[Mailman-Users] Re: B.S. With Google Yellow Boxes and GNU Mailman
Michael Reeder -- Hygeia MS writes:

> *For now -- problem solved!**

Good news!

> I will take a look at Mark's DMARC mitigations below also.

You may also want to ask Dreamhost if they can enable the ARC protocol for your host. This protocol allows your host to testify which authentication tests passed on the way in, in particular DMARC's "From alignment". This means that the host takes responsibility for the changes in the message (such as adding a list name tag in Subject or a footer explaining how to access list resources, which break DKIM signatures).

The differences between using ARC and the DMARC mitigations Mark mentions are

1. ARC allows your list to leave From as is, while the Munge_From options change From to point to your list, instead. "Munge From" may confuse some subscribers (or their filtering and sorting software), although that's usually not a problem.

2. ARC requires that the final recipient participate in the protocol. Most of the largest freemail sites support it. On the other hand, "Munge From" allows your site to authenticate itself, since it DKIM signs and From is the same domain as the signature.

Which is better depends on the tradeoff between some inconvenience for subscribers who want to reply to author only when From is munged, and the risk of having sites that don't participate in ARC bouncing your traffic.

If you aren't getting DMARC bounces already, I would suppose ARC would be good insurance against some (but not all) DMARC bounces in the future. If you are, you might want to go straight to Munge From rather than try ARC and hope it fixes them for all current and future recipient hosts.

Steve

--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
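
Added example, not part of the original thread or of Mailman: a small Python model of the DMARC alignment check behind the ARC versus "Munge From" trade-off described in the message above. The domains, messages and the two-label organizational-domain shortcut are constructed assumptions, and the ARC branch models a receiver's local policy choice rather than a rule the protocol mandates.

```python
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # implementations consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_verdict(raw, spf_pass_domain, dkim_pass_domains,
                  arc_sealer=None, receiver_trusted_sealers=()):
    """Return 'pass', 'arc-override' or 'fail' for one delivered message.

    spf_pass_domain: envelope-sender domain if SPF passed, else None.
    dkim_pass_domains: d= domains of DKIM signatures that verified.
    arc_sealer: domain of a valid ARC seal that recorded dmarc=pass on
    the way in to the list, else None.
    """
    from_addr = parseaddr(message_from_string(raw)["From"])[1]
    target = org_domain(from_addr.rpartition("@")[2])
    aligned = [d for d in [spf_pass_domain, *dkim_pass_domains]
               if d and org_domain(d) == target]
    if aligned:
        return "pass"
    # ARC only helps when the final recipient participates and chooses
    # to trust the sealer; this is local policy on the receiving side.
    if arc_sealer and org_domain(arc_sealer) in receiver_trusted_sealers:
        return "arc-override"
    return "fail"


# Constructed messages: an author at author.example posting through a list
# hosted at lists.list.example. The list's subject tag and footer have
# broken the author's DKIM signature, so only the list's own signature
# and SPF (for the list's envelope sender) still pass.
AS_IS = "From: Alice <alice@author.example>\nSubject: [List] hi\n\nbody\n"
MUNGED = "From: Alice via List <list@lists.list.example>\nSubject: [List] hi\n\nbody\n"
LIST_AUTH = dict(spf_pass_domain="lists.list.example",
                 dkim_pass_domains=["list.example"])

if __name__ == "__main__":
    print(dmarc_verdict(AS_IS, **LIST_AUTH))
    print(dmarc_verdict(AS_IS, arc_sealer="list.example",
                        receiver_trusted_sealers={"list.example"},
                        **LIST_AUTH))
    print(dmarc_verdict(MUNGED, **LIST_AUTH))
```

The unmunged message only survives at a receiver that lists the sealer as trusted, while the munged one passes on the list's own SPF and DKIM identity.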
[Mailman-Users] Re: B.S. With Google Yellow Boxes and GNU Mailman
Steve,

The list already uses the General "Munge_From" feature and I like having reply to list be the default. Will keep ARC in mind. I don't think I am getting DMARC bounces...

FYI -- This is the DNS entry that seems to have done the job fixing the problem I think:

NAME: @
TYPE: TXT
VALUE: v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net -all

-- Michael

*Michael Reeder, LCPC *
*Hygeia Counseling Services : Baltimore / Mt. Washington Village location*
*410-871-TALK / michael(at)hygeiacounseling.com*
*http://www.hygeiacounseling.com - main website. *

On 8/3/2022 7:55 AM, Stephen J. Turnbull wrote:
> Michael Reeder -- Hygeia MS writes:
>
> > *For now -- problem solved!**
>
> Good news!
>
> > I will take a look at Mark's DMARC mitigations below also.
>
> You may also want to ask Dreamhost if they can enable the ARC protocol for your host. This protocol allows your host to testify which authentication tests passed on the way in, in particular DMARC's "From alignment". This means that the host takes responsibility for the changes in the message (such as adding a list name tag in Subject or a footer explaining how to access list resources, which break DKIM signatures).
>
> The differences between using ARC and the DMARC mitigations Mark mentions are
>
> 1. ARC allows your list to leave From as is, while the Munge_From options change From to point to your list, instead. "Munge From" may confuse some subscribers (or their filtering and sorting software), although that's usually not a problem.
>
> 2. ARC requires that the final recipient participate in the protocol. Most of the largest freemail sites support it. On the other hand, "Munge From" allows your site to authenticate itself, since it DKIM signs and From is the same domain as the signature.
>
> Which is better depends on the tradeoff between some inconvenience for subscribers who want to reply to author only when From is munged, and the risk of having sites that don't participate in ARC bouncing your traffic.
>
> If you aren't getting DMARC bounces already, I would suppose ARC would be good insurance against some (but not all) DMARC bounces in the future. If you are, you might want to go straight to Munge From rather than try ARC and hope it fixes them for all current and future recipient hosts.
>
> Steve
[Mailman-Users] Re: B.S. With Google Yellow Boxes and GNU Mailman
Mark,

This is the DNS record entry that seems to have fixed the problem:

NAME: @
TYPE: TXT
VALUE: v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net -all

Dream Host runs GNU Mailman version 2.1.39 (but I SWEAR it was 2.1.23 earlier this morning!).

I already had General Options set to "Munge From" all along (including when I was getting Gmail yellow box).

Under Privacy options... -> Sender filters, I have:
dmarc_moderation_action = Accept
dmarc_quarantine_moderation_action = Yes

Possibly stupid question -- Does it make any sense to also change dmarc_moderation_action to Munge From under Privacy options --> Sender Filters?

Thanks,
Michael

*Michael Reeder, LCPC *
*Hygeia Counseling Services : Baltimore / Mt. Washington Village location*
*410-871-TALK / michael(at)hygeiacounseling.com*

On 8/2/2022 4:50 PM, Mark Sapiro wrote:
> On 8/2/22 11:43, Michael Reeder LCPC -- Hygeia Regular wrote:
> > Gmail is also indicating:
> > SPF: NEUTRAL with IP 64.90.62.202
> > DKIM: 'FAIL' with domain gmail.com
>
> Dreamhost should be DKIM signing the outgoing list mail with the list's domain. If they aren't you can ask them to do it, and they can come here for help if they need it.
>
> It may not be an issue, but you should also enable DMARC mitigations. For Mailman >= 2.1.18, in Privacy options... -> Sender filters, set dmarc_moderation_action to Munge From and dmarc_quarantine_moderation_action to Yes. For older versions 2.1.16 and 2.1.17, you can set General Options from_is_list to Munge From, but this requires setting ALLOW_FROM_IS_LIST to Yes in mm_cfg.py. This is also available in 2.1.18+, and will apply mitigations to all messages, not just ones publishing DMARC policy reject or quarantine.
>
> > This is freaking out a few of my users. I'm attaching a screenshot of the message and source code for the same message. Hopefully this list allows attachments...
>
> Not images, only attached messages, text and pgp and pkcs7 signatures.
[Mailman-Users] Re: B.S. With Google Yellow Boxes and GNU Mailman
On August 3, 2022 10:26:57 AM PDT, Michael Reeder -- Hygeia MS wrote:
>
> I already had General Options set to "Munge From" all along (including when I was getting Gmail yellow box).
>
> Under Privacy options... -> Sender filters, I have:
> dmarc_moderation_action = Accept
> dmarc_quarantine_moderation_action = Yes
>
> Possibly stupid question -- Does it make any sense to also change dmarc_moderation_action to Munge From under Privacy options --> Sender Filters?

General Options from_is_list = Munge From trumps dmarc_moderation_action and applies to all senders.

--
Mark Sapiro
Sent from my Not_an_iThing with standards compliant, open source software.