• Re: A mail relay server for Debian Members is live

    From Mattia Rizzolo@21:1/5 to All on Sun Jul 17 10:10:01 2022
    On Sat, Jul 16, 2022 at 11:49:31PM +0200, Pierre-Elliott Bécue wrote:
    This service is now operational behind mail-submit.debian.org (AKA stravinsky.debian.org). Documentation about how to use this service can
    be accessed via [1].

    That's great!

    If you have any question or issue, please don't hesitate to reach out.

    Question:
    At this point, what about SPF? Ignoring potential whitelists on mail receivers, I think using this service doesn't provide extra advantages
    over signing on our own servers.
    Since there is now this system in place, I think it's fair that after a transition period we kind of force DDs to relay their email through
    Debian infrastructure to properly authenticate outgoing emails.

    Do you have any sort of plan in mind? I'd expect to at least place a "ip4:82.195.75.108 ~all" ¯\_(ツ)_/¯

    --
    regards,
    Mattia Rizzolo

    GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
    More about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'`
    Debian QA page: https://qa.debian.org/developer.php?login=mattia `-

  • From Ansgar@21:1/5 to Mattia Rizzolo on Sun Jul 17 10:40:01 2022
    On Sun, 2022-07-17 at 10:02 +0200, Mattia Rizzolo wrote:
    At this point, what about SPF?  Ignoring potential whitelists on mail receivers, I think using this service doesn't provide extra
    advantages over signing on our own servers.

    Why SPF? It doesn't provide any extra advantages over DKIM.

    Having a Debian mail relay provides an advantage though: people do not
    have to set up their own server with DKIM (or hack something in their
    mail program to sign).

    Since there is now this system in place, I think it's fair that after
    a transition period we kind of force DDs to relay their email through
    Debian infrastructure to properly authenticate outgoing emails.

    Why?

    If you want to work on improving mail infrastructure: bugs.d.o breaks
    DKIM signatures ([1] is one of the reasons, but there are likely more
    problems) and lists.d.o does so sometimes as well (but less often).
    Both could be changed to rewrite the "From" to something like "Debian
    Bug Tracker <...@bugs.d.o>" or "Debian Devel Mailinglist
    <debian-devel@l.d.o>" to prevent this.

    Ansgar

    [1] https://bugs.debian.org/941195

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ansgar@21:1/5 to Dominik George on Sun Jul 17 10:40:01 2022
    On Sun, 2022-07-17 at 10:29 +0200, Dominik George wrote:
    tl;dr: DKIM-signed mail is verifiable, but only the headers; the body
    can be tampered with;

    This is just wrong. There is no reason to sign mails to ensure
    authenticity if one can just change the body...

    Ansgar

  • From Dominik George@21:1/5 to All on Sun Jul 17 10:40:02 2022
    Hi,

    thanks for finally providing this!


    Mails sent via this server will be DKIM-signed if the from is a
    debian.org, debconf.org or ftp-master.debian.org address. If any
    additional domain should be considered, feel free to ask.

    I just wanted to make you aware of something interesting I learnt recently:

    In DKIM (and probably other signing systems), doing a regular key rollover is a good idea. That is not so new. What was new to me is the idea of publishing the old secret keys when rotating:

    https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/

    tl;dr: DKIM-signed mail is verifiable, but only the headers; the body can be tampered with; it is only designed to provide authenticity in the one second the mail is received; malicious people could steal e-mail archives and abuse modified (or even
    original) mails against senders, even using them in court maybe; publishing the old keys restores deniability because "everyone could have signed that mail because the keys are public"


    Cheers,
    Nik

  • From Adam Borowski@21:1/5 to Ansgar on Sun Jul 17 11:50:01 2022
    On Sun, Jul 17, 2022 at 10:35:21AM +0200, Ansgar wrote:
    On Sun, 2022-07-17 at 10:02 +0200, Mattia Rizzolo wrote:
    At this point, what about SPF?  Ignoring potential whitelists on mail receivers, I think using this service doesn't provide extra
    advantages over signing on our own servers.

    Why SPF? It doesn't provide any extra advantages over DKIM.

    Both SPF and DKIM suck. They are both needed, though, to increase your
    chances to get delivered to poor souls who use Gmail (although you can
    never be sure your mail won't be silently dropped).


    Meow!
    --
    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ Yo momma uses IPv4!
    ⢿⡄⠘⠷⠚⠋⠀ (And DC22 does too, meh...)
    ⠈⠳⣄⠀⠀⠀⠀

  • From Vincent Bernat@21:1/5 to Dominik George on Sun Jul 17 13:00:01 2022
    On 2022-07-17 10:29, Dominik George wrote:

    tl;dr: DKIM-signed mail is verifiable, but only the headers; the body can be tampered with

    That's not true. The body is always part of the signature (in a strict
    or relaxed way).

    The Signer/Verifier MUST compute two hashes: one over the body of the message and one over the selected header fields of the message.

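    Vincent's point, as an added example that is not from the thread or from Debian's relay: the bh= value a verifier recomputes over the body using the RFC 6376 "simple" and "relaxed" canonicalizations, run over a constructed sample body. Only the whitespace normalisation that relaxed canonicalization allows survives; any change to the words changes the hash, and the optional l= tag is modelled to show why it should stay unused.

```python
"""Compute and check a DKIM body hash (bh=) the way RFC 6376 describes it."""
import base64
import hashlib
import re
from typing import Optional

_WSP_RUN = re.compile(rb"[ \t]+")


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """RFC 6376 section 3.4.3 ("simple") or 3.4.4 ("relaxed") body canonicalization."""
    if method not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {method}")
    # Normalise bare LF / CR line endings to CRLF before applying the rules.
    lines = body.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    if method == "relaxed":
        # Collapse every run of SP/TAB to one SP, then drop WSP at the end of the line.
        lines = [_WSP_RUN.sub(b" ", line).rstrip(b" ") for line in lines]
    # Both methods ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # An empty body canonicalizes to a single CRLF (simple) or to nothing (relaxed).
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed", length: Optional[int] = None) -> str:
    """Return the base64 SHA-256 bh= value; `length` models the optional l= tag."""
    canon = canonicalize_body(body, method)
    if length is not None:
        # With l=, only the first `length` octets are covered; anything appended
        # after them is outside the signature, which is why l= should not be used.
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def body_hash_matches(body: bytes, claimed_bh: str, method: str = "relaxed",
                      length: Optional[int] = None) -> bool:
    """What a verifier does with the bh= tag of a DKIM-Signature header."""
    return body_hash(body, method, length) == claimed_bh


# Constructed sample body, as the signing relay would have seen it.
SIGNED_BODY = b"Hello,\r\n\r\nThe relay is live.\r\n-- \r\nPEB\r\n"
BH_AT_SIGNING = body_hash(SIGNED_BODY)


def demo() -> dict:
    """Compare bodies a receiver might see against the bh= computed at signing time."""
    # Whitespace-only changes that hops introduce survive relaxed canonicalization...
    reflowed = b"Hello,\n\nThe relay   is live.  \n-- \nPEB\n\n\n"
    # ...but any change to the words does not.
    altered = SIGNED_BODY.replace(b"is live", b"is not live")
    return {
        "reflowed_verifies": body_hash_matches(reflowed, BH_AT_SIGNING),
        "altered_verifies": body_hash_matches(altered, BH_AT_SIGNING),
        # Under simple canonicalization even the whitespace change breaks the hash.
        "reflowed_verifies_simple": body_hash(reflowed, "simple") == body_hash(SIGNED_BODY, "simple"),
    }


if __name__ == "__main__":
    print(demo())
```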
  • From Thomas Goirand@21:1/5 to All on Sun Jul 17 22:00:01 2022
    On 7/16/22 23:49, Pierre-Elliott Bécue wrote:
    Dear developers,

    In the past months, it's been clear that sending mails from an
    @debian.org address to some mail providers, including GMail, has become harder and harder. While user DKIM feature (documented on [0]) can help,
    we thought providing a relay server for our users to send their Debian
    mail was a more long-term solution.

    This service is now operational behind mail-submit.debian.org (AKA stravinsky.debian.org). Documentation about how to use this service can
    be accessed via [1]. The page behind [0] will be updated on the next
    release we make of userdir-ldap-cgi.

    Mails sent via this server will be DKIM-signed if the from is a
    debian.org, debconf.org or ftp-master.debian.org address. If any
    additional domain should be considered, feel free to ask.

    This server requires an active Debian Account, and that one sets their mailPassword up (again, see [1]) to be able to use the service. I've
    tried to provide some useful tips on the doc.

    If you have any question or issue, please don't hesitate to reach out.

    Cheers!

    Thanks a lot for this really useful feature.

    Cheers,

    Thomas Goirand (zigo)

  • From Vincent Bernat@21:1/5 to All on Mon Jul 25 15:00:01 2022
    On 2022-07-16 23:49, Pierre-Elliott Bécue wrote:
    In the past months, it's been clear that sending mails from an
    @debian.org address to some mail providers, including GMail, has become harder and harder. While user DKIM feature (documented on [0]) can help,
    we thought providing a relay server for our users to send their Debian
    mail was a more long-term solution.

    This service is now operational behind mail-submit.debian.org (AKA stravinsky.debian.org). Documentation about how to use this service can
    be accessed via [1]. The page behind [0] will be updated on the next
    release we make of userdir-ldap-cgi.

    Mails sent via this server will be DKIM-signed if the from is a
    debian.org, debconf.org or ftp-master.debian.org address. If any
    additional domain should be considered, feel free to ask.

    This server requires an active Debian Account, and that one sets their mailPassword up (again, see [1]) to be able to use the service. I've
    tried to provide some useful tips on the doc.

    If you have any question or issue, please don't hesitate to reach out.

    Hey!

    Would it be possible to also make it available on port 465 without
    STARTTLS? I am using smtp_tls_security_level=secure and smtp_tls_wrappermode=yes with my other providers and having mail-submit.debian.org on top of that is adding a bit of complexity that
    I would like to avoid if possible.

    Thanks.

  • From Pierre-Elliott Bécue@21:1/5 to Vincent Bernat on Fri Jul 29 09:40:02 2022
    Vincent Bernat <bernat@debian.org> wrote on 25/07/2022 at 14:58:04+0200:

    On 2022-07-16 23:49, Pierre-Elliott Bécue wrote:
    In the past months, it's been clear that sending mails from an
    @debian.org address to some mail providers, including GMail, has become
    harder and harder. While user DKIM feature (documented on [0]) can help,
    we thought providing a relay server for our users to send their Debian
    mail was a more long-term solution.
    This service is now operational behind mail-submit.debian.org (AKA
    stravinsky.debian.org). Documentation about how to use this service can
    be accessed via [1]. The page behind [0] will be updated on the next
    release we make of userdir-ldap-cgi.
    Mails sent via this server will be DKIM-signed if the from is a
    debian.org, debconf.org or ftp-master.debian.org address. If any
    additional domain should be considered, feel free to ask.
    This server requires an active Debian Account, and that one sets
    their
    mailPassword up (again, see [1]) to be able to use the service. I've
    tried to provide some useful tips on the doc.
    If you have any question or issue, please don't hesitate to reach
    out.

    Hey!

    Would it be possible to also make it available on port 465 without
    STARTTLS? I am using smtp_tls_security_level=secure and smtp_tls_wrappermode=yes with my other providers and having mail-submit.debian.org on top of that is adding a bit of complexity
    that I would like to avoid if possible.

    Hi,

    It was not on the roadmap, but we could definitely have a thought about
    it.

    Cheers!
    --
    PEB

  • From Paride Legovini@21:1/5 to Vincent Bernat on Fri Jul 29 11:50:01 2022
    Vincent Bernat wrote on 25/07/2022:
    Would it be possible to also make it available on port 465 without
    STARTTLS?

    I'd also prefer "full TLS" over STARTTLS, as it is simpler (encryption
    from the beginning instead of starting with a plaintext session) and
    somehow more secure than STARTTLS, see [1], paragraph starting with:

    A man-in-the-middle attack can be launched by deleting the "250
    STARTTLS" response from the server.

    This shouldn't be an issue if client and server are properly configured,
    but I think it's a good practice to use "full TLS" when possible.

    Cheers to DSA for setting up this much needed service!

    Paride

    [1] https://www.rfc-editor.org/rfc/rfc3207

  • From Bastien Roucariès@21:1/5 to All on Sun Aug 14 16:42:49 2022
    On Saturday 16 July 2022, 21:49:31 UTC, Pierre-Elliott Bécue wrote:
    Dear developers,

    In the past months, it's been clear that sending mails from an
    @debian.org address to some mail providers, including GMail, has become harder and harder. While user DKIM feature (documented on [0]) can help,
    we thought providing a relay server for our users to send their Debian
    mail was a more long-term solution.

    This service is now operational behind mail-submit.debian.org (AKA stravinsky.debian.org). Documentation about how to use this service can
    be accessed via [1]. The page behind [0] will be updated on the next
    release we make of userdir-ldap-cgi.

    Mails sent via this server will be DKIM-signed if the from is a
    debian.org, debconf.org or ftp-master.debian.org address. If any
    additional domain should be considered, feel free to ask.

    This server requires an active Debian Account, and that one sets their mailPassword up (again, see [1]) to be able to use the service. I've
    tried to provide some useful tips on the doc.

    If you have any question or issue, please don't hesitate to reach out.

    Thanks for this hard work; however, it seems that some mail clients consider these mails invalid, whereas Gmail and other verifier services consider them OK...

    Any idea for debugging?

    Bastien

    Cheers!


  • From David Bremner@21:1/5 to rouca@debian.org on Mon Aug 15 16:30:01 2022
    Bastien Roucariès <rouca@debian.org> writes:

    On Saturday 16 July 2022, 21:49:31 UTC, Pierre-Elliott Bécue wrote:

    Thanks for this hard work; however, it seems that some mail clients consider these mails invalid, whereas Gmail and other verifier services consider them OK...

    Any idea for debugging?

    Bastien

    Hi Bastien;

    I'm not involved with the service (even as a user), but I am interested
    in mail clients. Can you be more specific about what is failing and on
    what client? A sample message is typically needed to debug these things.
    I'm not sure there is any sensible way to report issues (RT? BTS?) but
    if someone knows, that would be useful to mention.

    d

  • From Praveen Arimbrathodiyil@21:1/5 to All on Mon Aug 15 19:50:01 2022
  • From Ansgar@21:1/5 to Praveen Arimbrathodiyil on Mon Aug 15 20:30:01 2022
    On Mon, 2022-08-15 at 23:09 +0530, Praveen Arimbrathodiyil wrote:
    I would like to bring up the issue of providers with strict SPF
    record, for example disroot.org

    dig -t TXT disroot.org has the relevant line,

    disroot.org.            3600    IN      TXT     "v=spf1 a mx -all"

    which means people using disroot.org to receive debian.org forwarded
    mails cannot receive any mails sent from other disroot.org users. I
    have also seen rejections with some other mail servers with strict
    SPF enforced.

    Can we enable SRS [1] on the forwarding mail server to mitigate this?
    This would also be relevant for @debconf.org aliases too.

    SRS doesn't help with that as it will still look like forged mail.

    To not look like forged mail, the "From" header field (not the
    envelope) has to be validated with either DKIM or SPF. disroot.org
    says this is supposed to be the case for mail from their domain:

    _dmarc.disroot.org. [...] TXT "v=DMARC1; p=quarantine; adkim=s; aspf=s; [...]"

    This requirement is not met by SRS, so SRS isn't really useful.

    You need to ask disroot.org users to:

    - make sure all their outgoing mail is DKIM-signed,
    - not send mail forwarded via the BTS (breaks DKIM signatures),
    - not send mail to @d.o lists that break DKIM signatures (most are
    fine, but depends on the DKIM-signature).

    Ansgar

  • From Marco d'Itri@21:1/5 to Ansgar on Mon Aug 15 22:30:01 2022
    On Aug 15, Ansgar <ansgar@43-1.org> wrote:

    To not look like forged mail, the "From" header field (not the
    envelope) has to be validated with either DKIM or SPF. disroot.org
    says this is supposed to be the case for mail from their domain:
    Not exactly. DMARC validation requires that at least one of DKIM or SPF
    is aligned.

    DKIM validates the 822.From header, while SPF validates the 821.From
    envelope sender.

    Forwarding emails does not break DKIM signatures, as long as the signed headers are not modified (and they are not supposed to be, so usually it
    is fine).
    Forwarding emails does break SPF, and this is what SRS fixes (by
    changing the sender domain, so this does not help with DMARC).

    Mailing lists always break SPF and they may or may not break DKIM
    depending if they change e.g. the message body or the Subject header.
    The BTS does both, so after years it is still incompatible with DMARC validation (OTOH, domains which are not phishing targets should not
    enable DMARC. But we cannot fix other people's systems...).

    --
    ciao,
    Marco

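    Marco's distinction between the two identifiers, and Ansgar's point that SRS still leaves the mail looking forged, as an added Python example that is neither from the thread nor from Debian's infrastructure. The SPF and DKIM verdicts are taken as inputs rather than computed, the organizational domain is approximated by the last two labels instead of a Public Suffix List lookup, the DMARC record keeps only the tags quoted in the thread, and the forwarding scenarios are constructed.

```python
"""Evaluate DMARC identifier alignment for the forwarding cases discussed above."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: the last two labels stand in for a PSL lookup."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, header_from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return org_domain(auth_domain) == org_domain(header_from_domain)


@dataclass
class DkimResult:
    d: str          # d= tag of the DKIM-Signature header
    passed: bool    # did the signature verify?


@dataclass
class Message:
    header_from: str    # domain of the RFC 5322 From: header (what DKIM covers)
    mail_from: str      # domain of the RFC 5321 MAIL FROM, after any SRS rewrite (what SPF checks)
    spf_pass: bool      # SPF result for mail_from at the connecting IP
    dkim: List[DkimResult] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_evaluate(msg: Message, record: str) -> Tuple[str, str]:
    """Return (result, disposition): 'pass' if SPF or DKIM is aligned, else 'fail' with p= applied."""
    tags = parse_dmarc(record)
    spf_aligned = msg.spf_pass and is_aligned(msg.mail_from, msg.header_from, tags.get("aspf", "r"))
    dkim_aligned = any(r.passed and is_aligned(r.d, msg.header_from, tags.get("adkim", "r"))
                       for r in msg.dkim)
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags.get("p", "none")


# The tags quoted from disroot.org's record in the thread; the elided parts are left out.
DISROOT_DMARC = "v=DMARC1; p=quarantine; adkim=s; aspf=s"


def forwarding_cases() -> Dict[str, Tuple[str, str]]:
    """Constructed scenarios for mail From: a disroot.org user, relayed through debian.org."""
    dkim_intact = [DkimResult("disroot.org", True)]
    dkim_broken = [DkimResult("disroot.org", False)]   # e.g. body or Subject rewritten by a hop
    cases = {
        "direct_delivery": Message("disroot.org", "disroot.org", spf_pass=True, dkim=dkim_intact),
        # Forwarder keeps MAIL FROM: SPF fails against "a mx -all"; nothing else is aligned.
        "forwarded_no_srs_unsigned": Message("disroot.org", "disroot.org", spf_pass=False),
        # SRS makes SPF pass for debian.org, but debian.org is not aligned with the From: domain.
        "forwarded_srs_unsigned": Message("disroot.org", "debian.org", spf_pass=True),
        # An untouched DKIM signature survives forwarding and gives the aligned identifier.
        "forwarded_srs_dkim_intact": Message("disroot.org", "debian.org", spf_pass=True, dkim=dkim_intact),
        "forwarded_dkim_broken": Message("disroot.org", "debian.org", spf_pass=True, dkim=dkim_broken),
    }
    return {name: dmarc_evaluate(m, DISROOT_DMARC) for name, m in cases.items()}


if __name__ == "__main__":
    for name, outcome in forwarding_cases().items():
        print(f"{name:30} -> {outcome}")
```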
  • From Bastien Roucariès@21:1/5 to All on Tue Aug 16 09:50:01 2022
    On Monday 15 August 2022, 14:19:57 UTC, David Bremner wrote:
    Bastien Roucariès <rouca@debian.org> writes:
    On Saturday 16 July 2022, 21:49:31 UTC, Pierre-Elliott Bécue wrote:

    Thanks for this hard work; however, it seems that some mail clients consider these mails invalid, whereas Gmail and other verifier services consider them OK...

    Any idea for debugging?

    Bastien

    Hi Bastien;

    I'm not involved with the service (even as a user), but I am interested
    in mail clients. Can you be more specific about what is failing and on
    what client?

    kmail is the client, with the DKIM plugin enabled.

    Message-ID: <87h73gyaiw.fsf@janja.pimeys.fr> by Pierre-Elliott Bécue <peb@debian.org> in this thread fails (invalid DKIM signature), whereas Message-ID: <YtPCD66BkIDf9jyf@mapreri.org> is marked as DKIM valid...

    Bastien
    A sample message is typically needed to debug these things.
    I'm not sure there is any sensible way to report issues (RT? BTS?) but
    if someone knows, that would be useful to mention.

    d
