openssh-unix-dev DMARC-related settings (was Re: scattered thoughts on connection sharing)
Damien Miller
djm at mindrot.org
Mon Jul 22 15:03:08 AEST 2024
On Sat, 20 Jul 2024, James Ralston wrote:
> On Thu, Jul 18, 2024 at 5:14 AM Stuart Henderson <stu at spacehopper.org> wrote:
> > The mail admins can choose what is covered by the DKIM signature.
> > In the case of barclays.com there are various headers (which I think
> > make it through the mailing list untouched) but also the body, which
> > does not; a footer with the list URL is added.
>
> The real issue here is that the Mailman configuration for the
> openssh-unix-dev list does not appear to set `dmarc_moderation_action`
> (in `Privacy options` - `Sender filters`) to either `Munge From` or
> `Wrap Message`, which is necessary for lists where either of the
> following is true:
>
> 1. The list accepts posts from senders whose domain applies DMARC
> policy (`p=reject` or `p=quarantine`) but only implements SPF, not
> DKIM. (Resending a message through a mailing list will always
> invalidate SPF unless SRS (1) is used, and almost no one bothers
> with SRS.)
>
> 2. The list accepts posts from senders whose domain applies DMARC
> policy (`p=reject` or `p=quarantine`), and the list is configured
> to modify messages sent to the list (add a Subject: header tag, add
> a footer, et al.). (Modifying messages will invalidate the DKIM
> signature.)
>
> When affected senders (either group #1 or group #2) post to the list,
> all list subscribers whose MTAs apply/obey DMARC policy will take the
> action the sender’s domain’s DMARC policy declares (reject outright,
> or quarantine / flag as spam).
>
> Damien, is there any possibility of updating the Mailman
> `dmarc_moderation_action` setting (2)? DMARC isn’t going anywhere;
> the big mail providers are either already requiring it to some
> degree (3), or have said they will start requiring it soon.
Thanks, I've set this option and will trial it for a couple of weeks.
If nothing breaks then I'll make it permanent.
-d
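
The failure and the fix discussed in this thread can be reproduced offline. The sketch below is an example added to this archive page, not code from the thread, Mailman or OpenSSH: the domains, policies, footer and helper names are constructed placeholders, only the DKIM body hash (`bh=`) is modelled, and alignment is simplified to exact domain match.

```python
import base64, hashlib, re
from email.utils import formataddr, parseaddr

# Constructed sample data: domains, policies and footer text are placeholders.
POLICY = {"sender.example": "reject", "lists.example": "none"}
LIST = "example-list@lists.example"
FOOTER = b"_______________\r\nexample-list mailing list\r\n"

def body_hash(body: bytes) -> str:
    """bh= value: sha256 over the RFC 6376 'relaxed' canonical body."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are ignored by canonicalization
    canon = b"".join(l + b"\r\n" for l in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def sign(msg: dict, dkim: bool = True) -> dict:
    """Author's domain sends the message (header hash and RSA step omitted)."""
    dom = parseaddr(msg["From"])[1].split("@")[1]
    out = {**msg, "spf_domain": dom}  # envelope sender domain that SPF checks
    if dkim:
        out["dkim"] = {"d": dom, "bh": body_hash(msg["body"])}
    return out

def relay(msg: dict, munge_from: bool, list_addr: str = LIST) -> dict:
    """List resends: new envelope sender, footer appended, optional From munging."""
    out = {**msg, "body": msg["body"] + FOOTER, "spf_domain": list_addr.split("@")[1]}
    if munge_from:
        name, addr = parseaddr(msg["From"])
        out["Reply-To"] = msg["From"]  # keep the author reachable
        out["From"] = formataddr((f"{name or addr} via example-list", list_addr))
    return out

def dmarc(msg: dict) -> str:
    """Receiver: pass needs SPF or DKIM to pass AND align with the From domain."""
    from_dom = parseaddr(msg["From"])[1].split("@")[1]
    sig = msg.get("dkim")
    dkim_ok = bool(sig) and sig["d"] == from_dom and sig["bh"] == body_hash(msg["body"])
    spf_ok = msg["spf_domain"] == from_dom
    return "pass" if (dkim_ok or spf_ok) else POLICY.get(from_dom, "none")

original = sign({"From": "Alice <alice@sender.example>", "body": b"Hello list,\r\n\r\nsee patch.\r\n"})
if __name__ == "__main__":
    print("direct delivery:   ", dmarc(original))
    print("list, From intact: ", dmarc(relay(original, munge_from=False)))
    print("list, From munged: ", dmarc(relay(original, munge_from=True)))
```
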