[PATCH] parser: Unmangle From: headers that have been mangled for DMARC purposes
qemu_oss at crudebyte.com
Sat Oct 12 00:13:50 AEDT 2019
On Freitag, 11. Oktober 2019 06:50:14 CEST Andrew Donnellan wrote:
> On 11/10/19 3:36 pm, Andrew Donnellan wrote:
> > It would be nice if Mailman could adopt X-Original-Sender too. As it is,
> (which I have gone ahead and reported as
Not stopping you from doing that, since I still think that it'd be helpful if
mailman added some kind X-Original-Sender header in case the email has to be
munged for some reason. Just some notes about status & consensus we had:
1. On GNU lists the default mailman settings are now to prevent munging in
first place (if possible):
2. If any list member has the "nodup" mailman option turned on, mailman would
still munge emails due to that. Ian (on CC) worked on a patch to override that
individual user setting automatically if necessary:
3. On git side it was suggested to add some kind of "always_use_in_body_from"
Unless that git option exists, this little trick proofed as usable workaround
for git patch submitters suffering from munging:
4. MTA's should also address this DKIM issue more accurately. For instance
Exim is currently by default filling the "dkim h=..." header with "all header
names listed in RFC4871 will be used, whether or not each header is present in
That "h=" tag in email's dkim header lists all email headers which were
included by MTA for signing the message. However IMO MTA's should not list any
"List-*" header name in "dkim h=..." (at least not if not present in message),
otherwise mailman is forced to munge any of such messages when adding its
required List-* headers.
BTW section 5.5. (page 38) of that RFC4871 actually sais these headers "SHOULD
be included in the signature, if they are present in the message being
For now you can override this setting, e.g. by using Exim's
"dkim_sign_headers" setting and providing your own list of header names, but
from security point of view that's suboptimal, since admins probably leave
that untouched for years and new security relevant headers might not be
included for signing at some point in future. So IMO it would make sense to
add more fine graded MTA DKIM config options like:
"include these headers for dkim signing only if present in message"
"use default header names except of these".
By taking these things into account, emails of domains with strict DMARC
policies are no longer munged on gnu lists.
More information about the Patchwork