DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [dpdk-announce] DMARC mitigation in dpdk.org's mailing list
@ 2021-09-23  9:15 Ali Alnubani
       [not found] ` <SJ0PR11MB567875CF109284B0A46C9381DFA39@SJ0PR11MB5678.namprd11.prod.outlook.com>
  2021-11-08 14:05 ` [dpdk-dev] [dpdk-announce] " Ali Alnubani
  0 siblings, 2 replies; 4+ messages in thread
From: Ali Alnubani @ 2021-09-23  9:15 UTC (permalink / raw)
  To: announce, users, web

Hi all,

Due to the changes that Mailman (our mailing list software) does to posts before distributing them, DKIM and DMARC verification will fail for emails originating from the domains that support them. This causes some posts to go into spam/quarantine and sometimes completely discarded depending on the domain's policy.

DKIM (DomainKeys Identified Mail) is a form of email authentication that uses public key cryptography to digitally sign outgoing emails. Senders add this signature to the headers of the email message for the receiving mail servers to validate against. The sender specifies which of the original headers is covered by this signature.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) basically allows domains to publish policies that tell receiving mail servers how to handle DKIM verification failures. Strict policies can be set to either reject (message not delivered to user's mailbox), or quarantine (spam/junk) the messages failing them.

I would like to propose making some mailing list configuration changes to mitigate and reduce signature breakage:
- Disable prepending subject prefixes (e.g., [dpdk-dev]).
  Making this change will probably break the rules and filters list members have for their mailboxes if they filter by the subject prefix.
  Members can filter by Mailman's List-Id header instead, or by the To/Cc headers.
- Disable rewriting the "Sender" header.
  Mailman replaces this header by default with the list's bounce address to direct bounces from some broken MTAs to the right destination.
- Disable conversion of text/html to plain text.
  Mailman currently strips MIME attachments and does text/html to plain text conversion.

We experimented for a while with these changes in a test list we created (https://mails.dpdk.org/listinfo/test-dmarc), and we found that they helped in mitigating signature breakage.
We tested with signed emails from the domains: nvidia.com, broadcom.com, and gmail.com. We verified that posts on the test list showed passing DKIM/DMARC results in their 'Authentication-Results' header.

We plan on making these changes to users@dpdk.org and web@dpdk.org first, and then to the rest of the lists once we make sure there are no unexpected issues.

Any feedback will be appreciated.

Thanks,
Ali

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dpdk-dev] [dpdk-web] DMARC mitigation in dpdk.org's mailing list
       [not found] ` <SJ0PR11MB567875CF109284B0A46C9381DFA39@SJ0PR11MB5678.namprd11.prod.outlook.com>
@ 2021-09-24 10:32   ` Thomas Monjalon
  2021-09-24 13:06     ` Ali Alnubani
  0 siblings, 1 reply; 4+ messages in thread
From: Thomas Monjalon @ 2021-09-24 10:32 UTC (permalink / raw)
  To: St Leger, Jim; +Cc: Ali Alnubani, techboard, dev

Would be interesting to list pros/cons of groups.io.
First problems I can see:
	- it means re-registering for everyone
	- groups.io is not under our control
	- not sure we can have some key features of inbox.dpdk.org:
		* thread view
		* download

Ali installed https://inbox.dpdk.org to complement
mailman and patchwork, this is very convenient in many use cases.
Please share the benefits of groups.io.


23/09/2021 19:26, St Leger, Jim:
> Ali:
> 
> I have no expertise here. But have we explored moving from Mailman to groups.io?
> 
> I can't speak to the pros/cons of the two. I can only say that for many other projects I'm involved in they use groups.io. (I can log in there and see all of the projects/groups that I subscribe to.)
> 
> Also, have you had this conversation with the Tech Board? It looks like the dev@dpdk.org mailing list will be last. Is that also correct?
> 
> Thanks,
> Jim
> 
> 
> -----Original Message-----
> From: announce <announce-bounces@dpdk.org> On Behalf Of Ali Alnubani
> Sent: Thursday, September 23, 2021 2:15 AM
> To: announce@dpdk.org; users@dpdk.org; web@dpdk.org
> Subject: [dpdk-announce] DMARC mitigation in dpdk.org's mailing list
> 
> Hi all,
> 
> Due to the changes that Mailman (our mailing list software) does to posts before distributing them, DKIM and DMARC verification will fail for emails originating from the domains that support them. This causes some posts to go into spam/quarantine and sometimes completely discarded depending on the domain's policy.
> 
> DKIM (DomainKeys Identified Mail) is a form of email authentication that uses public key cryptography to digitally sign outgoing emails. Senders add this signature to the headers of the email message for the receiving mail servers to validate against. The sender specifies which of the original headers is covered by this signature.
> DMARC (Domain-based Message Authentication, Reporting, and Conformance) basically allows domains to publish policies that tell receiving mail servers how to handle DKIM verification failures. Strict policies can be set to either reject (message not delivered to user's mailbox), or quarantine (spam/junk) the messages failing them.
> 
> I would like to propose making some mailing list configuration changes to mitigate and reduce signature breakage:
> - Disable prepending subject prefixes (e.g., [dpdk-dev]).
>   Making this change will probably break the rules and filters list members have for their mailboxes if they filter by the subject prefix.
>   Members can filter by Mailman's List-Id header instead, or by the To/Cc headers.
> - Disable rewriting the "Sender" header.
>   Mailman replaces this header by default with the list's bounce address to direct bounces from some broken MTAs to the right destination.
> - Disable conversion of text/html to plain text.
>   Mailman currently strips MIME attachments and does text/html to plain text conversion.
> 
> We experimented for a while with these changes in a test list we created (https://mails.dpdk.org/listinfo/test-dmarc), and we found that they helped in mitigating signature breakage.
> We tested with signed emails from the domains: nvidia.com, broadcom.com, and gmail.com. We verified that posts on the test list showed passing DKIM/DMARC results in their 'Authentication-Results' header.
> 
> We plan on making these changes to users@dpdk.org and web@dpdk.org first, and then to the rest of the lists once we make sure there are no unexpected issues.
> 
> Any feedback will be appreciated.
> 
> Thanks,
> Ali
> 






