Date: Tue, 5 Dec 2017 15:08:39 +0100
From: Solar Designer <solar@...nwall.com>
To: musl@...ts.openwall.com
Subject: Re: Why[,] ezmlm?

On Tue, Dec 05, 2017 at 12:17:31AM -0800, Jorge Almeida wrote:
> Well, I bet I'm not the only one receiving messages like this once in
> a while. Is this some known problem?

Yes.  We knowingly currently do not support delivering list mail from
senders in domains with strict DMARC policy (most notably, Yahoo) to
recipients that reject mail based on DMARC (most notably, Gmail) when
the actual policy is such that relaying mail via another host (such as
ours) or/and altering the Subject is not allowed (by the sender's SPF
or/and DKIM settings, respectively).

> This is not the only list for which stuff like this happens. What do
> such lists have in common? ezmlm

Apparently, newer ezmlm-idx includes a workaround for DMARC, but it's
not something I'd be happy to deploy.  I am unaware of a workaround that
wouldn't have major drawbacks.  I guess eventually we'll have to bite
the bullet, but I'd rather postpone that.

The issue is not specific to ezmlm.  All lists have to choose what they
support and what they break.

In this particular case:

> <jjalmeida@...il.com>:
> 74.125.205.27 failed after I sent the message.
> Remote host said: 550-5.7.1 Unauthenticated email from jjtc.eu is not
> accepted due to domain's
> 550-5.7.1 DMARC policy. Please contact the administrator of jjtc.eu domain if
> 550-5.7.1 this was a legitimate mail. Please visit
> 550-5.7.1  https://support.google.com/mail/answer/2451690 to learn about the
> 550 5.7.1 DMARC initiative. 65si4900123lfv.651 - gsmtp

$ host -t txt _dmarc.jjtc.eu.
_dmarc.jjtc.eu descriptive text "v=DMARC1\;p=reject\;rua=mailto:admin@...c.eu"
$ host -t txt jjtc.eu.
jjtc.eu descriptive text "v=spf1 mx -all"

The sender domain identifies only the domain MX'es as allowed sending
hosts, and asks recipients to reject mail from any other hosts.  We
relay mail via our server.  Gmail rejects.  Everything works "as intended".

I think whoever posted from that domain should have used different SPF
settings, or if those settings are desired then shouldn't have posted
from that domain.  This configuration is not mailing list compatible.

On some other occasions, the problem is our rewriting of Subject (the
addition of list name), which breaks DKIM signatures _if_ Subject is
included under those (this is a sending server configuration matter; it
is possible to exclude the Subject).  Again, this makes such sender
configurations currently unsuitable for posting to mailing lists.

Maybe we should spoof header-From addresses on the mail we relay, which
would avoid these problems.  But like I said, I'd rather postpone that.
(We already use our own envelope-from, valid per SPF, but that's often
insufficient, as you can see.)

Maybe we should stop rewriting Subjects, but this solves only one of two
problem categories (it wouldn't help in this specific example), and it's
also something I'd rather not do.

Alexander
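
Added example, not part of the original message and not Openwall's or ezmlm's code: a simplified Python model of how a DMARC-enforcing receiver decides on list-relayed mail, covering the jjtc.eu case above and the Subject-rewrite case. The list domain `list.example`, the function names and the DKIM header sets are constructed for illustration, and relaxed alignment is approximated without the Public Suffix List.

```python
"""Simplified DMARC outcome for mail relayed by a mailing list (illustrative model)."""

def parse_tags(record):
    """Parse 'v=DMARC1;p=reject;...' (or host's '\\;' escaped form) into a dict."""
    tags = {}
    for part in record.replace("\\;", ";").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(domain, from_domain):
    """Relaxed alignment, approximated as equal-or-subdomain (assumption: no PSL lookup)."""
    a, b = domain.lower(), from_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def dkim_survives(signed_headers, list_changes):
    """A signature breaks if the list altered any signed header or the body."""
    if signed_headers is None:          # message was not DKIM-signed
        return False
    signed = {h.lower() for h in signed_headers}
    changed = {c.lower() for c in list_changes}
    return "body" not in changed and not (signed & changed)

def dmarc_disposition(from_domain, dmarc_record, envelope_domain, spf_pass,
                      dkim_domain, signed_headers, list_changes):
    """Return (dmarc_pass, action) as a DMARC-enforcing receiver would decide."""
    spf_ok = spf_pass and aligned(envelope_domain, from_domain)
    dkim_ok = (dkim_survives(signed_headers, list_changes)
               and dkim_domain is not None and aligned(dkim_domain, from_domain))
    if spf_ok or dkim_ok:
        return True, "accept"
    policy = parse_tags(dmarc_record).get("p", "none")
    return False, {"reject": "reject", "quarantine": "quarantine"}.get(policy, "accept")

POLICY = "v=DMARC1;p=reject"     # policy part of the record shown in the message
LIST = "list.example"            # constructed stand-in for the list's envelope-from domain

if __name__ == "__main__":
    # Case from the message: SPF passes for the list's envelope-from but is not aligned.
    print(dmarc_disposition("jjtc.eu", POLICY, LIST, True, None, None, {"subject"}))
    # Constructed: DKIM signature covers Subject, list prepends its name to Subject.
    print(dmarc_disposition("jjtc.eu", POLICY, LIST, True, "jjtc.eu",
                            ["from", "subject", "date"], {"subject"}))
    # Constructed: Subject excluded from the signature, so the rewrite leaves it valid.
    print(dmarc_disposition("jjtc.eu", POLICY, LIST, True, "jjtc.eu",
                            ["from", "date"], {"subject"}))
```

The third case passes only because the model assumes the list leaves the body untouched; adding `"body"` to `list_changes` (for example, an appended footer) breaks the signature again.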
