Change to Mail Infrastructure - SPF and DKIM verification will now be enforced

Martin Graesslin mgraesslin at kde.org
Tue Dec 8 10:23:37 GMT 2015


On Tuesday, December 8, 2015 10:54:13 PM CET Ben Cooksley wrote:
> On Tue, Dec 8, 2015 at 10:33 PM, Martin Graesslin <mgraesslin at kde.org> wrote:
> > On Tuesday, December 8, 2015 9:51:50 AM CET Martin Graesslin wrote:
> >> On Tuesday, December 8, 2015 8:21:03 PM CET Ben Cooksley wrote:
> >> > On Tue, Dec 8, 2015 at 2:19 AM, Martin Graesslin <mgraesslin at kde.org> wrote:
> >> > > On Friday, December 4, 2015 11:28:03 AM CET Jan Kundrát wrote:
> >> > >> On Friday, 4 December 2015 10:56:42 CET, Ben Cooksley wrote:
> >> > >> > Note that in the long run with DMARC looming you will need to switch
> >> > >> > to #2 anyway, and keeping your current behaviour will likely lead to
> >> > >> > mail from people who use Yahoo / AOL / etc ending up in the spam
> >> > >> > folder with many mailing list members. I'll be starting a discussion
> >> > >> > regarding taking this step on KDE systems at some point in the near
> >> > >> > future (switching to DMARC compatible policies).
> >> > >> > 
> >> > >> > For more information, please see http://wiki.list.org/DEV/DMARC
> >> > >> 
> >> > >> Do I understand your plan correctly? The following projects appear to not
> >> > >> re-sign their ML traffic, and they mangle headers at the same time. If I
> >> > >> understand your plan correctly, this means that I won't be able to use my
> >> > >> @kde.org addresses on mailing lists of these projects, for example:
> >> > >> 
> >> > >> - Qt,
> >> > >> - Debian,
> >> > >> - Gentoo,
> >> > >> - OpenStack,
> >> > >> - anything hosted at SourceForge,
> >> > >> - and many, many more, essentially anybody who were ignoring DKIM.
> >> > >> 
> >> > >> Please, change your plans, this is obviously a huge no-go.
> >> > > 
> >> > > this looks like a huge problem. Could this be rolled out in two phases: one
> >> > > where a big fat warning is added in some way, so that we can inform our
> >> > > mailing list masters about the breakage and then a slow enforcement?
> >> > 
> >> > You can examine the "Authentication-Results" header from any mail that
> >> > passes through kde.org mail infrastructure to determine if it is valid.
> >> 
> >> Checking the non-KDE mailing lists I'm subscribed to:
> >> 
> >> * EWMH mailing list (hosted on GNOME infrastructure):
> >> 
> >> Authentication-Results: postbox.kde.org; dkim=fail
> >>       reason="verification failed; unprotected key"
> >>       header.d=gmail.com header.i=@gmail.com header.b=qL4yX1lm;
> >>       dkim-adsp=none (unprotected policy); dkim-atps=neutral
> >> 
> >> * wayland: no such header
> > 
> > Correction: Wayland is also affected. I didn't check a gmail mail. So given
> > that all freedesktop.org are probably affected.
> > 
> > Sorry Ben, that's just a no, it will be highly disruptive to KDE to turn us
> > off from these mailing lists.
> 
> Can't recall if I stated this previously, but I'd already decided to
> delay this until the end of January.
> It should not be delayed forever though.

Can we increase this to at least end of February or March? I'm a little bit 
concerned that this won't go anywhere over Christmas and New Year and end of 
January not being realistic.

As much as I support your proposal in general, I just don't have any spare 
time to work on this by contacting list admins, etc.

I also think we need to coordinate this. I'm sure we can get the changes 
applied, but it'll take more time than a month. This is a small project which 
needs to be coordinated:
* track all affected mailing lists @kde.org address owners interact with
* create a task for each mailing list on phab
* get someone to contact, document when contacted
* track the progress
* send reminders including (hey project foo was able to change that in three 
days, and we are waiting now two weeks)
* switch when we can be certain that it won't disrupt our work

As a list moderator I also hate the spam, but not being able to be on the 
mailing lists with my @kde.org address on mailing lists where I am only 
because I consider myself as a representative for kde is worse.

Cheers
Martin
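
The per-list check discussed in this thread (reading the "Authentication-Results" header stamped by postbox.kde.org) can be automated over a mail archive. The following is an added example, not part of the original message or of KDE's tooling; the sample messages, list names and function names are constructed for illustration.

```python
import email
import re
from collections import defaultdict
from email import policy

# Constructed sample messages, not real mail. The first header has the same
# shape as the one quoted above; list names and header.b are placeholders.
SAMPLES = [
    "List-Id: <list-a.example.org>\n"
    "Authentication-Results: postbox.kde.org; dkim=fail\n"
    '\treason="verification failed; unprotected key"\n'
    "\theader.d=gmail.com header.i=@gmail.com header.b=AAAAAAAA;\n"
    "\tdkim-adsp=none (unprotected policy); dkim-atps=neutral\n\nbody\n",
    "List-Id: <list-b.example.org>\n"
    "Authentication-Results: postbox.kde.org; dkim=pass header.d=example.com\n\nbody\n",
    # Verdict written by some other host: ignored, since anyone can add it.
    "List-Id: <list-a.example.org>\n"
    "Authentication-Results: mx.other.example; dkim=pass header.d=example.com\n\nbody\n",
]

def parse_authres(value):
    """Return (authserv_id, [(method, result, props), ...]) for one header value."""
    value = " ".join(value.split())           # unfold continuation lines
    value = re.sub(r"\([^()]*\)", "", value)  # drop (comments); nesting not handled
    # Split on ';' only outside quoted strings: the reason text contains one.
    parts = [p.strip() for p in re.findall(r'(?:"[^"]*"|[^;"])+', value)]
    if not parts or not parts[0]:
        return "", []
    results = []
    for part in parts[1:]:
        m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
        if m:
            props = dict(re.findall(r'([\w.-]+)=("[^"]*"|\S+)', part[m.end():]))
            results.append((m.group(1).lower(), m.group(2).lower(), props))
    return parts[0].split()[0].lower(), results

def dkim_by_list(raw_messages, trusted="postbox.kde.org"):
    """Tally DKIM verdicts from the trusted verifier per List-Id ('none' if absent)."""
    tally = defaultdict(lambda: defaultdict(int))
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        verdicts = []
        for hdr in msg.get_all("Authentication-Results", []):
            authserv, results = parse_authres(str(hdr))
            if authserv == trusted:
                verdicts += [res for method, res, _ in results if method == "dkim"]
        for verdict in verdicts or ["none"]:
            tally[str(msg.get("List-Id", "unknown")).strip()][verdict] += 1
    return {list_id: dict(counts) for list_id, counts in tally.items()}
```

Calling `dkim_by_list(SAMPLES)` groups the verdicts by list, so lists that break signatures in transit show up as `fail` counts and mail without a trusted verdict shows up as `none`.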
