sympa-community / sympa

Sympa, Mailing List Management Software
https://www.sympa.community/sympa
GNU General Public License v2.0

Using anonymous_sender breaks sender authentication #1899

Open adam12b1 opened 1 month ago

adam12b1 commented 1 month ago

Version

Sympa 6.2.72

Installation method

FreeBSD package

Expected behavior

All emails should be authenticated with SPF/DKIM

Actual behavior

If you use the anonymous_sender setting with a sender domain not hosted on the same system, the messages will all lack any sender authentication, and will thus be rejected by many providers.

Additional information

Very similar to #1846 (thank you for acting on that!), a remnant of an earlier era of the internet before sender auth... but the fix for this one may not be so simple. Is there any way to make this feature work in the modern world?

ikedas commented 1 month ago

Hi @adam12b1,

You may set dkim_parameters.signer_domain to be the domain of anonymous sender.

ikedas commented 1 month ago

@adam12b1, if the problem you encountered has been solved, please close this issue. Otherwise, please provide more information if possible.

adam12b1 commented 1 month ago

Oh, thank you for following up... and thank you for the dkim_parameters.signer_domain suggestion, and I can see how that would solve the authentication problem.

It's not really something we can expect from our users - it would have to be automatic for them, probably. Like Sympa would have to override dkim_parameters.signer_domain for them if they used anonymous_sender, maybe? But it's probably not correct to call this a bug, more of a feature request. And there are other things we care a lot more about. :)

So I will close it.

adam12b1 commented 1 month ago

Wait, I'm sorry... re-opening! Changing dkim_parameters.signer_domain only works if Sympa knows how to sign for the new domain, right? But if this is a user setting an address in an arbitrary domain (@gmail.com or anything else) as the anonymous_sender, we don't have that DKIM private key, so we can't sign the email... right? So this anonymous sender feature still won't work for most people.

Or am I missing something?

ikedas commented 1 month ago

@adam12b1, the user should prepare a private (and also a public) key for that domain. Or, if they cannot do it by themselves, they should ask someone who has the authority to create the keys (and add a DNS record for the public key).

This is the same as when you want to enable DKIM signing on the regular mailing lists, isn't it?
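
A way to see the mismatch discussed in this thread, as an added example that is not part of the issue or of Sympa's code: it compares the domain of the From: address (the address anonymous_sender supplies) with the d= domain of each DKIM-Signature header (the value dkim_parameters.signer_domain controls). The sample messages and domains are constructed, signatures are not cryptographically verified, and the relaxed match is a simplified parent/child comparison rather than a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def from_domain(msg):
    """Domain of the From: address (the address anonymous_sender supplies)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def signer_domains(msg):
    """d= tag of every DKIM-Signature header, with folding whitespace removed."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = dict(t.split("=", 1) for t in re.sub(r"\s+", "", value).split(";") if "=" in t)
        if tags.get("d"):
            found.append(tags["d"].lower())
    return found

def aligned(author, signer, strict=False):
    """Strict: identical domains. Relaxed (simplified): one is a parent of the other."""
    if not author or not signer:
        return False
    if author == signer:
        return True
    return not strict and (author.endswith("." + signer) or signer.endswith("." + author))

def check(raw, strict=False):
    """Report the From: domain, the signing domains, and whether any of them aligns."""
    msg = message_from_string(raw)
    author, signers = from_domain(msg), signer_domains(msg)
    return {"from": author, "signers": signers,
            "aligned": any(aligned(author, s, strict) for s in signers)}

# Constructed sample headers; bh= and b= values are placeholders, not real signatures.
SIGNED_BY_LIST_HOST = (
    "From: Anonymous <anon@example.net>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=sel1;\n"
    "\th=from:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "Subject: test\n\nbody\n")
SIGNED_FOR_SENDER_DOMAIN = SIGNED_BY_LIST_HOST.replace("d=lists.example.org", "d=example.net")
UNSIGNED = "From: Anonymous <anon@example.net>\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for name in ("SIGNED_BY_LIST_HOST", "SIGNED_FOR_SENDER_DOMAIN", "UNSIGNED"):
        print(name, check(globals()[name]))
```

Running it against a message captured from a list shows whether the signing domain matches the anonymous sender's domain; it says nothing about whether the signature itself validates.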