Discussion:
[Qemu-devel] qemu-devel mailing list vs DMARC and microsoft.com's p=reject policy
Peter Maydell
2017-03-28 17:35:55 UTC
Permalink
Hi; it's been pointed out to me that we have a problem with qemu-devel
unsubscribing people because of DMARC. Specifically:
* microsoft.com publishes a DMARC policy that has p=reject
* some subscribers use mail systems that honour this and send bounces
for non-verifying emails from those domains
* the mailing list software (mailman) modifies emails that pass through
it, among other things adding the "[qemu-devel]" subject tag, in
a way that means that signatures no longer verify
* bounces back to mailman as a result of mailing list postings from
microsoft.com people can then cause people to be unintentionally
unsubscribed

This is kind of painful. https://wiki.list.org/DEV/DMARC has the
Mailman wiki information on the subject. In an ideal world nobody
would use p=reject because it breaks mailing lists. In the actual
world we have a few choices:

(1) I could set dmarc_moderation_action=Reject
* this means nobody can subscribe if they've set their dmarc policy
to reject (the "if you don't believe in mailing lists we don't
believe in you" policy).
* there is a certain purity to this option, in that it is pushing
the costs of this unhelpful mail config back on the organisations
which have chosen it; on the other hand I'm reluctant to make
life harder for people who are contributing to the project
and who typically don't have much say over corporate email config.
(2) I could reconfigure mailman to try to not rewrite anything that
we think is likely to be signed (in particular not the body or the
subject)
* this means dropping the [qemu-devel] tag from the subject, which I'm
a bit reluctant to do (it seems likely at least some readers are
filtering on it, and personally I quite like it)
* if anybody DKIM-signs the Sender: header we're stuck anyway
(3) I could set dmarc_moderation_action to Munge From, which means that
those senders who have a p=reject policy will get their mails
rewritten to have a From="Whoever (via the list) <qemu-***@...>"
and their actual email in the Reply-to:
* if anybody's mail client doesn't honour Reply-to: then what they
think is a personal reply will go to the list by accident
(4) I could do nothing, and hope that we don't get so many of these
that they actually result in unsubscriptions
* in any case emails won't end up going through to some recipients,
so this isn't much of an option anyway
(5) I could set the bounce processing config to be (much) less aggressive
* this seems like a bad idea
* in any case people whose systems honour DMARC still wouldn't get
mails from the p=reject senders

I don't really like any of these choices.

For the moment I have picked option (3), but I'm open to argument
that we should pick something else.

thanks
-- PMM
Peter Maydell
2017-03-28 17:58:08 UTC
Permalink
Post by Peter Maydell
(1) I could set dmarc_moderation_action=Reject
* this means nobody can subscribe if they've set their dmarc policy
to reject (the "if you don't believe in mailing lists we don't
believe in you" policy).
Clarification: if I've understood correctly, this means nobody can *post*,
right? The problem arises when I post to the list, not when I subscribed
(and qemu-devel doesn't require subscription to post).
Yes, you're right. It wouldn't inconvenience mere lurkers at
these domains.

