[Mailman-Users] Authenticated Received Chain in Mailman?
Stephen J. Turnbull
turnbull.stephen.fw at u.tsukuba.ac.jp
Thu Jun 8 02:48:33 EDT 2017
[My apologies, I drafted this a couple days ago, but never finished
Brett Delmage writes:
> Will Mailman 2 or 3 be incorporating Authenticated Received Chain (ARC)
> http://arc-spec.org/ ?
We will be doing so in Mailman 3, probably by mid-July for the Gitlab
trunk, and planned for release in Mailman 3.2.
However, configuring ARC in Mailman is a not-great idea if you can
avoid it. Instead, use an ARC-enabled MTA on your boundary MX. There
is no need based on the protocol itself to do this in Mailman; we're
providing the feature only for experimentation and because it seems
likely many virtual hosting services will take a while to update their
MTAs. (Of course, they're even more likely to take a while to update
from Mailman 2.1 to Mailman 3.)
(1) Mailman cannot do ARC by itself. It requires help from the DNS
for the distribution of the public key needed to verify the
signatures. So you already need somebody with sensitive access to
sensitive hosts, you can't delegate to Mailman list/site admins.
(2) In many configurations, the private signing key will be the key
used for DKIM. You don't want anybody but root to have access to
(3) The ARC host should be a boundary host (i.e., the first host in your
administrative domain to receive the post on the way in, and the
last host to touch it on the way out). In many configurations,
the Mailman host will not be a boundary host. This is especially
likely in the current state of Mailman 3, as there are strong
reasons to put all of the services (Mailman itself, Postorius, and
HyperKitty) on the same host. On the other hand, because the
Mailman component communicates with the MTA by LMTP and submission
or SMTP, there's no need for Mailman to be on the MTA host. This
allows isolation of the MTA on a more secure host (recommended).
(4) Mailman cannot verify SPF because it does not have access to the
SMTP connection. Few important hosts are dependent on SPF (almost
everybody with SPF also has DKIM configured), but this is a
weakness of doing it in Mailman.
If you're running your own host and can configure your own DNS, you
can use the Mailman version, but I do have to recommend an MTA-based
implementation of ARC over ours.
In the next few days I'll follow up with Sendmail, Postfix, and Exim
to see what they're planning for ARC. (We don't officially support
Qmail, but if there are Qmail fans out there, feel free to check and
let me know!) I do know that the ARC developers are planning milters
(which would take care of Sendmail and Postfix).
Hope this helps,
Associate Professor, Division of Policy and Planning Science
Faculty of Systems and Information, University of Tsukuba
Tennodai 1-1-1, Tsukuba 305-8573 JAPAN
http://turnbull/sk.tsukuba.ac.jp/
Email: turnbull at sk.tsukuba.ac.jp
Tel: 029-853-5175
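As an added example (not from the list post or from Mailman's own code): a small Python check that groups the ARC header sets of a message by instance number, lists the domains that sealed it in order, and flags a broken cv= progression. This is the kind of inspection that shows whether a boundary MX is already sealing, in which case Mailman has nothing to add. The host names and the b=/bh= values in the sample are constructed placeholders; the check is structural only and does not verify any signature.

```python
import email

# Constructed sample, as a boundary MX (i=1) and a downstream list host (i=2)
# would seal it. Hosts and b=/bh= values are placeholders, not real signatures.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; t=1496904000; cv=pass; d=lists.example.org; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.org; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; lists.example.org; arc=pass; dkim=pass header.d=example.net
ARC-Seal: i=1; a=rsa-sha256; t=1496903000; cv=none; d=mx.example.org; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.example.org; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; mx.example.org; spf=pass smtp.mailfrom=example.net; dkim=pass header.d=example.net
From: alice@example.net
Subject: test

body
"""

def parse_tags(value):
    """Split a tag=value header into a dict; parts without '=' (e.g. the authserv-id) are dropped."""
    return dict(p.split("=", 1) for p in (x.strip() for x in value.split(";")) if "=" in p)

def arc_sets(msg):
    """Group the three ARC header fields of a message by instance number i=."""
    sets = {}
    for hdr, key in (("ARC-Seal", "seal"), ("ARC-Message-Signature", "ams"), ("ARC-Authentication-Results", "aar")):
        for value in msg.get_all(hdr, []):
            tags = parse_tags(value)
            sets.setdefault(int(tags["i"]), {})[key] = tags
    return sets

def check_chain(raw):
    """Structural ARC chain check: returns (ok, problems, sealing domains in order). Signatures are NOT verified."""
    sets = arc_sets(email.message_from_string(raw))
    problems, sealers = [], []
    # RFC 8617: instances run 1..n with no gaps, and never more than 50.
    if sorted(sets) != list(range(1, len(sets) + 1)) or len(sets) > 50:
        problems.append("bad instance numbering: %s" % sorted(sets))
    for i in sorted(sets):
        s = sets[i]
        missing = [k for k in ("seal", "ams", "aar") if k not in s]
        if missing:
            problems.append("set %d lacks %s" % (i, ",".join(missing)))
            continue
        # The first sealer has no prior chain (cv=none); each later sealer
        # must have validated the chain it received (cv=pass).
        expected = "none" if i == 1 else "pass"
        if s["seal"].get("cv") != expected:
            problems.append("set %d cv=%s, expected %s" % (i, s["seal"].get("cv"), expected))
        sealers.append(s["seal"].get("d"))
    return (not problems, problems, sealers)
```

Call `check_chain(SAMPLE)` on a message pulled from your own list archive to see which hosts in the delivery path are already sealing.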