-
mdosch
> poll: If you ask XMPP client devs in xsf@ and jdev@ to contact you about a vulnerability via email or XMPP, do you think most contacts will be via:
> 1. XMPP
> 2. email
> (it's not even close btw, it's a landslide)
For stuff like this I prefer email as I can archive it whereas chat is for ephemeral talk.
-
mdosch
> emus, yes, but went to spam (Gmail)
Funny that Google loves to put non-google mail to spam while most spam is coming from 🥁 gmail (at least on my server).
-
emus
^^ mdosch but did you receive something?
-
mdosch
I did.
-
emus
ok
-
emus
but asking again. what can I do to improve. should I not send from Xsf mail comm mail?
-
mjk
The letter probably has DKIM signature (or should have) of the sending server that should match the domain in `From`, and mailing lists are known to botch that, which increases spam score. Maybe there's a way to set From to the mailing list address?
-
Zash
The mailing list would probably have to fix it.
-
mjk
Right, there's probably nothing the sender can do
-
Zash
Send from somewhere without DKIM 🤷️
-
mjk
Won't help, I think. What I think is happening is that the list server puts its own signature (or strips the existing one), but leaves `From` intact
-
mjk
But this is pure speculation, I didn't see the actual letter
-
mjk
(Didn't subscribe)
-
Zash
"I make the news, I don't read it" 🙂
-
mjk
:) I do read, it's just that I get notified via several xmppchats :D
-
mjk
If someone is willing to post here the .eml as they received it, it can be investigated further
-
mjk
At least the headers
-
emus
Well, I am happy to go through the mailman settings if that helps. Peter reviewed and said it's fine. But dunno how to not let it look like spam
-
mdosch
https://files.mdosch.de/upload/rOWMeaLMpo43Oeo61O8bnJTC/3DjQn0uhQM6vHDVSUG6tDg.jpg
-
mdosch
I don't see dkim or SPF. So shouldn't be a problem.
-
Zash
Is that all the headers? I'm not sure I really trust that screen.
-
mdosch
But maybe k9 doesn't show all headers.
-
mdosch
Ah, I read in neomutt and didn't download the full message in k9.
-
mdosch
https://files.mdosch.de/upload/GgUqLlucDyZbuCYTazJMAPHd/3cJenQPRQDq5MiBxTW1ivw.jpg
-
mdosch
https://files.mdosch.de/upload/NmAJt0oHBsDVWS2rNtacYqVI/MEouVlaNTZiQlCuX57z3UQ.jpg
-
mdosch
DKIM fail.
-
mjk
Ah, so the list replaced From and didn't add its own signature
-
mjk
Seems it also modified the body ("body hash did not verify")
-
Zash
Footer? Often also the Subject is modified on mailing lists.
-
mjk
So maybe it'd be worth configuring the list server to add its signature then
-
emus
Thanks for discussing guys. I cannot provide a lot of input 😓
-
mjk
Basically, the original signature from proton is useless and can be stripped
-
Zash
Srsly 90% of all DKIM signatures I see on mailing list posts are invalid.
-
mjk
Yup
-
emus
Should I extract something from proton?
-
emus
Or was it wrong to send it from proton account?
-
mjk
But in the case of newsletter it's okay to mangle original sender's data (it's even preferable, I guess), which it already does, it just doesn't sign
-
mjk
emus: it doesn't matter where you send from, the list will make the original signature invalid anyway
-
mjk
It only should add its own, then verification should start working
-
Zash
Unless you send from somewhere that doesn't use DKIM
-
emus
I assume protonmail does?
-
mjk
Yes
-
emus
https://protonmail.com/blog/dkim-key-management/
-
emus
but the issue with this was the same as with Tinyletter. Many people claimed it ends up in spam
-
mjk
Zash: well I'm not really sure lack of signatures is any better than invalid ones, in the eyes of spam milters
-
mjk
emus: to be clear, valid DKIM signatures aren't a panacea, but imho greatly reduce spaminess of letters
-
Zash
DKIM isn't about spam, it's an authentication mechanism.
-
mjk
Right
-
emus
yes, I understood
-
emus
So mailman must ensure DKIM propagation from senders to receivers?