thanks
-- PMM
Michael S. Tsirkin
2017-03-28 18:28:06 UTC
Permalink
Post by Peter Maydell
Hi; it's been pointed out to me that we have a problem with qemu-devel
* microsoft.com publishes a DMARC policy that has p=reject
* some subscribers use mail systems that honour this and send bounces
for non-verifying emails from those domains
* the mailing list software (mailman) modifies emails that pass through
it, among other things adding the "[qemu-devel]" subject tag, in
a way that means that signatures no longer verify
* bounces back to mailman as a result of mailing list postings from
microsoft.com people can then cause people to be unintentionally
unsubscribed
This is kind of painful. https://wiki.list.org/DEV/DMARC has the
Mailman wiki information on the subject. In an ideal world nobody
would use p=reject because it breaks mailing lists. In the actual
(1) I could set dmarc_moderation_action=Reject
* this means nobody can subscribe if they've set their dmarc policy
to reject (the "if you don't believe in mailing lists we don't
believe in you" policy).
* there is a certain purity to this option, in that it is pushing
the costs of this unhelpful mail config back on the organisations
which have chosen it; on the other hand I'm reluctant to make
life harder for people who are contributing to the project
and who typically don't have much say over corporate email config.
(2) I could reconfigure mailman to try to not rewrite anything that
we think is likely to be signed (in particular not the body or the
subject)
* this means dropping the [qemu-devel] tag from the subject, which I'm
a bit reluctant to do (it seems likely at least some readers are
filtering on it, and personally I quite like it)
* if anybody DKIM-signs the Sender: header we're stuck anyway
For the record I'd strongly prefer this option - I tag all list mail
and so "qemu-devel" appears twice: in subject and as a tag.
Also, if mail is copied to another list, qemu-devel will
still appear as gmail de-duplicates email by msg id.
I can remove tags I don't care about but can't remove
subject prefixes.
Post by Peter Maydell
(3) I could set dmarc_moderation_action to Munge From, which means that
those senders who have a p=reject policy will get their mails
* if anybody's mail client doesn't honour Reply-to: then what they
think is a personal reply will go to the list by accident
(4) I could do nothing, and hope that we don't get so many of these
that they actually result in unsubscriptions
* in any case emails won't end up going through to some recipients,
so this isn't much of an option anyway
(5) I could set the bounce processing config to be (much) less aggressive
* this seems like a bad idea
* in any case people whose systems honour DMARC still wouldn't get
mails from the p=reject senders
I don't really like any of these choices.
For the moment I have picked option (3), but I'm open to argument
that we should pick something else.
thanks
-- PMM
Is there a way not to munge the name? It's currently rewritten to
add "via qemu-devel" which confuses the clients which think
it's part of the name, and can't be easily stripped away.
--
MST
Eric Blake
2017-03-28 18:41:36 UTC
Permalink
Post by Michael S. Tsirkin
Post by Peter Maydell
(2) I could reconfigure mailman to try to not rewrite anything that
we think is likely to be signed (in particular not the body or the
subject)
* this means dropping the [qemu-devel] tag from the subject, which I'm
a bit reluctant to do (it seems likely at least some readers are
filtering on it, and personally I quite like it)
* if anybody DKIM-signs the Sender: header we're stuck anyway
For the record I'd strongly prefer this option - I tag all list mail
and so "qemu-devel" appears twice: in subject and as a tag.
Also, if mail is copied to another list, qemu-devel will
still appear as gmail de-duplicates email by msg id.
I can remove tags I don't care about but can't remove
subject prefixes.
I'm ambivalent - I like the prefixes, but don't mind if they are not
present (it's easy enough to filter on List-Sender: when the prefix is
not reliable). It's especially nice that the prefix lets me tell the
difference between mail sent to qemu-devel and qemu-block while still
dumping both lists into the same folder.
Post by Michael S. Tsirkin
Is there a way not to munge the name? It's currently rewritten to
add "via qemu-devel" which confuses the clients which think
it's part of the name, and can't be easily stripped away.
Not that I know of, but at least the munging only occurs for senders
with restrictive DMARC and not for ALL senders.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Markus Armbruster
2017-03-29 06:46:27 UTC
Permalink
Post by Michael S. Tsirkin
Post by Peter Maydell
Hi; it's been pointed out to me that we have a problem with qemu-devel
* microsoft.com publishes a DMARC policy that has p=reject
* some subscribers use mail systems that honour this and send bounces
for non-verifying emails from those domains
* the mailing list software (mailman) modifies emails that pass through
it, among other things adding the "[qemu-devel]" subject tag, in
a way that means that signatures no longer verify
* bounces back to mailman as a result of mailing list postings from
microsoft.com people can then cause people to be unintentionally
unsubscribed
This is kind of painful. https://wiki.list.org/DEV/DMARC has the
Mailman wiki information on the subject. In an ideal world nobody
would use p=reject because it breaks mailing lists. In the actual
(1) I could set dmarc_moderation_action=Reject
* this means nobody can subscribe if they've set their dmarc policy
to reject (the "if you don't believe in mailing lists we don't
believe in you" policy).
* there is a certain purity to this option, in that it is pushing
the costs of this unhelpful mail config back on the organisations
which have chosen it; on the other hand I'm reluctant to make
life harder for people who are contributing to the project
and who typically don't have much say over corporate email config.
(2) I could reconfigure mailman to try to not rewrite anything that
we think is likely to be signed (in particular not the body or the
subject)
* this means dropping the [qemu-devel] tag from the subject, which I'm
a bit reluctant to do (it seems likely at least some readers are
filtering on it, and personally I quite like it)
* if anybody DKIM-signs the Sender: header we're stuck anyway
For the record I'd strongly prefer this option - I tag all list mail
and so "qemu-devel" appears twice: in subject and as a tag.
Also, if mail is copied to another list, qemu-devel will
still appear as gmail de-duplicates email by msg id.
I can remove tags I don't care about but can't remove
subject prefixes.
Seconded. Mailing lists messing with the subject to "help" users with
filtering just complicate it.

