[conspire] Awful kludge removed from Conspire and SF-LUG lists

Rick Moen rick at linuxmafia.com
Sat Mar 2 13:54:38 PST 2024


Quoting Ivan Sergio Borgonovo (mail at webthatworks.it):

> Up to my understanding you could
> 
> v=DMARC1; p=none
> 
> and then set ARC headers if you've DKIM/SPF set up properly.
> 
> https://support.google.com/a/answer/81126?sjid=2605316202093911332-EU#zippy=%2Crequirements-for-all-senders

Ivan, I appreciate your trying to help.  The real problem is 
not the setup of linuxmafia.com's DNS, but rather the interaction
between _other_ sending domains' militant DMARC policies (p=reject or
p=quarantine) and linuxmafia.com's present Mailman release (2.1.13) 
that precedes the releases that do DMARC mitigation.

As you perhaps have, or perhaps have not, verified for yourself, 
and as I posted here shortly after the DMARC problem landed heavily on
us all in February, I swapped out my former "DMARC suck" (paraphrased)
TXT record at _dmarc.linuxmafia.com for this:

:r! dig -t txt _dmarc.linuxmafia.com +short
"v=DMARC1\; p=none\; sp=none\; rua=mailto:hostmaster at linuxmafia.com\; ruf=mailto:hostmaster at linuxmafia.com\; ri=604800\; fo=s\; pct=100"

And yes, Google says "Hey, simply add Authenticated Received Chain
headers to all forwarded mail including mailing list mail."  Again,
in early February, in an initial posting to this very mailing list,
saying that the DMARC problem had just landed hard and we all had to
deal with it, I _linked_ to that Google page.  So, yes, I read it a
month ago.

As I've also said on this mailing list, within the last couple of days,
the present state of this host makes its software difficult and
dangerous to maintain (for complicated reasons I'd rather not waste time
getting into).  So "simply add Authenticated Received Chain
headers to all forwarded mail including mailing list mail" is
hilariously not feasible at this time (I think).

Also, and more to the immediate point, upgrading Mailman to a version
that supports DMARC mitigation for all mailing list mail arriving from
domains with DMARC policies "p=reject" and "p=quarantine" makes the
problem go away by munging "From: " for those subscribers' postings
_only_, but also making that only a minimally horrific kludge by 
preserving the users' fullname and adding his/her real sending address
to a Reply-To: line.  This is the mitigation Akkana was just speaking
about yesterday, IIRC, that I confirmed was the Mailman one I keep
talking about.

Also, I really have fsck-all idea how to add three ARC headers to every
mailing list message.  Also, that would necessitate my system doing
DKIM, which it does not do.  Also, I personally hate DKIM, considering it
botched and mailing list-hostile.  (Arguably, ARC is a measure to 
retroactively fix what Yahoo haplessly broke in its incompetent design
of DKIM/DMARC.)  I will consider that for the future during rollout of 
entirely new replacement system software.  That is not today.

Did I mention that I don't have time for all of this?  I'm very sure I
did.

It would help alleviate my growing pessimism about the benefit of
mailing list discussion if people would actually pay attention to what I
say, because, honestly, I covered the guts of all of this already,
though I didn't get into ARC headers for reasons mentioned above.

And, in particular, your well-intended remark seems to amount to
"Hey, Google published a page of suggestions."  Yes, Ivan, I know, and
that's why I talked about that, right here, a month ago.


> BTW do we have more than 5000 subscribers that use gmail addresses?

The probable reason for your (above) question is the assumption that
Google is telling the truth, in its claim that the full set of
requirements onto sending SMTP domains would, at this time, be enforced
only onto "bulk senders", ones sending Google 5000+ messages per day
(not, BTW, 5000 individuals).

Guess what?  Following Feb. 1st, it has been widely reported that Google
was _not_ telling the truth (or changed its tiny little mind), that it
has, in fact, been enforcing various of the page's requirements for bulk
senders even on small-time sending domains.

I am pretty sure I mentioned that fact on this mailing list shortly
after Feb. 1st, too.

Seriously, people.  I'm getting very, very tired of explaining this over
and over.

-- 
Cheers,                   "Every bit of complexity you add is a failure point."
Rick Moen                                                -- Adam Savage
rick at linuxmafia.com 
McQ! (4x80)        
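The Mailman-style mitigation the message above describes (munge "From:" only for posters whose domain publishes p=reject or p=quarantine, keep the display name, move the real address into "Reply-To:"), as an added example that is not code from the post or from Mailman. It assumes constructed DMARC records for hypothetical domains in the form `dig +short` prints them (as in the linuxmafia.com record quoted above); a real deployment would look the records up in DNS.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed sample DMARC TXT records in the form `dig -t txt +short` prints
# them (semicolons backslash-escaped, value in quotes). Hypothetical domains.
SAMPLE_RECORDS = {
    "relaxed.example": '"v=DMARC1\\; p=none\\; sp=none\\; ri=604800\\; fo=s\\; pct=100"',
    "strict.example": '"v=DMARC1\\; p=reject\\; pct=100"',
    "cautious.example": '"v=DMARC1\\; p=quarantine"',
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into tag=value pairs; {} if it is not DMARC1."""
    txt = txt.strip().strip('"').replace("\\;", ";")
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def dmarc_policy(domain, lookup=SAMPLE_RECORDS.get):
    """Effective p= for a sender domain; 'none' when no record is published."""
    return parse_dmarc(lookup(domain.lower()) or "").get("p", "none").lower()

def munge_from(msg, list_addr, list_name, lookup=SAMPLE_RECORDS.get):
    """Rewrite From: only for senders under p=reject/p=quarantine, keeping the
    display name and moving the real address into Reply-To:."""
    name, addr = parseaddr(msg.get("From", ""))
    if dmarc_policy(addr.rpartition("@")[2], lookup) not in ("reject", "quarantine"):
        return False  # p=none or no record at all: leave the headers alone
    old_reply_to = msg.get("Reply-To")
    del msg["From"]
    del msg["Reply-To"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    msg["Reply-To"] = addr if not old_reply_to else f"{addr}, {old_reply_to}"
    return True

def relay(from_header, list_addr="list@list.example", list_name="list"):
    """Build a minimal post, run the mitigation, return (munged, From, Reply-To)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["Subject"] = "test"
    msg.set_content("hello")
    munged = munge_from(msg, list_addr, list_name)
    reply_to = msg.get("Reply-To")
    return munged, str(msg["From"]), None if reply_to is None else str(reply_to)
```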


