[Bug 1539390] [NEW] Alternative DMARC mitigation: Keep Headers

Jakob Bohm jb-debbugs at wisemo.net
Thu Jan 28 23:27:31 EST 2016


Public bug reported:

This is just a suggestion:

The current Mailman code offers two alternative DMARC mitigation values:
"Munge From" and "Wrap Message".

I would suggest a 3rd and even simpler mitigation:

"Keep Headers"

This setting would have the following effects within Mailman:

* Preserve the Subject header intact, as well as all other headers
listed in the DKIM-Signature header of the actual post.

* Do not remove the DKIM-Signature header, even if the Mailman option to
do so is set.

* Do not add a DKIM-Signature for the mailing list, even if otherwise
configured to do so.

* If there is no DKIM-Signature in the post, none of the above applies.

* When gatewaying from NNTP to SMTP and there is no DKIM-Signature
header in the post, use the "Munge From" procedure because most NNTP
servers and newsreaders do not add the required DKIM signatures anyway.

The expected effect on message delivery would be:

+ The posting passes DKIM validation for the signature placed there by
the poster's domain

+ DMARC-checking recipients will therefore (according to the DMARC spec)
accept the message as validly sent by the original poster and let it
pass.

+ Because the number of DKIM-Signature headers is not increased from 1
to 2, there is no issue with the common case where buggy DMARC checkers
use only the first or last DKIM-Signature header, even though the RFC
says to check all DKIM signatures that match the From header domain and
accept if at least one is good.

+ Spoofed posts via SMTP with an invalid DKIM-Signature header will be
correctly rejected as spoofs by anyone checking the DKIM signatures
according to DMARC or ADSP.

+ Spoofed posts via SMTP with no DKIM-Signature header will be correctly
rejected as spoofs by anyone checking the DKIM signatures according to
DMARC or ADSP.

Note: Older Mailman versions happen to already do this for replies (but
not original posts) by accident because they lack the code to rearrange
the "Re: " in the Subject header.

** Affects: mailman
     Importance: Undecided
         Status: New


** Tags: dmarc

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1539390
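
The per-message decision proposed in the report above, sketched as an added example; it is not part of the original message and not Mailman code. The function names `signed_headers` and `plan`, the mode strings, and the sample post are assumptions made for illustration, and the sketch looks only at headers (the body hash in `bh=` is not considered).

```python
import re
from email import message_from_string

def signed_headers(msg):
    """Header names (lower-cased) covered by the h= tag of any DKIM-Signature."""
    names = set()
    for sig in msg.get_all("DKIM-Signature", []):
        # Tag values may be folded across lines; whitespace is not significant in h=.
        for tag in re.sub(r"\s+", "", sig).split(";"):
            key, _, value = tag.partition("=")
            if key == "h":
                names.update(h.lower() for h in value.split(":") if h)
    return names

def plan(msg, from_nntp=False):
    """Pick the handling the report describes: (mode, headers_to_leave_alone)."""
    if msg.get_all("DKIM-Signature"):
        # Signed post: keep Subject and every signed header, keep the
        # signature itself, and add no list signature.
        keep = signed_headers(msg) | {"subject", "dkim-signature"}
        return "keep_headers", sorted(keep)
    if from_nntp:
        return "munge_from", []      # unsigned news article gated to SMTP
    return "normal_processing", []   # unsigned post: the setting does not apply

# Constructed sample post; domain, selector and signature data are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;
 h=From:To:Subject:
 Date; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: poster@example.org
To: list@example.net
Subject: Re: test
Date: Thu, 28 Jan 2016 23:27:31 -0500

body
"""

if __name__ == "__main__":
    print(plan(message_from_string(SAMPLE)))
    unsigned = message_from_string("From: a@example.org\nSubject: hi\n\nbody\n")
    print(plan(unsigned, from_nntp=True), plan(unsigned))
```
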
