openssh-unix-dev DMARC-related settings (was Re: scattered thoughts on connection sharing)
Steffen Nurpmeso
steffen at sdaoden.eu
Sun Jul 21 12:20:45 AEST 2024
Ángel wrote in
<14341e304e23ff2bb276f727991228740c8bb470.camel at 16bits.net>:
|On 2024-07-20 at 16:30 -0400, James Ralston wrote:
|> The real issue here is that the Mailman configuration for the
|> openssh-unix-dev list does not appear to set
|> `dmarc_moderation_action`
|> (in `Privacy options` - `Sender filters`) to either `Munge From` or
|> `Wrap Message`, which is necessary for lists where ...
|
|"Necessary" if the client machines are going to penalize DMARC that way.
|
|If the clients recognised that the user is subscribed to that mailing
|list and thus wouldn't penalise it as a forged mail, we wouldn't need
|to change the mails to show a fake sender on From:
I will never understand how the IETF can map that "one hop
reputation" of, for example, DKIM (to quote myself: the
"Organizational Trust" of RFC 5863) to entire message chains
"over the corner", aka "many hops" (like ARC etc.).
But yes, if MUAs gave the user an option to wave through
a chain of emails where each hop verifies and signs DKIM, and
where DKIM would notify "I changed the message, it is useless to
try to verify older signatures", this would be fine.
But it will likely nonetheless require From: changes (and if only
for the others).
The IETF has a nice approach with tables where you get the real
name with <address at dmarc.ietf...> in From:. But that is
complicated to do.
(But *IF*, i.e., GMail would allow this, we could get rid of DMARC and
ARC altogether, at least. That would be a good thing imho.)
P.S.: that terrible-to-use port-knocker I posted had some bugs,
which I have fixed in 0.8.1; if you knock hard enough, it will do it
for you.
--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
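Added worked example, not part of this thread, of Mailman, or of the openssh-unix-dev list configuration: what the two `dmarc_moderation_action` choices James Ralston names (`Munge From` and `Wrap Message`) actually do to a posted message, modelled in pure Python on top of the standard `email` package. The list address, the DMARC records and the sample message are constructed for the example, and the `_dmarc` DNS lookup is replaced by a dict so it runs offline; the decision to act on `p=quarantine` as well as `p=reject` mirrors Mailman's default and is an assumption here.

```python
"""Model of Mailman's dmarc_moderation_action on a constructed message.

Added example; this is not Mailman's code. DNS is faked with FAKE_DNS.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Assumed list address and the display-name suffix used when munging From:.
LIST_ADDR = "openssh-unix-dev@mindrot.org"
LIST_NAME = "openssh-unix-dev"

# Constructed stand-in for the _dmarc.<domain> TXT records a list server
# would really look up in DNS.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; sp=quarantine",
    # example.net publishes no DMARC record at all
}


def make_sample(from_hdr="Alice Example <alice@example.com>"):
    """Constructed test post. A list adds a Subject tag and a footer, which is
    what invalidates the author's DKIM signature and makes DMARC fail at a
    receiver that enforces p=reject; the rewrites below are the workaround."""
    raw = (
        f"From: {from_hdr}\n"
        f"To: {LIST_ADDR}\n"
        "Subject: scattered thoughts on connection sharing\n"
        "Message-ID: <constructed-0001@example.com>\n"
        "\n"
        "Body of a constructed test message.\n"
    )
    return message_from_string(raw, policy=policy.default)


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tags (RFC 7489 s6.3)."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            tag, value = item.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def dmarc_policy(domain, dns=FAKE_DNS):
    """Policy ('none', 'quarantine', 'reject') the From: domain publishes, or None.

    Simplification: only the exact domain is queried; the organizational-domain
    fallback RFC 7489 requires for subdomains is not implemented here."""
    record = dns.get("_dmarc." + domain.lower())
    if record is None:
        return None
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags.get("p", "none").lower()


def needs_rewrite(pol):
    """Assumption mirroring Mailman's default: act on p=quarantine as well as p=reject."""
    return pol in ("quarantine", "reject")


def munge_from(msg, list_addr=LIST_ADDR, list_name=LIST_NAME):
    """'Munge From': list address in From:, original author moved to Reply-To:."""
    name, addr = parseaddr(msg["From"])
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    author = formataddr((name, addr))
    existing = msg.get("Reply-To")
    del msg["Reply-To"]
    msg["Reply-To"] = f"{existing}, {author}" if existing else author
    return msg


def wrap_message(msg, list_addr=LIST_ADDR, list_name=LIST_NAME):
    """'Wrap Message': a fresh list-originated outer message that carries the
    original untouched as a message/rfc822 attachment, so the author's DKIM
    signature still verifies on the inner message."""
    name, addr = parseaddr(msg["From"])
    outer = EmailMessage()
    outer["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    outer["To"] = str(msg["To"])
    outer["Subject"] = str(msg["Subject"])
    outer["Reply-To"] = formataddr((name, addr))
    outer.set_content(f"{name or addr} wrote to {list_name}; the original message is attached.\n")
    outer.add_attachment(msg)  # becomes a message/rfc822 part
    return outer


def list_action(msg, action="munge_from"):
    """Apply the configured action only when the sender's DMARC policy demands it."""
    _, addr = parseaddr(msg["From"])
    if not needs_rewrite(dmarc_policy(addr.rpartition("@")[2])):
        return msg
    if action == "munge_from":
        return munge_from(msg)
    if action == "wrap_message":
        return wrap_message(msg)
    raise ValueError(f"unknown dmarc_moderation_action {action!r}")


if __name__ == "__main__":
    for sender in ("Alice Example <alice@example.com>", "Bob <bob@example.org>"):
        out = list_action(make_sample(sender), "munge_from")
        print(f"{sender} -> From: {out['From']} | Reply-To: {out.get('Reply-To')}")
    print(wrap_message(make_sample()).as_string())
```

Running it shows the asymmetry the thread is arguing about: Alice (example.com, `p=reject`) leaves the list as `Alice Example via openssh-unix-dev <openssh-unix-dev@mindrot.org>` with her real address demoted to Reply-To, while Bob (example.org, `p=none`) passes through unchanged, so the From: rewriting is driven entirely by what the sender's domain publishes, not by what the receiving MUA knows about the subscription.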