-
emus
I can ask two more people in that regard
-
emus
if that is what we are looking for
-
mjk
emus: no, since it modifies the body, it should put its own signature and modify From accordingly
-
mjk
Or at least strip all dkim signatures present in the original (personally I'm not sure unsigned mail is any better, but don't have data to prove it)
-
Zash
I think the thing is to tell everyone if the newsletter ended up in the spam folder, to mark it as not spam.
-
mjk
The most effective measure!
-
Zash
IIRC the mandatory thing to do when you create a new (especially self-hosted) email is to get a gmail account and then mail yourself and mark the email as trusted or somesuch.
-
Zash
So to self-host, you must have gmail. Yay!
-
mjk
And maybe add the protonmail address in their addr book (if server-side)
-
mjk
But what if the mail I send to myself@gmail isn't marked as spam? (True story!)
-
emus
So I summarize: how do we get mailman to either:
- put its own signature and modify "From" accordingly
- or at least strip all DKIM signatures present in the original sender message (not so preferred solution)
- mjk nods
-
emus
🙏 thanks for evaluating guys!
-
mjk
A third option is don't modify the body, but I'm not sure how reasonable that is
-
emus
I got this input on mailman: https://wiki.list.org/DEV/DMARC
-
mjk
emus: how much are letters' bodies modified and is it essential to the newsletter? Maybe it's just a useless footer? If non-essential, the easiest first step is probably to just not touch the body and see if that preserves validity of the original signature.
-
mjk
Then there's also the matter of SPF, but that's easier to fix
-
mjk
Might need to create a test mailing list so as not to wait another month :)
-
emus
mjk, thanks. I sent the mail and did "nothing" after that. SPF? Yeah, maybe good idea
-
mjk
emus: I mean, how does mailman modify the body? Mailing lists usually add some footer, breaking the signature
-
emus
there seem to be some html attachment: https://mail.jabber.org/pipermail/newsletter/2022/000000.html
-
mjk
> SPF?
https://en.m.wikipedia.org/wiki/Sender_Policy_Framework It only involves DNS records, thus easier to set up/amend than DKIM signatures
-
mjk
> HTML attachment was scrubbed
I'm not familiar with mailing list software enough to tell if the scrubbing is done for the web interface or in the actual letters sent by the software. But the html is most likely coming from protonmail. One could try sending a plain text email to see if mailman would pass it along unmodified
- mjk starts to recall why they hate email
-
Zash
SPF should already be set up and I doubt it's of any concern here.
-
mjk
Well, the From does contain protonmail.com...
-
Zash
That doesn't matter
-
Zash
it's the FROM that matters to SPF
-
mjk
I might be misremembering how it works then
-
Zash
if it's even that
-
Zash
the SMTP HELO definitely
-
Zash
The From matters about as much as the Subject unless I think it's DMARC that says you can't lie there anymore.
-
Zash
Nowhere near the guarantees of the XMPP `from` attribute 🙂
-
mjk
Which is one reason I love and prefer it to email
-
Zash
I'm sure anyone who has deployed all the stuff required for modern email would agree (assuming they've seen how XMPP s2s works)
-
mjk
> I'm sure anyone who has deployed all the stuff ...
or even tried to :D
-
mjk
For the record, I actually reread some of that wiki article I linked and, yea, SPF has nothing to do with email headers, so not relevant here
-
mjk
Although that `dmarc=fail reason="SPF not aligned (strict)"` needs a separate investigation
-
emus
Can I somehow serve or support this elaboration? do you want to take a look at the mailman setup? (Zash the password should be at something called Atlas^^)
-
mjk
I don't think I'll be able to put enough energy into this (not much of expertise + a hatred for the whole email mess)
-
emus
mjk: no worries. many thanks
-
mjk
Just leaving some pointers if anyone is motivated to fix this
-
emus
👍
-
mjk
> many thanks No problem so far :D
-
Daniel
is PAM a thing?
-
Daniel
are there any implementations?
-
emus
that's not about the mailman topic anymore right?
-
Daniel
it's about https://xmpp.org/extensions/xep-0376.html aka PAM
-
emus
ok
-
goffi
Daniel: I'm working on an implementation right now.