* [dpdk-web] DMARC mitigation in dpdk.org's mailing list
@ 2021-09-23 9:15 Ali Alnubani
2021-09-23 16:42 ` [dpdk-web] [dpdk-users] " Dmitry Kozlyuk
2021-09-23 17:26 ` [dpdk-web] " St Leger, Jim
0 siblings, 2 replies; 6+ messages in thread
From: Ali Alnubani @ 2021-09-23 9:15 UTC (permalink / raw)
To: announce, users, web
Hi all,
Due to the changes that Mailman (our mailing list software) does to posts before distributing them, DKIM and DMARC verification will fail for emails originating from the domains that support them. This causes some posts to go into spam/quarantine and sometimes completely discarded depending on the domain's policy.
DKIM (DomainKeys Identified Mail) is a form of email authentication that uses public key cryptography to digitally sign outgoing emails. Senders add this signature to the headers of the email message for the receiving mail servers to validate against. The sender specifies which of the original headers is covered by this signature.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) basically allows domains to publish policies that tell receiving mail servers how to handle DKIM verification failures. Strict policies can be set to either reject (message not delivered to user's mailbox), or quarantine (spam/junk) the messages failing them.
I would like to propose making some mailing list configuration changes to mitigate and reduce signature breakage:
- Disable prepending subject prefixes (e.g., [dpdk-dev]).
Making this change will probably break the rules and filters list members have for their mailboxes if they filter by the subject prefix.
Members can filter by Mailman's List-Id header instead, or by the To/Cc headers.
- Disable rewriting the "Sender" header.
Mailman replaces this header by default with the list's bounce address to direct bounces from some broken MTAs to the right destination.
- Disable conversion of text/html to plain text.
Mailman currently strips MIME attachments and does text/html to plain text conversion.
We experimented for a while with these changes in a test list we created (https://mails.dpdk.org/listinfo/test-dmarc), and we found that they helped in mitigating signature breakage.
We tested with signed emails from the domains: nvidia.com, broadcom.com, and gmail.com. We verified that posts on the test list showed passing DKIM/DMARC results in their 'Authentication-Results' header.
We plan on making these changes to users@dpdk.org and web@dpdk.org first, and then to the rest of the lists once we make sure there are no unexpected issues.
Any feedback will be appreciated.
Thanks,
Ali
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dpdk-web] [dpdk-users] DMARC mitigation in dpdk.org's mailing list
2021-09-23 9:15 [dpdk-web] DMARC mitigation in dpdk.org's mailing list Ali Alnubani
@ 2021-09-23 16:42 ` Dmitry Kozlyuk
2021-09-23 16:53 ` Stephen Hemminger
2021-09-23 17:26 ` [dpdk-web] " St Leger, Jim
1 sibling, 1 reply; 6+ messages in thread
From: Dmitry Kozlyuk @ 2021-09-23 16:42 UTC (permalink / raw)
To: Ali Alnubani; +Cc: announce, users, web
2021-09-23 09:15 (UTC+0000), Ali Alnubani:
> [...]
> - Disable conversion of text/html to plain text.
> Mailman currently strips MIME attachments and does text/html to plain text conversion.
Why not just reject HTML messages?
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dpdk-web] [dpdk-users] DMARC mitigation in dpdk.org's mailing list
2021-09-23 16:42 ` [dpdk-web] [dpdk-users] " Dmitry Kozlyuk
@ 2021-09-23 16:53 ` Stephen Hemminger
2021-09-23 17:13 ` Dmitry Kozlyuk
0 siblings, 1 reply; 6+ messages in thread
From: Stephen Hemminger @ 2021-09-23 16:53 UTC (permalink / raw)
To: Dmitry Kozlyuk; +Cc: Ali Alnubani, announce, users, web
On Thu, 23 Sep 2021 19:42:24 +0300
Dmitry Kozlyuk <dmitry.kozliuk@gmail.com> wrote:
> 2021-09-23 09:15 (UTC+0000), Ali Alnubani:
> > [...]
