On Friday, 11 October 2019 06:50:14 CEST Andrew Donnellan wrote:
> On 11/10/19 3:36 pm, Andrew Donnellan wrote:
> > It would be nice if Mailman could adopt X-Original-Sender too. As it is,
>
> (which I have gone ahead and reported as
> https://gitlab.com/mailman/mailman/issues/641)

Not stopping you from doing that, since I still think that it'd be helpful if mailman added some kind of X-Original-Sender header in case the email has to be munged for some reason. Just some notes about status & consensus we had:

1. On GNU lists the default mailman settings are now to prevent munging in the first place (if possible):
https://lists.gnu.org/archive/html/qemu-devel/2019-09/msg00416.html

2. If any list member has the "nodup" mailman option turned on, mailman would still munge emails due to that. Ian (on CC) worked on a patch to override that individual user setting automatically if necessary:
https://bugs.launchpad.net/mailman/+bug/1845751

3. On git side it was suggested to add some kind of "always_use_in_body_from" option:
https://public-inbox.org/git/20190923222415.GA22495@xxxxxxxxxxxxxxxxxxxxx/
Unless that git option exists, this little trick proved to be a usable workaround for git patch submitters suffering from munging:
https://lists.gnu.org/archive/html/qemu-devel/2019-09/msg00932.html

4. MTAs should also address this DKIM issue more accurately. For instance Exim is currently by default filling the "dkim h=..." header with "all header names listed in RFC4871 will be used, whether or not each header is present in the message":
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-dkim_and_spf.html
That "h=" tag in the email's dkim header lists all email headers which were included by the MTA for signing the message. However IMO MTAs should not list any "List-*" header name in "dkim h=..." (at least not if not present in message), otherwise mailman is forced to munge any of such messages when adding its required List-* headers. BTW section 5.5. (page 38) of that RFC4871 actually says these headers "SHOULD be included in the signature, if they are present in the message being signed". For now you can override this setting, e.g. by using Exim's "dkim_sign_headers" setting and providing your own list of header names, but from a security point of view that's suboptimal, since admins probably leave that untouched for years and new security relevant headers might not be included for signing at some point in the future. So IMO it would make sense to add more fine-grained MTA DKIM config options like: "include these headers for dkim signing only if present in message" and/or "use default header names except of these".

By taking these things into account, emails of domains with strict DMARC policies are no longer munged on gnu lists.

Best regards,
Christian Schoenebeck
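
Added example (not part of the original message, and not code from Exim, Mailman or git): a check for the situation in point 4, where a signer's "h=" tag names List-* headers that are not in the message. DKIM signs the absence of any header named in "h=", so a list that later adds those headers invalidates the signature. The sample message and the function names are constructed for illustration.

```python
import email
import re
from collections import Counter

# Constructed sample (not from the thread): the signer named List-* headers
# in h= although none of them is present when the message is signed.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;
\th=From:To:Subject:Date:List-Id:List-Post:List-Unsubscribe;
\tbh=PLACEHOLDER=; b=PLACEHOLDER=
From: Alice <alice@example.org>
To: devel@lists.example.net
Subject: [PATCH] demo
Date: Fri, 11 Oct 2019 06:50:14 +0200

body
"""

def h_tag_names(sig_value):
    """Lower-cased header names listed in the h= tag of one DKIM-Signature."""
    for part in sig_value.split(";"):
        name, _, value = part.partition("=")
        if name.strip().lower() == "h":
            # Folding whitespace inside the tag value is not significant.
            return [n.lower() for n in re.sub(r"\s+", "", value).split(":") if n]
    return []

def signed_but_absent(raw_message):
    """Names listed in some h= more often than they occur in the message."""
    msg = email.message_from_string(raw_message)
    present = Counter(k.lower() for k in msg.keys())
    absent = set()
    for sig in msg.get_all("DKIM-Signature", []):
        for name, count in Counter(h_tag_names(sig)).items():
            if count > present[name]:
                absent.add(name)  # adding this header later breaks the signature
    return sorted(absent)

def list_headers_at_risk(raw_message):
    """Subset that a list manager invalidates by adding its List-* headers."""
    return [n for n in signed_but_absent(raw_message) if n.startswith("list-")]

if __name__ == "__main__":
    print(list_headers_at_risk(SAMPLE))
```

Running it against a message as it leaves your own MTA shows whether a list can add its List-* headers without breaking your signature.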