From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Ian Kelling <iank@fsf.org>
Cc: stefanha@gmail.com,
	Christian Schoenebeck <qemu_oss@crudebyte.com>,
	Greg Kurz <groug@kaod.org>,
	qemu-devel@nongnu.org, antonios.motakis@huawei.com,
	dgilbert@redhat.com
Subject: Re: [Qemu-devel] DMARC/DKIM and qemu-devel list settings
Date: Wed, 4 Sep 2019 09:13:54 +0100
Message-ID: <20190904081354.GA19582@redhat.com>
In-Reply-To: <87r24xqjoz.fsf@fsf.org>

On Tue, Sep 03, 2019 at 03:11:08PM -0400, Ian Kelling wrote:
> At FSF, we've been working on this issue recently. I was planning to
> send a general message to qemu-devel, but someone brought it up in a
> thread below, so I'm doing it now.
> 
> Currently, a message sent to qemu-devel from a domain that publishes a
> strict DMARC policy gets what mailman calls "Munge From". For example,
> for a message sent to the list:
> 
> From: Anne Example Person <exampleperson@examplepersonsdomain>
> 
> Is modified by Mailman and sent to subscribers as:
> 
> From: Anne Example Person via Qemu-devel <qemu-devel@nongnu.org>
> Reply-To: Anne Example Person <exampleperson@examplepersonsdomain>
> 
> We've recently made possible an alternative solution that does not need
> munging and I call the unmodified message fix. Currently, mailman adds
> "[Qemu-devel] " to the subject of messages. Modifying the message breaks
> DKIM message signature and thus DMARC. In short: turn that off, and we
> can stop from munging. Many lists are already this way, including most
> popular @gnu and @nongnu lists, and this week we are doing a mass
> conversion of lists which never touched DMARC related list settings (not
> qemu-devel). Instead of using the subject prefix to identify a list,
> subscribers can use the List-Id, To, and Cc headers.  List information
> can also be put in the welcome email to subscribers and the list
> information page by list administrators.
> 
> Without going into all of the details, here's a few points about why we
> concluded the unmodified message fix is better for discussion
> lists. Email clients don't all treat munged messages the same way as
> unmunged, and humans read these headers so it can confuse people,
> causing messages not to be sent to the expected recipients. GNU Mailman
> has an option to do "Munge From" always, but does not recommend using
> it[1]. While we're not bound by what others do, it's worth noting that
> other very large free software communities like Debian GNU/Linux have
> adopted the unmodified message fix[2]. The unmodified messages fix
> avoids breaking DKIM cryptographic signatures, which show the message
> was authorized by the signing domain, which seems generally better for
> security. Additionally, patchew has problems, as seen in the below
> thread, subject was "[PATCH v6 0/4] 9p: Fix file ID collisions".
> 
> There is a small additional wrinkle. Very rarely, someone will send a
> message to the list with a bad DKIM signature and publish a strict DMARC
> policy, and in that case, we are forced to munge. I've searched all
> messages posted to nongnu and gnu lists and it's always by someone
> sending via their own mail server, or small enough to consider it that,
> so it's reasonable to ask them to fix their DKIM signatures or turn off
> their strict DMARC. I plan to set up an autoresponder to do that
> automatically. Another case is if someone sends an html only email,
> qemu-devel is configured to convert it to plaintext. That modifies the
> message, and if it's from a strict DMARC domain, the from munging is
> done. Again, you can tell them to stop sending html only email.

I think we should change mailman settings to *NOT* convert HTML to
plain text. It is pretty easy to set up mail clients to do this
conversion when viewing instead, which will avoid the DMARC problems.

e.g. with mutt you can add

  auto_view text/html
  alternative_order text/plain text/html

and in $HOME/.mailcap something like

  text/html; elinks -dump -localhost 1 -no-connect 1 -default-mime-type text/html %s; needsterminal; copiousoutput;



> 
> I don't know who has the Qemu-devel list admin password, but whoever has
> it can adopt the unmodified message fix by changing
> dmarc_moderation_action to Accept here:
> https://lists.nongnu.org/mailman/admin/qemu-devel/privacy/sender and
> remove subject_prefix here
> https://lists.nongnu.org/mailman/admin/qemu-devel/general
> 
> If the list admins went missing, email mailman@gnu.org and we can sort
> out new ones eventually.
> 
> A few additional notes for completeness. We announced some of this at
> https://lists.gnu.org/archive/html/savannah-hackers-public/2019-06/msg00018.html,
> which includes information about other kinds of lists. For the unusual
> cases of munging I described, we do from munging through exim because
> mailman is not smart enough to only munge in these edge cases, and I'll
> document that soon here[1].
> 
> [1]: https://wiki.list.org/DEV/DMARC
> [2]: https://lists.debian.org/debian-devel-announce/2015/08/msg00003.html

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
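
Why the subject prefix and the HTML-to-plaintext conversion discussed in this thread invalidate a DKIM signature while an added, unsigned header such as List-Id does not, shown as an added example that is not part of the original message. It is a simplified model of RFC 6376 relaxed canonicalization: it assumes the signature covers only From and Subject, leaves the DKIM-Signature header and the public-key step out and compares the SHA-256 digests instead, and the sample message, the `relay` helper and the List-Id value are constructed.

```python
import base64
import hashlib
import re

def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse whitespace runs."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return name.lower() + ":" + value + "\r\n"

def relaxed_body(body):
    """RFC 6376 3.4.4: trim line ends, collapse whitespace, drop trailing blank lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip() for ln in body.split("\r\n")]
    while lines and not lines[-1]:
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def dkim_inputs(headers, body, signed=("from", "subject")):
    """Return (bh, header digest), the two values the signature commits to."""
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()
    lookup = {k.lower(): v for k, v in headers}
    data = "".join(relaxed_header(h, lookup[h]) for h in signed)
    return bh, hashlib.sha256(data.encode()).hexdigest()

def broken_by(original, relayed):
    """List which DKIM check fails once the list server has relayed the message."""
    bh0, hd0 = dkim_inputs(*original)
    bh1, hd1 = dkim_inputs(*relayed)
    return [n for n, bad in (("headers", hd0 != hd1), ("body", bh0 != bh1)) if bad]

# Constructed sample message; the From placeholder is the one used in the thread.
HEADERS = [("From", "Anne Example Person <exampleperson@examplepersonsdomain>"),
           ("Subject", "[PATCH v6 0/4] 9p: Fix file ID collisions")]
BODY = "Hello list,\r\nplease review.\r\n"

def relay(prefix="", extra=(), body=BODY):
    """Hypothetical helper: the message as a list server would forward it."""
    hdrs = [(k, prefix + v if k == "Subject" else v) for k, v in HEADERS]
    return hdrs + list(extra), body

if __name__ == "__main__":
    orig = (HEADERS, BODY)
    print(broken_by(orig, relay(prefix="[Qemu-devel] ")))                  # subject_prefix
    print(broken_by(orig, relay(extra=[("List-Id", "<list.example>")])))   # unsigned header
    print(broken_by(orig, relay(body="Hello list, please review.\r\n")))   # rewritten body
    print(broken_by(orig, relay(body="Hello list,  \r\nplease   review.\r\n\r\n")))  # whitespace only
```

A real verifier additionally checks the signature over the header digest with the key published in DNS; the point here is only which list-side changes alter the signed inputs.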

