Re: [Koha] Can the Koha Mailing List and DMARC become friends?
[Resending to correct accidental paste in my message but adding consideration of use of Discourse as a partial workaround.]

I added to the meeting agenda some brief consideration of implementation if we adopt DMARC for the Koha mailing list. These issues have had some discussion on the Koha mailing list. There is no problem-free way to implement DMARC for mailing lists, in part because email and mailing lists were designed before authentication of senders was considered a sufficiently concerning problem.

1. Mailman.

Two implementation approaches to consider are the following. Quotations below are from the Mailman 3 section in https://wiki.list.org/DEV/DMARC but there are matching parts in the Mailman 2 section.

One option: "Munge the From: header - The obvious way to avoid a DMARC rejection [...]"

Alternative option: "Wrap the message - This involves MIME wrapping the original message [...] Users of MUAs that can't unwrap this MIME decoration would suffer."

The suffering would be that some users of the very wide variety of email clients people use, from console, to desktop, to some old mobile device, may not see any message body and merely have an attachment requiring extra processing outside of the user's email program. See "If MIMEs could talk: Email structures in the wild" / Bo Waggoner - https://bowaggoner.com/bomail/writeups/mimes.html for some perspective on the complexities of MIME use in messages and how every email client has an individual implementation to cope.

Limiting scope to affected users. It is reportedly possible to configure Mailman to limit the scope of DMARC mitigations to affected users such that the mailing list messages are unaltered for others, "Enable dmarc mitigations" - https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/... .

My current understanding leads me to prefer "munging the from header" as an implementation despite some RFC non-compliance.
As stated above, email, mailing lists, and their associated RFCs long preceded considerations of authentication. Having problematic email clients for "MIME wrapping" in the wild seems to me to be a worse problem than some otherwise unavoidable RFC non-compliance with the very diverse subscriber base for the mailing list. Diverse subscribers have diverse computer systems and frequently restrictions on changing them where they actually read and reply to email on work systems and other systems as opposed to some major proprietary webmail intermediaries through which email may pass for many people.

2. Discourse.

Does Discourse mailing list mode avoid problems with DMARC in a manner that is still sensible for offline use? Mailing lists are good for offline use. Does Discourse provide something similar to Mailman "munging the from header" so that the message poster is identified in the email From header originating from the Discourse server, allowing email clients to display lists of messages helpfully, including by message poster in addition to subject and time?

Thomas Dukleth
Agogme
109 E 9th Street, 3D
New York, NY 10003
USA
http://www.agogme.com
+1 212-674-3783

On Fri, March 3, 2023 17:43, David Liddle wrote:
Thank you for adding it to the discussion points!
On Fri, Mar 3, 2023 at 6:08 PM Katrin Fischer <katrin.fischer.83@web.de> wrote:
I have added the DMARC issue to the agenda for the next developer IRC meeting, but we might need the people running our mailservers to weigh in:
https://wiki.koha-community.org/wiki/Development_IRC_meeting_9_March_2023
Hope this helps,
Katrin
On 27.02.23 15:49, Coehoorn, Joel wrote:
FWIW, I'm seeing the same thing for our "york.edu" domain, but only for the last couple of months. The list used to handle this correctly.
*Joel Coehoorn*
Director of Information Technology
*York University*
Office: 402-363-5603 | jcoehoorn@york.edu | york.edu
On Mon, Feb 27, 2023 at 8:00 AM David Liddle <david@liddles.net> wrote:
Greetings, all!
At the encouragement of one of the mailing list administrators, I would like to present a situation and a proposal to you all.
Normally, I would write from my work account, david.liddle@wycliff.de, since one of the hats I wear is that of a Koha system administrator. One of my other hats, however, is that of the email administrator for our corporate domains. And the latter hat has precedence over the former.
To help protect our email domains from being used fraudulently, I have implemented DMARC policies according to current recommendations. You can read more about the Domain-based Message Authentication, Reporting & Conformance protocol at https://dmarc.org/. The policies direct that only messages from authorized sources should be allowed to send mail from wycliff.de and our other domains; messages from all unauthorized sources should be quarantined.
With DMARC policies in place, messages that I send from my work account to the Koha mailing list get quarantined by email providers that comply with the policies' directives. Why? It happens because the Koha mailing list spoofs the email address of the original sender. As a result, there is a significant number of subscribers who did not receive the messages at all or had to fetch them from quarantine. Some unknown number will have been marked as spam.
There are well-meaning reasons for this behavior within an honest, friendly community such as the Koha mailing list. However, email spoofing is one of the chief means by which fraudsters engage in phishing, data exfiltration, and ransomware attacks. In my opinion, the Koha community ought to avoid the practice of email spoofing. Therefore, I have a proposal to make:
-- The Koha Mailing List is based on the Mailman list system. According to its release notes, Mailman 2.1 supports what the developers call "DMARC mitigations".
-- Mailman DMARC Mitigations are described here:
https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/do...
++ I PROPOSE that the mailing list subscribers support the implementation of DMARC mitigations to the Koha mailing list.
-- The result of the implementation would be that messages submitted to the list would no longer spoof the sender's address, but rather be altered so that the messages come from the list's own address, koha@lists.katipo.co.nz. They *should* be delivered successfully to all recipients. A reply to the message would return to the list, and a reply to all could include the original sender's address explicitly.
-- If you agree (or disagree) with this proposal, you'll need to indicate that in your own clever way, because there's no voting mechanism in a mailing list.
Thank you for being so kind and forbearing as to read this far! I hope that you'll give my proposal your earnest consideration.
Regards,
David Liddle
After-credits scene:
For you intrepid readers, I would like to boldly suggest something even more daring than changing the list's sending practices. Please consider changing the platforms of the Koha email and chat discussions to one such as Discourse:
-- The Discourse software and community seems to have a fair bit in common with the character and nature of Koha's. You can read more about the platform at https://www.discourse.org/.
-- Not only is it a web forum, but it can handle email submissions, replies, notifications, and digests. (And it would always send from a legitimate address.)
-- It has migration tools that appear able to import archives such as those used by this list.
-- It has chat integration for real-time messaging that can also be perused later.
-- It has functions for search, categorization, and groups that a mailing list does not.
[...]
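The two Mailman mitigations Thomas quotes above ("munge the From: header" and "wrap the message") and the outcome David describes in his proposal (messages arriving From: the list's own address, with the original sender still reachable on a reply-all), as an added Python example. This is not code from the thread or from Mailman; it uses only the standard library's email package. The poster's address and domain, its DMARC record and the in-memory stand-in for DNS are constructed; the list address is the one the thread names. It first shows why a DMARC-checking receiver quarantines a post that the list relays unchanged, then applies both mitigations and re-checks.

```python
"""Added example (not from the thread, not Mailman's code): a constructed post
run through a simplified DMARC receiver check, then through the two Mailman
mitigations quoted in the thread. Standard library only."""
from typing import Optional
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import formataddr, getaddresses, parseaddr

LIST_ADDRESS = "koha@lists.katipo.co.nz"   # list address named in the thread
LIST_DOMAIN = LIST_ADDRESS.split("@")[1]   # domain the list server authenticates as (SPF/DKIM)
LIST_NAME = "Koha"

# Stand-in for DNS (constructed): the poster's domain publishes p=quarantine,
# the list domain publishes no DMARC record at all.
DMARC_RECORDS = {"example.org": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org"}


def build_sample_post() -> EmailMessage:
    """Constructed post as it arrives at the list server, From: the poster."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = formataddr(("Example Poster", "poster@example.org"))
    msg["To"] = LIST_ADDRESS
    msg["Subject"] = "DMARC question"
    msg["Message-ID"] = "<constructed-0001@example.org>"
    msg.set_content("Hello list, does this message arrive?\n")
    return msg


def sender_address(msg: EmailMessage) -> str:
    return parseaddr(str(msg["From"]))[1]


def reply_to_addresses(msg: EmailMessage) -> list:
    return [a for _, a in getaddresses([str(h) for h in msg.get_all("Reply-To", [])])]


def parse_dmarc_record(record: str) -> dict:
    """Split a 'v=DMARC1; p=...' TXT record into its tag/value pairs."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def from_is_aligned(msg: EmailMessage, authenticated_domain: str) -> bool:
    """Simplified relaxed alignment: the From: domain must be the domain that
    passed SPF or DKIM, or a subdomain of it (real receivers compare
    organizational domains from the Public Suffix List)."""
    from_domain = sender_address(msg).rpartition("@")[2].lower()
    auth = authenticated_domain.lower()
    return from_domain == auth or from_domain.endswith("." + auth)


def dmarc_disposition(msg: EmailMessage, authenticated_domain: str, dns=DMARC_RECORDS) -> str:
    """Receiver-side outcome: 'deliver' when From: is aligned, otherwise the p=
    policy the From: domain publishes ('none' if it publishes no record). A list
    relaying a post unchanged authenticates as its own domain, so the poster's
    p=quarantine applies, which is the behaviour the thread reports."""
    if from_is_aligned(msg, authenticated_domain):
        return "deliver"
    record = dns.get(sender_address(msg).rpartition("@")[2].lower())
    return parse_dmarc_record(record).get("p", "none") if record else "none"


def munge_from(post: EmailMessage) -> EmailMessage:
    """'Munge the From: header': From: becomes the list address, the poster's name
    stays in the display name, and the poster's real address is added to Reply-To
    next to the list so reply-all still reaches them. The list must then sign the
    result as its own domain; any signature by the poster no longer verifies."""
    out = message_from_bytes(post.as_bytes(), policy=policy.default)
    name, addr = parseaddr(str(post["From"]))
    del out["From"]
    out["From"] = formataddr((f"{name or addr} via {LIST_NAME}", LIST_ADDRESS))
    replies = reply_to_addresses(post)
    for extra in (addr, LIST_ADDRESS):
        if extra not in replies:
            replies.append(extra)
    del out["Reply-To"]
    out["Reply-To"] = ", ".join(replies)
    return out


def wrap_message(post: EmailMessage) -> EmailMessage:
    """'Wrap the message': the untouched original becomes a message/rfc822
    attachment of a new message From: the list. A client that cannot unwrap it
    shows only the stub body plus an attachment, the failure mode discussed above."""
    outer = EmailMessage(policy=policy.default)
    outer["From"] = formataddr((LIST_NAME, LIST_ADDRESS))
    outer["To"] = LIST_ADDRESS
    outer["Subject"] = str(post["Subject"])
    outer.set_content("The original post is attached as a message/rfc822 part.\n")
    outer.add_attachment(post)
    return outer


def wrapped_original(outer: EmailMessage) -> Optional[EmailMessage]:
    """Recover the inner message from a wrapped post (what an unwrapping MUA does)."""
    for part in outer.iter_parts():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


if __name__ == "__main__":
    post = build_sample_post()
    for label, msg in (("relayed unchanged", post), ("From: munged", munge_from(post)),
                       ("MIME wrapped", wrap_message(post))):
        print(f"{label:18} From: {msg['From']!s:50} -> {dmarc_disposition(msg, LIST_DOMAIN)}")
```

Running it prints "quarantine" for the unchanged relay and "deliver" for both mitigations; the wrapped form keeps the original From: intact inside the message/rfc822 part, which is exactly what an MUA that cannot unwrap it will show only as an attachment.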
Hello! I'm going to state up front that I'm no expert in Discourse. I've only just registered on the Discourse Meta site so that I can get a look at its message formats. That done, I'm going to give my best shot at answering your questions:

1. Can you clarify in which sense you mean "offline use"? Some people describe themselves as offline when they don't have a web browser open but are still very much connected to the internet. For others, it just means that they're not logged in to the specific site or service in question. Then there are the people who are fully offline, making only occasional connections to the internet to collect mail by POP.

2. Systems such as Discourse are typically configured to send from a single address on their own verified domain. A message from Discourse Meta comes from the address "notifications@meta.discoursemail.com", and the reply-to address is a "plus address" on that domain which contains a string referring to the discussion thread.

3. With "Mailing list mode" enabled in my preferences, the message received contains the poster's handle and, if applicable, the message to which the poster is responding and its author's handle. However, it seems the Discourse Meta site generally suppresses the display of subscribers' email addresses and disables private messaging. So at least one aspect of their configuration makes it difficult to draw comparisons. The important aspect is that a person can reply to the topic by email and have that response shared with the wider audience.

4. With the "Activity Summary" (periodic digest) activated, the messages come from the same address. All post references and links lead to the site itself. There was no clear way to reply to an individual post by email.

Again, a platform change is just something to consider. If there's no critical mass of people reporting that the communications platforms are insufficient or unsatisfying, then it's not worth discussing or pursuing.

I just know for a fact that messages are not getting delivered to some subscribers because of address spoofing. The list will have to deal with that sooner or later, in one fashion or another.

Regards,
David Liddle
IT Manager
david.liddle@wycliff.de
Wycliff e.V., https://wycliff.de
Seminar für Sprache und Kultur, https://spracheundkultur.org/
Internationales Tagungszentrum Karimu, https://karimu.de

On Thu, Mar 9, 2023 at 5:48 PM Thomas Dukleth <kohalist@agogme.com> wrote:
[Resending to correct accidental paste in my message but adding consideration of use of Discourse as a partial workaround.]
2. Discourse.
Does Discourse mailing list mode avoid problems with DMARC in a manner that is still sensible for offline use? Mailing lists are good for offline use. Does discourse provide something similar to Mailman "munging the from header" so that the message poster is identified in the email from header originating from the Discourse server allowing email clients to display lists of messages helpfully including by message poster in addition to subject and time?
Thomas Dukleth
Agogme
109 E 9th Street, 3D
New York, NY 10003
USA
http://www.agogme.com
+1 212-674-3783
Hi David

You wrote:
Again, a platform change is just something to consider. If there's no critical mass of people reporting that the communications platforms are insufficient or unsatisfying, then it's not worth discussing or pursuing.
For me the current mailing list is satisfying and completely sufficient. If I felt otherwise I'd first consider consulting the archives, which can be found at
* https://lists.katipo.co.nz/public/koha/
* https://lists.katipo.co.nz/pipermail/koha/
* https://koha.markmail.org/

Best wishes: Michael

--
Geschäftsführer · Diplombibliothekar BBS, Informatiker eidg. Fachausweis
Admin Kuhn GmbH · Pappelstrasse 20 · 4123 Allschwil · Schweiz
T 0041 (0)61 261 55 61 · E mik@adminkuhn.ch · W www.adminkuhn.ch
On Thu, Mar 9, 2023 at 5:48 PM Thomas Dukleth <kohalist@agogme.com> wrote:
[Resending to correct accidental paste in my message but adding consideration of use of Discourse as a partial workaround.]
2. Discourse.
Does Discourse mailing list mode avoid problems with DMARC in a manner that is still sensible for offline use? Mailing lists are good for offline use. Does discourse provide something similar to Mailman "munging the from header" so that the message poster is identified in the email from header originating from the Discourse server allowing email clients to display lists of messages helpfully including by message poster in addition to subject and time?
Thomas Dukleth
Agogme
109 E 9th Street, 3D
New York, NY 10003
USA
http://www.agogme.com
+1 212-674-3783
_______________________________________________
Koha mailing list http://koha-community.org Koha@lists.katipo.co.nz Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
[Reply inline.]

On Fri, March 10, 2023 14:24, David Liddle wrote:
[...]
1. Can you clarify in which sense you mean "offline use"? Some people describe themselves as offline when they don't have a web browser open but are still very much connected to the internet. For others, it just means that they're not logged in to the specific site or service in question. Then there are the people who are fully offline, making only occasional connections to the internet to collect mail by POP.
I had meant some form of only occasional connections to the internet. The vast majority of mailing list subscribers may have high-availability, relatively low-cost internet connections. However, we should not exclude the less fortunate where Koha may still serve people well. Some less developed places have institutional islands where Koha would be suitable to an institution which is an island with some connectivity in the midst of an internet connectivity desert where internet connectivity has limited availability and high metered expense. Institutional intranet can serve Koha while internet access is not used much. In such circumstances, people read messages anytime which had been collected via POP or offline IMAP when briefly online and queue messages which they have composed for when they are briefly online again. The use case is also the same for people who live just outside some internet coverage area but work where internet is more readily available.

I have read that some people have configured Discourse so that they can interact entirely from email and never have to interact directly with the Discourse server. However, Hyperkitty for Mailman 3 may serve users better.

[...]
Again, a platform change is just something to consider. If there's no critical mass of people reporting that the communications platforms are insufficient or unsatisfying, then it's not worth discussing or pursuing. I just know for a fact that messages are not getting delivered to some subscribers because of address spoofing. The list will have to deal with that sooner or later, in one fashion or another.
A Discourse forum has been raised previously as a way to raise engagement for users who do not currently engage on the mailing list. A major issue is how much extra work maintaining a forum would be. Are the anti-spam tools or message review tools as helpful as what we currently have for the mailing list? There have been many subscribers to the mailing list from people whose systems are infected by a variety of spambots.

If people want a forum which also serves as a mailing list, Hyperkitty in Mailman 3 provides date-based access to archives as opposed to sequence-based access to archives. For Discourse servers which I tested, I did not find any evident means to access archives by some date-based period of time nor any evident effective means to include date in a search query. Maybe there is some way of configuring date-based access to messages which I did not see. Both Discourse and Hyperkitty use continuous scrolling for the next page of content which generally breaks returning to access a particular place in a list of messages without accessing a particular message. Date-based access provides some mitigation for Hyperkitty, and both Discourse and Hyperkitty provide proper paginated access for indexing robots run by Google, Bing, etc. or otherwise perhaps JavaScript disabled on the client side.

Mailman 3 still does not have feature parity with Mailman 2 but maybe we are not using or do not need Mailman 2 features which are not currently present in Mailman 3.

The easiest thing to do for the moment is to munge the From header in Mailman 2 to support DMARC. I have not found notice of any software project mailing list adopting the MIME wrapping approach to DMARC, which has too much of an adverse risk of having messages appear as attachments instead of the body for some users. MIME wrapping is probably better suited as a DMARC approach when all subscribers work for the same company using only company-supplied email software to read the company mailing list.

[...]
Thomas Dukleth
Agogme
109 E 9th Street, 3D
New York, NY 10003
USA
http://www.agogme.com
+1 212-674-3783