configuration error in lists.isc.org

/dev/rob0 rob0 at gmx.co.uk
Fri Aug 7 00:00:40 UTC 2015


On Fri, Aug 07, 2015 at 01:25:37AM +0200, Heiko Richter wrote:
> Nothing concerning BIND, but still relevant to all list users:
> 
> Just wanted to let you all know about a configuration error on
> lists.isc.org. It doesn't rewrite any email headers, only reflects
> incoming messages to all list members which leads to problems in
> SPF-checks.

Just like pretty much every list server in existence, ever since the 
idea of participatory mailing lists began.

> Whenever I post something to the list (I'm not using SMTP, I'm 
> using a Usenet server to post to comp.protocols.dns.bind), my 
> postmaster address receives DMARC notifications from list members 
> that have employed this wonderful protocol on their servers, 
> telling me my message had been rejected for violating my SPF 
> policy.

Something which the wonderful folks who thought up DMARC apparently 
failed to consider.  (Somewhat like a FUSSP in that in order to work 
correctly, millions of sites globally will have to change the way 
they do things.)

> My SPF record doesn't include lists.isc.org, of course, and it never 
> will. Furthermore it ends with "-all" so all my messages to the 
> list are being rejected by list members who have SPF-aware servers.

No, GNU Mailman (which is the software behind lists.isc.org) does the 
right thing, setting a proper *envelope* sender address in the ISC 
domain.  Proper filtering would go on the envelope sender.

> Just wanted to let you all know about it as I can imagine I'm not 
> the only person who has outgoing SPF.
> 
> And the worst thing: If you have a record ending with "~all" your
> messages will be accepted but probably end up in a spam report
> container slowly eating away the good anti-spam-reputation your
> server has.

Unfortunately a lot of sites do silly things, so there may be a bit 
of truth in that.  But it's not a reason to join in on doing silly 
things.

> So ISC: please fix your list servers, let them rewrite the From 
> headers!

I am strongly opposed to this.  DMARC was another half-baked idea 
which should not be influencing such wide-ranging changes.  Do note 
that lists.isc.org long predates DMARC.

Furthermore, it's not fixing the server, it's breaking it.  Users 
want to see the sender's address.  Some of them use it for such 
things as killfiling.

But thank you for bringing this issue up.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
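
A simplified model of the two checks discussed in this thread, as an added example that is not part of the original post: SPF evaluated on the envelope sender passes for list mail, while a check keyed to the header From domain (including DMARC's SPF alignment) does not. The SPF records, IP addresses, the `author.example` domain and the envelope local part are constructed, and DKIM is not modelled.

```python
import ipaddress

# Constructed SPF policies (documentation IP ranges, not real DNS data).
SPF_RECORDS = {
    "lists.isc.org": "v=spf1 ip4:192.0.2.0/24 -all",      # list host's domain
    "author.example": "v=spf1 ip4:198.51.100.0/24 -all",  # poster's domain
}

def spf_check(client_ip, domain, records=SPF_RECORDS):
    """Minimal SPF evaluator: handles only ip4: mechanisms and a final 'all'."""
    record = records.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def domain_of(address):
    return address.rsplit("@", 1)[1].lower()

def org_domain(domain):
    # Assumption: last two labels; real DMARC uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def evaluate(client_ip, mail_from, header_from):
    """Compare SPF on the envelope sender with checks tied to the header From."""
    env_dom, hdr_dom = domain_of(mail_from), domain_of(header_from)
    spf_env = spf_check(client_ip, env_dom)
    aligned = org_domain(env_dom) == org_domain(hdr_dom)
    return {
        "spf_on_envelope": spf_env,                            # what SPF specifies
        "spf_on_header_from": spf_check(client_ip, hdr_dom),   # filter keyed to From:
        "dmarc_spf_aligned_pass": spf_env == "pass" and aligned,
    }

# Constructed list delivery: the list host relays with its own envelope
# sender and leaves the poster's From: header untouched.
LIST_DELIVERY = evaluate("192.0.2.25",
                         "bind-users-bounces@lists.isc.org",
                         "poster@author.example")

if __name__ == "__main__":
    for check, result in LIST_DELIVERY.items():
        print(f"{check}: {result}")
```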

