git@vger.kernel.org mailing list mirror (one of many)
From: Christian Schoenebeck <qemu_oss@crudebyte.com>
To: Andrew Donnellan <ajd@linux.ibm.com>
Cc: Junio C Hamano <gitster@pobox.com>, Jeff King <peff@peff.net>,
	Jonathan Nieder <jrnieder@gmail.com>,
	patchwork@lists.ozlabs.org,
	Stephen Rothwell <sfr@canb.auug.org.au>,
	Alexandre Belloni <alexandre.belloni@bootlin.com>,
	Eric Blake <eblake@redhat.com>,
	Christian Schoenebeck <qemu_oss@crudebyte.com>,
	git@vger.kernel.org, Ian Kelling <iank@fsf.org>
Subject: Re: [PATCH] parser: Unmangle From: headers that have been mangled for DMARC purposes
Date: Fri, 11 Oct 2019 15:13:50 +0200
Message-ID: <6574162.ouEm0onZRE@silver>
In-Reply-To: <7c2f16e3-1397-9ced-e334-a52e99b27e9b@linux.ibm.com>

On Friday, 11 October 2019 06:50:14 CEST Andrew Donnellan wrote:
> On 11/10/19 3:36 pm, Andrew Donnellan wrote:
> > It would be nice if Mailman could adopt X-Original-Sender too. As it is,
> 
> (which I have gone ahead and reported as
> https://gitlab.com/mailman/mailman/issues/641)

Not stopping you from doing that, since I still think that it'd be helpful if
mailman added some kind of X-Original-Sender header in case the email has to be
munged for some reason. Just some notes about status & consensus we had:

1. On GNU lists the default mailman settings are now to prevent munging in
the first place (if possible):
https://lists.gnu.org/archive/html/qemu-devel/2019-09/msg00416.html

2. If any list member has the "nodup" mailman option turned on, mailman would 
still munge emails due to that. Ian (on CC) worked on a patch to override that 
individual user setting automatically if necessary:
https://bugs.launchpad.net/mailman/+bug/1845751

3. On git side it was suggested to add some kind of "always_use_in_body_from" 
option:
https://public-inbox.org/git/20190923222415.GA22495@sigill.intra.peff.net/

Unless that git option exists, this little trick proved to be a usable
workaround for git patch submitters suffering from munging:
https://lists.gnu.org/archive/html/qemu-devel/2019-09/msg00932.html

4. MTAs should also address this DKIM issue more accurately. For instance
Exim is currently by default filling the "dkim h=..." header with "all header 
names listed in RFC4871 will be used, whether or not each header is present in 
the message":
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-dkim_and_spf.html
That "h=" tag in the email's DKIM header lists all email headers which were
included by the MTA for signing the message. However IMO MTAs should not list
any "List-*" header name in "dkim h=..." (at least not if not present in
message), otherwise mailman is forced to munge any of such messages when
adding its required List-* headers.

BTW section 5.5. (page 38) of that RFC4871 actually says these headers "SHOULD
be included in the signature, if they are present in the message being
signed".

For now you can override this setting, e.g. by using Exim's
"dkim_sign_headers" setting and providing your own list of header names, but
from a security point of view that's suboptimal, since admins probably leave
that untouched for years and new security-relevant headers might not be
included for signing at some point in future. So IMO it would make sense to
add more fine-grained MTA DKIM config options like:
"include these headers for dkim signing only if present in message"
and/or
"use default header names except for these".

By taking these things into account, emails of domains with strict DMARC
policies are no longer munged on GNU lists.

Best regards,
Christian Schoenebeck
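
The h= problem described in point 4, as an added example that is not part of the original message and is not Exim or Mailman code: it parses a DKIM-Signature, finds header names listed in h= more often than they occur in the message, and reports the List-* ones that a list server could not add without breaking the signature. The function names and the sample message are constructed for illustration.

```python
import email
import re
from collections import Counter

# Constructed sample: a message as signed by the sender's MTA, before any list
# server touches it. Domain, selector and bh=/b= values are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;
 h=From:To:Subject:Date:Message-ID:List-Id:List-Post:List-Unsubscribe;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.org>
To: dev@lists.example.net
Subject: [PATCH] demo
Date: Fri, 11 Oct 2019 15:13:50 +0200
Message-ID: <1@example.org>

body
"""

def signed_header_names(sig_value):
    """Return the header names listed in the h= tag of one DKIM-Signature."""
    tags = {}
    # Folding whitespace carries no meaning inside h=, so drop it before splitting.
    for part in re.sub(r"\s+", "", sig_value).split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name] = value
    return [h for h in tags.get("h", "").split(":") if h]

def oversigned(raw_message):
    """Per signature: names listed in h= more often than they occur in the message."""
    msg = email.message_from_string(raw_message)
    have = Counter(k.lower() for k in msg.keys())
    result = []
    for sig in msg.get_all("DKIM-Signature", []):
        want = Counter(h.lower() for h in signed_header_names(sig))
        result.append(sorted(n for n, k in want.items() if k > have[n]))
    return result

def list_conflicts(raw_message):
    """List-* names a list server cannot add without invalidating a signature."""
    return sorted({n for names in oversigned(raw_message) for n in names
                   if n.startswith("list-")})

if __name__ == "__main__":
    print(list_conflicts(SAMPLE))
```

An empty result from `list_conflicts` means the signature only covers headers that are actually present, so the list can add its List-* headers without invalidating it.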