Filtering on List-Id isn't any harder, and has the added advantage that
it actually works.
Post by Michael S. Tsirkin
Post by Peter Maydell
(3) I could set dmarc_moderation_action to Munge From, which means that
those senders who have a p=reject policy will get their mails
* if anybody's mail client doesn't honour Reply-to: then what they
think is a personal reply will go to the list by accident
(4) I could do nothing, and hope that we don't get so many of these
that they actually result in unsubscriptions
* in any case emails won't end up going through to some recipients,
so this isn't much of an option anyway
(5) I could set the bounce processing config to be (much) less aggressive
* this seems like a bad idea
* in any case people whose systems honour DMARC still wouldn't get
mails from the p=reject senders
I don't really like any of these choices.
For the moment I have picked option (3), but I'm open to argument
that we should pick something else.
thanks
-- PMM
Is there a way not to munge the name? It's currently rewritten to
add "via qemu-devel" which confuses the clients which think
it's part of the name, and can't be easily stripped away.
Not munging the name will confuse different clients to think qemu-devel@
is an alternative e-mail for this person.

Once you start messing with e-mail headers, you inevitably get to a
place where you have to choose the functionality you're least unhappy to
break. Which may not be the one your users are least happy to lose.

Just say no.
Thomas Huth
2017-03-29 10:44:27 UTC
Permalink
Post by Markus Armbruster
Post by Michael S. Tsirkin
Post by Peter Maydell
Hi; it's been pointed out to me that we have a problem with qemu-devel
* microsoft.com publishes a DMARC policy that has p=reject
* some subscribers use mail systems that honour this and send bounces
for non-verifying emails from those domains
* the mailing list software (mailman) modifies emails that pass through
it, among other things adding the "[qemu-devel]" subject tag, in
a way that means that signatures no longer verify
* bounces back to mailman as a result of mailing list postings from
microsoft.com people can then cause people to be unintentionally
unsubscribed
This is kind of painful. https://wiki.list.org/DEV/DMARC has the
Mailman wiki information on the subject. In an ideal world nobody
would use p=reject because it breaks mailing lists. In the actual
(1) I could set dmarc_moderation_action=Reject
* this means nobody can subscribe if they've set their dmarc policy
to reject (the "if you don't believe in mailing lists we don't
believe in you" policy).
* there is a certain purity to this option, in that it is pushing
the costs of this unhelpful mail config back on the organisations
which have chosen it; on the other hand I'm reluctant to make
life harder for people who are contributing to the project
and who typically don't have much say over corporate email config.
(2) I could reconfigure mailman to try to not rewrite anything that
we think is likely to be signed (in particular not the body or the
subject)
* this means dropping the [qemu-devel] tag from the subject, which I'm
a bit reluctant to do (it seems likely at least some readers are
filtering on it, and personally I quite like it)
* if anybody DKIM-signs the Sender: header we're stuck anyway
For the record I'd strongly prefer this option - I tag all list mail
and so "qemu-devel" appears twice: in subject and as a tag.
Also, if mail is copied to another list, qemu-devel will
still appear as gmail de-duplicates email by msg id.
I can remove tags I don't care about but can't remove
subject prefixes.
Seconded. Mailing lists messing with the subject to "help" users with
filtering just complicate it.
Filtering on List-Id isn't any harder, and has the added advantage that
it actually works.
The problem is that some mail clients are rather limited and you can
only filter via title there - so I guess some people would complain we
removed the tag from the subject.

Apart from that, I've also seen mailman messing up white spaces in the
body of e-mails, so this likely would only solve parts of this problem.