> > - Disable conversion of text/html to plain text.
> > Mailman currently strips MIME attachments and does text/html to plain text conversion.
>
> Why not just reject HTML messages?
Because too much of the world uses Outlook.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dpdk-web] [dpdk-users] DMARC mitigation in dpdk.org's mailing list
2021-09-23 16:53 ` Stephen Hemminger
@ 2021-09-23 17:13 ` Dmitry Kozlyuk
2021-09-24 14:01 ` Ali Alnubani
0 siblings, 1 reply; 6+ messages in thread
From: Dmitry Kozlyuk @ 2021-09-23 17:13 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: Ali Alnubani, announce, users, web
2021-09-23 09:53 (UTC-0700), Stephen Hemminger:
> On Thu, 23 Sep 2021 19:42:24 +0300
> Dmitry Kozlyuk <dmitry.kozliuk@gmail.com> wrote:
>
> > 2021-09-23 09:15 (UTC+0000), Ali Alnubani:
> > > [...]
> > > - Disable conversion of text/html to plain text.
> > > Mailman currently strips MIME attachments and does text/html to plain text conversion.
> >
> > Why not just reject HTML messages?
>
> Because too much of the world uses Outlook.
That's the reason for my concern. Outlook's handling of quotes in HTML mode
is unbelievably poor. Prolonged discussion, started by a message with several
points, inevitably becomes a mix of colored text inside(!) the quote; or
top-posting at best. More often than not it ends with an offline discussion by
voice or whatever. Which defeats the purpose of a public mailing list: to
preserve discussions. Outlook can send plain text, so its users are not
limited by forbidding HTML. Hopefully, dev@ will remain as-is anyway, because
threads are usually started by a plain text patch, and Outlook inherits this
property for replies.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dpdk-web] DMARC mitigation in dpdk.org's mailing list
2021-09-23 9:15 [dpdk-web] DMARC mitigation in dpdk.org's mailing list Ali Alnubani
2021-09-23 16:42 ` [dpdk-web] [dpdk-users] " Dmitry Kozlyuk
@ 2021-09-23 17:26 ` St Leger, Jim
1 sibling, 0 replies; 6+ messages in thread
From: St Leger, Jim @ 2021-09-23 17:26 UTC (permalink / raw)
To: Ali Alnubani; +Cc: announce, users, web
Ali:
I have no expertise here. But have we explored moving from Mailman to groups.io?
I can't speak to the pros/cons of the two. I can only say that for many other projects I'm involved in they use groups.io. (I can log in there and see all of the projects/groups that I subscribe to.)
Also, have you had this conversation with the Tech Board? It looks like the dev@dpdk.org mailing list will be last. Is that also correct?
Thanks,
Jim
-----Original Message-----
From: announce <announce-bounces@dpdk.org> On Behalf Of Ali Alnubani
Sent: Thursday, September 23, 2021 2:15 AM
To: announce@dpdk.org; users@dpdk.org; web@dpdk.org
Subject: [dpdk-announce] DMARC mitigation in dpdk.org's mailing list
Hi all,
Due to the changes that Mailman (our mailing list software) does to posts before distributing them, DKIM and DMARC verification will fail for emails originating from the domains that support them. This causes some posts to go into spam/quarantine and sometimes completely discarded depending on the domain's policy.
DKIM (DomainKeys Identified Mail) is a form of email authentication that uses public key cryptography to digitally sign outgoing emails. Senders add this signature to the headers of the email message for the receiving mail servers to validate against. The sender specifies which of the original headers is covered by this signature.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) basically allows domains to publish policies that tell receiving mail servers how to handle DKIM verification failures. Strict policies can be set to either reject (message not delivered to user's mailbox), or quarantine (spam/junk) the messages failing them.
