
Fix Mailman mailing lists when someone with a recent and strict SPF+DKIM+DMARC configuration tries to send an e-mail and go to spam
Closed, ResolvedPublic

Description

Current situation

When somebody whose domain uses any recent and "modern" mail protection (SPF, DKIM, DMARC) writes to a Mailman list on wikimedia.it, their e-mail is usually marked as spam by the recipients' mail servers.

This is probably what is happening:

  1. alice.it has a modern mail configuration that only allows e-mails from the alice.it MX
  2. alice@alice.it sends an email (From: alice@alice.it) to a mailing list example@wikimedia.it
  3. wikimedia.it impersonates alice by sending an email with From: alice@alice.it to all list members
  4. SPF fails: wikimedia.it is NOT authorized to send mail as alice.it

Current:

(Origin: wikimedia.it)
From: alice@alice.it
CC: direttivo@wikimedia.it

Expected:

(Origin: wikimedia.it)
From: "Alice" <noreply@wikimedia.it>
Reply-To: alice@alice.it
CC: direttivo@wikimedia.it

Probably Mailman will do this:

(Origin: wikimedia.it)
From: direttivo@wikimedia.it
Reply-To: direttivo@wikimedia.it, alice@alice.it

Related mailman documentation

https://www.gnu.org/software/mailman/mailman-admin/general-personality.html

from_is_list

This applies to all non-digest messages sent by the list. For settings that apply only to messages whose From: domain publishes a DMARC p=reject or p=quarantine policy, see the dmarc_moderation_action description in section 2.7.

If set to Munge From, it replaces the From: header address with the list's posting address to mitigate issues stemming from the original From: domain's DMARC or similar policies and puts the original From: address in a Reply-To: header.

If set to Wrap Message it wraps the original message as a MIME subpart of an outer message with From: and Reply-To: headers as above.

https://www.gnu.org/software/mailman/mailman-admin/sender-filters.html#sender-filters

Problematic mailing lists

  • tech@wikimedia.it
  • direttivo@wikimedia.it
  • ...

Wrong mitigations

The domain alice.it should not be asked to weaken its configuration just because a receiving list server re-sends mail as alice.it.

The solution should simply avoid impersonating alice.it. So the fix belongs in the wikimedia.it mail server configuration, not in alice.it's.

Proposed solution

The wikimedia.it mailing list server should only send e-mails from its own domain.

Set the from_is_list setting from No to Munge From:

https://mailman.wikimedia.it/admin/tech/?VARHELP=general/from_is_list

Event Timeline

valerio.bozzolan updated the task description.
valerio.bozzolan renamed this task from Fix Mailman mailing lists when someone with a recent and strict SPF+DKIM+DMARC configuration tries to send an e-mail to Fix Mailman mailing lists when someone with a recent and strict SPF+DKIM+DMARC configuration tries to send an e-mail and go to spam.Nov 4 2022, 12:32 PM
valerio.bozzolan renamed this task from Fix Mailman mailing lists when someone with a recent and strict SPF+DKIM+DMARC configuration tries to send an e-mail and go to spam to Fix Mailman mailing lists when someone with a recent and strict SPF+DKIM+DMARC configuration tries to send an e-mail and goes to spam.Nov 4 2022, 3:12 PM
valerio.bozzolan renamed this task from Fix Mailman mailing lists when someone with a recent and strict SPF+DKIM+DMARC configuration tries to send an e-mail and goes to spam to Fix Mailman mailing lists when someone with a recent and strict SPF+DKIM+DMARC configuration tries to send an e-mail and go to spam.Nov 4 2022, 3:26 PM

To be honest I don't see any change from a From: perspective.

In both ways I see this:

From: Valerio Bozzolan via tech <tech@wikimedia.it>
Reply-To: Coordinamento tecnico Wikimedia Italia <tech@wikimedia.it>
Cc: Valerio Bozzolan <boz@reyboz.it>

On the other hand, thanks to Nemo_bis I noticed that the DKIM signature is broken in both ways, with this DKIM error message: message has been altered.

Authentication-Results: gamma.dgw.it (amavisd-new); dkim=fail (1024-bit
 key) reason="fail (message has been altered)" header.d=reyboz.it
 header.b=JTAvJYcU; dkim=fail (1024-bit key) reason="fail (message has been
 altered)" header.d=reyboz.it header.b=JTAvJYcU

I think the problem is that Mailman receives the DKIM-Signature: and delivers that DKIM-Signature: as-is. This cannot be accepted in a modern context, since the sender's signature can't stay the same.

The optimal solution would be:

  1. preserve the old DKIM signature in another (non?)standard header (X-original-DKIM-Signature: ?)
  2. delete the sender's DKIM-Signature: since it cannot be valid anymore if Mailman changes the original message
  3. just in case, introduce a new DKIM-Signature: header respecting the new message delivered from the mailing list

Having said that, the minimal solution that can be easily respected by Mailman would be just:

  • delete the sender's DKIM-Signature: since it cannot be valid anymore if Mailman changes the original message

Let's understand how to strip that header in Mailman.
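As an added example (not Mailman's own code), the following Python models what the proposed from_is_list = Munge From setting and the DKIM header removal discussed above do to a post from a strict SPF+DKIM+DMARC domain. The list address is taken from the task; the X-Original-DKIM-Signature: name and the sample post are constructed for the example.

```python
"""Model of Mailman's "Munge From" rewrite plus DKIM header cleanup
(added example, not Mailman's own code)."""
from email import message_from_string
from email.message import Message
from email.utils import formataddr, parseaddr

LIST_NAME, LIST_ADDR = "tech", "tech@wikimedia.it"  # list from the task
LIST_DOMAIN = LIST_ADDR.split("@")[1]
# Headers that no longer verify once the list alters the message.
STALE_AUTH_HEADERS = ("DKIM-Signature", "DomainKey-Signature", "Authentication-Results")

def from_domain_aligned(msg: Message) -> bool:
    """DMARC alignment: is the From: domain the one the list sends from?"""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower().endswith("@" + LIST_DOMAIN)

def munge_from(msg: Message) -> Message:
    """Rewrite msg in place as from_is_list = Munge From would."""
    if from_domain_aligned(msg):
        return msg  # already our domain: nothing to impersonate
    name, addr = parseaddr(msg["From"])
    # Author moves to Reply-To: (joined with any Reply-To: they set); the
    # list's posting address becomes From:, so SPF and DMARC align.
    reply_to = msg.get_all("Reply-To", []) + [formataddr((name, addr))]
    del msg["Reply-To"]
    msg["Reply-To"] = ", ".join(reply_to)
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {LIST_NAME}", LIST_ADDR))
    # Keep the author's signature under a constructed non-standard name for
    # troubleshooting, then drop the headers that would fail downstream.
    for sig in msg.get_all("DKIM-Signature", []):
        msg["X-Original-DKIM-Signature"] = sig
    for h in STALE_AUTH_HEADERS:
        del msg[h]
    return msg

def process_post(raw: str) -> Message:
    return munge_from(message_from_string(raw))

# Constructed sample post from a strict SPF+DKIM+DMARC domain; the
# signature fields are placeholders, not a real signature.
SAMPLE_POST = """\
From: Alice <alice@alice.it>
To: tech@wikimedia.it
Subject: test
DKIM-Signature: v=1; a=rsa-sha256; d=alice.it; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER

hello
"""
```

The list MTA is expected to add its own DKIM-Signature: for wikimedia.it after this rewrite, which is the step the final comment below reports as applied.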

valerio.bozzolan claimed this task.

This seems totally fixed. Now Mailman deletes the sender's DKIM signature and adds another DKIM signature. Thanks to gvf for applying these measures.