mdosch> poll: If you ask XMPP client devs in xsf@ and jdev@ to contact you about a vulnerability via email or XMPP, do you think most contacts will be via:
> 1. XMPP
> 2. email
> (it's not even close btw, it's a landslide)
For stuff like this I prefer email as I can archive it whereas chat is for ephemeral talk.
chipmnkhas left
neshtaxmpphas joined
neshtaxmpphas left
lovetoxhas left
neshtaxmpphas joined
adiaholichas left
adiaholichas joined
neshtaxmpphas left
neshtaxmpphas joined
adiaholichas left
neshtaxmpphas left
adiaholichas joined
neshtaxmpphas joined
atomicwatchhas left
adiaholichas left
adiaholichas joined
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
antranigvhas left
Maranda[x]has left
mjkhas left
neshtaxmpphas left
adiaholichas left
neshtaxmpphas joined
jcbrandhas joined
Maranda[x]has joined
adiaholichas joined
atomicwatchhas joined
adiaholichas left
antranigvhas joined
wladmishas left
jcbrandhas left
yushyinhas left
marc0shas left
marc0shas joined
adiaholichas joined
yushyinhas joined
rubihas left
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
rubihas joined
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
adiaholichas left
Kevhas left
Steve Killehas left
Steve Killehas joined
wladmishas joined
wladmishas left
wladmishas joined
yushyinhas left
antranigvhas left
adiaholichas joined
Kevhas joined
Kevhas left
Kevhas joined
adiaholichas left
rubihas left
florettahas left
restive_monkhas left
restive_monkhas joined
BASSGODhas left
florettahas joined
lovetoxhas joined
antranigvhas joined
mdosch> emus, yes, but went to spam (Gmail)
Funny that Google loves to put non-google mail to spam while most spam is coming from 🥁 gmail (at least on my server).
xnamedhas left
xnamedhas joined
wladmishas left
wladmishas joined
adiaholichas joined
lovetoxhas left
restive_monkhas left
Paganinihas left
adiaholichas left
restive_monkhas joined
sbachhas joined
antranigvhas left
BASSGODhas joined
վարյաhas left
yushyinhas joined
adiaholichas joined
adiaholichas left
վարյաhas joined
neshtaxmpphas left
neshtaxmpphas joined
Kevhas left
antranigvhas joined
neshtaxmpphas left
neshtaxmpphas joined
Kevhas joined
wladmishas left
wladmishas joined
mdoschhas left
mdoschhas joined
yushyinhas left
restive_monkhas left
restive_monkhas joined
Yagizahas joined
xnamedhas left
BASSGODhas left
rubihas joined
wladmishas left
neshtaxmpphas left
neshtaxmpphas joined
neshtaxmpphas left
neshtaxmpphas joined
neshtaxmpphas left
florettahas left
florettahas joined
վարյաhas left
վարյաhas joined
adiaholichas joined
yushyinhas joined
neshtaxmpphas joined
neshtaxmpphas left
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
adiaholichas left
neshtaxmpphas joined
yushyinhas left
neshtaxmpphas left
neshtaxmpphas joined
neshtaxmpphas left
neshtaxmpphas joined
antranigvhas left
antranigvhas joined
neshtaxmpphas left
adiaholichas joined
BASSGODhas joined
Menelhas joined
neshtaxmpphas joined
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
neshtaxmpphas left
neshtaxmpphas joined
neshtaxmpphas left
neshtaxmpphas joined
neshtaxmpphas left
pasdesushihas joined
yushyinhas joined
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
COM8has joined
COM8has left
mimi89999has left
mimi89999has joined
restive_monkhas left
neshtaxmpphas joined
neshtaxmpphas left
atomicwatchhas left
neshtaxmpphas joined
վարյաhas left
վարյաhas joined
neshtaxmpphas left
restive_monkhas joined
Menelhas left
Menelhas joined
atomicwatchhas joined
Samhas left
Samhas joined
Tobiashas joined
վարյաhas left
վարյաhas joined
jgarthas left
aswahas joined
pasdesushihas left
neshtaxmpphas joined
pasdesushihas joined
neshtaxmpphas left
atomicwatchhas left
վարյաhas left
jcbrandhas joined
atomicwatchhas joined
aswahas left
yushyinhas left
yushyinhas joined
neshtaxmpphas joined
neshtaxmpphas left
վարյաhas joined
Samhas left
xnamedhas joined
վարյաhas left
վարյաhas joined
wurstsalathas joined
Kevhas left
Samhas joined
Kevhas joined
L29Ahhas left
ti_gj06has joined
Samhas left
yushyinhas left
neshtaxmpphas joined
karoshihas joined
xnamedhas left
neshtaxmpphas left
emushas joined
COM8has joined
Samhas joined
yushyinhas joined
emus^^ mdosch
but did you receive sonething?
