Mailing-list DMARC changes?


MichaelAtOz
[prologue: If you happen to look at the mailing-list/posts disregard anything since 10 Oct, as I was trying various DMARC settings from then]

When SPF & DMARC were introduced, mailing-lists had difficulties.

Enforcement of this was added by Yahoo years ago, and other domains they control such as @aol.

Mailing-list software provided work-arounds; Gnome Mailman has an option which 'munges' the From header so it matches the domain, only for affected user domains.
For http://forum.openscad.org the list is discuss@lists.openscad.org,
so the munge is e.g. From: <joe@example.com> changes to From: joe via discuss <discuss@lists.openscad.org>

I suspect something in Nabble changed recently.
Originally such yahoo mails got on the mailing-list but never made it to the forum.
Now, since June 10, they (munged emails from multiple users) are posted to the forum against an unregistered user 'discuss@lists.openscad.org'
See http://forum.openscad.org/template/NamlServlet.jtp?macro=user_nodes&user=1513 
(note this forum is set to restrict posts to registered users)

Was this a Nabble change?

Also note that the mailing-list munge puts the original email address in the Cc field.
So I'm wondering if the 'incoming email' 'post' process could check if 'from' == the mailing-list address, check the (first/only?) Cc email-address, and if it matches a Nabble user, then post against that user?

Or is there some other DMARC solution?

------
or, this thought just popped-up,
Why does Nabble get the munged email?
Nabble is subscribed to the mailing-list, as lists+s<scrambled> at n5.nabble.com
Mailman should only munge messages DESTINED *TO* A DMARC RESTRICTED DOMAIN.
As Nabble is getting munged emails that means it has implemented SPF/DMARC???

Re: Mailing-list DMARC changes?

Israel <Nabble>
Administrator
We had a bug fix related to “Google Web Fonts” that was causing issues on embedded forums because the HTTPS protocol wasn’t fully implemented at this part. The issue reported by you (related to unregistered users) was caused because we propagated the update to all servers. Does this issue persist?

Re: Mailing-list DMARC changes?

MichaelAtOz
Israel <Nabble> wrote:
> The issue reported by you (related to unregistered users) was caused because we propagated the update to all servers. Does this issue persist?

Perhaps, after writing the below - yes there is a problem.

I was testing different Mailman DMARC settings & got it wrong when I reset them (on 21 Oct), causing all emails to have a munged From: field. So disregard the "or, this thought just popped-up" bit of the OP, that was my misconfiguration.

Thus all users' emails were 'From: joe-etc via discuss <discuss@lists.openscad.org>' and hence got posted to the unregistered/non-member* user 'discuss@lists.openscad.org' on the Forum. So they were getting added to that user.
I fixed Mailman this morning, so non-munged people's emails are posted under their registered user (matching real email address in Nabble), back to normal.

*I just checked permissions, seems the 'Create_topic' & 'Reply' now have 'Registered' unchecked (and 'Anyone' unchecked too, but 'Members' is checked), I don't recall unchecking 'Registered', but could have as a test to see if spammers had gone away.
So incoming emails to a matching Nabble user with membership only of 'Anyone' still get posted, even with permission 'Anyone' unchecked.



So I suspect that your change allowed the creation of user 'discuss@lists.openscad.org' on the Forum, and after that any DMARC munged emails got posted to that user, i.e. incoming emails matching a Nabble 'member' email address got posted.

So I have now changed that user's^ email to discuss at five432.one (one of my domains), to see what happens when another DMARC affected email (with discuss@lists.openscad.org) hits Nabble. They are not that common, I'll ask one to do a test post & see.

^ http://forum.openscad.org/template/NamlServlet.jtp?macro=user_nodes&user=1513

This however may be a work-around to the long-standing DMARC problem: I could change that user's email address back, and give it the right permissions, then munged emails do at least make it to the forum in some form. Previously they got lost to the ether (but made it to the mailing-list user's inbox), making it difficult to reply if you prefer the Forum.

Tho, the possible change I mentioned in the OP, re using 'Cc' would be the better way. There don't seem to be many existing good solutions to the yahoo problem...

Re: Mailing-list DMARC changes?

MichaelAtOz
In reply to this post by Israel <Nabble>
I remembered I have an old yahoo email, michael_at_oz at yahoo.com.au
I sent one to the Mailing-list, it got munged to Michael M via Discuss [discuss@lists.openscad.org].
It created a new Nabble unregistered user^ with group just 'Anyone' and posted it there.
^ http://forum.openscad.org/template/NamlServlet.jtp?macro=user_nodes&user=2664

That is changed behaviour, previously they got dropped.

Re: Mailing-list DMARC changes?

MichaelAtOz
In reply to this post by Israel <Nabble>
The first post to that mailing-list user (user=1513, previously discuss@lists.openscad.org, now discuss at five432.one) was June 10, so it may not have been that recent google web font change.

I'm now going to set permissions Create_topic & Reply to Registered and send another message from yahoo.

Re: Mailing-list DMARC changes?

MichaelAtOz
Yep, that also got posted*, so permissions are not working, at least in this email case.
* http://forum.openscad.org/Ignore-another-test-Sorry-tp27122p27552.html


Re: Mailing-list DMARC changes?

MichaelAtOz
Further, Mailman (for some reason yet to be found) started munging DMARC affected addresses and sending them to Nabble from 10 June, with the mailing-list address as From:
Nabble, not finding a matched user with the mailing-list address, created a new unregistered user with that address, and posted the email, regardless of the Permissions.
Subsequent munged emails (from a range of users) all got posted against that new user, regardless of Permissions.

Is that an intended design choice, incoming emails get posted without checking Permissions (hopefully - but I think not - checking the address matched the configured mailing-list address and so assuming they are legitimate)??

I see that as a spam vulnerability.
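
The Cc lookup proposed in the first post and the permission check asked about in the last one, combined in one intake routine. This is an added sketch, not Nabble's or Mailman's code: the user table, the group names in `POSTING_GROUPS`, and the `hold`/`reject`/`post` outcomes are hypothetical. It assumes the gateway only accepts mail already authenticated as coming from the list, since both From and Cc are written by the sender.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

LIST_ADDRESS = "discuss@lists.openscad.org"  # list address quoted in the thread
# Constructed forum state (hypothetical): member address -> groups.
USERS = {"joe@example.com": {"Anyone", "Registered"},
         "guest@example.net": {"Anyone"}}
POSTING_GROUPS = {"Registered", "Members"}  # assumed Create_topic/Reply setting

def resolve_author(msg):
    """Return the address a post is attributed to, or None if unclear."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != LIST_ADDRESS:
        return sender or None
    # Munged From: look for the original address in Cc.
    cc = {addr.lower() for _, addr in getaddresses(msg.get_all("Cc", [])) if addr}
    cc.discard(LIST_ADDRESS)
    # Attribute only when exactly one candidate remains; never guess.
    return cc.pop() if len(cc) == 1 else None

def decide(raw):
    """Return (action, author); action is 'post', 'hold' or 'reject'."""
    author = resolve_author(message_from_string(raw))
    if author is None or author not in USERS:
        return ("hold", author)  # no auto-created user from a header value
    if not USERS[author] & POSTING_GROUPS:
        return ("reject", author)  # known user without posting permission
    return ("post", author)

def sample(from_, cc=None):
    """Build a constructed test message."""
    headers = ["From: " + from_, "To: " + LIST_ADDRESS, "Subject: test"]
    if cc:
        headers.append("Cc: " + cc)
    return "\n".join(headers) + "\n\nbody\n"

MUNGED = "joe via discuss <" + LIST_ADDRESS + ">"

if __name__ == "__main__":
    for raw in (sample("joe@example.com"),
                sample(MUNGED, "joe@example.com"),
                sample(MUNGED, "stranger@example.org"),
                sample(MUNGED),
                sample("guest@example.net")):
        print(decide(raw))
```

Held messages go to a moderator instead of creating a user from a header value, which is the step the thread identifies as the spam exposure.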