[Koha] Can the Koha Mailing List and DMARC become friends?

Katrin Fischer katrin.fischer.83 at web.de
Sat Mar 4 06:08:52 NZDT 2023


I have added the DMARC issue to the agenda for the next developer IRC
meeting, but we might need the people running our mailservers to weigh in:

https://wiki.koha-community.org/wiki/Development_IRC_meeting_9_March_2023

Hope this helps,

Katrin

On 27.02.23 15:49, Coehoorn, Joel wrote:
> FWIW, I'm seeing the same thing for our "york.edu" domain, but only for the
> last couple of months. The list used to handle this correctly.
>
> *Joel Coehoorn*
> Director of Information Technology
> *York University*
> Office: 402-363-5603 | jcoehoorn at york.edu | york.edu
>
>
>
> On Mon, Feb 27, 2023 at 8:00 AM David Liddle <david at liddles.net> wrote:
>
>> Greetings, all!
>>
>> At the encouragement of one of the mailing list administrators, I
>> would like to present a situation and a proposal to you all.
>>
>> Normally, I would write from my work account, david.liddle at wycliff.de,
>> since one of the hats I wear is that of a Koha system administrator.
>> One of my other hats, however, is that of the email administrator for
>> our corporate domains. And the latter hat has precedence over the
>> former.
>>
>> To help protect our email domains from being used fraudulently, I have
>> implemented DMARC policies according to current recommendations. You
>> can read more about the Domain-based Message Authentication, Reporting
>> & Conformance protocol at https://dmarc.org/. The policies direct that
>> only messages from authorized sources should be allowed to send mail
>> from wycliff.de and our other domains; messages from all unauthorized
>> sources should be quarantined.
>>
>> With DMARC policies in place, messages that I send from my work
>> account to the Koha mailing list get quarantined by email providers
>> that comply with the policies' directives. Why? It happens because the
>> Koha mailing list spoofs the email address of the original sender. As
>> a result, there is a significant number of subscribers who did not
>> receive the messages at all or had to fetch them from quarantine. Some
>> unknown number will have been marked as spam.
>>
>> There are well-meaning reasons for this behavior within an honest,
>> friendly community such as the Koha mailing list. However, email
>> spoofing is one of the chief means by which fraudsters engage in
>> phishing, data exfiltration, and ransomware attacks. In my opinion,
>> the Koha community ought to avoid the practice of email spoofing.
>> Therefore, I have a proposal to make:
>>
>> -- The Koha Mailing List is based on the Mailman list system.
>> According to its release notes, Mailman 2.1 supports what the
>> developers call "DMARC mitigations".
>> -- Mailman DMARC Mitigations are described here:
>>
>> https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html
>> ++ I PROPOSE that the mailing list subscribers support the
>> implementation of DMARC mitigations to the Koha mailing list.
>> -- The result of the implementation would be that messages submitted
>> to the list would no longer spoof the sender's address, but rather be
>> altered so that the messages come from the list's own address,
>> koha at lists.katipo.co.nz. They *should* be delivered successfully to
>> all recipients. A reply to the message would return to the list, and a
>> reply to all could include the original sender's address explicitly.
>> -- If you agree (or disagree) with this proposal, you'll need to
>> indicate that in your own clever way, because there's no voting
>> mechanism in a mailing list.
>>
>> Thank you for being so kind and forbearing as to read this far! I hope
>> that you'll give my proposal your earnest consideration.
>>
>> Regards,
>>
>> David Liddle
>>
>>
>> After-credits scene:
>>
>> For you intrepid readers, I would like to boldly suggest something
>> even more daring than changing the list's sending practices. Please
>> consider changing the platforms of the Koha email and chat discussions
>> to one such as Discourse:
>>
>> -- The Discourse software and community seems to have a fair bit in
>> common with the character and nature of Koha's. You can read more
>> about the platform at https://www.discourse.org/.
>> -- Not only is it a web forum, but it can handle email submissions,
>> replies, notifications, and digests. (And it would always send from a
>> legitimate address.)
>> -- It has migration tools that appear able to import archives such as
>> those used by this list.
>> -- It has chat integration for real-time messaging that can also be
>> perused later.
>> -- It has functions for search, categorization, and groups that a
>> mailing list does not.
>> _______________________________________________
>>
>> Koha mailing list  http://koha-community.org
>> Koha at lists.katipo.co.nz
>> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
>>
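
Added example (not part of the original thread, and not Mailman's code): a simplified Python model of why a list that keeps the author's From address fails DMARC at the receiver, and why rewriting From to the list's own address passes. The domains, the policy table, the toy hash standing in for a DKIM signature, and exact-match alignment are all assumptions made for illustration.

```python
import hashlib
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

LIST_ADDR = "list@lists.example.net"      # constructed list address
LIST_BOUNCE_DOMAIN = "lists.example.net"  # envelope sender domain after relay
# Constructed published policies, keyed by From domain.
POLICIES = {"example.org": "quarantine", "lists.example.net": "none"}

def toy_dkim_hash(msg):
    """Stand-in for DKIM: a hash over the signed Subject and body."""
    data = (msg["Subject"] + "\n" + msg.get_content()).encode()
    return hashlib.sha256(data).hexdigest()

def author_message():
    """Message as the author's server sends it, with its 'signature'."""
    msg = EmailMessage()
    msg["From"] = formataddr(("Author", "author@example.org"))
    msg["Subject"] = "DMARC question"
    msg.set_content("Hello list\n")
    return msg, {"d": "example.org", "hash": toy_dkim_hash(msg)}

def relay(msg, munge_from):
    """List relay: adds a subject tag and footer; optionally rewrites From."""
    out = EmailMessage()
    name, addr = parseaddr(msg["From"])
    if munge_from:
        out["From"] = formataddr((f"{name} via List", LIST_ADDR))
        out["Reply-To"] = addr  # replies can still reach the author
    else:
        out["From"] = msg["From"]
    out["Subject"] = "[List] " + msg["Subject"]
    out.set_content(msg.get_content() + "_______\nList footer\n")
    return out

def dmarc_disposition(msg, sig, spf_domain):
    """Receiver-side check. SPF is assumed to pass for spf_domain;
    alignment is exact match (strict), which avoids a public-suffix lookup."""
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    spf_aligned = spf_domain == from_domain
    dkim_valid = sig["hash"] == toy_dkim_hash(msg)  # breaks if content changed
    dkim_aligned = dkim_valid and sig["d"] == from_domain
    if spf_aligned or dkim_aligned:
        return "pass"
    return POLICIES.get(from_domain, "none")  # policy of the From domain

if __name__ == "__main__":
    original, sig = author_message()
    print("direct:", dmarc_disposition(original, sig, "example.org"))
    for munge in (False, True):
        relayed = relay(original, munge)
        print("munge_from =", munge, "->",
              dmarc_disposition(relayed, sig, LIST_BOUNCE_DOMAIN))
```
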

