Date: Tue, 5 Dec 2017 15:08:39 +0100
From: Solar Designer <solar@...nwall.com>
To: musl@...ts.openwall.com
Subject: Re: Why[,] ezmlm?

On Tue, Dec 05, 2017 at 12:17:31AM -0800, Jorge Almeida wrote:
> Well, I bet I'm not the only one receiving messages like this once in
> a while. Is this some known problem?

Yes. We knowingly currently do not support delivering list mail from senders in domains with strict DMARC policy (most notably, Yahoo) to recipients that reject mail based on DMARC (most notably, Gmail) when the actual policy is such that relaying mail via another host (such as ours) or/and altering the Subject is not allowed (by the sender's SPF or/and DKIM settings, respectively).

> This is not the only list for which stuff like this happens. What do
> such lists have in common? ezmlm

Apparently, newer ezmlm-idx includes a workaround for DMARC, but it's not something I'd be happy to deploy. I am unaware of a workaround that wouldn't have major drawbacks. I guess eventually we'll have to bite the bullet, but I'd rather postpone that.

The issue is not specific to ezmlm. All lists have to choose what they support and what they break.

In this particular case:

> <jjalmeida@...il.com>:
> 22.214.171.124 failed after I sent the message.
> Remote host said: 550-5.7.1 Unauthenticated email from jjtc.eu is not
> accepted due to domain's
> 550-5.7.1 DMARC policy. Please contact the administrator of jjtc.eu domain if
> 550-5.7.1 this was a legitimate mail. Please visit
> 550-5.7.1 https://support.google.com/mail/answer/2451690 to learn about the
> 550 5.7.1 DMARC initiative. 65si4900123lfv.651 - gsmtp

$ host -t txt _dmarc.jjtc.eu.
_dmarc.jjtc.eu descriptive text "v=DMARC1\;p=reject\;rua=mailto:admin@...c.eu"
$ host -t txt jjtc.eu.
jjtc.eu descriptive text "v=spf1 mx -all"

The sender domain identifies only the domain MX'es as allowed sending hosts, and asks recipients to reject mail from any other hosts. We relay mail via our server. Gmail rejects. Everything works "as intended".

I think whoever posted from that domain should have used different SPF settings, or if those settings are desired then shouldn't have posted from that domain. This configuration is not mailing list compatible.

On some other occasions, the problem is our rewriting of Subject (the addition of list name), which breaks DKIM signatures _if_ Subject is included under those (this is a sending server configuration matter; it is possible to exclude the Subject). Again, this makes such sender configurations currently unsuitable for posting to mailing lists.

Maybe we should spoof header-From addresses on the mail we relay, which would avoid these problems. But like I said, I'd rather postpone that. (We already use our own envelope-from, valid per SPF, but that's often insufficient, as you can see.)

Maybe we should stop rewriting Subjects, but this solves only one of two problem categories (it wouldn't help in this specific example), and it's also something I'd rather not do.

Alexander
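The DMARC decision discussed in the message above, modeled as an added example that is not part of the original post and is not Openwall's or ezmlm's code: it predicts what a DMARC-enforcing recipient does with a post relayed by a list that uses its own envelope-from and rewrites Subject. The DMARC record is the one shown in the message; the list envelope domain, the DKIM-Signature values and the simplified relaxed-alignment rule are assumptions.

```python
def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DMARC record or DKIM-Signature)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def aligned(domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): simplified here to
    equal-or-subdomain; a real check compares organizational domains
    using the Public Suffix List (assumption of this example)."""
    domain, from_domain = domain.lower(), from_domain.lower()
    if mode == "s":
        return domain == from_domain
    return (domain == from_domain or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))

def list_relay_verdict(from_domain, dmarc_txt, envelope_domain,
                       dkim_signature=None, rewritten_headers=("subject",)):
    """The list's envelope-from passes SPF for envelope_domain; the message
    body is assumed to be relayed unmodified. Returns 'pass', 'no-policy',
    or the sender's requested disposition (reject / quarantine / none)."""
    policy = parse_tags(dmarc_txt)
    if policy.get("v") != "DMARC1":
        return "no-policy"
    # An SPF pass counts for DMARC only if it aligns with the header-From domain.
    spf_ok = aligned(envelope_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = False
    if dkim_signature:
        sig = parse_tags(dkim_signature)
        signed = {h.strip().lower() for h in sig.get("h", "").split(":")}
        # Rewriting any header listed in h= invalidates the signature.
        intact = not (signed & {h.lower() for h in rewritten_headers})
        dkim_ok = intact and aligned(sig.get("d", ""), from_domain,
                                     policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")

DMARC_TXT = "v=DMARC1;p=reject;rua=mailto:admin@...c.eu"  # from the message
LIST_ENVELOPE = "lists.example.org"                       # constructed
SIG_WITH_SUBJECT = "v=1; a=rsa-sha256; d=jjtc.eu; s=sel; h=from:to:subject:date"  # constructed
SIG_NO_SUBJECT = "v=1; a=rsa-sha256; d=jjtc.eu; s=sel; h=from:to:date"            # constructed

if __name__ == "__main__":
    for label, sig in (("no DKIM", None), ("Subject signed", SIG_WITH_SUBJECT),
                       ("Subject not signed", SIG_NO_SUBJECT)):
        print(label, "->", list_relay_verdict("jjtc.eu", DMARC_TXT, LIST_ENVELOPE, sig))
```

Passing `rewritten_headers=()` models a list that stops rewriting Subject: a post signed over Subject then passes, while an unsigned post is still rejected.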