Kala Balik writes:

> Dear Mailman-Users,
>
> I have a Mailman instance running on a vServer with Plesk, but am using
> email services from my provider (different IP and MX-Domain than the
> Mailman machine). Emails in the format n...@domain.tld generally seem
> to work. However, when I send an email from the same address to one of
> my Mailman lists at subdomain.domain.tld, I get many bouncees who will
> eventually be removed from the list.
>
> My question is: What is wrong here, my SPF or DKIM settings

Can't speak to those, but only guess, since you don't provide them.
SPF is irrelevant to mailman; it will always fail unless the original
sender and the mailing list use the same IP address. My guess is that
there is a problem with your DKIM setup, see below.

> OR my Mailman-DMARC settings?
>
> My Mailman-DMARC settings are the following:
>
> from_is_list: No
> anonymous_list: No
> dmarc_moderation_action: Munge from
> dmarc_quarantine_moderation_action: Yes
> dmarc_none_moderation_action: No

These are expected and should be sufficient to prevent DMARC rejects.
I do not understand the behavior you describe. Some guesses below,
and a description of what I think "should" be happening. Maybe that
will spark a thought as to what's going on here.

Wild guess: There is also a setting in Mailman to remove DKIM
signatures. If Google is only evaluating the broken DKIM SIG#1, and
not the good SIG#2, this should help. (SIG#1 and SIG#2 are explained
below.)

> From Google I received reports of which the following XML is a
> clipping:
> <policy_published>
> <domain>subdomain.domain.tld</domain>
> <adkim>r</adkim>
> <aspf>r</aspf>
> <p>reject</p>
> <sp>reject</sp>
> <pct>100</pct>
> </policy_published>

The Munge_from action replaces the From email address of the author
with the From address of the list. Google is saying that you have set
the DMARC policy for your subdomain to "p=reject". Is that correct?
Then it says

> <dkim>fail</dkim>
> <spf>fail</spf>

so the authentication of this message against your server has failed.
I can't say why SPF failed; if there are any MXes between you and
Google that would do the trick. It is strange that DKIM fails.

What I would expect to happen is

1. You compose mail "From: y...@subdomain.domain.tld", and pass it to
   your MTA.
2. The MTA signs the mail with DKIM (SIG#1), and passes the mail to
   Mailman.
3. Mailman adds stuff to the mail and breaks SIG#1.
4. Mailman checks your DMARC policy, which is "p=reject".
5. Mailman changes From from "y...@subdomain.domain.tld" to
   "l...@subdomain.domain.tld".
4. Mailman passes the mail (back) to the MTA.
5. The MTA signs the mail (as altered by Mailman) with DKIM (SIG#2).
6. The MTA passes the mail to Google.
7. Google checks SPF, SIG#2, and SIG#1, getting (fail, pass, fail).
   #### This is what's different. Maybe Google only checks SIG#1?
   But DKIM signatures are treated as "trace" fields, which means
   that SIG#2 should come *first* in the message. So I would think
   if Google only checks one, that would be the one to check.
8. Google checks your DMARC policy, which is "p=reject".
9. Since SIG#2, which passed, is from subdomain.domain.tld and so is
   From, DMARC passes.

But for some reason DKIM fails. Without more information, I can't say
why. Perhaps your MTA isn't signing outgoing from Mailman? Perhaps
your submission server does the signing for individual mail and the
MTA doesn't sign at all? Perhaps the signing milter in the MTA is
configured before some other milter that changes things? Perhaps
there's something else between the MTA Mailman talks to and Google
that is altering the mail?

> <reason>
> <type>forwarded</type>
> <comment>looks forwarded, downgrade to quarantine with
> phishing warning</comment>
> </reason>
> </policy_evaluated>

I'm not sure what this is about. I would expect Google to see your
list traffic as list traffic, so that "looks forwarded" is normal and
should not be considered a reason for quarantine. Do you have the RFC
2369 "List-*" headers enabled?

Hope this helps.
Steve
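
Added example, not part of the original thread: the `auth_results` section of a DMARC aggregate report can list each DKIM signature the receiver evaluated, so it shows whether only one failed signature arrived or whether a signature verified but did not align with the From domain. The sample report, its IPs, selectors and `provider.example` are constructed; the two-label organizational-domain rule and the un-namespaced XML are simplifying assumptions.

```python
import xml.etree.ElementTree as ET  # for third-party reports, prefer defusedxml

# Constructed report in the RFC 7489 aggregate layout; all values are made up.
SAMPLE = """<feedback>
<policy_published><domain>subdomain.domain.tld</domain><adkim>r</adkim></policy_published>
<record>
 <row><source_ip>192.0.2.10</source_ip><count>3</count></row>
 <identifiers><header_from>subdomain.domain.tld</header_from></identifiers>
 <auth_results><dkim><domain>subdomain.domain.tld</domain><result>fail</result></dkim></auth_results>
</record>
<record>
 <row><source_ip>192.0.2.11</source_ip><count>1</count></row>
 <identifiers><header_from>subdomain.domain.tld</header_from></identifiers>
 <auth_results><dkim><domain>subdomain.domain.tld</domain><result>fail</result></dkim>
  <dkim><domain>provider.example</domain><result>pass</result></dkim></auth_results>
</record>
</feedback>"""

def org_domain(name):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(sig_domain, from_domain, mode):
    if mode == "s":  # strict alignment: exact match of d= and From domain
        return sig_domain.lower() == from_domain.lower()
    return org_domain(sig_domain) == org_domain(from_domain)  # relaxed

def diagnose(xml_text):
    """Return (source_ip, signature_count, verdict) for every record."""
    root = ET.fromstring(xml_text)
    mode = root.findtext("policy_published/adkim", default="r")
    findings = []
    for rec in root.iter("record"):
        from_dom = rec.findtext("identifiers/header_from")
        sigs = [(d.findtext("domain"), d.findtext("result"))
                for d in rec.findall("auth_results/dkim")]
        passing = [dom for dom, res in sigs if res == "pass"]
        if any(aligned(dom, from_dom, mode) for dom in passing):
            verdict = "aligned DKIM pass"
        elif passing:
            verdict = "DKIM pass, but d= not aligned with From"
        elif sigs:
            verdict = "signatures present, none verified"
        else:
            verdict = "no DKIM signature seen"
        findings.append((rec.findtext("row/source_ip"), len(sigs), verdict))
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A record with a single failed signature means no second signature reached the receiver after the list altered the message; a passing but unaligned signature points at which domain is doing the signing.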