[conspire] (forw) DMARC munging (was: [GoLugTech] Gentoo's Github cracked)
Rick Moen
rick at linuxmafia.com
Sat Jun 30 15:19:23 PDT 2018
Nick, you may be interested in these further details.
----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----
Date: Sat, 30 Jun 2018 14:39:23 -0700
From: Rick Moen <rick at linuxmafia.com>
To: slitt at troubleshooters.com, jdlspeedyt500inc.com at linuxmafia.com
Subject: DMARC munging (was: [GoLugTech] Gentoo's Github cracked)
Organization: If you lived here, you'd be $HOME already.
Greetings, good people.
I have a suggestion. This particular processing of my message suggests
a beneficial but suboptimal configuration in GNU Mailman to compensate
for the problem of DMARC/DKIM:
> From tech-bounces at golug.org Sat Jun 30 13: 6:56 2018
> From: Rick Moen via Tech <tech at golug.org>
> To: tech at golug.org
> Reply-To: Rick Moen <rick at linuxmafia.com>, tech at golug.org
GoLUG's listadmins have evidently changed admin WebUI item 'Replace the
From: header address with the list's posting address to mitigate issues
stemming from the original From: domain's DMARC or similar policies.'
(General Options) from the default 'No' to 'Munge From'.
This is one of Mailman's recent options to semi-fix the severe
collateral damage imposed on mailing lists by the Yahoo-originated (and,
IMO, severely botched) anti-forgery protocol DKIM and its superset
DMARC. Electing 'Munge From' causes Mailman to _unconditionally_
rewrite the sender's 'From:' header, and append a 'Reply-To:' one, in
the manner shown.
My point: This is the _wrong Mailman fix_ to elect for the DMARC shambles.
Mailman offers a much, much better one, which you probably missed
because General Options is the first page, and you assumed this was the
fix to select. (It's a very easy thing to miss.)
On Privacy options, Sender filters, you'll find the _right_ fix. It's
called 'Action to take when anyone posts to the list from a domain with
a DMARC Reject/Quarantine Policy', default radio button 'Accept', but
the optimal fix option is the next button, 'Munge From'.
Why is this different, since both are 'Munge From'? Because it's a lot
more selective. As the item's description says, it applies munging to
postings from a domain _with a DMARC Reject/Quarantine Policy_. Not to
other domains' messages, which thus won't get the sender's headers
disfigured just because some sending domains have gone down the DMARC
rathole.
Not to put too fine a point on it, my domains linuxmafia.com and
unixmercenary.net do NOT publish DMARC/DKIM policies of any kind. I do
provide a competently designed means to reject SMTP forgeries of my
domain in the form of a strongly asserted SPF record in my DNS, however.
While (as a listadmin) I keenly appreciate the DMARC problem and its
malign effects on mailing lists, I would appreciate it if GoLUG's
software would leave my domain's (and other domains not publishing DMARC
Reject/Quarantine Policies) mail headers alone, so that my 'From:'
information transits the mailing list intact.
As always, thank you for your generous and public-spirited work.
----- End forwarded message -----
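The following sketch is an added illustration, not Mailman's code and not part of the forwarded message. It contrasts the two 'Munge From' settings the message describes: unconditional rewriting versus rewriting only when the author's domain publishes a DMARC Reject/Quarantine policy. The domains, list address, DNS answers and function names are all constructed or hypothetical, and only the author's exact domain is consulted.

```python
from email.message import Message
from email.utils import formataddr, parseaddr

# Constructed TXT answers for _dmarc.<domain>; a real check would query DNS.
SAMPLE_DNS = {
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:agg@strict.example"],
    "_dmarc.hold.example": ["v=DMARC1; p=quarantine; pct=100"],
    "_dmarc.watch.example": ["v=DMARC1; p=none"],
    # nodmarc.example publishes no DMARC record at all, so it has no entry.
}

def dmarc_policy(domain, dns=SAMPLE_DNS):
    """Return the p= value of the domain's DMARC record, or None if absent."""
    for txt in dns.get("_dmarc." + domain.lower(), []):
        pairs = (part.partition("=") for part in txt.split(";"))
        tags = {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}
        if tags.get("v") == "DMARC1" and "p" in tags:
            return tags["p"].lower()
    return None

def munge_from(msg, list_name, list_addr):
    """Put the list address in From: and the author plus list in Reply-To:."""
    name, addr = parseaddr(msg["From"])
    del msg["From"], msg["Reply-To"]  # any author-set Reply-To is replaced here
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    msg["Reply-To"] = f"{formataddr((name, addr))}, {list_addr}"
    return msg

def process(msg, list_name, list_addr, mode):
    """mode 'always': munge every post. mode 'dmarc': munge only when the
    author's domain publishes p=reject or p=quarantine."""
    domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    if mode == "always" or dmarc_policy(domain) in ("reject", "quarantine"):
        munge_from(msg, list_name, list_addr)
    return msg

def make_post(sender):
    """Build a constructed list post from the given author."""
    msg = Message()
    msg["From"] = sender
    msg["To"] = "tech@lists.example"
    return msg

if __name__ == "__main__":
    for sender in ("Alice <alice@nodmarc.example>", "Bob <bob@strict.example>"):
        for mode in ("always", "dmarc"):
            out = process(make_post(sender), "Tech", "tech@lists.example", mode)
            print(f"{mode:6} {sender:32} -> From: {out['From']}")
```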