I would like to propose making some mailing list configuration changes to mitigate and reduce signature breakage:
- Disable prepending subject prefixes (e.g., [dpdk-dev]).
Making this change will probably break the rules and filters list members have for their mailboxes if they filter by the subject prefix.
Members can filter by Mailman's List-Id header instead, or by the To/Cc headers.
- Disable rewriting the "Sender" header.
Mailman replaces this header by default with the list's bounce address to direct bounces from some broken MTAs to the right destination.
- Disable conversion of text/html to plain text.
Mailman currently strips MIME attachments and does text/html to plain text conversion.
We experimented for a while with these changes in a test list we created (https://mails.dpdk.org/listinfo/test-dmarc), and we found that they helped in mitigating signature breakage.
We tested with signed emails from the domains: nvidia.com, broadcom.com, and gmail.com. We verified that posts on the test list showed passing DKIM/DMARC results in their 'Authentication-Results' header.
We plan on making these changes to users@dpdk.org and web@dpdk.org first, and then to the rest of the lists once we make sure there are no unexpected issues.
Any feedback will be appreciated.
Thanks,
Ali
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [dpdk-web] [dpdk-users] DMARC mitigation in dpdk.org's mailing list
2021-09-23 17:13 ` Dmitry Kozlyuk
@ 2021-09-24 14:01 ` Ali Alnubani
0 siblings, 0 replies; 6+ messages in thread
From: Ali Alnubani @ 2021-09-24 14:01 UTC (permalink / raw)
To: Dmitry Kozlyuk, Stephen Hemminger; +Cc: announce, users, web
> -----Original Message-----
> From: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
> Sent: Thursday, September 23, 2021 8:13 PM
> To: Stephen Hemminger <stephen@networkplumber.org>
> Cc: Ali Alnubani <alialnu@nvidia.com>; announce@dpdk.org;
> users@dpdk.org; web@dpdk.org
> Subject: Re: [dpdk-web] [dpdk-users] DMARC mitigation in dpdk.org's
> mailing list
>
> 2021-09-23 09:53 (UTC-0700), Stephen Hemminger:
> > On Thu, 23 Sep 2021 19:42:24 +0300
> > Dmitry Kozlyuk <dmitry.kozliuk@gmail.com> wrote:
> >
> > > 2021-09-23 09:15 (UTC+0000), Ali Alnubani:
> > > > [...]
> > > > - Disable conversion of text/html to plain text.
> > > > Mailman currently strips MIME attachments and does text/html to
> plain text conversion.
> > >
> > > Why not just reject HTML messages?
> >
> > Because too much of the world uses Outlook.
>
> That's the reason for my concern. Outlook's handling of quotes in HTML
> mode is unbelievably poor. Prolonged discussion, started by a message with
> several points, inevitably becomes a mix of colored text inside(!) the quote;
> or top-posting at best. More often than not it ends with an offline discussion
> by voice or whatever. Which defeats the purpose of a public mailing list: to
> preserve discussions. Outlook can send plain text, so its users are not limited
> by forbidding HTML. Hopefully, dev@ will remain as-is anyway, because
> threads are usually started by a plain text patch, and Outlook inherits this
> property for replies.
DMARC authentication will still fail for plain text messages if we don't change anything for dev,
because the mailing list will still alter the Subject and the Sender headers causing signature breakage.
Let's see how disabling the conversion from html to plain text goes, and we'll continue discussing
completely rejecting html messages with the techboard.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-09-24 14:01 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-23 9:15 [dpdk-web] DMARC mitigation in dpdk.org's mailing list Ali Alnubani
2021-09-23 16:42 ` [dpdk-web] [dpdk-users] " Dmitry Kozlyuk
2021-09-23 16:53 ` Stephen Hemminger
2021-09-23 17:13 ` Dmitry Kozlyuk
2021-09-24 14:01 ` Ali Alnubani
2021-09-23 17:26 ` [dpdk-web] " St Leger, Jim
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).