[Mailman-Users] AOL screening Reply-To header thru DMARC ?
I'm setting up a new Mailman server to replace an elderly MajorDomo that isn't DMARC-compatible.

I set up the list to use the list's address as the From address and to put the sender's address in Reply-To:. I started playing around with a test list - in no time at all, AOL began bouncing all my mail. After researching AOL's error messages, it appeared that my server had been temporarily blacklisted. That went away but then I noticed this error:

    Oct 18 01:01:26 vc18 postfix/smtp[25098]: C77D416B4D9: host mailin-01.mx.aol.com[152.163.0.67] said: 421 4.2.1 : (RLY:SN) http://postmaster.info.aol.com/errors/421rlysn.html (in reply to end of DATA command)

According to that URL on AOL's site, either my From or Reply-To is using an address in violation of DMARC.

I had already checked the From address so it was apparent the Reply-To was at fault. Although the mail was not being rejected, given AOL's hair-trigger sensors I figured it would be better to do it their way. Changing the Reply-To: to the list's address got rid of the 421 error.

Has anyone else run into this? I hate doing this, since now we're going to see people sending what they think are private messages to the entire list.

I see from the docs that Mailman can do different behavior on the From: address depending on whether it is in a DMARC-protected domain - are there any plans to do the same for the Reply-To? Looks to me like it will be necessary given what AOL is doing.

Thanks,

-- Ed

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] AOL screening Reply-To header thru DMARC ?
On 10/17/2014 10:33 PM, Ed Ravin wrote:

> I set up the list to use the list's address as the From address and to put the sender's address in Reply-To:. I started playing around with a test list - in no time at all, AOL began bouncing all my mail. After researching AOL's error messages, it appeared that my server had been temporarily blacklisted. That went away but then I noticed this error:
>
> Oct 18 01:01:26 vc18 postfix/smtp[25098]: C77D416B4D9: host mailin-01.mx.aol.com[152.163.0.67] said: 421 4.2.1 : (RLY:SN) http://postmaster.info.aol.com/errors/421rlysn.html (in reply to end of DATA command)

I have a somewhat different issue. I am using dmarc_moderation_action = Munge From, and when an AOL user posts to the list, the list message sent back to the user bounces with 521 5.2.1 : AOL will not accept delivery of this message. (in reply to end of DATA command)). The same messages sent to other AOL users are accepted by AOL.

> According to that URL on AOL's site, either my From or Reply-To is using an address in violation of DMARC.

I just read that link after writing all the rest of this reply (which now seems moot). It says

    421 RLY:SN
    This error indicates you are sending email using a disallowed AOL.COM screenname as your FROM or REPLY-TO address, or as one of AOL's affiliates from an unauthorized IP address. Example: bill...@aol.com.

It doesn't mention DMARC. It says the specific address in (in this case) Reply-To: is a disallowed AOL.COM screenname or affiliate address. Assuming the aol.com address in question is valid, I don't know why AOL doesn't like it, but AOL isn't blaming DMARC.

Interesting as there is nothing in the DMARC specification about Reply-To: headers. DMARC is only about From: header domains aligning with valid SPF or DKIM signature domains.

If AOL is really checking Reply-To: domains for 'DMARC' compliance, this is outside the specification, but in my case at least they don't seem to be because the original message with From: address = the list address and Reply-To: address = the OP's aol.com address is accepted by AOL when sent to AOL addresses other than the OP's.

Note also that in my case, I started DKIM signing these outgoing messages with the domain of the list, so they should pass DMARC as they are From: the list's domain and have both valid SPF and DKIM sig from that domain, but the OP's list copy is still rejected by AOL as above.

> I had already checked the From address so it was apparent the Reply-To was at fault. Although the mail was not being rejected, given AOL's hair-trigger sensors I figured it would be better to do it their way. Changing the Reply-To: to the list's address got rid of the 421 error.
>
> Has anyone else run into this? I hate doing this, since now we're going to see people sending what they think are private messages to the entire list.

And it may solve my issue too, but I'm not going to do it because of the above and since so far at least it only affects delivery to the poster. The poster does score bounces, but this can be avoided by setting non-digest AOL members to not receive their own posts which is effectively the case anyway.

> I see from the docs that Mailman can do different behavior on the From: address depending on whether it is in a DMARC-protected domain - are there any plans to do the same for the Reply-To? Looks to me like it will be necessary given what AOL is doing.

If and when there is an accepted standard governing this behavior, I'll consider it. In the mean time, I'm not interested in accommodating non-compliant behavior by one rogue ESP.

--
Mark Sapiro m...@msapiro.net            The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Re: [Mailman-Users] AOL screening Reply-To header thru DMARC ?
> I have a somewhat different issue. I am using dmarc_moderation_action = Munge From, and when an AOL user posts to the list, the list message sent back to the user bounces with 521 5.2.1 : AOL will not accept delivery of this message. (in reply to end of DATA command)). The same messages sent to other AOL users are accepted by AOL.

If you're munging with .INVALID or the like, I have observed that AOL and some other ISPs now refuse mail if the From: domain doesn't resolve. I've changed my hack so it now appends a suffix that does resolve (I snagged dmarc.fail) and overimplemented it so the munged addresses actually work.

I would be surprised if AOL were doing DMARC checks on Reply-To, and agree that it's not a problem worth solving. But I'll ask around.

R's,
John

Re: [Mailman-Users] AOL screening Reply-To header thru DMARC ?
On 10/18/2014 11:26 AM, John Levine wrote:

>> I have a somewhat different issue. I am using dmarc_moderation_action = Munge From, and when an AOL user posts to the list, the list message sent back to the user bounces with 521 5.2.1 : AOL will not accept delivery of this message. (in reply to end of DATA command)). The same messages sent to other AOL users are accepted by AOL.
>
> If you're munging with .INVALID or the like, I have observed that AOL and some other ISPs now refuse mail if the From: domain doesn't resolve. I've changed my hack so it now appends a suffix that does resolve (I snagged dmarc.fail) and overimplemented it so the munged addresses actually work.

No, I don't munge with .invalid or the like. In these cases, dmarc_moderation_action replaces the From: address with the list's posting address and adds the original From: address to Reply-To: if it isn't there already.

These messages are then sent individually (VERPed) to the list members and DKIM signed on the way out by the list's domain. AOL accepts the message on behalf of every AOL recipient except the original poster. As far as I can see, the only thing in the message that can tie it to the original poster are the Reply-To: and Message-ID headers.

One possibility is that AOL is doing what Google does and not accepting a message which duplicates (by message id) one you sent, but being more open about it and actually refusing the message rather than accepting and discarding it.

--
Mark Sapiro m...@msapiro.net            The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

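The From: rewrite described in the reply above, together with the DMARC identifier alignment it is meant to satisfy, as an added example that is not part of the original thread and is not Mailman's own code. The list address, the sample post and the naive `org_domain` helper are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses, parseaddr

LIST_ADDR = "testlist@lists.example.org"  # constructed list posting address

# Constructed sample post; the address is a placeholder, not one from the thread.
SAMPLE_POST = """\
From: Poster <poster@aol.com>
To: testlist@lists.example.org
Subject: test
Message-ID: <constructed-1@aol.com>

hello list
"""

def munge_from(msg, list_addr=LIST_ADDR):
    """From: becomes the list address; the poster is added to Reply-To: if absent."""
    name, poster = parseaddr(msg["From"])
    reply_to = getaddresses(msg.get_all("Reply-To", []))
    if poster.lower() not in [addr.lower() for _, addr in reply_to]:
        reply_to.append((name, poster))
    del msg["Reply-To"]
    msg["Reply-To"] = ", ".join(formataddr(pair) for pair in reply_to)
    del msg["From"]
    msg["From"] = formataddr((name, list_addr))
    return msg

def org_domain(domain):
    """Assumption: last two labels. Real evaluators use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_aligned(msg, spf_domain=None, dkim_domains=()):
    """Relaxed alignment: only the From: domain is compared with the domains
    that passed SPF (envelope sender) or DKIM (d=). Reply-To: is never read."""
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    passed = [d for d in (spf_domain, *dkim_domains) if d]
    return any(org_domain(d) == org_domain(from_domain) for d in passed)

def before_and_after():
    """Alignment of the list copy without and with munging, plus final Reply-To:."""
    auth = {"spf_domain": "lists.example.org", "dkim_domains": ["lists.example.org"]}
    plain = message_from_string(SAMPLE_POST)
    munged = munge_from(message_from_string(SAMPLE_POST))
    return dmarc_aligned(plain, **auth), dmarc_aligned(munged, **auth), munged["Reply-To"]

if __name__ == "__main__":
    print(before_and_after())
```

The unmunged list copy fails alignment because the list can only authenticate as its own domain, while the munged copy aligns even though the poster's address is still present in Reply-To:.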
Re: [Mailman-Users] AOL screening Reply-To header thru DMARC ?
John Levine writes:

> I would be surprised if AOL were doing DMARC checks on Reply-To, and agree that it's not a problem worth solving.

I wouldn't. As you know, John, we (dm...@ietf.org) are all expecting the spammers to emulate these various DMARC mitigation tricks. If they have any success, I would expect folks like AOL to do something, anything! to mitigate *their* problem.

However, looking at the error message and noting Mark's testimony that

> AOL accepts the message on behalf of every AOL recipient except the original poster.

I guess that RLY:SN means relay: screen name, and AOL is filtering out spam to self, an ancient trick to get past filters.

Re: [Mailman-Users] AOL screening Reply-To header thru DMARC ?
Mark Sapiro writes:

> If and when there is an accepted standard governing this behavior, I'll consider it. In the mean time, I'm not interested in accommodating non-compliant behavior by one rogue ESP.

I'm in complete sympathy, but unfortunately that rogue provider is still the MTA for tens (hundreds?) of millions of users.

Note that although wrap message is unpopular with users, it's unlikely to fall afoul of DMARC for quite a while (for that very reason, as well as because it's relatively difficult to write the checks, which would require bursting the message).

Re: [Mailman-Users] AOL screening Reply-To header thru DMARC ?
On Sat, Oct 18, 2014 at 11:03:11AM -0700, Mark Sapiro wrote:

> ...
> I have a somewhat different issue. I am using dmarc_moderation_action = Munge From, and when an AOL user posts to the list, the list message sent back to the user bounces with 521 5.2.1 : AOL will not accept delivery of this message. (in reply to end of DATA command)). The same messages sent to other AOL users are accepted by AOL.

From your lips to AOL's ears! I'm seeing that too. A message from an AOL user was bounced when sent back to the original user, and AOL also bounced it going to the other AOL recipient on the test list.

I think I'm going to have to set every AOL user to no metoo, and tell them if they want to see confirmation of their posts they need to turn ack on. I just tested it and there's no bouncing.

But that's probably going to be a headache to maintain, so maybe I'll switch to wrapped messages.

-- Ed