^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dpdk-dev] [dpdk-web] DMARC mitigation in dpdk.org's mailing list
  2021-09-24 10:32   ` [dpdk-dev] [dpdk-web] " Thomas Monjalon
@ 2021-09-24 13:06     ` Ali Alnubani
  0 siblings, 0 replies; 4+ messages in thread
From: Ali Alnubani @ 2021-09-24 13:06 UTC (permalink / raw)
  To: NBU-Contact-Thomas Monjalon, St Leger, Jim; +Cc: techboard, dev

Hi Jim,

Yes I got the techboard's approval during the last meeting.

Another alternative we can look into is upgrading to Mailman 3, since it's now the actively developed version.
It has a more modern UI, and along with other features, it has support for ARC (Authenticated Received Chain) signing, which can help mitigate the DMARC issue by preserving email authentication results across subsequent hops that modify messages, which provides a valid "chain of custody" for email messages. Domains that support ARC will consider the ARC signed emails as authenticated regardless of the DKIM/DMARC failures.

> -----Original Message-----
> From: Thomas Monjalon <thomas@monjalon.net>
> Sent: Friday, September 24, 2021 1:33 PM
> To: St Leger, Jim <jim.st.leger@intel.com>
> Cc: Ali Alnubani <alialnu@nvidia.com>; techboard@dpdk.org; dev@dpdk.org
> Subject: Re: [dpdk-web] DMARC mitigation in dpdk.org's mailing list
> 
> Would be interesting to list pros/cons of groups.io.
> First problems I can see:
> 	- it means re-registering for everyone
> 	- groups.io is not under our control
> 	- not sure we can have some key features of inbox.dpdk.org:
> 		* thread view
> 		* download
> 
> Ali installed https://inbox.dpdk.org to complement mailman and patchwork,
> this is very convenient in many use cases.
> Please share the benefits of groups.io.
> 
> 
> 23/09/2021 19:26, St Leger, Jim:
> > Ali:
> >
> > I have no expertise here. But have we explored moving from Mailman to
> groups.io?
> >
> > I can't speak to the pros/cons of the two. I can only say that for
> > many other projects I'm involved in they use groups.io. (I can log in
> > there and see all of the projects/groups that I subscribe to.)
> >
> > Also, have you had this conversation with the Tech Board? It looks like the
> dev@dpdk.org mailing list will be last. Is that also correct?
> >
> > Thanks,
> > Jim
> >
> >
> > -----Original Message-----
> > From: announce <announce-bounces@dpdk.org> On Behalf Of Ali
> Alnubani
> > Sent: Thursday, September 23, 2021 2:15 AM
> > To: announce@dpdk.org; users@dpdk.org; web@dpdk.org
> > Subject: [dpdk-announce] DMARC mitigation in dpdk.org's mailing list
> >
> > Hi all,
> >
> > Due to the changes that Mailman (our mailing list software) does to posts
> before distributing them, DKIM and DMARC verification will fail for emails
> originating from the domains that support them. This causes some posts to
> go into spam/quarantine and sometimes completely discarded depending on
> the domain's policy.
> >
> > DKIM (DomainKeys Identified Mail) is a form of email authentication that
> uses public key cryptography to digitally sign outgoing emails. Senders add
> this signature to the headers of the email message for the receiving mail
> servers to validate against. The sender specifies which of the original headers
> is covered by this signature.
> > DMARC (Domain-based Message Authentication, Reporting, and
> Conformance) basically allows domains to publish policies that tell receiving
> mail servers how to handle DKIM verification failures. Strict policies can be
> set to either reject (message not delivered to user's mailbox), or quarantine
> (spam/junk) the messages failing them.
> >
> > I would like to propose making some mailing list configuration changes to
> mitigate and reduce signature breakage:
> > - Disable prepending subject prefixes (e.g., [dpdk-dev]).
> >   Making this change will probably break the rules and filters list members
> have for their mailboxes if they filter by the subject prefix.
> >   Members can filter by Mailman's List-Id header instead, or by the To/Cc
> headers.
> > - Disable rewriting the "Sender" header.
> >   Mailman replaces this header by default with the list's bounce address to
> direct bounces from some broken MTAs to the right destination.
> > - Disable conversion of text/html to plain text.
> >   Mailman currently strips MIME attachments and does text/html to plain
> text conversion.
> >
> > We experimented for a while with these changes in a test list we created
> (https://mails.dpdk.org/listinfo/test-dmarc), and we found that they helped
> in mitigating signature breakage.
> > We tested with signed emails from the domains: nvidia.com,
> broadcom.com, and gmail.com. We verified that posts on the test list
> showed passing DKIM/DMARC results in their 'Authentication-Results'
> header.
> >
> > We plan on making these changes to users@dpdk.org and web@dpdk.org
> first, and then to the rest of the lists once we make sure there are no
> unexpected issues.
> >
> > Any feedback will be appreciated.
> >
> > Thanks,
> > Ali
> >
> 
> 
> 
> 