COM8has left
mdoschI did.
emusok
emusbut asking again. what can I do to improve. should I not send from Xsf mail comm mail?
adiaholichas left
msavoritiashas joined
konstantinoshas joined
xnamedhas joined
lovetoxhas joined
Samhas left
adiaholichas joined
restive_monkhas left
restive_monkhas joined
վարյաhas left
վարյաhas joined
pjnhas left
adiaholichas left
neshtaxmpphas joined
adiaholichas joined
neshtaxmpphas left
Alexhas joined
վարյաhas left
վարյաhas joined
restive_monkhas left
Guushas left
Guushas joined
Samhas joined
վարյաhas left
Samhas left
antranigvhas left
xeckshas joined
Samhas joined
marchas joined
stphas joined
restive_monkhas joined
Samhas left
Samhas joined
pjnhas joined
Steve Killehas left
Steve Killehas joined
վարյաhas joined
Samhas left
daagshas left
konstantinoshas left
վարյաhas left
վարյաhas joined
yushyinhas left
antranigvhas joined
Kevhas left
Kevhas joined
neshtaxmpphas joined
yushyinhas joined
neshtaxmpphas left
adiaholichas left
Samhas joined
konstantinoshas joined
yushyinhas left
konstantinoshas left
konstantinoshas joined
Samhas left
neshtaxmpphas joined
yushyinhas joined
neshtaxmpphas left
Samhas joined
վարյաhas left
վարյաhas joined
neshtaxmpphas joined
Apollohas left
Apollohas joined
Samhas left
gooyahas joined
marchas left
Samhas joined
neshtaxmpphas left
Samhas left
marchas joined
pjnhas left
Samhas joined
beanhas joined
Samhas left
վարյաhas left
վարյաhas joined
adiaholichas joined
վարյաhas left
վարյաhas joined
Samhas joined
harry837374884has left
Maranda[x]has left
Maranda[x]has joined
debaclehas joined
Samhas left
restive_monkhas left
Samhas joined
marc0shas left
marc0shas joined
marchas left
վարյաhas left
վարյաhas joined
lovetoxhas left
lovetoxhas joined
Samhas left
daagshas joined
restive_monkhas joined
Samhas joined
վարյաhas left
վարյաhas joined
pjnhas joined
adiaholichas left
adiaholichas joined
xeckshas left
xeckshas joined
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
Samhas left
harry837374884has joined
Fishbowlerhas left
Fishbowlerhas joined
վարյաhas left
Fishbowlerhas left
Fishbowlerhas joined
xnamedhas left
Samhas joined
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
stphas left
Samhas left
վարյաhas joined
marchas joined
Samhas joined
neshtaxmpphas joined
Samhas left
neshtaxmpphas left
adiaholichas left
Steve Killehas left
Samhas joined
adiaholichas joined
antranigvhas left
antranigvhas joined
Samhas left
neshtaxmpphas joined
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
վարյաhas left
վարյաhas joined
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
adiaholichas left
Titihas joined
Apollohas left
Apollohas joined
Samhas joined
mjkhas joined
Samhas left
chipmnkhas joined
Samhas joined
adiaholichas joined
Menelhas left
stphas joined
pjnhas left
Samhas left
karoshihas left
karoshihas joined
goffihas joined
Samhas joined
mjkThe letter probably has DKIM signature (or should have) of the sending server that should match the domain in `From`, and mailing lists are known to botch that, which increases spam score. Maybe there's a way to set From to the mailing list address?
վարյաhas left
վարյաhas joined
ZashThe mailing list would probably have to fix it.
mjkRight, there's probably nothing sender can do
ZashSend from somewhere without DKIM 🤷️
mjkWon't help, I think. What I think is happening, is the list server puts its own signature (or strips the existing one), but leaves `From` intact
debaclehas left
restive_monkhas left
mjkBut this is pure speculation, I didn't see the actual letter
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
mjk(Didn't subscribe)
lskdjfhas joined
Zash"I make the news, I don't read it" 🙂
mjk:)
I do read, it's just that I get notified via several xmppchats :D
mjkIf someone is willing to post here the .eml as they received it, it can be investigated further
restive_monkhas joined
mjkAt least the headers
Samhas left
adiaholichas left
APachhas left
konstantinoshas left
Steve Killehas joined
marc0shas left
marc0shas joined
mjkhas left
mjkhas joined
վարյաhas left
վարյաhas joined
konstantinoshas joined
lovetoxhas left
emusWell, I am happy to go through the mailman settings if that helps. Peter reviewed and said its fine. But dunno how to not let it look like spam
mjkAh, so the list replaced From and didn't add its own signature
Samhas left
Samhas joined
mjkSeems it also modified the body ("body hash did not verify")
ZashFooter? Often also the Subject is modified on mailing lists.