Thomas
Markus Armbruster
2017-03-29 11:18:56 UTC
Permalink
Post by Thomas Huth
Post by Markus Armbruster
Post by Michael S. Tsirkin
Post by Peter Maydell
Hi; it's been pointed out to me that we have a problem with qemu-devel
* microsoft.com publishes a DMARC policy that has p=reject
* some subscribers use mail systems that honour this and send bounces
for non-verifying emails from those domains
* the mailing list software (mailman) modifies emails that pass through
it, among other things adding the "[qemu-devel]" subject tag, in
a way that means that signatures no longer verify
* bounces back to mailman as a result of mailing list postings from
microsoft.com people can then cause people to be unintentionally
unsubscribed
This is kind of painful. https://wiki.list.org/DEV/DMARC has the
Mailman wiki information on the subject. In an ideal world nobody
would use p=reject because it breaks mailing lists. In the actual
(1) I could set dmarc_moderation_action=Reject
* this means nobody can subscribe if they've set their dmarc policy
to reject (the "if you don't believe in mailing lists we don't
believe in you" policy).
* there is a certain purity to this option, in that it is pushing
the costs of this unhelpful mail config back on the organisations
which have chosen it; on the other hand I'm reluctant to make
life harder for people who are contributing to the project
and who typically don't have much say over corporate email config.
(2) I could reconfigure mailman to try to not rewrite anything that
we think is likely to be signed (in particular not the body or the
subject)
* this means dropping the [qemu-devel] tag from the subject, which I'm
a bit reluctant to do (it seems likely at least some readers are
filtering on it, and personally I quite like it)
* if anybody DKIM-signs the Sender: header we're stuck anyway
For the record I'd strongly prefer this option - I tag all list mail
and so "qemu-devel" appears twice: in subject and as a tag.
Also, if mail is copied to another list, qemu-devel will
still appear as gmail de-duplicates email by msg id.
I can remove tags I don't care about but can't remove
subject prefixes.
Seconded. Mailing lists messing with the subject to "help" users with
filtering just complicate it.
Filtering on List-Id isn't any harder, and has the added advantage that
it actually works.
The problem is that some mail clients are rather limited and you can
only filter via title there - so I guess some people would complain we
removed the tag from the subject.
Some people might have to switch to less crippled^W^Wmore capable
software. Thank me later.
Post by Thomas Huth
Apart from that, I've also seen mailman messing up white spaces in the
body of e-mails, so this likely would only solve parts of this problem.
Assuming that's still the case, and not a mailman configuration issue:
mailman bug.
Michael S. Tsirkin
2017-03-29 13:47:40 UTC
Permalink
Post by Thomas Huth
Post by Markus Armbruster
Post by Michael S. Tsirkin
Post by Peter Maydell
Hi; it's been pointed out to me that we have a problem with qemu-devel
* microsoft.com publishes a DMARC policy that has p=reject
* some subscribers use mail systems that honour this and send bounces
for non-verifying emails from those domains
* the mailing list software (mailman) modifies emails that pass through
it, among other things adding the "[qemu-devel]" subject tag, in
a way that means that signatures no longer verify
* bounces back to mailman as a result of mailing list postings from
microsoft.com people can then cause people to be unintentionally
unsubscribed
This is kind of painful. https://wiki.list.org/DEV/DMARC has the
Mailman wiki information on the subject. In an ideal world nobody
would use p=reject because it breaks mailing lists. In the actual
(1) I could set dmarc_moderation_action=Reject
* this means nobody can subscribe if they've set their dmarc policy
to reject (the "if you don't believe in mailing lists we don't
believe in you" policy).
* there is a certain purity to this option, in that it is pushing
the costs of this unhelpful mail config back on the organisations
which have chosen it; on the other hand I'm reluctant to make
life harder for people who are contributing to the project
and who typically don't have much say over corporate email config.
(2) I could reconfigure mailman to try to not rewrite anything that
we think is likely to be signed (in particular not the body or the
subject)
* this means dropping the [qemu-devel] tag from the subject, which I'm
a bit reluctant to do (it seems likely at least some readers are
filtering on it, and personally I quite like it)
* if anybody DKIM-signs the Sender: header we're stuck anyway
For the record I'd strongly prefer this option - I tag all list mail
and so "qemu-devel" appears twice: in subject and as a tag.
Also, if mail is copied to another list, qemu-devel will
still appear as gmail de-duplicates email by msg id.
I can remove tags I don't care about but can't remove
subject prefixes.
Seconded. Mailing lists messing with the subject to "help" users with
filtering just complicate it.
Filtering on List-Id isn't any harder, and has the added advantage that
it actually works.
The problem is that some mail clients are rather limited and you can
only filter via title there - so I guess some people would complain we
removed the tag from the subject.
Do you mean gmail by any chance? In gmail you can filter using list:
which isn't well known. This works even if you get same mail through
multiple paths. filtering by subject in gmail is extermely unreliable:
if you get a copy directly it discards others and so you get
an inconsistent mix of messages with and without the subject prefix.

