[Koha] Can the Koha Mailing List and DMARC become friends?

Coehoorn, Joel jcoehoorn at york.edu
Tue Feb 28 03:49:43 NZDT 2023


FWIW, I'm seeing the same thing for our "york.edu" domain, but only for the
last couple of months. The list used to handle this correctly.

*Joel Coehoorn*
Director of Information Technology
*York University*
Office: 402-363-5603 | jcoehoorn at york.edu | york.edu



On Mon, Feb 27, 2023 at 8:00 AM David Liddle <david at liddles.net> wrote:

> Greetings, all!
>
> At the encouragement of one of the mailing list administrators, I
> would like to present a situation and a proposal to you all.
>
> Normally, I would write from my work account, david.liddle at wycliff.de,
> since one of the hats I wear is that of a Koha system administrator.
> One of my other hats, however, is that of the email administrator for
> our corporate domains. And the latter hat has precedence over the
> former.
>
> To help protect our email domains from being used fraudulently, I have
> implemented DMARC policies according to current recommendations. You
> can read more about the Domain-based Message Authentication, Reporting
> & Conformance protocol at https://dmarc.org/. The policies direct that
> only messages from authorized sources should be allowed to send mail
> from wycliff.de and our other domains; messages from all unauthorized
> sources should be quarantined.
>
> With DMARC policies in place, messages that I send from my work
> account to the Koha mailing list get quarantined by email providers
> that comply with the policies' directives. Why? It happens because the
> Koha mailing list spoofs the email address of the original sender. As
> a result, there is a significant number of subscribers who did not
> receive the messages at all or had to fetch them from quarantine. Some
> unknown number will have been marked as spam.
>
> There are well-meaning reasons for this behavior within an honest,
> friendly community such as the Koha mailing list. However, email
> spoofing is one of the chief means by which fraudsters engage in
> phishing, data exfiltration, and ransomware attacks. In my opinion,
> the Koha community ought to avoid the practice of email spoofing.
> Therefore, I have a proposal to make:
>
> -- The Koha Mailing List is based on the Mailman list system.
> According to its release notes, Mailman 2.1 supports what the
> developers call "DMARC mitigations".
> -- Mailman DMARC Mitigations are described here:
>
> https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html
> ++ I PROPOSE that the mailing list subscribers support the
> implementation of DMARC mitigations to the Koha mailing list.
> -- The result of the implementation would be that messages submitted
> to the list would no longer spoof the sender's address, but rather be
> altered so that the messages come from the list's own address,
> koha at lists.katipo.co.nz. They *should* be delivered successfully to
> all recipients. A reply to the message would return to the list, and a
> reply to all could include the original sender's address explicitly.
> -- If you agree (or disagree) with this proposal, you'll need to
> indicate that in your own clever way, because there's no voting
> mechanism in a mailing list.
>
> Thank you for being so kind and forbearing as to read this far! I hope
> that you'll give my proposal your earnest consideration.
>
> Regards,
>
> David Liddle
>
>
> After-credits scene:
>
> For you intrepid readers, I would like to boldly suggest something
> even more daring than changing the list's sending practices. Please
> consider changing the platforms of the Koha email and chat discussions
> to one such as Discourse:
>
> -- The Discourse software and community seem to have a fair bit in
> common with the character and nature of Koha's. You can read more
> about the platform at https://www.discourse.org/.
> -- Not only is it a web forum, but it can handle email submissions,
> replies, notifications, and digests. (And it would always send from a
> legitimate address.)
> -- It has migration tools that appear able to import archives such as
> those used by this list.
> -- It has chat integration for real-time messaging that can also be
> perused later.
> -- It has functions for search, categorization, and groups that a
> mailing list does not.
> _______________________________________________
>
> Koha mailing list  http://koha-community.org
> Koha at lists.katipo.co.nz
> Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
>
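
The DMARC failure and the From-rewriting mitigation discussed in this thread, as an added example that is not part of either poster's message and is not Mailman's code: it checks identifier alignment for a list-relayed post before and after the From header is replaced with the list's address. The addresses, the `munge_from` helper, the use of Cc for the original sender, and the simplified alignment rule are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr, formataddr

LIST_ADDR = "koha@lists.example"  # constructed placeholder for the list's posting address

# Constructed sample post; addresses are placeholders, not real subscribers.
RAW_POST = """\
From: Author Name <author@sender.example>
To: koha@lists.example
Subject: [Koha] test post

Hello list.
"""

def domain_of(header_value):
    """Domain part of the address in a From-style header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def aligned(from_domain, auth_domain):
    """Relaxed alignment, simplified: same domain or parent/child of it.
    Real DMARC compares organizational domains via the Public Suffix List."""
    return (from_domain == auth_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))

def dmarc_pass(msg, spf_domain, dkim_domains):
    """DMARC passes if an SPF-passing or DKIM-passing domain aligns with From."""
    from_domain = domain_of(msg["From"])
    return any(aligned(from_domain, d) for d in [spf_domain, *dkim_domains] if d)

def munge_from(msg, list_addr=LIST_ADDR):
    """Hypothetical helper: send as the list, keep the author reachable via Cc."""
    name, addr = parseaddr(msg["From"])
    out = message_from_string(msg.as_string())  # work on a copy
    del out["From"]
    out["From"] = formataddr((f"{name} via Koha", list_addr))
    out["Reply-To"] = list_addr            # a plain reply returns to the list
    out["Cc"] = formataddr((name, addr))   # reply-all still reaches the author
    return out

def demo():
    post = message_from_string(RAW_POST)
    list_domain = domain_of(LIST_ADDR)
    # Assumption: after relay, SPF passes only for the list's envelope domain
    # and the author's DKIM signature no longer verifies.
    before = dmarc_pass(post, spf_domain=list_domain, dkim_domains=[])
    after = dmarc_pass(munge_from(post), list_domain, [list_domain])
    return before, after
```

The unmodified post fails because neither authenticated domain aligns with the author's From domain; after rewriting, the From domain is the list's own, so the list's SPF and DKIM results align.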