mjkSo maybe it'd be worth configuring the list server to add its signature then
emusThanks for disussing guys. I cannot provide a lot of input 😓
mjkBasically, the original signature from proton is useless and can be stripped
ZashSrsly 90% of all DKIM signatures I see on mailing list posts are invalid.
mjkYup
emusShould I extract something from proton?
restive_monkhas left
lovetoxhas left
emusOr was it wrong to send it from proton account?
mjkBut in the case of newsletter it's okay to mangle original sender's data (it's even preferable, I guess), which it already does, it just doesn't sign
mjkemus: it doesn't matter where you send from, the list will make the original signature invalid anyway
djorzhas left
mjkIt only should add its own, then verification should stsrt working✎
Samhas left
mjkIt only should add its own, then verification should start working ✏
lovetoxhas joined
ZashUnless you send from somewhere that doesn't use DKIM
mjkemus: no, since it modifies the body, it should put its own signature and modify From accordingly
վարյաhas left
adiaholichas left
mjkOr at least strip all dkim signatures present in the original (personally I'm not sure unsigned mail is any better, but don't have data to prove it)
Samhas joined
ZashI think the thing is to tell everyone if the newsletter ended up in the spam folder, to mark it as not spam.
mjkThe most effective measure!
ZashIIRC the mandatory thing to do when you create a new (especially self-hosted) email is to get a gmail account and then mail yourself and mark the email as trusted or somesuch.
mjkAnd maybe add the protonmail address in their addr book✎
ZashSo to self-host, you must have gmail. Yay!
mjkAnd maybe add the protonmail address in their addr book (if server-side) ✏
pjnhas joined
lovetoxhas left
Wojtekhas joined
mjkBut what if the mail I send to myself@gmail isn't marked as spam? (True story!)
adiaholichas joined
Samhas left
վարյաhas joined
emusSo I summarize:
how do we get mailman to either:
- put its own signature and modify "From" accordingly
- or at least strip all DKIM signatures present in the original sender message (no so prefered solution)
Samhas joined
mjknods
emus🙏 thanks for evaluating guys!
mjkA third option is don't touch the body, but I'm not sure how reasonable that is✎
mjkA third option is don't modify the body, but I'm not sure how reasonable that is ✏
վարյաhas left
վարյաhas joined
Wojtekhas left
Wojtekhas joined
Samhas left
debaclehas joined
Samhas joined
restive_monkhas joined
Samhas left
restive_monkhas left
xnamedhas joined
harry837374884has left
harry837374884has joined
Menelhas joined
wladmishas left
wladmishas joined
xnamedhas left
xnamedhas joined
restive_monkhas joined
Samhas joined
Samhas left
harry837374884has left
harry837374884has joined
adiaholichas left
adiaholichas joined
lovetoxhas joined
djorzhas left
Samhas joined
adiaholichas left
Menelhas left
Samhas left
neshtaxmpphas left
վարյաhas left
վարյաhas joined
lovetoxhas left
neshtaxmpphas joined
Samhas joined
robertooohas left
marc0shas left
marc0shas joined
restive_monkhas left
lovetoxhas joined
emusI got this input on mailmain:
https://wiki.list.org/DEV/DMARC
վարյաhas left
վարյաhas joined
djorzhas joined
restive_monkhas joined
harry837374884has left
harry837374884has joined
robertooohas joined
robertooohas left
papatutuwawahas joined
pjnhas left
gooyahas left
gooyahas joined
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
marchas left
adiaholichas joined
marchas joined
COM8has joined
COM8has left
restive_monkhas left
chipmnkhas left
chipmnkhas joined
L29Ahhas joined
pjnhas joined
neshtaxmpphas left
neshtaxmpphas joined
lovetoxhas left
marc0shas left
marc0shas joined
mjkemus: how much are letters' bodies are modified and is it essential to the newsletter? Maybe it's just a useless footer? If non-essential, the easiest first step is probably to just not touch the body and see if that preserves validity of the original signature.
mjkThen there's also the matter of SPF, but that's easier to fix
restive_monkhas joined
lovetoxhas joined
neshtaxmpphas left
L29Ahhas left
L29Ahhas joined
mjkMight need to create a test mailing list so as not to wait another month :)
gooyahas left
neshtaxmpphas joined
gooyahas joined
lovetoxhas left
emusmjk, thanks.
I sent the mail and did "nothing" after that.
SPF?
