Broken DMARC workaround for glibc mailing lists

Broken DMARC workaround for glibc mailing lists

[Florian Weimer]

Hi,

we have received a report that at least one of the glibc mailing lists 
lacks anti-DMARC header rewriting:

   https://sourceware.org/ml/libc-help/2017-04/msg00034.html

I have seen the usual “via” From rewriting on other sourceware.org 
lists.  I don't think we have much choice but to enable that for all the 
glibc lists, too.

Thanks,
Florian

Re: Broken DMARC workaround for glibc mailing lists

[Christopher Faylor]

On Fri, Apr 28, 2017 at 06:29:38PM +0200, Florian Weimer wrote:
>Hi,
>
>we have received a report that at least one of the glibc mailing lists 
>lacks anti-DMARC header rewriting:
>
>   https://sourceware.org/ml/libc-help/2017-04/msg00034.html
>
>I have seen the usual “via” From rewriting on other sourceware.org 
>lists.  I don't think we have much choice but to enable that for all the 
>glibc lists, too.

?  We don't arbitrarily turn on/off features like that for different
mailing lists.  This feature is on for every mailing list.

cgf

Re: Broken DMARC workaround for glibc mailing lists

[Christopher Faylor]

On Sat, Apr 29, 2017 at 10:32:42PM -0400, Christopher Faylor wrote:
>On Fri, Apr 28, 2017 at 06:29:38PM +0200, Florian Weimer wrote:
>>Hi,
>>
>>we have received a report that at least one of the glibc mailing lists 
>>lacks anti-DMARC header rewriting:
>>
>>   https://sourceware.org/ml/libc-help/2017-04/msg00034.html
>>
>>I have seen the usual “via” From rewriting on other sourceware.org 
>>lists.  I don't think we have much choice but to enable that for all the 
>>glibc lists, too.
>
>?  We don't arbitrarily turn on/off features like that for different
>mailing lists.  This feature is on for every mailing list.

I found what should have been a minor misconfiguration in libc-help
mailing list configuration.  I don't know if it will help or not.

I'll monitor the mailing list to see if this fixes it.

cgf

Re: Broken DMARC workaround for glibc mailing lists

[Florian Weimer]

On 04/30/2017 07:34 AM, Christopher Faylor wrote:
> On Sat, Apr 29, 2017 at 10:32:42PM -0400, Christopher Faylor wrote:
>> On Fri, Apr 28, 2017 at 06:29:38PM +0200, Florian Weimer wrote:
>>> Hi,
>>>
>>> we have received a report that at least one of the glibc mailing lists
>>> lacks anti-DMARC header rewriting:
>>>
>>>    https://sourceware.org/ml/libc-help/2017-04/msg00034.html
>>>
>>> I have seen the usual “via” From rewriting on other sourceware.org
>>> lists.  I don't think we have much choice but to enable that for all the
>>> glibc lists, too.
>>
>> ?  We don't arbitrarily turn on/off features like that for different
>> mailing lists.  This feature is on for every mailing list.
> 
> I found what should have been a minor misconfiguration in libc-help
> mailing list configuration.  I don't know if it will help or not.
> 
> I'll monitor the mailing list to see if this fixes it.

Thanks for investigating this.

Florian

Re: Broken DMARC workaround for glibc mailing lists

[Christopher Faylor]

On Mon, May 01, 2017 at 12:18:51PM +0200, Florian Weimer wrote:
>On 04/30/2017 07:34 AM, Christopher Faylor wrote:
>> On Sat, Apr 29, 2017 at 10:32:42PM -0400, Christopher Faylor wrote:
>>> On Fri, Apr 28, 2017 at 06:29:38PM +0200, Florian Weimer wrote:
>>>> Hi,
>>>>
>>>> we have received a report that at least one of the glibc mailing lists
>>>> lacks anti-DMARC header rewriting:
>>>>
>>>>    https://sourceware.org/ml/libc-help/2017-04/msg00034.html
>>>>
>>>> I have seen the usual “via” From rewriting on other sourceware.org
>>>> lists.  I don't think we have much choice but to enable that for all the
>>>> glibc lists, too.
>>>
>>> ?  We don't arbitrarily turn on/off features like that for different
>>> mailing lists.  This feature is on for every mailing list.
>> 
>> I found what should have been a minor misconfiguration in libc-help
>> mailing list configuration.  I don't know if it will help or not.
>> 
>> I'll monitor the mailing list to see if this fixes it.
>
>Thanks for investigating this.

