signatures hide it anyway...), but 
currently all of our mailing lists have a footer.

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]
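
The rule worked out in messages #50 to #60 (body and h= fields must stay as signed, new header fields may be added), as an added example that is not part of the bug log or of any list software. It assumes c=relaxed/relaxed, sha256 and no l= tag, and it compares the signed fields against the original instead of checking the RSA signature; the sample message, the example.com/example.org names and the relay() step are constructed for illustration.

```python
import base64
import hashlib
import re

# h= values quoted in the thread.
GMAIL_H = b"mime-version:date:message-id:subject:from:to:content-type"
YAHOO_H = (b"X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:"
           b"From:Reply-To:Subject:To:MIME-Version:Content-Type")

def split_message(raw):
    """Return ([(lowercased name, raw value), ...], body) for a CRLF message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1][1] += b"\r\n" + line  # folded continuation line
        else:
            name, _, value = line.partition(b":")
            fields.append([name.strip().lower(), value])
    return [tuple(f) for f in fields], body

def relaxed_body(body):
    """RFC 6376 relaxed body: squeeze whitespace runs, drop trailing blank lines."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(l + b"\r\n" for l in lines)

def relaxed_header(name, value):
    """RFC 6376 relaxed header: unfold, squeeze whitespace, trim the value."""
    unfolded = value.replace(b"\r\n", b"")
    return name + b":" + re.sub(rb"[ \t]+", b" ", unfolded).strip(b" ")

def body_hash(body):
    """Value a signer would put in bh= for this body (sha256, relaxed)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest())

def signed_instances(fields, h_names):
    """Select fields as a verifier does: for each name in h=, take the next
    unused instance counting from the bottom; None if no instance is left."""
    unused, picked = {}, []
    for name in (n.strip().lower() for n in h_names):
        stack = unused.setdefault(
            name, [relaxed_header(n, v) for n, v in fields if n == name])
        picked.append((name.decode(), stack.pop() if stack else None))
    return picked

def broken_by_relay(original, relayed):
    """List what would invalidate the author's signature ([] = it survives)."""
    o_fields, _ = split_message(original)
    r_fields, r_body = split_message(relayed)
    sig = next(v for n, v in o_fields if n == b"dkim-signature")
    pairs = re.sub(rb"\s+", b"", sig).split(b";")
    tags = dict(p.split(b"=", 1) for p in pairs if b"=" in p)
    reasons = [] if body_hash(r_body) == tags[b"bh"] else ["body"]
    h_names = tags[b"h"].split(b":")
    before = signed_instances(o_fields, h_names)
    after = signed_instances(r_fields, h_names)
    return reasons + [n for (n, b), (_, a) in zip(before, after) if b != a]

def build_sample(h):
    """Constructed message; b= is a placeholder because no key is involved."""
    body = b"Hello list,\r\n\r\nplease review the attached patch.\r\n"
    return b"\r\n".join([
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;",
        b"\ts=sel1; h=" + h + b";",
        b"\tbh=" + body_hash(body) + b"; b=PLACEHOLDER",
        b"Received: from client.example.com by smtp.example.com",
        b"MIME-Version: 1.0",
        b"Date: Fri, 20 Jun 2014 10:00:00 +0000",
        b"Message-ID: <constructed-1@example.com>",
        b"Subject: patch review",
        b"From: Author <author@example.com>",
        b"To: list@lists.example.org",
        b"Content-Type: text/plain; charset=us-ascii",
    ]) + b"\r\n\r\n" + body

def relay(raw, new_headers=(), footer=b""):
    """Hypothetical list step: prepend header fields, optionally append a footer."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return b"\r\n".join(list(new_headers) + [head]) + b"\r\n\r\n" + body + footer

# Constructed list behaviour: trace and List-* fields, a footer, an announce Reply-To.
LIST_HEADERS = [
    b"Received: from smtp.example.com by lists.example.org",
    b"List-Id: <list.lists.example.org>",
    b"List-Unsubscribe: <mailto:list-request@lists.example.org>",
]
FOOTER = b"\r\n-- \r\nTo unsubscribe, mail list-request@lists.example.org\r\n"
ANNOUNCE = LIST_HEADERS + [b"Reply-To: discuss@lists.example.org"]

if __name__ == "__main__":
    for label, h in (("gmail", GMAIL_H), ("yahoo", YAHOO_H)):
        msg = build_sample(h)
        print(label, "headers:", broken_by_relay(msg, relay(msg, LIST_HEADERS)))
        print(label, "footer: ", broken_by_relay(msg, relay(msg, LIST_HEADERS, FOOTER)))
        print(label, "announce:", broken_by_relay(msg, relay(msg, ANNOUNCE)))
```

With the Yahoo h= list, adding a Reply-To breaks the signature even though no existing field was touched, because the signer listed a field that was absent at signing time; with the Gmail h= list the same change survives.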


Message #65 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Marco d'Itri <md@linux.it>
Cc: 752084@bugs.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 12:15:37 +0200
[Message part 1 (text/plain, inline)]
On Fri, 20 Jun 2014, Marco d'Itri wrote:

> On Jun 20, Alexander Wirt <formorer@debian.org> wrote:
> 
> > > h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type
> > Received? That probably means we can add new received headers without
> > modifying the existing ones.
> No, it means that you cannot modify the Received headers earlier than
> the DKIM header (or the signature would never be valid after the first 
> hop).
Which - in practice - should be the same.

> > Good to know. I think THAT is a solution we are able to manage for most
> > mailinglists (except for things like *-announce where reply-to headers get
> > changed).
> I am not attached to it at all (MIME signatures hide it anyway...), but 
> currently all of our mailing lists have a footer.
That is something I can change for DKIM signed mails, and that is something I
am willing to change. Information about unsubscribing is also in the header. 

So, do you think too that we have a way to go here?
That means:

- don't add the footer for DKIM signed mails
- add DKIM on our own for outgoing mails to improve our own reputation

Alex

[Message part 2 (application/pgp-signature, inline)]


Message #70 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: Alexander Wirt <formorer@debian.org>
Cc: 752084@bugs.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 12:17:07 +0200
[Message part 1 (text/plain, inline)]
On Jun 20, Alexander Wirt <formorer@debian.org> wrote:

> So, do you think too that we have a way to go here?
> That means:
> 
> - don't add the footer for DKIM signed mails
> - add DKIM on our own for outgoing mails to improve our own reputation
Yes (but these are unrelated goals).
But I think that it would be better to always add or not add the footer.

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]


Message #75 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Marco d'Itri <md@linux.it>, 752084@bugs.debian.org
Cc: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 12:26:27 +0200
[Message part 1 (text/plain, inline)]
On Fri, 20 Jun 2014, Marco d'Itri wrote:

> On Jun 20, Alexander Wirt <formorer@debian.org> wrote:
> 
> > So, do you think too that we have a way to go here?
> > That means:
> > 
> > - don't add the footer for DKIM signed mails
> > - add DKIM on our own for outgoing mails to improve our own reputation
> Yes (but these are unrelated goals).
indeed, but the discussions are a little bit related, so I posted the summary
here.

> But I think that it would be better to always add or not add the footer.
I see the footer as a service to our users and I would like to keep it as
long as possible.

Alex

[Message part 2 (application/pgp-signature, inline)]


Message #80 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>
To: Marco d'Itri <md@linux.it>, 752084@bugs.debian.org, Alexander Wirt <formorer@debian.org>
Cc: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 12:02:16 +0100
[Message part 1 (text/plain, inline)]
On 20/06/14 10:44, Marco d'Itri wrote:
> No, he is right: if the message is not modified then the DKIM signature 
> will be valid. This is one of the solutions implemented by mailman.

If it is viable and not too difficult to do this, then I'd ask the
listmasters to please consider it as a last resort to excluding users of
p=reject domains.

Fortunately the main lists.d.o do not rewrite the subject, which would
have been the most inconvenient change to make.  Still awkward for the
BTS and alioth lists.

I guess some of the added list headers might need to be moved to precede
instead of follow existing headers?

The footer is something I could personally live without.  The rare
message doesn't include the footer anyway (HTML?), so I'm used to
getting its Message-ID from the headers.  The unsubscribe instructions
in the footer are still not always followed.

And doesn't the footer already negatively affect PGP/MIME or inline PGP
signatures?  I think it causes signed mails to become only 'partially
signed'?

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

[signature.asc (application/pgp-signature, attachment)]


Message #85 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Steven Chamberlain <steven@pyro.eu.org>
Cc: Marco d'Itri <md@linux.it>, 752084@bugs.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 13:05:00 +0200
[Message part 1 (text/plain, inline)]
On Fri, 20 Jun 2014, Steven Chamberlain wrote:

> On 20/06/14 10:44, Marco d'Itri wrote:
> > No, he is right: if the message is not modified then the DKIM signature 
> > will be valid. This is one of the solutions implemented by mailman.
> 
> If it is viable and not too difficult to do this, then I'd ask the
> listmasters to please consider it as a last resort to excluding users of
> p=reject domains.
> 
> Fortunately the main lists.d.o do not rewrite the subject, which would
> have been the most inconvenient change to make.  Still awkward for the
> BTS and alioth lists.
> 
> I guess some of the added list headers might need to be moved to precede
> instead of follow existing headers?
> 
> The footer is something I could personally live without.  The rare
> message doesn't include the footer anyway (HTML?), so I'm used to
> getting its Message-ID from the headers.  The unsubscribe instructions
> in the footer are still not always followed.
> 
> And doesn't the footer already negatively affect PGP/MIME or inline PGP
> signatures?  I think it causes signed mails to become only 'partially
> signed'?
See <20140620101537.GD7799@lisa.snow-crash.org> for my proposed plan.

Alex

[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#752084; Package lists.debian.org. (Fri, 20 Jun 2014 11:09:07 GMT) (full text, mbox, link).


Acknowledgement sent to Marco d'Itri <md@linux.it>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Fri, 20 Jun 2014 11:09:07 GMT) (full text, mbox, link).


Message #90 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: Steven Chamberlain <steven@pyro.eu.org>
Cc: 752084@bugs.debian.org, Alexander Wirt <formorer@debian.org>, Tanguy Ortolo <tanguy+debian@ortolo.eu>
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 13:06:56 +0200
[Message part 1 (text/plain, inline)]
On Jun 20, Steven Chamberlain <steven@pyro.eu.org> wrote:

> Fortunately the main lists.d.o do not rewrite the subject, which would
> have been the most inconvenient change to make.  Still awkward for the
> BTS and alioth lists.
Right, I forgot that this is relevant for the BTS as well since it 
rewrites Subject and Reply-To.

> I guess some of the added list headers might need to be moved to precede
> instead of follow existing headers?
Only if there are multiple headers IIRC, so it should not matter.

> And doesn't the footer already negatively affect PGP/MIME or inline PGP
> signatures?  I think it causes signed mails to become only 'partially
> signed'?
In mutt the footer is just hidden for signed messages.

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#752084; Package lists.debian.org. (Fri, 20 Jun 2014 11:33:10 GMT) (full text, mbox, link).


Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Fri, 20 Jun 2014 11:33:10 GMT) (full text, mbox, link).


Message #95 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>
To: listmaster@lists.debian.org, 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 12:31:18 +0100
On 20/06/14 02:42, Don Armstrong wrote:
> Would you mind pointing to the mails in the archives of the DMARC IETF
> group where this was proposed? Want to try to address this if at all
> possible, but don't want to re-hash things which have been addressed.

It wasn't a fun experience, it reminded me of the systemd tech-ctte bug
thread, except *without* the Wiki debate position pages, so everything
went around in circles.

Since then I got the impression 10% of threads on dmarc-discuss@ were
reprising the same issue.

Mine was this thread, but below are some highlights:
http://lists.dmarc.org/pipermail/dmarc-discuss/2012-June/000945.html

Ironically, this was from zwicky at yahoo-inc.com :
> Don't use quarantine or reject policies on domains that contain real users; use them on transactional domains.
> Mailing lists and forwarding  are both heavily used by real people and will break DMARC

msk at fb.com wrote:
> Still, the question remains: Why is trying to ensure list traffic passes
> DMARC something that should be in scope?  Do big brands actually get
> phished via mailing lists?

I answered that and proposed there be some 'p=reject, but please accept
my mail if forwarded' policy:
http://lists.dmarc.org/pipermail/dmarc-discuss/2012-June/001045.html

It would be enough if the published DMARC record could optionally turn
off the 'alignment' requirement;  accept a DKIM signature from a
listserver in lieu of a valid author signature.  A further whitelist
lookup or reputation scoring by the sender could then decide if it was
valid list mail or not.

Then it would work as DKIM and ADSP do already (and DomainKeys did);  if
a list adds a Sender: header it could do DKIM signing without too much
effort, then DKIM validators would still pass it.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#752084; Package lists.debian.org. (Fri, 20 Jun 2014 20:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Fri, 20 Jun 2014 20:15:05 GMT) (full text, mbox, link).


Message #100 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>
To: 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 22:13:12 +0200 (CEST)
On Fri, 20 Jun 2014, Tanguy Ortolo wrote:

> Marco d'Itri, 2014-06-19 16:10+0200:
> > The possible solutions are:
> > 
> > a) keep rejecting mail from these domains
> > 
> > b) rewrite the From headers of messages from these domains
> > 
> > c) implement a permanent and elegant solution like
> > http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail#Relay_one_copy_through_author_domain_server
> 
> d) set up lists so DKIM-signed messages are not modified in any way

I already proposed this as a simple and effective solution in another
bug report against lists.debian.org and Don Armstrong already seemed
to be willing to stop the footer for any type of signed email.

(Personally, I also think that doing that would be ugly and it would
be much better to drop the footer for all email).

Please do not reject this possibility so lightly. From all the
proposed solutions to this problem, I don't think this one is a
solution to laugh at.

With great sadness I read from Alexander Wirt's blog that you are
planning to (basically) boycott lists.debian.org usage for any user
whose email provider has a p=reject DMARC policy.

But, if I'm not mistaken, everything we would need to support such
users in most cases (I'm not talking about bugs.debian.org here) is to
stop adding footers to our messages.

Alexander, the footer may be "useful" and "a service to our users",
but IMHO in no way is it reasonable to consider the footer so
important that we have to forbid or boycott lists.debian.org usage for
a lot of already existing users.

Thanks.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#752084; Package lists.debian.org. (Fri, 20 Jun 2014 20:30:15 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Fri, 20 Jun 2014 20:30:15 GMT) (full text, mbox, link).


Message #105 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Santiago Vila <sanvila@unex.es>, 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 22:19:45 +0200
On Fri, 20 Jun 2014, Santiago Vila wrote:

> On Fri, 20 Jun 2014, Tanguy Ortolo wrote:
> 
> > Marco d'Itri, 2014-06-19 16:10+0200:
> > > The possible solutions are:
> > > 
> > > a) keep rejecting mail from these domains
> > > 
> > > b) rewrite the From headers of messages from these domains
> > > 
> > > c) implement a permanent and elegant solution like
> > > http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail#Relay_one_copy_through_author_domain_server
> > 
> > d) set up lists so DKIM-signed messages are not modified in any way
> 
> I already proposed this as a simple and effective solution in another
> bug report against lists.debian.org and Don Armstrong already seemed
> to be willing to stop the footer for any type of signed email.
> 
> (Personally, I also think that doing that would be ugly and it would
> be much better to drop the footer for all email).
> 
> Please do not reject this possibility so lightly. From all the
> proposed solutions to this problem, I don't think this one is a
> solution to laugh at.
> 
> With great sadness I read from Alexander Wirt's blog that you are
> planning to (basically) boycott lists.debian.org usage for any user
> whose email provider has a p=reject DMARC policy.
read the bugreport again. at all.


Alex



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#752084; Package lists.debian.org. (Fri, 20 Jun 2014 20:36:05 GMT) (full text, mbox, link).


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Fri, 20 Jun 2014 20:36:05 GMT) (full text, mbox, link).


Message #110 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>
To: Alexander Wirt <formorer@debian.org>, 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 22:33:33 +0200
El 20/06/14 22:19, Alexander Wirt escribió:
> read the bugreport again. at all.

Hmm. What makes you think I didn't?

Maybe you refer to the fact that your blog entry is dated from yesterday 
and solutions for this problem which are acceptable for you have been 
proposed in the bug report after that? (If that's the case, I celebrate).

Thanks.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#752084; Package lists.debian.org. (Fri, 20 Jun 2014 20:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Fri, 20 Jun 2014 20:39:04 GMT) (full text, mbox, link).


Message #115 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Santiago Vila <sanvila@unex.es>
Cc: 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 22:37:34 +0200
On Fri, 20 Jun 2014, Santiago Vila wrote:

> El 20/06/14 22:19, Alexander Wirt escribió:
> >read the bugreport again. at all.
> 
> Hmm. What makes you think I didn't?
> 
> Maybe you refer to the fact that your blog entry is dated from yesterday and
> solutions for this problem which are acceptable for you have been proposed
> in the bug report after that? (If that's the case, I celebrate).
exactly.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752084#65

Alex



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#752084; Package lists.debian.org. (Fri, 20 Jun 2014 20:51:09 GMT) (full text, mbox, link).


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Fri, 20 Jun 2014 20:51:09 GMT) (full text, mbox, link).


Message #120 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>
To: Alexander Wirt <formorer@debian.org>
Cc: 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Fri, 20 Jun 2014 22:47:13 +0200
El 20/06/14 22:37, Alexander Wirt escribió:
> On Fri, 20 Jun 2014, Santiago Vila wrote:
>
>> El 20/06/14 22:19, Alexander Wirt escribió:
>>> read the bugreport again. at all.
>>
>> Hmm. What makes you think I didn't?
>>
>> Maybe you refer to the fact that your blog entry is dated from yesterday and
>> solutions for this problem which are acceptable for you have been proposed
>> in the bug report after that? (If that's the case, I celebrate).
> exactly.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752084#65

Ok. Thanks for the clarification.

While we are at it: Please consider moving the Archive: information in 
the footer to the headers in either case (i.e. regardless of the message 
being DKIM signed or not).

I've already seen cases where the message-id (and therefore the URL 
shown) contains the equal sign (=) and the message is MIME invalid 
because the header declares the body as being quoted-printable. This 
causes the = sign in the body not to be interpreted as an = sign.
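
The failure described in the message above, as an added example that is not part of the original thread: a footer appended verbatim to a quoted-printable body is decoded along with it, so an "=" in the archive URL is read as an escape. The message, addresses, Message-ID and function names are constructed for illustration.

```python
import quopri
from email import message_from_bytes

# Constructed sample: the Message-ID contains "=4B", which happens to be a
# valid quoted-printable escape for the letter "K".
FOOTER = b"Archive: https://lists.example/msgid/CAF=4Bq1@mail.example\n"
BODY_TEXT = "price = 10 EUR, caf\u00e9\n".encode("utf-8")


def build_message(body: bytes = BODY_TEXT) -> bytes:
    """Return a single-part message whose body is quoted-printable encoded."""
    headers = (
        b"From: alice@mail.example\n"
        b"Message-ID: <CAF=4Bq1@mail.example>\n"
        b"MIME-Version: 1.0\n"
        b"Content-Type: text/plain; charset=utf-8\n"
        b"Content-Transfer-Encoding: quoted-printable\n"
        b"\n"
    )
    return headers + quopri.encodestring(body)


def append_footer_raw(raw: bytes, footer: bytes = FOOTER) -> bytes:
    """Append the footer bytes as-is, ignoring the declared transfer encoding."""
    return raw + footer


def append_footer_encoded(raw: bytes, footer: bytes = FOOTER) -> bytes:
    """Encode the footer the same way as the body before appending it."""
    return raw + quopri.encodestring(footer)


def decoded_body(raw: bytes) -> bytes:
    """Body as a mail client sees it after undoing Content-Transfer-Encoding."""
    return message_from_bytes(raw).get_payload(decode=True)


if __name__ == "__main__":
    original = build_message()
    print(decoded_body(append_footer_raw(original)).decode("utf-8"))
    print(decoded_body(append_footer_encoded(original)).decode("utf-8"))
```

Moving the archive URL into a header, as requested above, avoids the problem entirely because headers are not subject to the body's transfer encoding.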



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#752084; Package lists.debian.org. (Sat, 21 Jun 2014 13:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Sat, 21 Jun 2014 13:33:04 GMT) (full text, mbox, link).


Message #125 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Scott Kitterman <debian@kitterman.com>
To: 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Sat, 21 Jun 2014 09:31:20 -0400
[Message part 1 (text/plain, inline)]
On Thursday, June 19, 2014 17:40:43 Alexander Wirt wrote:
> On Thu, 19 Jun 2014, Marco d'Itri wrote:
> > On Jun 19, Marco d'Itri <md@linux.it> wrote:
> > > I propose that:
> > > - we immediately start rejecting mails to our lists sent from domains
> > > 
> > >   with a p=reject policy to prevent unsubscribing innocent third parties
> > 
> > This requires installing opendmarc and its dependencies and verifying
> > the results in smartlist.
> 
> I would implement that at smtp time with a postfix policyd.

You can't, not completely anyway.  The lookup key for the DNS record is the 
body From.  The sender exposed in the Postfix policy interface is the envelope 
From (Mail From).  In most cases for a submission to a list, they will be the 
same, but it's not a 100% solution.

It should not be too hard to use a milter to do this.  It doesn't need all the 
functionality of opendmarc, it just has to pull out the body from, do a DNS 
lookup and then reject if there is a p=reject DMARC record.

> > > - we start discussing a long term solution which will allow posts from
> > > 
> > >   p=reject domains as well
> > 
> > The possible solutions are:
> > 
> > a) keep rejecting mail from these domains
> > "Soon" it will apply to too many users, so I do not believe that this
> > can be a long term approach.
> 
> in my eyes this is the only solution that we have at the moment. I am not
> happy with it, but DMARC is totally broken by design and there are no
> satisfying solutions.
> 
> > b) rewrite the From headers of messages from these domains
> > The least annoying solution could be to rewrite p=reject domains with
> > something like s/$/.rewritten-by.lists.debian.org/ (and maybe add the
> > original domain to the Reply-To header).
> > We could even setup a MX for *.rewritten-by.lists.debian.org and reject
> > mail sent to it with instructions about how to reconstruct the original
> > header.
> > This can be intrusive and annoying for readers, but if the impact on
> > the usability for the readers is considered acceptable then it is still
> > better than just rejecting the messages.
> 
> I have some experience with such rewrites from other lists (they all
> reverted such settings) and they are annoying as hell. So I would object
> against implementing such a scheme.
> 
> > c) implement a permanent and elegant solution like
> > http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail#Relay_one_copy_through_author_domain_server
> > This solves the problem for all sides, but requires writing some
> > non-trivial code and forces us to store the SMTPAUTH credentials of the
> > submitters, which would be a big security risk for them.
> > (A possible alternative to phishing the submitters' credentials would be
> > to use some not yet specified OAUTH authentication scheme.)
> 
> to be honest I can't see what is elegant with collecting SMTP Auth
> credentials. I don't want to collect such credentials (and users should not
> be encouraged to hand out credentials to third parties).
> 
> The whole DMARC thing is a nightmare for every mailinglist.
> 
> unsatisfied

I've been peripherally involved in DMARC development (which is why I packaged 
opendmarc).  Up until Yahoo and AOL went insane, the idea was that DMARC was 
mostly for corporate transactional mail and the mailing list issue wouldn't 
come up.

Scott K
[signature.asc (application/pgp-signature, inline)]
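
The check described in the message above (take the domain from the body From, look up its DMARC record, reject on p=reject), as an added example that is not code from the thread, from opendmarc or from any real milter. The resolver stub, the TXT records, the sample message and all function names are constructed; the organizational-domain fallback uses a naive "last two labels" rule where a real implementation would use the Public Suffix List.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed TXT records standing in for DNS (not real published data).
SAMPLE_TXT = {
    "_dmarc.reject.example": ["v=DMARC1; p=reject; rua=mailto:agg@reject.example"],
    "_dmarc.none.example": ["v=DMARC1; p=none"],
    "_dmarc.corp.example": ["v=DMARC1; p=quarantine; sp=reject"],
}

# Constructed submission: header From and envelope sender are in different domains.
SAMPLE_MESSAGE = (
    "From: Alice Example <alice@reject.example>\n"
    "To: somelist@lists.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def sample_lookup(name):
    """Hypothetical resolver stub: TXT strings for name, [] when none exist."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...' into a tag dict; None if it is not a DMARC record."""
    pairs = [part.partition("=") for part in txt.split(";") if "=" in part]
    tags = [(key.strip().lower(), value.strip()) for key, _, value in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)


def naive_org_domain(domain):
    """Assumption: the organizational domain is the last two labels."""
    return ".".join(domain.split(".")[-2:])


def dmarc_policy(domain, lookup=sample_lookup):
    """Policy that applies to mail whose header From is at domain, or None."""
    org = naive_org_domain(domain)
    for name, is_subdomain in ((domain, False), (org, domain != org)):
        records = [r for r in map(parse_dmarc, lookup("_dmarc." + name)) if r]
        if len(records) > 1:
            return None  # several DMARC records: policy discovery stops
        if records:
            rec = records[0]
            policy = rec.get("sp", rec.get("p")) if is_subdomain else rec.get("p")
            return policy.lower() if policy else None
    return None


def header_from_domain(raw_message):
    """Domain of the single address in the From header, else None."""
    msg = message_from_string(raw_message)
    addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if "@" in a]
    if len(addrs) != 1:
        return None
    return addrs[0].rpartition("@")[2].lower()


def check_submission(envelope_from, raw_message, lookup=sample_lookup):
    """Compare what an envelope-keyed check sees with what DMARC actually uses."""
    header_domain = header_from_domain(raw_message)
    envelope_domain = envelope_from.rpartition("@")[2].lower()
    header_policy = dmarc_policy(header_domain, lookup) if header_domain else None
    return {
        "header_domain": header_domain,
        "envelope_policy": dmarc_policy(envelope_domain, lookup),
        "header_policy": header_policy,
        "reject": header_policy == "reject",
    }


if __name__ == "__main__":
    print(check_submission("bounce@none.example", SAMPLE_MESSAGE))
```

A check keyed only on the envelope sender would see p=none for this message and accept it, which is the gap pointed out above.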

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#752084; Package lists.debian.org. (Sat, 21 Jun 2014 15:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Sat, 21 Jun 2014 15:21:04 GMT) (full text, mbox, link).


Message #130 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Scott Kitterman <debian@kitterman.com>, 752084@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Sat, 21 Jun 2014 17:17:48 +0200
[Message part 1 (text/plain, inline)]
On Sat, 21 Jun 2014, Scott Kitterman wrote:

> On Thursday, June 19, 2014 17:40:43 Alexander Wirt wrote:
> > On Thu, 19 Jun 2014, Marco d'Itri wrote:
> > > On Jun 19, Marco d'Itri <md@linux.it> wrote:
> > > > I propose that:
> > > > - we immediately start rejecting mails to our lists sent from domains
> > > > 
> > > >   with a p=reject policy to prevent unsubscribing innocent third parties
> > > 
> > > This requires installing opendmarc and its dependencies and verifying
> > > the results in smartlist.
> > 
> > I would implement that at smtp time with a postfix policyd.
> 
> You can't, not completely anyway.  The lookup key for the DNS record is the 
> body From.  The sender exposed in the Postfix policy interface is the envelope 
> From (Mail From).  In most cases for a submission to a list, they will be the 
> same, but it's not a 100% solution.
> 
> It should not be too hard to use a milter to do this.  It doesn't need all the 
> functionality of opendmarc, it just has to pull out the body from, do a DNS 
> lookup and then reject if there is a p=reject DMARC record.
indeed, then a milter, but that's not a problem, I did milters in perl before.

Alex
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#752084; Package lists.debian.org. (Mon, 14 Jul 2014 14:27:13 GMT) (full text, mbox, link).


Acknowledgement sent to Marco d'Itri <md@linux.it>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Mon, 14 Jul 2014 14:27:13 GMT) (full text, mbox, link).


Message #135 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>
To: 752084@bugs.debian.org, owner@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#752084: Debian lists need a plan to deal with messages from DMARC p=reject domains
Date: Mon, 14 Jul 2014 16:24:16 +0200
[Message part 1 (text/plain, inline)]
clone 752084 -1
reassign -1 bugs.debian.org
retitle -1 The Debian BTS needs a plan to deal with messages from DMARC p=reject domains
thanks

Please see #752084 for the details.

The BTS too needs a solution to this, and it will be a harder problem 
since it does not have the option of not modifying the messages in 
transit.

The AOL/Yahoo address book spammers now switched to forging gmail.com, 
so Google could be very close to enabling p=reject as well.

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]

Bug 752084 cloned as bug 754809 Request was from Marco d'Itri <md@linux.it> to control@bugs.debian.org. (Mon, 14 Jul 2014 14:27:17 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Listmaster Team <listmaster@lists.debian.org>:
Bug#752084; Package lists.debian.org. (Wed, 12 Aug 2015 16:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Debian Listmaster Team <listmaster@lists.debian.org>. (Wed, 12 Aug 2015 16:09:03 GMT) (full text, mbox, link).


Message #142 received at 752084@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>
To: 752084@bugs.debian.org, Alexander Wirt <formorer@debian.org>
Cc: Marco d'Itri <md@linux.it>
Subject: Re: Upcoming changes for lists.debian.org
Date: Wed, 12 Aug 2015 18:07:01 +0200
[ Replying to the bug report where this was being discussed ]

On Tue, Aug 11, 2015 at 02:57:17PM +0200, Alexander Wirt wrote:
> we are currently destroying valid DKIM signatures with our footers. To fix
> that problem we will remove footers on mails going via lists.debian.org soon. 
> 
> You can still get unsubscription and archive information from the header of a
> listmail.

Finally! Thanks a lot!

I wonder if this bug is to be considered fixed at this point,
and if not, what would be left.

[ Marco has created a clone of this report specifically for the BTS ]



Reply sent to Alexander Wirt <formorer@debian.org>:
You have taken responsibility. (Fri, 14 Aug 2015 12:39:07 GMT) (full text, mbox, link).


Notification sent to Marco d'Itri <md@linux.it>:
Bug acknowledged by developer. (Fri, 14 Aug 2015 12:39:07 GMT) (full text, mbox, link).


Message #147 received at 752084-done@bugs.debian.org (full text, mbox, reply):

From: Alexander Wirt <formorer@debian.org>
To: Santiago Vila <sanvila@unex.es>, 752084-done@bugs.debian.org
Cc: Marco d'Itri <md@linux.it>
Subject: Re: Bug#752084: Upcoming changes for lists.debian.org
Date: Fri, 14 Aug 2015 14:36:26 +0200
On Wed, 12 Aug 2015, Santiago Vila wrote:

> [ Replying to the bug report where this was being discussed ]
> 
> On Tue, Aug 11, 2015 at 02:57:17PM +0200, Alexander Wirt wrote:
> > we are currently destroying valid DKIM signatures with our footers. To fix
> > that problem we will remove footers on mails going via lists.debian.org soon. 
> > 
> > You can still get unsubscription and archive information from the header of a
> > listmail.
> 
> Finally! Thanks a lot!
You are welcome. 
> 
> I wonder if this bug is to be considered fixed at this point,
> and if not, what would be left.
Now that we don't destroy valid sigs anymore we can close that bug. After my
feature request for opendmarc is done, we will also start to check dkim sigs
later. p=reject domains with broken sigs will get rejected then too. But
that's an add-on. Therefore I close this bug now.

Alex - Debian Listmaster
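
Why an appended footer invalidates a DKIM signature, as an added example that is not part of the thread and not the listmasters' code: the signature's bh= tag is a hash over the canonicalized body (RFC 6376), and any appended text changes it. Only the body hash is checked here, not the RSA signature in b=; the body, footer, signature header and function names are constructed.

```python
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str = "simple") -> bytes:
    """Body canonicalization as in RFC 6376 sections 3.4.3 and 3.4.4."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs, then drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "simple") -> str:
    """Value a signer would place in bh= for a=rsa-sha256."""
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def body_hash_matches(sig_value: str, body: bytes) -> bool:
    """True if the body still hashes to the bh= recorded by the signer."""
    tags = parse_tags(sig_value)
    _, _, body_mode = tags.get("c", "simple/simple").partition("/")
    return body_hash(body, body_mode or "simple") == tags["bh"]


def add_footer(body: bytes) -> bytes:
    """Append a constructed list footer the way a footer-adding list would."""
    return body + SAMPLE_FOOTER


# Constructed sample data (not taken from a real message).
SAMPLE_BODY = b"Hello list,\r\n\r\nplease see the attached patch.\r\n"
SAMPLE_FOOTER = (
    b"\r\n-- \r\n"
    b"To unsubscribe, mail somelist-request@lists.example\r\n"
    b"Archive: https://lists.example/msgid/abc123@sender.example\r\n"
)
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.example; s=sel1; "
    "h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY, "relaxed") + "; "
    "b=CONSTRUCTEDPLACEHOLDER"
)

if __name__ == "__main__":
    print("as sent:     ", body_hash_matches(SAMPLE_SIG, SAMPLE_BODY))
    print("with footer: ", body_hash_matches(SAMPLE_SIG, add_footer(SAMPLE_BODY)))
```

Relaxed canonicalization tolerates whitespace changes and trailing blank lines only, so dropping the footer is what lets the original signature survive the list.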




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 12 Sep 2015 07:44:54 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Aug 29 07:06:16 2018; Machine Name: buxtehude
