XSF Discussion - 2022-04-06

> poll: If you ask XMPP client devs in xsf@ and jdev@ to contact you about a vulnerability via email or XMPP, do you think most contacts will be via: > 1. XMPP > 2. email > (it's not even close btw, it's a landslide) For stuff like this I prefer email as I can archive it whereas chat is for ephemeral talk.

> emus, yes, but went to spam (Gmail) Funny that Google loves to put non-google mail to spam while most spam is coming from 🥁 gmail (at least on my server).

^^ mdosch but did you receive sonething?

I did.

ok

but asking again. what can I do to improve. should I not send from Xsf mail comm mail?

The letter probably has DKIM signature (or should have) of the sending server that should match the domain in `From`, and mailing lists are known to botch that, which increases spam score. Maybe there's a way to set From to the mailing list address?

The mailing list would probably have to fix it.

Right, there's probably nothing sender can do

Send from somewhere without DKIM 🤷️

Won't help, I think. What I think is happening, is the list server puts its own signature (or strips the existing one), but leaves `From` intact

But this is pure speculation, I didn't see the actual letter

(Didn't subscribe)

"I make the news, I don't read it" 🙂

:) I do read, it's just that I get notified via several xmppchats :D

If someone is willing to post here the .eml as they received it, it can be investigated further

At least the headers

Well, I am happy to go through the mailman settings if that helps. Peter reviewed and said its fine. But dunno how to not let it look like spam

https://files.mdosch.de/upload/rOWMeaLMpo43Oeo61O8bnJTC/3DjQn0uhQM6vHDVSUG6tDg.jpg

I don't see dkim or SPF. So shouldn't be a problem.

Is that all the headers? I'm not sure I really trust that screen.

But maybe k9 doesn't show all headers.

Ah, I read in neomutt and didn't download the full message in k9.

https://files.mdosch.de/upload/GgUqLlucDyZbuCYTazJMAPHd/3cJenQPRQDq5MiBxTW1ivw.jpg

https://files.mdosch.de/upload/NmAJt0oHBsDVWS2rNtacYqVI/MEouVlaNTZiQlCuX57z3UQ.jpg

Dkim fail. ✏

Ah, so the list replaced From and didn't add its own signature

Seems it also modified the body ("body hash did not verify")

Footer? Often also the Subject is modified on mailing lists.

So maybe it'd be worth configuring the list server to add its signature then

Thanks for disussing guys. I cannot provide a lot of input 😓

Basically, the original signature from proton is useless and can be stripped

Srsly 90% of all DKIM signatures I see on mailing list posts are invalid.

Yup

Should I extract something from proton?

Or was it wrong to send it from proton account?

But in the case of newsletter it's okay to mangle original sender's data (it's even preferable, I guess), which it already does, it just doesn't sign

emus: it doesn't matter where you send from, the list will make the original signature invalid anyway

It only should add its own, then verification should start working ✏

Unless you send from somewhere that doesn't use DKIM

I assume protonmail does?

Yes

https://protonmail.com/blog/dkim-key-management/

but the issue with this was the same as with Tinyletter. Many people claimed it ends up in spam

Zash: well I'm not really sure lack of signatures is any better than invalid ones, in the eyes of spam milters

emus: to be clear, valid DKIM signatures aren't a panacea, but imho greatly reduce spaminess of letters

DKIM isn't about spam, it's an authentication mechanism.

Right

yes, I understood

So mailman must ensure DKIM propagation from senders to receivers?

I can ask two more people in that regard

if that is what we are looking for ✏

emus: no, since it modifies the body, it should put its own signature and modify From accordingly

Or at least strip all dkim signatures present in the original (personally I'm not sure unsigned mail is any better, but don't have data to prove it)

I think the thing is to tell everyone if the newsletter ended up in the spam folder, to mark it as not spam.

The most effective measure!

IIRC the mandatory thing to do when you create a new (especially self-hosted) email is to get a gmail account and then mail yourself and mark the email as trusted or somesuch.

So to self-host, you must have gmail. Yay!

And maybe add the protonmail address in their addr book (if server-side) ✏

But what if the mail I send to myself@gmail isn't marked as spam? (True story!)

So I summarize: how do we get mailman to either: - put its own signature and modify "From" accordingly - or at least strip all DKIM signatures present in the original sender message (no so prefered solution)

🙏 thanks for evaluating guys!

A third option is don't modify the body, but I'm not sure how reasonable that is ✏

I got this input on mailmain: https://wiki.list.org/DEV/DMARC

emus: how much are letters' bodies are modified and is it essential to the newsletter? Maybe it's just a useless footer? If non-essential, the easiest first step is probably to just not touch the body and see if that preserves validity of the original signature.

Then there's also the matter of SPF, but that's easier to fix

Might need to create a test mailing list so as not to wait another month :)

mjk, thanks. I sent the mail and did "nothing" after that. SPF? Yeah, maybe good idea

emus: I mean, how does mailman modify the body? Mailing lists usually add some footer, breaking the signature ✏

there seem to be some html attachement: https://mail.jabber.org/pipermail/newsletter/2022/000000.html

> SPF? https://en.m.wikipedia.org/wiki/Sender_Policy_Framework It only involves DNS records, thus easier to setup/amend than DKIM signatures

> HTML attachment was scrubbed I'm not familiar with mailing list software enough to tell if the scrubbing is done for the web interface or in the actual letters sent by the software. But the html is most likely coming from protonmail. One could try sending a plain text email to see if mailman would pass it along unmodified ✏

SPF should already be set up and I doubt it's of any concern here.

Well, the From does contain protonmail.com...

That doesn't matter

it's the FROM that matters to SPF

I might be misremembering how it works then

if it's even that

the SMTP HELO definitely

The From matters about as much as the Subject unless I think it's DMARC that says you can't lie there anymore.

Nowhere near the guarantees of the XMPP `from` attribute 🙂

Which is one reason I love and prefer it to email ✏

I'm sure anyone who has deployed all the stuff required for modern email would agree (assuming they've seen how XMPP s2s works)

> I'm sure anyone who has deployed all the stuff ... or even tried to :D

For the record, I actually reread some of that wiki article I linked and, yea, SPF has nothing to do with email headers, so not relevant here

Although that `dmarc=fail reason="SPF not aligned (strict)"` needs a separate investigatiom

Can I somehow serve or support this elaboration? do you want to take a look at the mailman setup? (Zash the password should be at something called Atlas^^)

I don't think I'll be able to put enough energy into this (not much of expertise + a hatred for the whole email mess)

mjk: no worries. many thanks

Just leaving some pointers if anyone it motivated to fix this

👍

> many thanks No problem so far :D

is PAM a thing?

are there any implementations?

thats not about the mailman topic anymore right?

it's about https://xmpp.org/extensions/xep-0376.html aka PAM

ok

Daniel: I'm working on an implementation right now.