Change to Mail Infrastructure - SPF and DKIM verification will now be enforced

Martin Graesslin mgraesslin at kde.org
Tue Dec 8 08:51:50 GMT 2015 

On Tuesday, December 8, 2015 8:21:03 PM CET Ben Cooksley wrote:
> On Tue, Dec 8, 2015 at 2:19 AM, Martin Graesslin <mgraesslin at kde.org> wrote:
> > On Friday, December 4, 2015 11:28:03 AM CET Jan Kundrát wrote:
> >> On Friday, 4 December 2015 10:56:42 CET, Ben Cooksley wrote:
> >> > Note that in the long run with DMARC looming you will need to switch
> >> > to #2 anyway, and keeping your current behaviour will likely lead to
> >> > mail from people who use Yahoo / AOL / etc ending up in the spam
> >> > folder with many mailing list members. I'll be starting a discussion
> >> > regarding taking this step on KDE systems at some point in the near
> >> > future (switching to DMARC compatible policies).
> >> > 
> >> > For more information, please see http://wiki.list.org/DEV/DMARC
> >> 
> >> Do I understand your plan correctly? The following projects appear to not
> >> re-sign their ML traffic, and they mangle headers at the same time. If I
> >> understand your plan correctly, this means that I won't be able to use my
> >> @kde.org addresses on mailing lists of these projects, for example:
> >> 
> >> - Qt,
> >> - Debian,
> >> - Gentoo,
> >> - OpenStack,
> >> - anything hosted at SourceForge,
> >> - and many, many more, essentially anybody who were ignoring DKIM.
> >> 
> >> Please, change your plans, this is obviously a huge no-go.
> > 
> > this looks like a huge problem. Could this be rolled out in two phases:
> > one
> > where a big fat warning is added in some way, so that we can inform our
> > mailing list masters about the breakage and then a slow enforcement?
> 
> You can examine the "Authentication-Results" header from any mail that
> passes through kde.org mail infrastructure to determine if it is
> valid.

Checking the non-KDE mailing lists I'm subscribed to:

* EWMH mailing list (hosted on GNOME infrastructure):

Authentication-Results: postbox.kde.org; dkim=fail
	reason="verification failed; unprotected key"
	header.d=gmail.com header.i=@gmail.com header.b=qL4yX1lm;
	dkim-adsp=none (unprotected policy); dkim-atps=neutral

* wayland: no such header

* mesa: no such header, but receiving in digest form, so probably not possible 
to verify for me?

* lxde: no such header

* a private mailing list: same as with GNOME.

This means GNOME and the private are wrong. What should I tell the list master 
now? Should we users not understanding the technical bits perform it? Wouldn't 
it be better if the sysadmin's do a mass filtering on the headers to figure 
out which mailing lists are affected and contact the list masters

> You would still get the list subscription suspended message from the
> list, as these are generated by Mailman itself.

So kicking me out. If the system is not going to move, it means it's kicking 
us out. E.g. I would no longer be able to participate in EWMH discussions.

> I would suggest mailing the list administrator or server
> administrator's of the mailing lists in question. Nobody else really
> has the power to fix it.

I just don't know what to tell them. Seriously, please don't expect that we 
who have no clue about this stuff, will be able to contact list 
administrators.

Cheers
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20151208/8d1e535c/attachment.sig>

More information about the kde-core-devel mailing list