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dpdk-dev] [dpdk-announce] DMARC mitigation in dpdk.org's mailing list
  2021-09-23  9:15 [dpdk-dev] [dpdk-announce] DMARC mitigation in dpdk.org's mailing list Ali Alnubani
       [not found] ` <SJ0PR11MB567875CF109284B0A46C9381DFA39@SJ0PR11MB5678.namprd11.prod.outlook.com>
@ 2021-11-08 14:05 ` Ali Alnubani
  1 sibling, 0 replies; 4+ messages in thread
From: Ali Alnubani @ 2021-11-08 14:05 UTC (permalink / raw)
  To: announce, stable, dts, ci, govboard, maintainers, marketing,
	security, moving
  Cc: techboard

Hi all,

> -----Original Message-----
> From: Ali Alnubani
> Sent: Thursday, September 23, 2021 12:15 PM
> To: announce@dpdk.org; users@dpdk.org; web@dpdk.org
> Subject: DMARC mitigation in dpdk.org's mailing list
> 
> Hi all,
> 
> Due to the changes that Mailman (our mailing list software) does to posts
> before distributing them, DKIM and DMARC verification will fail for emails
> originating from the domains that support them. This causes some posts to
> go into spam/quarantine and sometimes completely discarded depending on
> the domain's policy.
> 
> DKIM (DomainKeys Identified Mail) is a form of email authentication that
> uses public key cryptography to digitally sign outgoing emails. Senders add
> this signature to the headers of the email message for the receiving mail
> servers to validate against. The sender specifies which of the original headers
> is covered by this signature.
> DMARC (Domain-based Message Authentication, Reporting, and
> Conformance) basically allows domains to publish policies that tell receiving
> mail servers how to handle DKIM verification failures. Strict policies can be
> set to either reject (message not delivered to user's mailbox), or quarantine
> (spam/junk) the messages failing them.
> 
> I would like to propose making some mailing list configuration changes to
> mitigate and reduce signature breakage:
> - Disable prepending subject prefixes (e.g., [dpdk-dev]).
>   Making this change will probably break the rules and filters list members
> have for their mailboxes if they filter by the subject prefix.
>   Members can filter by Mailman's List-Id header instead, or by the To/Cc
> headers.
> - Disable rewriting the "Sender" header.
>   Mailman replaces this header by default with the list's bounce address to
> direct bounces from some broken MTAs to the right destination.
> - Disable conversion of text/html to plain text.
>   Mailman currently strips MIME attachments and does text/html to plain text
> conversion.
> 
> We experimented for a while with these changes in a test list we created
> (https://mails.dpdk.org/listinfo/test-dmarc), and we found that they helped
> in mitigating signature breakage.
> We tested with signed emails from the domains: nvidia.com, broadcom.com,
> and gmail.com. We verified that posts on the test list showed passing
> DKIM/DMARC results in their 'Authentication-Results' header.
> 
> We plan on making these changes to users@dpdk.org and web@dpdk.org
> first, and then to the rest of the lists once we make sure there are no
> unexpected issues.
> 

I'm seeing less DKIM and DMARC breakage from users@dpdk.org and web@dpdk.org after making the changes mentioned above.
I had a discussion with the technical board, and they approved making the changes to the rest of the lists. We'll apply the change in 2 days.

Feedback is still appreciated.

Thanks,
Ali

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-11-09  8:46 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-23  9:15 [dpdk-dev] [dpdk-announce] DMARC mitigation in dpdk.org's mailing list Ali Alnubani
     [not found] ` <SJ0PR11MB567875CF109284B0A46C9381DFA39@SJ0PR11MB5678.namprd11.prod.outlook.com>
2021-09-24 10:32   ` [dpdk-dev] [dpdk-web] " Thomas Monjalon
2021-09-24 13:06     ` Ali Alnubani
2021-11-08 14:05 ` [dpdk-dev] [dpdk-announce] " Ali Alnubani

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).