Yeah, maybe good idea
վարյաhas left
վարյաhas joined
mjkemus: I mean, how does mailman modify the body? Mailing list usually add some footer, breaking the signature✎
mjkemus: I mean, how does mailman modify the body? Mailing lists usually add some footer, breaking the signature ✏
emusthere seem to be some html attachement: https://mail.jabber.org/pipermail/newsletter/2022/000000.html
mjk> SPF?
https://en.m.wikipedia.org/wiki/Sender_Policy_Framework
It only involves DNS records, thus easier to setup/amend than DKIM signatures
xeckshas left
harry837374884has left
harry837374884has joined
mjk> HTML attachment was scrubbed
I'm not familiar with mailing list software enough to tell if the scrubbing is done for the web interface or in the actual letters sent from it. But the html is most likely coming from protonmail. One could try sending a plain text email to see if mailman would pass it along unmodified✎
mjk> HTML attachment was scrubbed
I'm not familiar with mailing list software enough to tell if the scrubbing is done for the web interface or in the actual letters sent by the software. But the html is most likely coming from protonmail. One could try sending a plain text email to see if mailman would pass it along unmodified ✏
adiaholichas left
adiaholichas joined
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
Menelhas joined
mjkstarts to recall why they hate email
gooyahas left
ZashSPF should already be set up and I doubt it's of any concern here.
gooyahas joined
Friendly Resident Cynichas left
Danielhas left
Danielhas joined
mjkWell, the From does contain protonmail.com...
ZashThat doesn't matter
Zashit's the FROM that matters to SPF
mjkI might be misremembering how it works then
gooyahas left
Zashif it's even that
Zashthe SMTP HELO definitely
ZashThe From matters about as much as the Subject unless I think it's DMARC that says you can't lie there anymore.
ZashNowhere near the guarantees of the XMPP `from` attribute 🙂
mjkWhich is one reason I love and prefer it to email ✏
Danielhas joined
ZashI'm sure anyone who has deployed all the stuff required for modern email would agree (assuming they've seen how XMPP s2s works)
վարյաhas left
վարյաhas joined
Matthewhas left
Half-Shothas left
homebeachhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
mjk> I'm sure anyone who has deployed all the stuff ...
or even tried to :D
adiaholichas left
moparisthebesthas joined
mjkFor the record, I actually reread some of that wiki article I linked and, yea, SPF has nothing to do with email headers, so not relevant here
mjkAlthough that `dmarc=fail reason="SPF not aligned (strict)"` needs a separate investigatiom
adiaholichas joined
վարյաhas left
nuronhas left
nuronhas joined
վարյաhas joined
Wojtekhas left
chipmnkhas left
վարյաhas left
վարյաhas joined
Maranda[x]has left
Maranda[x]has joined
xnamedhas left
restive_monkhas left
Andrzejhas joined
ti_gj06has left
restive_monkhas joined
marc0shas left
robertooohas joined
marc0shas joined
xnamedhas joined
antranigvhas left
antranigvhas joined
kinetikhas left
djorzhas left
L29Ahhas left
L29Ahhas joined
adiaholichas left
Yagizahas left
Matthewhas left
Half-Shothas left
homebeachhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
lovetoxhas joined
adiaholichas joined
վարյաhas left
xeckshas joined
gooyahas joined
adiaholichas left
xnamedhas left
ti_gj06has joined
adiaholichas joined
phoeboshas joined
phoeboshas left
COM8has joined
COM8has left
xeckshas left
xeckshas joined
chipmnkhas joined
emusCan I somehow serve or support this elaboration? do you want to take a look at the mailman setup?
(Zash the password should be at something called Atlas^^)
Calvinhas joined
lovetoxhas left
Danielhas left
Danielhas joined
mjkI don't think I'll be able to put enough energy into this (not much of expertise + a hatred for the whole email mess)
emusmjk: no worries. many thanks
mjkJust leaving some pointers if anyone it motivated to fix this
emus👍
mjk> many thanks
No problem so far :D
papatutuwawahas left
Calvinhas left
konstantinoshas left
pasdesushihas left
florettahas left
neshtaxmpphas left
pasdesushihas joined
papatutuwawahas joined
Danielis PAM a thing?
Danielare there any implementations?
emusthats not about the mailman topic anymore right?
neshtaxmpphas joined
Danielit's about https://xmpp.org/extensions/xep-0376.html aka PAM
emusok
restive_monkhas left
neshtaxmpphas left
neshtaxmpphas joined
neshtaxmpphas left
al1r4dhas joined
al1r4dhas left
stpeterhas joined
restive_monkhas joined
Apollohas left
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
neshtaxmpphas joined
debaclehas left
lovetoxhas joined
florettahas joined
restive_monkhas left
restive_monkhas joined
neshtaxmpphas left
neshtaxmpphas joined
xnamedhas joined
xeckshas left
xeckshas joined
adiaholichas left
adiaholichas joined
antranigvhas left
Half-Shothas left
homebeachhas left
Matthewhas left
uhoreghas left
Half-Shothas joined
Matthewhas joined
homebeachhas joined
uhoreghas joined
antranigvhas joined
antranigvhas left
antranigvhas joined
վարյաhas joined
adiaholichas left
adiaholichas joined
matkorhas left
goffiDaniel: I'm working on an implementation right now.