In short I suspect filtering by subject works only half-way and
most people just don't notice.
Post by Thomas Huth
Apart from that, I've also seen mailman messing up white spaces in the
body of e-mails, so this likely would only solve parts of this problem.
Thomas
Eric Blake
2017-03-28 18:38:04 UTC
Permalink
Post by Peter Maydell
(3) I could set dmarc_moderation_action to Munge From, which means that
those senders who have a p=reject policy will get their mails
* if anybody's mail client doesn't honour Reply-to: then what they
think is a personal reply will go to the list by accident
That's my favorite of the options (and these days, reply-to works a lot
better than it used to even 10 year ago)...
Post by Peter Maydell
For the moment I have picked option (3), but I'm open to argument
that we should pick something else.
Option 3 is a fine one from my perspective (I could also live with 2). This email will hopefully help you test whether it's effective.
and it appears to have worked; Andrew's mail purported to be from the
list, but had a correct 'Reply-to', and my mailer (thunderbird) appears
to do the right thing for reply-to-all.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Stefan Hajnoczi
2017-03-29 10:34:49 UTC
Permalink
Post by Peter Maydell
Hi; it's been pointed out to me that we have a problem with qemu-devel
* microsoft.com publishes a DMARC policy that has p=reject
* some subscribers use mail systems that honour this and send bounces
for non-verifying emails from those domains
* the mailing list software (mailman) modifies emails that pass through
it, among other things adding the "[qemu-devel]" subject tag, in
a way that means that signatures no longer verify
* bounces back to mailman as a result of mailing list postings from
microsoft.com people can then cause people to be unintentionally
unsubscribed
This is kind of painful. https://wiki.list.org/DEV/DMARC has the
Mailman wiki information on the subject. In an ideal world nobody
would use p=reject because it breaks mailing lists. In the actual
(1) I could set dmarc_moderation_action=Reject
* this means nobody can subscribe if they've set their dmarc policy
to reject (the "if you don't believe in mailing lists we don't
believe in you" policy).
* there is a certain purity to this option, in that it is pushing
the costs of this unhelpful mail config back on the organisations
which have chosen it; on the other hand I'm reluctant to make
life harder for people who are contributing to the project
and who typically don't have much say over corporate email config.
(2) I could reconfigure mailman to try to not rewrite anything that
we think is likely to be signed (in particular not the body or the
subject)
* this means dropping the [qemu-devel] tag from the subject, which I'm
a bit reluctant to do (it seems likely at least some readers are
filtering on it, and personally I quite like it)
* if anybody DKIM-signs the Sender: header we're stuck anyway
(3) I could set dmarc_moderation_action to Munge From, which means that
those senders who have a p=reject policy will get their mails
* if anybody's mail client doesn't honour Reply-to: then what they
think is a personal reply will go to the list by accident
Option 3 sounds good given that Option 2 is unlikely to be reliable
(e.g. DKIM-signing).
Post by Peter Maydell
(4) I could do nothing, and hope that we don't get so many of these
that they actually result in unsubscriptions
* in any case emails won't end up going through to some recipients,
so this isn't much of an option anyway
(5) I could set the bounce processing config to be (much) less aggressive
* this seems like a bad idea
* in any case people whose systems honour DMARC still wouldn't get
mails from the p=reject senders
I don't really like any of these choices.
For the moment I have picked option (3), but I'm open to argument
that we should pick something else.
thanks
-- PMM
Loading...