Munging report-only DMARC

Bug #1632036 reported by fuglede
Affects: GNU Mailman
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi GNU Mailman folks

This is the first report from here, so do let me know if it's not hitting the mark in one way or another.

So, as I understand it, DMARC from-munging takes place whenever the sender has specified a DMARC policy of `p=quarantine` or `p=reject`, but *not* for the report-only policy `p=none`. I believe that it should cover the `p=none` case as well, though, as one can otherwise set such a policy as the DMARC policy on a self-hosted mail server, send an email to a GNU Mailman mailing list, and receive reports from the mail servers of some of the subscribers. Moreover, in some cases, mail servers (such as personal ones) host only very few email addresses, so that you are effectively deanonymizing some of the mailing list's subscribers. I tested this on a Mailman 2.1.23 setup.

Now, due to the way mailing lists work, you could argue that it's not really an issue that a subscriber can figure out who else subscribes, but since this information is not readily available in any other way, it does seem unintentional.

Mark Sapiro (msapiro) wrote :

What DMARC mitigations are applied and under what circumstances are list configuration settings. The Munge From mitigation was introduced in Mailman 2.1.16 but in that version could only be applied to all list posts. This is controlled by the from_is_list setting.

Beginning with Mailman 2.1.18 there is also a dmarc_moderation_action setting that can apply Munge From only to posts which are From: a domain that publishes DMARC p=reject and optionally also From: a domain that publishes DMARC p=quarantine (controlled by dmarc_quarantine_moderation_action). Beginning with Mailman 2.1.21 there is a dmarc_none_moderation_action setting that can apply DMARC mitigations to posts From: a domain that publishes DMARC p=none.

So if a list owner sets the list roster to be available to the admin only and is concerned about this potential membership leak, there are ways to apply DMARC mitigations to all posts or to posts From: a domain that publishes any DMARC policy including none.

Also see https://bugs.launchpad.net/mailman/+bug/1539384 which prompted the ability to apply DMARC mitigations to posts From: a domain that publishes DMARC p=none.
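
The following is an added illustration, not Mailman's own code, of how the settings named in the reply above fit together: it parses constructed DMARC TXT records (standing in for the `_dmarc.<domain>` DNS lookup) and decides which mitigation a list would apply to a post, depending on the published policy and on `from_is_list`, `dmarc_moderation_action`, `dmarc_quarantine_moderation_action` and `dmarc_none_moderation_action`. The `DMARC_RECORDS` table, the `mitigation_for` and `report_recipients` helpers, and the simplified interaction between the settings are assumptions for this example; Mailman's real implementation also handles organizational-domain fallback and other details not modelled here.

```python
"""Decide whether a Mailman-style DMARC mitigation applies to a post.

Added example, not Mailman's own code. It models the list settings
described in the thread and parses constructed DMARC TXT records
instead of doing live DNS lookups, so it runs offline.
"""
import re

# Constructed records, standing in for _dmarc.<domain> TXT lookups.
# A p=none domain still publishes a rua= address and so still receives
# aggregate reports from the receivers that handle list subscribers' mail.
DMARC_RECORDS = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100",
    "none.example": "v=DMARC1; p=none; rua=mailto:reports@none.example",
    "nodmarc.example": None,  # no DMARC record published at all
}

TAG_RE = re.compile(r"\s*([A-Za-z]+)\s*=\s*([^;]*)")
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Return the tags of a DMARC TXT record as a dict, or None if invalid."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        m = TAG_RE.match(part)
        if m:
            tags[m.group(1).lower()] = m.group(2).strip()
    # RFC 7489 requires v=DMARC1 and a p= tag for the record to be valid.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def dmarc_policy(domain):
    """Policy published by the domain ('none', 'quarantine', 'reject') or None."""
    tags = parse_dmarc(DMARC_RECORDS.get(domain.lower()))
    if tags is None:
        return None
    policy = tags["p"].lower()
    return policy if policy in VALID_POLICIES else None


def report_recipients(domain):
    """Addresses that would receive aggregate (rua=) reports for the domain."""
    tags = parse_dmarc(DMARC_RECORDS.get(domain.lower()))
    if tags is None or "rua" not in tags:
        return []
    uris = [u.strip() for u in tags["rua"].split(",") if u.strip()]
    return [u[len("mailto:"):] for u in uris if u.startswith("mailto:")]


def mitigation_for(from_addr, settings):
    """Return the mitigation a list with these settings would apply.

    settings (modelled on the 2.1.x list settings named in the thread):
      from_is_list                      -- action for every post, or 'Accept'
      dmarc_moderation_action           -- action for p=reject senders, or 'Accept'
      dmarc_quarantine_moderation_action -- bool: also apply it to p=quarantine
      dmarc_none_moderation_action      -- bool: also apply it to p=none
    """
    # from_is_list applies unconditionally, regardless of any DMARC lookup.
    list_wide = settings.get("from_is_list", "Accept")
    if list_wide != "Accept":
        return list_wide
    action = settings.get("dmarc_moderation_action", "Accept")
    if action == "Accept":
        return "Accept"
    policy = dmarc_policy(from_addr.rpartition("@")[2])
    if policy == "reject":
        return action
    if policy == "quarantine" and settings.get("dmarc_quarantine_moderation_action"):
        return action
    if policy == "none" and settings.get("dmarc_none_moderation_action"):
        return action
    return "Accept"


if __name__ == "__main__":
    default = {"dmarc_moderation_action": "Munge From"}
    covering_none = dict(default, dmarc_none_moderation_action=True)
    for sender in ("a@reject.example", "b@none.example", "c@nodmarc.example"):
        print(sender, mitigation_for(sender, default),
              mitigation_for(sender, covering_none), report_recipients(sender.split("@")[1]))
```

Run stand-alone, the script shows the point of the report: with only `dmarc_moderation_action` set, a post From a `p=none` domain is passed through unmunged even though that domain has asked for aggregate reports, while enabling `dmarc_none_moderation_action` (or `from_is_list`) closes that gap.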

Changed in mailman:
status: New → Invalid
fuglede (fuglede) wrote :

Excellent, thanks for the detailed reply.
