Kala Balik writes:
 >    Dear Mailman-Users,
 > 
 >    I have a Mailman instance running on a vServer with Plesk, but am using
 >    email services from my provider (different IP and MX-Domain than the
 >    Mailman machine). Emails in the format n...@domain.tld generally seem
 >    to work. However, when I send an email from the same address to one of
 >    my Mailman lists at subdomain.domain.tld, I get many bounces who will
 >    eventually be removed from the list.
 > 
 >    My question is: What is wrong here, my SPF or DKIM settings

Can't speak to those, but only guess, since you don't provide them.
SPF is irrelevant to mailman; it will always fail unless the original
sender and the mailing list use the same IP address.  My guess is that
there is a problem with your DKIM setup, see below.

 >    OR my Mailman-DMARC settings?
 > 
 >    My Mailman-DMARC settings are the following:
 > 
 >    from_is_list: No
 >    anonymous_list: No
 >    dmarc_moderation_action: Munge from
 >    dmarc_quarantine_moderation_action: Yes
 >    dmarc_none_moderation_action: No

These are expected and should be sufficient to prevent DMARC rejects.
I do not understand the behavior you describe.  Some guesses below,
and a description of what I think "should" be happening.  Maybe that
will spark a thought as to what's going on here.

Wild guess: There is also a setting in Mailman to remove DKIM
signatures.  If Google is only evaluating the broken DKIM SIG#1, and
not the good SIG#2, this should help.  (SIG#1 and SIG#2 are explained
below.)

 >    From Google I received reports of which the following XML is a
 >    clipping:
 >      <policy_published>
 >        <domain>subdomain.domain.tld</domain>
 >        <adkim>r</adkim>
 >        <aspf>r</aspf>
 >        <p>reject</p>
 >        <sp>reject</sp>
 >        <pct>100</pct>
 >      </policy_published>

The Munge_from action replaces the From email address of the author
with the From address of the list.  Google is saying that you have set
the DMARC policy for your subdomain to "p=reject".  Is that correct?

Then it says

 >            <dkim>fail</dkim>
 >            <spf>fail</spf>

so the authentication of this message against your server has failed.
I can't say why SPF failed; if there are any MXes between you and
Google that would do the trick.  It is strange that DKIM fails.  What
I would expect to happen is

    1.  You compose mail "From: y...@subdomain.domain.tld", and pass it
        to your MTA.
    2.  The MTA signs the mail with DKIM (SIG#1), and passes the mail
        to Mailman.
    3.  Mailman adds stuff to the mail and breaks SIG#1.
    4.  Mailman checks your DMARC policy, which is "p=reject".
    5.  Mailman changes From from "y...@subdomain.domain.tld" to
        "l...@subdomain.domain.tld".
    6.  Mailman passes the mail (back) to the MTA.
    7.  The MTA signs the mail (as altered by Mailman) with DKIM (SIG#2).
    8.  The MTA passes the mail to Google.
    9.  Google checks SPF, SIG#2, and SIG#1, getting (fail, pass, fail).

        #### This is what's different.  Maybe Google only checks SIG#1?

        But DKIM signatures are treated as "trace" fields, which means
        that SIG#2 should come *first* in the message.  So I would think
        if Google only checks one, that would be the one to check.
    10. Google checks your DMARC policy, which is "p=reject".
    11. Since SIG#2, which passed, is from subdomain.domain.tld and so
        is From, DMARC passes.

But for some reason DKIM fails.  Without more information, I can't say
why.  Perhaps your MTA isn't signing outgoing from Mailman?  Perhaps
your submission server does the signing for individual mail and the
MTA doesn't sign at all?  Perhaps the signing milter in the MTA is
configured before some other milter that changes things?  Perhaps
there's something else between the MTA Mailman talks to and Google
that is altering the mail?

 >            <reason>
 >              <type>forwarded</type>
 >              <comment>looks forwarded, downgrade to quarantine with
 >    phishing warning</comment>
 >            </reason>
 >          </policy_evaluated>

I'm not sure what this is about.  I would expect Google to see your
list traffic as list traffic, so that "looks forwarded" is normal and
should not be considered a reason for quarantine.  Do you have the RFC
2369 "List-*" headers enabled?

Hope this helps.

Steve
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
    https://mail.python.org/archives/list/mailman-users@python.org/
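The SIG#1 / SIG#2 / Munge From path that Steve walks through above, as an added simulation. This is example code written for this page, not Mailman's, the MTA's or Google's code. It assumes a DKIM "signature" reduced to the body hash (bh=) in a DKIM-Signature header carrying d=, so that a list footer breaking SIG#1 is visible without RSA keys; an organizational domain of the last two labels (real DMARC uses the Public Suffix List); and made-up addresses, footer text and SPF verdict chosen to match the thread (the names list_flow, dkim_sign, dmarc_evaluate and the Reply-To layout of the munged From are all assumptions).

```python
"""Simulation of the DKIM / DMARC path in the reply above (constructed example,
not Mailman's, the MTA's or Google's code).  Assumptions: DKIM is reduced to
the bh= body hash; organizational domain = last two labels (no Public Suffix
List); addresses, footer text and the SPF verdict are invented to match the
thread."""
import base64
import hashlib
from email.utils import formataddr, parseaddr


def simple_body_canon(body: str) -> bytes:
    """RFC 6376 3.4.3 'simple' body canonicalization: CRLF line endings,
    trailing empty lines removed, exactly one CRLF at the end."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    return base64.b64encode(hashlib.sha256(simple_body_canon(body)).digest()).decode()


def dkim_sign(headers: list, body: str, d: str) -> None:
    """Prepend a body-hash-only DKIM-Signature for signing domain d.  DKIM-Signature
    is a trace field, so the newest one sits first (RFC 6376 section 5.6)."""
    sig = f"v=1; a=rsa-sha256; c=simple/simple; d={d}; bh={body_hash(body)}"
    headers.insert(0, ("DKIM-Signature", sig))


def dkim_verify(headers: list, body: str) -> list:
    """Check each DKIM-Signature's bh= against the body as received.
    Returns [(d, 'pass' | 'fail'), ...] in header order, newest first."""
    results = []
    for name, value in headers:
        if name.lower() != "dkim-signature":
            continue
        tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
        results.append((tags["d"], "pass" if tags["bh"] == body_hash(body) else "fail"))
    return results


def header(headers: list, name: str) -> str:
    return next(v for n, v in headers if n.lower() == name.lower())


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rsplit("@", 1)[1].lower()


def munge_from(headers: list, list_addr: str) -> None:
    """Mailman's 'Munge From': the list address replaces the author's From and the
    author's address moves to Reply-To (layout assumed, not copied from Mailman)."""
    for i, (name, value) in enumerate(headers):
        if name.lower() == "from":
            local = parseaddr(value)[1].split("@", 1)[0]
            headers[i] = ("From", formataddr((f"{local} via list", list_addr)))
            headers.append(("Reply-To", value))
            return


def org_domain(d: str) -> str:
    return ".".join(d.lower().split(".")[-2:])  # assumption: no Public Suffix List


def aligned(d: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment (RFC 7489 3.1): 's' needs an exact match,
    'r' only the same organizational domain."""
    if mode == "s":
        return d.lower() == from_domain.lower()
    return org_domain(d) == org_domain(from_domain)


def dmarc_evaluate(headers, body, spf_domain, spf_result, adkim="r", aspf="r") -> str:
    """DMARC passes if any aligned DKIM signature verifies, or SPF passes on an
    aligned envelope domain; failing signatures (like SIG#1) are simply ignored."""
    from_domain = domain_of(header(headers, "From"))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim)
                  for d, r in dkim_verify(headers, body))
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    return "pass" if dkim_ok or spf_ok else "fail"


def list_flow(author, list_addr, resign=True, munge=True, spf_result="fail") -> dict:
    """Steps 1-9 of the walk-through: SIG#1 at the author's MTA, footer and Munge
    From in Mailman, SIG#2 at the list's MTA (if it re-signs), then the receiver's
    checks.  SPF is a parameter; the report quoted in the thread says fail."""
    headers = [("From", author), ("To", list_addr), ("Subject", "test")]
    body = "Hello list\n"
    dkim_sign(headers, body, domain_of(author))           # SIG#1
    body += "\n-- \nfooter appended by the list\n"         # breaks SIG#1's bh=
    if munge:
        munge_from(headers, list_addr)
    if resign:
        dkim_sign(headers, body, domain_of(list_addr))    # SIG#2, newest, goes first
    return {"from": header(headers, "From"),
            "dkim": dkim_verify(headers, body),
            "dmarc": dmarc_evaluate(headers, body, domain_of(list_addr), spf_result)}


if __name__ == "__main__":
    print(list_flow("y@subdomain.domain.tld", "list@subdomain.domain.tld"))
    print(list_flow("y@subdomain.domain.tld", "list@subdomain.domain.tld", resign=False))
    print(list_flow("author@example.org", "list@subdomain.domain.tld", munge=False))
```

Running it shows the two things the reply argues: with SIG#2 present, DMARC passes even though SIG#1 fails and SPF fails, and SIG#2 is the first DKIM-Signature in the header block; with the list's MTA not re-signing (resign=False), the only signature is the broken SIG#1 and DMARC fails, which matches the "dkim fail / spf fail" in the Google report. The example also covers the case Munge From exists for: an author at a foreign domain (example.org) whose From only aligns with SIG#2 after munging.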
