Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 5 Dec 2017 15:08:39 +0100
From: Solar Designer <solar@...nwall.com>
To: musl@...ts.openwall.com
Subject: Re: Why[,] ezmlm?

On Tue, Dec 05, 2017 at 12:17:31AM -0800, Jorge Almeida wrote:
> Well, I bet I'm not the only only receiving messages like this once in
> a while. Is this some known problem?

Yes.  We knowingly currently do not support delivering list mail from
senders in domains with strict DMARC policy (most notably, Yahoo) to
recipients that reject mail based on DMARC (most notably, Gmail) when
the actual policy is such that relaying mail via another host (such as
ours) or/and altering the Subject is not allowed (by the sender's SPF
or/and DKIM settings, respectively).

> This is not the only list for which stuff like this happens. What do
> such lists have in common? ezmlm

Apparently, newer ezmlm-idx includes a workaround for DMARC, but it's
not something I'd be happy to deploy.  I am unaware of a workaround that
wouldn't have major drawbacks.  I guess eventually we'll have to bite
the bullet, but I'd rather postpone that.

The issue is not specific to ezmlm.  All lists have to choose what they
support and what they break.

In this particular case:

> <jjalmeida@...il.com>:
> 74.125.205.27 failed after I sent the message.
> Remote host said: 550-5.7.1 Unauthenticated email from jjtc.eu is not
> accepted due to domain's
> 550-5.7.1 DMARC policy. Please contact the administrator of jjtc.eu domain if
> 550-5.7.1 this was a legitimate mail. Please visit
> 550-5.7.1  https://support.google.com/mail/answer/2451690 to learn about the
> 550 5.7.1 DMARC initiative. 65si4900123lfv.651 - gsmtp

$ host -t txt _dmarc.jjtc.eu.
_dmarc.jjtc.eu descriptive text "v=DMARC1\;p=reject\;rua=mailto:admin@...c.eu"
$ host -t txt jjtc.eu.
jjtc.eu descriptive text "v=spf1 mx -all"

The sender domain identifies only the domain MX'es as allowed sending
hosts, and asks recipients to reject mail from any other hosts.  We
relay mail via our server.  Gmail rejects.  Everything works "as intended".

I think whoever posted from that domain should have used different SPF
settings, or if those settings are desired then shouldn't have posted
from that domain.  This configuration is not mailing list compatible.

On some other occasions, the problem is our rewriting of Subject (the
addition of list name), which breaks DKIM signatures _if_ Subject is
included under those (this is a sending server configuration matter; it
is possible to exclude the Subject).  Again, this makes such sender
configurations currently unsuitable for posting to mailing lists.

Maybe we should spoof header-From addresses on the mail we relay, which
would avoid these problems.  But like I said, I'd rather postpone that.
(We already use our own envelope-from, valid per SPF, but that's often
insufficient, as you can see.)

Maybe we should stop rewriting Subjects, but this solves only one of two
problem categories (it wouldn't help in this specific example), and it's
also something I'd rather not do.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.