[Koha] Can the Koha Mailing List and DMARC become friends?

David Liddle david at liddles.net
Sat Mar 4 06:43:50 NZDT 2023


Thank you for adding it to the discussion points!


On Fri, Mar 3, 2023 at 6:08 PM Katrin Fischer <katrin.fischer.83 at web.de>
wrote:

> I have added the DMARC issue to the agenda for the next developer IRC
> meeting, but we might need the people running our mailservers to weigh in:
>
> https://wiki.koha-community.org/wiki/Development_IRC_meeting_9_March_2023
>
> Hope this helps,
>
> Katrin
>
> On 27.02.23 15:49, Coehoorn, Joel wrote:
> > FWIW, I'm seeing the same thing for our "york.edu" domain, but only for the
> > last couple of months. The list used to handle this correctly.
> >
> > *Joel Coehoorn*
> > Director of Information Technology
> > *York University*
> > Office: 402-363-5603 | jcoehoorn at york.edu | york.edu
> >
> >
> >
> > On Mon, Feb 27, 2023 at 8:00 AM David Liddle <david at liddles.net> wrote:
> >
> >> Greetings, all!
> >>
> >> At the encouragement of one of the mailing list administrators, I
> >> would like to present a situation and a proposal to you all.
> >>
> >> Normally, I would write from my work account, david.liddle at wycliff.de,
> >> since one of the hats I wear is that of a Koha system administrator.
> >> One of my other hats, however, is that of the email administrator for
> >> our corporate domains. And the latter hat has precedence over the
> >> former.
> >>
> >> To help protect our email domains from being used fraudulently, I have
> >> implemented DMARC policies according to current recommendations. You
> >> can read more about the Domain-based Message Authentication, Reporting
> >> & Conformance protocol at https://dmarc.org/. The policies direct that
> >> only messages from authorized sources should be allowed to send mail
> >> from wycliff.de and our other domains; messages from all unauthorized
> >> sources should be quarantined.
> >>
> >> With DMARC policies in place, messages that I send from my work
> >> account to the Koha mailing list get quarantined by email providers
> >> that comply with the policies' directives. Why? It happens because the
> >> Koha mailing list spoofs the email address of the original sender. As
> >> a result, there is a significant number of subscribers who did not
> >> receive the messages at all or had to fetch them from quarantine. Some
> >> unknown number will have been marked as spam.
> >>
> >> There are well-meaning reasons for this behavior within an honest,
> >> friendly community such as the Koha mailing list. However, email
> >> spoofing is one of the chief means by which fraudsters engage in
> >> phishing, data exfiltration, and ransomware attacks. In my opinion,
> >> the Koha community ought to avoid the practice of email spoofing.
> >> Therefore, I have a proposal to make:
> >>
> >> -- The Koha Mailing List is based on the Mailman list system.
> >> According to its release notes, Mailman 2.1 supports what the
> >> developers call "DMARC mitigations".
> >> -- Mailman DMARC Mitigations are described here:
> >> https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html
> >> ++ I PROPOSE that the mailing list subscribers support the
> >> implementation of DMARC mitigations to the Koha mailing list.
> >> -- The result of the implementation would be that messages submitted
> >> to the list would no longer spoof the sender's address, but rather be
> >> altered so that the messages come from the list's own address,
> >> koha at lists.katipo.co.nz. They *should* be delivered successfully to
> >> all recipients. A reply to the message would return to the list, and a
> >> reply to all could include the original sender's address explicitly.
> >> -- If you agree (or disagree) with this proposal, you'll need to
> >> indicate that in your own clever way, because there's no voting
> >> mechanism in a mailing list.
> >>
> >> Thank you for being so kind and forbearing as to read this far! I hope
> >> that you'll give my proposal your earnest consideration.
> >>
> >> Regards,
> >>
> >> David Liddle
> >>
> >>
> >> After-credits scene:
> >>
> >> For you intrepid readers, I would like to boldly suggest something
> >> even more daring than changing the list's sending practices. Please
> >> consider changing the platforms of the Koha email and chat discussions
> >> to one such as Discourse:
> >>
> >> -- The Discourse software and community seems to have a fair bit in
> >> common with the character and nature of Koha's. You can read more
> >> about the platform at https://www.discourse.org/.
> >> -- Not only is it a web forum, but it can handle email submissions,
> >> replies, notifications, and digests. (And it would always send from a
> >> legitimate address.)
> >> -- It has migration tools that appear able to import archives such as
> >> those used by this list.
> >> -- It has chat integration for real-time messaging that can also be
> >> perused later.
> >> -- It has functions for search, categorization, and groups that a
> >> mailing list does not.
> >> _______________________________________________
> >>
> >> Koha mailing list  http://koha-community.org
> >> Koha at lists.katipo.co.nz
> >> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
> >>
>
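
Added example (not part of the thread and not Mailman's own code): a simplified model of the DMARC alignment check behind the quarantining described in the original post, and of a From-rewriting mitigation of the kind proposed. The domains, the function names, the choice of Cc for the original author, and the assumption that the list's footer invalidates the sender's DKIM signature are all illustrative.

```python
import copy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr


def from_domain(msg):
    """Domain of the header From address, the identity DMARC protects."""
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def aligned(auth_domain, hdr_domain):
    # Approximation of relaxed alignment: same domain or parent/child.
    # A real evaluator compares organizational domains (Public Suffix List).
    a, h = auth_domain.lower(), hdr_domain.lower()
    return a == h or a.endswith("." + h) or h.endswith("." + a)


def dmarc_disposition(msg, spf_domain, spf_pass, dkim_domain, dkim_pass, policy):
    """DMARC passes if SPF or DKIM passes AND its domain aligns with From."""
    d = from_domain(msg)
    ok = (spf_pass and aligned(spf_domain, d)) or (dkim_pass and aligned(dkim_domain, d))
    return "deliver" if ok else policy


def munge_from(msg, list_name, list_addr):
    """Rewrite From to the list's address; keep the author reachable via Cc."""
    name, addr = parseaddr(str(msg["From"]))
    out = copy.deepcopy(msg)
    del out["From"]
    out["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    out["Cc"] = formataddr((name, addr))
    return out


def demo():
    # Constructed sample message and authentication results.
    msg = EmailMessage()
    msg["From"] = "Sender Name <sender@corp.example>"
    msg["To"] = "list@lists.example"
    msg["Subject"] = "[List] hello"
    msg.set_content("body\n")
    # As seen by a subscriber's provider: the envelope sender is the list
    # (SPF passes for lists.example), and the author's DKIM signature is
    # assumed broken by the appended footer.
    relay = dict(spf_domain="lists.example", spf_pass=True,
                 dkim_domain="corp.example", dkim_pass=False, policy="quarantine")
    before = dmarc_disposition(msg, **relay)
    after = dmarc_disposition(munge_from(msg, "List", "list@lists.example"), **relay)
    return before, after
```

With the author's address left in From, neither authenticated domain aligns with it and the receiver applies the sender's quarantine policy; once From carries the list's own domain, the list's SPF result aligns and the message is delivered.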