Could you ask them to send another message to the list to see if the
From is properly mangled?

cgf

Re: Broken DMARC workaround for glibc mailing lists

[Florian Weimer]

[-- Attachment #1: Type: text/plain, Size: 1494 bytes --]

On 05/02/2017 04:07 PM, Christopher Faylor wrote:
> On Mon, May 01, 2017 at 12:18:51PM +0200, Florian Weimer wrote:
>> On 04/30/2017 07:34 AM, Christopher Faylor wrote:
>>> On Sat, Apr 29, 2017 at 10:32:42PM -0400, Christopher Faylor wrote:
>>>> On Fri, Apr 28, 2017 at 06:29:38PM +0200, Florian Weimer wrote:
>>>>> Hi,
>>>>>
>>>>> we have received a report that at least one of the glibc mailing lists
>>>>> lacks anti-DMARC header rewriting:
>>>>>
>>>>>     https://sourceware.org/ml/libc-help/2017-04/msg00034.html
>>>>>
>>>>> I have seen the usual “via” From rewriting on other sourceware.org
>>>>> lists.  I don't think we have much choice but to enable that for all the
>>>>> glibc lists, too.
>>>>
>>>> ?  We don't arbitrarily turn on/off features like that for different
>>>> mailing lists.  This feature is on for every mailing list.
>>>
>>> I found what should have been a minor misconfiguration in libc-help
>>> mailing list configuration.  I don't know if it will help or not.
>>>
>>> I'll monitor the mailing list to see if this fixes it.
>>
>> Thanks for investigating this.
> 
> Could you ask them to send another message to the list to see if the
>  From is properly mangled?

The most recent message didn't have rewriting applied.  I assume that 
gmail.com has strict DMARC policies and would ordinarily trigger 
rewriting.  However, I don't see this happening on other sourceware.org 
lists, either.  Maybe we'd need a test posting from google.com.

Thanks,
Florian

[-- Attachment #2: Re: GMail DMARC : 'ezmlm warning' - '550-5_7_1 DMARC policy_ ___ of google_com domain' not considered an authorized sender ?.eml --]
[-- Type: message/rfc822, Size: 7951 bytes --]

From: Jason Vas Dias <jason.vas.dias@gmail.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: libc-help@sourceware.org
Subject: Re: GMail DMARC : 'ezmlm warning' - '550-5.7.1 DMARC policy. ... of google.com domain' not considered an authorized sender ?
Date: Fri, 5 May 2017 10:22:17 +0000
Message-ID: <CALyZvKzULTzj6TNHgD0xgYhYC+mPt7xQmLj5=kAFBb1rjD=_-w@mail.gmail.com>

Hi Florian -
> Jason, would you please send another message to the libc-help list?
I am doing so hereby.

I haven't got any more of these failed-to-deliver messages since:
libc-help-help	| Inbox, To Jason |
   ezmlm warning - .1 DMARC policy. Please contact the administrator of
   google.com domain 550-5.7.1 if this was a legitimate mail. Please	16/11/2016

I just thought I should report it because it looked like all is not
quite OK with
authenticating your email sender to google.

Thanks & Regards,
Jason

On 05/05/2017, Florian Weimer <fweimer@redhat.com> wrote:
> On 05/01/2017 12:18 PM, Florian Weimer wrote:
>> On 04/28/2017 08:11 AM, Florian Weimer wrote:
>>> On 04/26/2017 01:05 AM, Jason Vas Dias wrote:
>>>> Is this google's problem or your email sender's or my gmail settings ?
>>>> ( I can't see anything in Gmail settings about 'authorized senders'
>>>> or anything.
>>>> Having a problem with your gmail sending account / or are
>>>> authentications
>>>> for it sometimes transiently timing out ?
>>>
>>> Google and Gmail (and Yahoo and others) broke mailing lists.  There
>>> should be a vast amount of information available out there under the
>>> topic of DMARC and mailing lists.  I don't know if the version of
>>> ezmlm used on sourceware.org supports the usual workarounds for the
>>> breakage.
>>
>> There may have been a misconfiguration which prevented the broken DMARC
>> workaround from being applied to the libc-help list.
>
> Jason, would you please send another message to the libc-help list?
>
> Thanks,
> Florian
>

Re: Broken DMARC workaround for glibc mailing lists

[Christopher Faylor]

On Fri, May 05, 2017 at 12:32:38PM +0200, Florian Weimer wrote:
>The most recent message didn't have rewriting applied.  I assume that 
>gmail.com has strict DMARC policies and would ordinarily trigger 
>rewriting.  However, I don't see this happening on other sourceware.org 
>lists, either.  Maybe we'd need a test posting from google.com.

