Page MenuHomePhabricator

Mitigate strict DMARC policy on the mailing lists
Closed, ResolvedPublic

Description

Try to become more DMARC-complient on the mailing lists to improve deliverability, particularly given Yahoo and AOL recently switched to a policy p=reject, preventing these users from sending emails to the mailing lists.

This bug is partly wontfix since this is linked to an upstream Mailman for a proper resolution, but could be partly mitigated by changing some configuration parameters, although there is no proper solution. I open this bug partly to isolate this mailing lists issue from other DMARC-related bugs (56414, 59731, 64795), and properly tracking the issue.

Two mitigations:

1/ http://www.spamresource.com/2014/04/run-email-discussion-list-heres-how-to.html is a way to mitigate the issue, although the main point is to change the From: header to a fixed address like wikitech-l@lists.wikimedia.org (quite disruptive for all users).

2/ http://www.ietf.org/mail-archive/web/ietf/current/msg87176.html proposes to rewrite Yahoo (+AOL) sending addresses from someone@yahoo.com to someone@yahoo.com.invalid to bypass DMARC.


Version: wmf-deployment
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=56414
https://bugzilla.wikimedia.org/show_bug.cgi?id=59731

Details

Reference
bz64818

Related Objects

StatusAssignedTask
ResolvedNone
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
ResolvedRobH
ResolvedDzahn
ResolvedRobH
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
Resolved JohnLewis
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
DuplicateDzahn
ResolvedDzahn
ResolvedDzahn
DuplicateDzahn
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
InvalidDzahn
ResolvedDzahn
ResolvedDzahn
DeclinedDzahn
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
Resolved JohnLewis
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
ResolvedDzahn
Resolvedherron

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 3:12 AM
bzimport set Reference to bz64818.
bzimport added a subscriber: Unknown Object (MLST).
Seb35 created this task.May 4 2014, 10:32 AM

(In reply to Seb35 from comment #0)

This bug is partly wontfix since this is linked to an upstream Mailman for a
proper resolution

Can you link or file it (on launchpad)?

Seb35 added a comment.May 4 2014, 8:32 PM

Apart http://dmarc.org/faq.html#s_3 which is only theoretical, I found this announcement of some support for DMARC in Mailman 2.1.16 and 2.1.18 (released April 18, 2014): http://wiki.list.org/display/DEV/DMARC

If I understand correctly, the introduced config parameter from_is_list is now on a per-list basis; this one rewrite the From: header (RFC 5322) with "Sender via the list wikitech-l" <wikitech-l@lists.wikimedia.org>, or could wrap the message as a sub-part in a MIME message.

Reply-To is unaffected, which is good (we use reply_goes_to_list). https://bugs.launchpad.net/mailman/+bug/1313010

Probably better wait for https://bugs.launchpad.net/mailman/+bug/1315970 at least.

I think we'll wait for upstream here, or rather on bug 64547 (Mailman 3).
Hence setting low priority.

This is fixed in Mailman 2.1.18, see the release announcement:

The from_is_list feature introduced in 2.1.16 is now unconditionally available to list owners. There is also, a new Privacy options -> Sender filters -> dmarc_moderation_action feature which applies to list messages where the From: address is in a domain which publishes a DMARC policy of reject or possibly quarantine. This is a list setting with values of Accept, Wrap Message, Munge From, Reject or Discard. There is a new DEFAULT_DMARC_MODERATION_ACTION configuration setting to set the default for this, and the list admin UI is not able to set an action which is 'less' than the default. The prior ALLOW_FROM_IS_LIST setting has been removed and is effectively always Yes. There is a new dmarc_quarantine_moderation_action list setting with default set by a new DEFAULT_DMARC_QUARANTINE_MODERATION_ACTION configuration setting which in turn defaults to Yes. The list setting can be set to No to exclude domains with DMARC policy of quarantine from dmarc_moderation_action.
dmarc_moderation_action and from_is_list interact in the following way. If the message is From: a domain to which dmarc_moderation_action applies and if dmarc_moderation_action is other than Accept, dmarc_moderation_action applies to that message. Otherwise the from_is_list action applies.

Jgreen set Security to None.

particularly given Yahoo and AOL recently switched to a policy p=reject, preventing these users from sending emails to the mailing lists.

They can still send emails, though not everyone on the list will receive them. I use Outlook.com for email and did not receive a recent message to wikitech-l, which came from a yahoo.com address. Apparently some other subscribers did, else there would have been no reply at all.

scfc added a subscriber: scfc.May 21 2015, 11:50 PM
Dzahn added a subscriber: Dzahn.Sep 18 2015, 4:50 PM

This is fixed in Mailman 2.1.18

We are now on 2.1.18 since today. :)

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 18 2015, 4:50 PM

We should see a decrease in bounces, right? But where are the stats now? :)

JohnLewis closed this task as Resolved.Sep 30 2015, 6:50 PM
JohnLewis claimed this task.
JohnLewis added a subscriber: JohnLewis.

Seems resolved looking around and with the added configuration variables, can be fine-tuned per list if necessary but defaults should suffice.

@JohnLewis: What should we be tweaking? We're still seeing problems on various ArbCom/functionaries lists.

What should we be tweaking? We're still seeing problems on various ArbCom/functionaries lists.

John is no longer active, I'll remove his assignee here, @Dzahn may know more about some options.

Jalexander removed JohnLewis as the assignee of this task.Dec 28 2015, 4:47 AM
Jalexander removed a subscriber: JohnLewis.
Dzahn added a comment.Feb 29 2016, 8:39 PM

John is no longer active, I'll remove his assignee here, @Dzahn may know more about some options.

No, sorry, i don't know more about this.

Dzahn removed a subscriber: Dzahn.Feb 29 2016, 8:40 PM