On Wed, Oct 19, 2016 at 8:59 PM, Mark Sapiro <[email protected]> wrote:
> On 10/11/2016 09:11 AM, Mark Sapiro wrote:
>> On 10/11/2016 08:37 AM, Jim Popovitch wrote:
>>>
>>> The emails fail DMARC because the From: is the virtual list domain,
>>> but the Sender is set to the site-list (often a neutral domain used
>>> for the MTA that hosts the virtual lists). OpenDKIM signs based on
>>> the Sender (see: "MAILING LISTS" at
>>> http://www.opendkim.org/opendkim-README), so the sig is NOT aligned
>>> with From, thus failing DMARC...and getting notification emails
>>> de-prioritized or worse.
>>
>>
>> I haven't yet looked at your suggested changes, and I will.
>
>
> I haven't forgotten. I still have only briefly looked at your changes,
> but I'm concerned about your rev 1381 in light of the two comment lines
> that precede the change.

Hi Mark,

I'll be the first to say that a lot of these changes still aren't clearly vetted and/or necessary. That said, my process has been simple. I set a DMARC quarantine on a virtual mailinglist, and then started to look at the mod/owner/password/bounce messages that failed DMARC. One by one I dug into the code to try and figure out where/how the sitelist hostname was being used. Rev 1380 and 1381 deal with "Bounce action notification" messages... and to be honest I'm not 100% sure those changes are all that complete. :-)

Note: this also assumes that one is following the point #3 under "MAILING LISTS" advice on http://www.opendkim.org/opendkim-README which says:

    In opendkim.conf(5), configure the option SenderHeaders to "Sender,From".

The above statement makes sense for mailinglist traffic, BUT not so much for mailinglist notifications.... but if DKIM is configured as stated, then Mailman list notifications (owner/bounces/passwords/etc) need to set Sender: headers that align with the virtual domain, not the sitelist domain. That looked to be the default intention of using Message.OwnerNotification()

> The issue is if owner notifications come from the list-bounces rather
> than the site email bounces. Then if an owner notice bounces, the owner
> is sent a notice of the bounce and it bounces again and so on in a
> bounce loop.

But that would be a general MTA/config issue, whereas clearly mixing From:list-owner@virtual with Sender:mailman-bounces@site is going to break DMARC.

> I don't understand why you are making this change as the sender
> originally is Utils.get_site_email(mlist.host_name, 'bounces'), so it
> already has the list's domain.
>

The change baffled me too. It wasn't visually necessary by looking at the code, but in practice it needed to be changed. I verified list settings to make sure mlist.host_name was the virtual, I dug into Utils.get_site_email(), and everything seemed to be coded correctly. But it was only after I removed the call to Utils.get_site_email(...) and replaced it with mlist.getListAddress('bounces') that the "Bounce action notification" emails started to be delivered as From:list-bounces@virtual, Sender:list-bounces@virtual, To:list-owner@virtual.

I'm not in over my head on this, I'm literally floating on the bottom :-)

-Jim P.

------------------------------------------------------
Mailman-Users mailing list [email protected]
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
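
The alignment problem discussed in this thread, as an added example that is not part of the original message and is not Mailman or OpenDKIM code: it checks whether the domain a signer would pick under SenderHeaders "Sender,From" aligns with the From: domain. The domains are constructed, the "first listed header present wins" rule is a simplified model of SenderHeaders, and the organizational domain is approximated as the last two labels.

```python
from email import message_from_string
from email.utils import parseaddr


def header_domain(msg, name):
    """Return the lower-cased domain of the address in header `name`, or None."""
    addr = parseaddr(msg.get(name, ""))[1]
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower() or None


def signing_domain(msg, sender_headers=("Sender", "From")):
    """Simplified SenderHeaders model: the first listed header present wins."""
    for name in sender_headers:
        domain = header_domain(msg, name)
        if domain:
            return domain
    return None


def org_domain(domain):
    # Assumption: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def dkim_aligned(msg, sender_headers=("Sender", "From"), strict=False):
    """True if the chosen signing domain aligns with the From: domain."""
    d = signing_domain(msg, sender_headers)
    f = header_domain(msg, "From")
    if not d or not f:
        return False
    return d == f if strict else org_domain(d) == org_domain(f)


def notice(sender):
    """Constructed owner notification with a chosen Sender: address."""
    return message_from_string(
        "From: list-owner@lists.virtual.example\n"
        f"Sender: {sender}\n"
        "To: list-owner@lists.virtual.example\n"
        "Subject: Bounce action notification\n\nbody\n")


BEFORE = notice("mailman-bounces@site.example")       # Sender on the site domain
AFTER = notice("list-bounces@lists.virtual.example")  # Sender on the list domain

if __name__ == "__main__":
    for label, msg in (("before", BEFORE), ("after", AFTER)):
        print(label, signing_domain(msg), dkim_aligned(msg))
```
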