I think this may be a bug in the patched ezmlm that we're using.  It
may be looking at "gmail.com":

_dmarc.gmail.com.	300	IN	TXT	"v=DMARC1; p=none; rua=mailto:mailauth-reports@google.com"

rather than google.com (which handles gmail's mx):

_dmarc.google.com.	183	IN	TXT	"v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"

It should be easy to fix.  I'll look at it tomorrow.

cgf

Re: Broken DMARC workaround for glibc mailing lists

[Christopher Faylor]

On Mon, May 08, 2017 at 01:34:52AM -0400, Christopher Faylor wrote:
>On Fri, May 05, 2017 at 12:32:38PM +0200, Florian Weimer wrote:
>>The most recent message didn't have rewriting applied.  I assume that 
>>gmail.com has strict DMARC policies and would ordinarily trigger 
>>rewriting.  However, I don't see this happening on other sourceware.org 
>>lists, either.  Maybe we'd need a test posting from google.com.
>
>I think this may be a bug in the patched ezmlm that we're using.  It
>may be looking at "gmail.com":
>
>_dmarc.gmail.com.	300	IN	TXT	"v=DMARC1; p=none; rua=mailto:mailauth-reports@google.com"
>
>rather than google.com (which handles gmail's mx):
>
>_dmarc.google.com.	183	IN	TXT	"v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"
>
>It should be easy to fix.  I'll look at it tomorrow.

I looked at it tonight and instituted a temporary fix (that will probably
be around until someone complains that it isn't quite right).

cgf

Re: Broken DMARC workaround for glibc mailing lists

[Florian Weimer via overseers]

On 05/08/2017 07:34 AM, Christopher Faylor wrote:
> On Fri, May 05, 2017 at 12:32:38PM +0200, Florian Weimer wrote:
>> The most recent message didn't have rewriting applied.  I assume that
>> gmail.com has strict DMARC policies and would ordinarily trigger
>> rewriting.  However, I don't see this happening on other sourceware.org
>> lists, either.  Maybe we'd need a test posting from google.com.
> 
> I think this may be a bug in the patched ezmlm that we're using.  It
> may be looking at "gmail.com":
> 
> _dmarc.gmail.com.	300	IN	TXT	"v=DMARC1; p=none; rua=mailto:mailauth-reports@google.com"
> 
> rather than google.com (which handles gmail's mx):
> 
> _dmarc.google.com.	183	IN	TXT	"v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"
> 
> It should be easy to fix.  I'll look at it tomorrow.

Huh.  This is not what I expected.  I think this means that gmail.com 
does not have a strict DMARC policy after all.  So I was wrong to expect 
rewriting for it.

(Just to be clear: it would be wrong to apply the google.com DMARC 
policy to gmail.com because the MX host location does not matter for 
this policy.)

Thanks,
Florian

Re: Broken DMARC workaround for glibc mailing lists

[Christopher Faylor]

On Mon, May 08, 2017 at 08:44:34AM +0200, Florian Weimer via overseers wrote:
>On 05/08/2017 07:34 AM, Christopher Faylor wrote:
>> On Fri, May 05, 2017 at 12:32:38PM +0200, Florian Weimer wrote:
>>> The most recent message didn't have rewriting applied.  I assume that
>>> gmail.com has strict DMARC policies and would ordinarily trigger
>>> rewriting.  However, I don't see this happening on other sourceware.org
>>> lists, either.  Maybe we'd need a test posting from google.com.
>> 
>> I think this may be a bug in the patched ezmlm that we're using.  It
>> may be looking at "gmail.com":
>> 
>> _dmarc.gmail.com.	300	IN	TXT	"v=DMARC1; p=none; rua=mailto:mailauth-reports@google.com"
>> 
>> rather than google.com (which handles gmail's mx):
>> 
>> _dmarc.google.com.	183	IN	TXT	"v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"
>> 
>> It should be easy to fix.  I'll look at it tomorrow.
>
>Huh.  This is not what I expected.  I think this means that gmail.com 
>does not have a strict DMARC policy after all.  So I was wrong to expect 
>rewriting for it.
>
>(Just to be clear: it would be wrong to apply the google.com DMARC 
>policy to gmail.com because the MX host location does not matter for 
>this policy.)

Yeah, I realized that as I was drifting off to sleep last night.  Email
I sent to test-list from gmail to gmail worked so I should have realized
that meant that gmail didn't enforce and that this wassn't an issue.