[tor-project] upcoming change in mailing lists configurations

Antoine Beaupré anarcat at torproject.org
Tue Sep 14 17:51:27 UTC 2021 

Hi again,

This change has just been deployed on all lists.

Do note one detail that was not obvious to me at first: not *all* emails
get their "From" munged. Only mail from a provider with an *active*
DMARC record (e.g. with `p=reject` or `p=quarantine`).

In other words, if your provider partially implements DMARC but doesn't
tell others to actually reject invalid emails, the From does not get
munged.

This might lead to some inconsistencies where some mails will come from
the list and some from normal users. I think the solution for this is to
simply not rely on From for filtering, which you were likely not doing
anyways.

Details in the ticket, as usual:

https://gitlab.torproject.org/tpo/tpa/team/-/issues/19914

Cheers,

a.

On 2021-09-07 11:54:03, Antoine Beaupré wrote:
> Hi,
>
> TL;DR: we are going to enable DMARC workarounds on Mailman mailing
> lists, which should improve deliverability. You may need to change your
> mailbox filters.
>
> # What is happening?
>
> We are going to change the configuration of all Mailman mailing lists to
> set the `dmarc_moderation_action` to `Munge From`.
>
> This will change the `From` header of outgoing email from mailing lists
> (such as this one) from, say:
>
>     From: "Antoine Beaupré" <anarcat at torproject.org>
>
> .. to something like:
>
>     From: Antoine Beaupre via tor-project <tor-project at lists.torproject.org>
>
> # Why are we doing this?
>
> This is because some email providers comply with the DMARC standard. To
> give an example, say provider example.com says that only them is allowed
> to send email from that domain and a user at example.com sends an email to
> one of our mailing lists. It's possible that this email then ends up at
> provider user at test.test, which, when it looks at the DMARC policy, decides
> to refuse the email because example.com doesn't allow
> lists.torproject.org to impersonate it.
>
> The net effect of this is that user at test.test will not get the email (at
> best) or (at worst!) get unsubscribed from the mailing list even though
> their email provider is actually complying with the email standard.
>
> A longer discussion of this happened in the issue tracker, here:
>
> https://gitlab.torproject.org/tpo/tpa/team/-/issues/19914
>
> # When?
>
> This change will be performed in one week.
>
> Tests have been going since August 24th on the tor-relays@ lists and it
> has actually solved issues there, while not causing any other problems.
>
> # How?
>
> TPA will actually change the configuration on all lists, in the
> backend. List admins wishing their list to be excluded can notify us by
> replying to this email or opening a ticket in the TPA issue tracker, as
> usual:
>
> https://gitlab.torproject.org/tpo/tpa/team/-/issues/new
>
> A.
>
> -- 
> Antoine Beaupré
> torproject.org system administration

-- 
Antoine Beaupré
torproject.org system administration

More information about the tor-project mailing list