Re: [arch-general] Yahoo mail problems (was [aur-general] No notification for out-of-date package)

2016-01-27 Thread Ralf Mardorf
Hi,

FWIW most mailing lists (if not all) that still work with
Yahoo/Rocketmail can't send mails from the subscriber to the subscriber,
and mailman confirmation mails are not a good replacement for receiving
one's own mails sent to the list. Step by step I'm switching from Rocketmail to
Zoho. Arch Audio and AUR will follow within the next days. I haven't
received mails from any Arch related mailing list since around the end of
December. Several subscribers perhaps aren't aware that something is
fishy. I noticed it randomly after sending a mail to the list a few days
ago. Rocketmail didn't even deliver the mailman information mail that
list delivery was disabled regarding a high bounce score.

Regards,
Ralf

PS: My apologies in case the thread is broken; I needed to reply
using the gmane reply option, since I didn't receive mails from the list
with my "old" address.


Re: [arch-general] Yahoo mail problems (was [aur-general] No notification for out-of-date package)

2016-01-25 Thread Moritz Bunkus
Hey,

> Also as for rejecting invalid DKIM mails: People should really not do
> that unless DMARC tells them to.

That _is_ a problem already and will get worse this year. Yahoo has
already published a "reject invalid" policy nearly two years
ago[1]. See:

[0 mosu@sweet-chili ~] host -t txt _dmarc.yahoo.com
_dmarc.yahoo.com descriptive text "v=DMARC1; p=reject; pct=100; 
rua=mailto:dmarc_y_...@yahoo.com;;

It's known that Google will switch from "report" to "reject" this year,
too[2]. At the moment they're only at "quarantine" which is bad enough
already:

[0 mosu@sweet-chili ~] host -t txt _dmarc.googlemail.com
_dmarc.googlemail.com descriptive text "v=DMARC1; p=quarantine; sp=quarantine; 
rua=mailto:mailauth-repo...@google.com;

Mailing list administrators have to act _now_ and make their lists DKIM
compliant; otherwise more and more list mails will not reach their
intended destinations. I already had to change my own DMARC policy from
"reject" to "report" because I'm subscribed to too many mailing lists
that break DKIM.

Yes, this may not be the reason Yahoo currently rejects our mails, but
it _is_ a problem on our side that the Arch lists haven't addressed
yet. As long as there's such a known problem on our side speculating
about _other_ potential reasons why Yahoo is rejecting mails is moot.

Please, dear Arch list maintainers, change the mailman settings
accordingly. Please. See [3] for how mailman can deal with DMARC.

Kind regards,
mosu

[1] http://sendgrid.com/blog/update-yahoos-dmarc-policy/
[2] https://dmarc.org/2015/10/global-mailbox-providers-deploying-dmarc-to-protect-users/
[3] http://wiki.list.org/DEV/DMARC




Re: [arch-general] Yahoo mail problems (was [aur-general] No notification for out-of-date package)

2016-01-24 Thread Florian Pritz via arch-general
On 16.01.2016 05:38, Natu wrote:
> You don't say what yahoo's reject message is, ...

I guess it's possible that some users simply marked mailing list mails
as spam and we got blacklisted because of that. The reject message is this:

421 4.7.1 [TS03] All messages from 5.9.250.164 will be permanently
deferred; Retrying will NOT succeed. See
https://help.yahoo.com/kb/postmaster/SLN3436.html

> but I suspect you may be
> having issues with DMARC/DKIM and mailman's forwarding of DKIM
> signed messages.

I've finally gotten around to setting up and testing DMARC for my domain
and I've set up mailman to munge From for DMARC messages.

Sadly, I still haven't heard back from yahoo, but I guess their
postmaster@ address really just goes to /dev/null. Too bad.

I don't know when yahoo will start accepting mail again though and from
a quick look at the log it seems that they always reject the mail
directly at MAIL FROM time or don't even accept the connection/let it
time out. That also means they will probably not notice that we've
changed the configuration for DMARC mails.

Thanks for your input I guess, but this will probably not be resolved
any time soon.





Re: [arch-general] Yahoo mail problems (was [aur-general] No notification for out-of-date package)

2016-01-24 Thread Genes Lists
This may be part of the problem. The arch mail server is passing thru
contributors' DKIM signatures leading to list mail being DKIM invalid.


Your domain has DKIM signed mail and therefore suffers this problem.

For example, looking at your last message.

The message from you to the list is DKIM signed and appears to check out 
- but the outgoing message from the arch mail server fails DKIM. So 
anyone rejecting invalid DKIM will reject list mail - yahoo may be doing 
that now I don't know.


Florian, in the last message you sent the headers as received by me from 
the list server contain:


gene

- details below -

Authentication-Results: serv4.intern.sapience.com;
	dkim=fail reason="signature verification failed" (4096-bit key) 
header.d=xinu.at header.i=@xinu.at header.b=y7t4Lr2Z


...
   (I note that spamassassin running on the arch server sees the
incoming mail to the list as having DKIM being valid)


X-Spam-Status: No, score=-2.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
 DKIM_VALID_AU, RCVD_IN_DNSWL_MED autolearn=ham autolearn_force=no 
version=3.4.1


 (the DKIM sig is clearly not from the list server)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=xinu.at; s=main;
 t=1453641870; bh=rZxwblrwgsmPgwr3+Dlau+WI4w5pu6ne3PyhTRSKtc8=;
 h=Subject:To:References:From:Date:In-Reply-To;
 b= ...
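
Added example (not part of the message above, and not the list server's code): a key-free check of which relay changes touch data covered by a signature with the quoted h= list and c=relaxed/simple. The sample message, the `relay` helper and the example.org/sender.example names are constructed for illustration.

```python
import base64
import hashlib
import re

# h= value from the DKIM-Signature header quoted in the message above.
H_TAG = "Subject:To:References:From:Date:In-Reply-To"

def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse whitespace runs."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n"

def simple_body_hash(body):
    """RFC 6376 3.4.3 and bh=: drop trailing empty lines, end with one CRLF."""
    while body.endswith("\r\n"):
        body = body[:-2]
    digest = hashlib.sha256((body + "\r\n").encode()).digest()
    return base64.b64encode(digest).decode()

def broken_by(original, relayed, h_tag=H_TAG):
    """List relay changes that fall under the signature.

    Messages are (headers dict with lowercase keys, body) pairs. Comparing
    canonical forms needs no key and names the field that changed.
    """
    (h_old, b_old), (h_new, b_new) = original, relayed
    reasons = []
    for name in h_tag.lower().split(":"):
        old, new = h_old.get(name), h_new.get(name)
        if old == new:
            continue  # untouched, or absent on both sides
        if None in (old, new) or relaxed_header(name, old) != relaxed_header(name, new):
            reasons.append(f"header:{name}")
    if simple_body_hash(b_old) != simple_body_hash(b_new):
        reasons.append("body")
    return reasons

# Constructed sample message (not taken from the list).
SENT = ({"subject": "Re: Yahoo mail problems", "from": "Alice <alice@sender.example>",
         "to": "list@lists.example.org", "date": "Sun, 24 Jan 2016 14:24:30 +0100"},
        "Hello list,\r\nsee below.\r\n")

def relay(msg, prefix="", footer="", munged_from=None):
    """Hypothetical list relay: optional subject prefix, footer, From rewrite."""
    headers, body = dict(msg[0]), msg[1] + footer
    headers["subject"] = prefix + headers["subject"]
    if munged_from:
        headers["from"] = munged_from
    return headers, body
```

Because From is in the signed header list, rewriting it invalidates the author's signature just as the subject prefix does, while extra trailing blank lines or re-spaced header whitespace do not.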


Re: [arch-general] Yahoo mail problems (was [aur-general] No notification for out-of-date package)

2016-01-24 Thread Florian Pritz
On 24.01.2016 16:14, Genes Lists wrote:
> The message from you to the list is DKIM signed and appears to check out 
> - but the outgoing message from the arch mail server fails DKIM. So 
> anyone rejecting invalid DKIM will reject list mail - yahoo may be doing 
> that now I don't know.

That's possible, but we can only speculate. While these are certainly
issues to be addressed, yahoo might be blocking us for some completely
different reason that may very well be outside of our control (like
someone marking our mail as spam). The goal here is to get yahoo to
accept our mails again. Everything else is nice, but not too important
right now.

Also as for rejecting invalid DKIM mails: People should really not do
that unless DMARC tells them to. Large providers might still use the
information to generate internal blacklists though. I wish they were
more transparent or, better yet, they'd respond to postmaster mail.
Sadly, large providers seem to not care about postmaster which kind of
puts me off because delivering email is really a team effort.

The way to go is probably to register as a bulk sender on their website,
but I'm not a fan of giving them my birthday and phone number, which
seems to be required because they send a confirmation SMS, and creating
an email account with their service just because they think they do not
have to read postmaster mail. I'll probably still do it at some point,
but I really really dislike the idea. I guess I'm somewhat of an
idealist in that regard. On the other hand, I do also dislike taking
this out on our users because it's really not their fault. *sigh*

Anyway, back to the quote.

What is interesting is that the mail was still signed. Since I've
enabled From munging, mailman correctly changes the sender, but it
doesn't strip the existing (now invalid) signature. Should be simple
enough to remove it in postfix. I'll set that up tomorrow.

As for real solutions: I guess we can either stop changing mails or drop
DKIM signatures and sign the mails ourselves. If we want to keep the
signatures valid that would require us to remove the subject prefix
(list name in brackets). I find this rather unnecessary to begin with,
but there are probably lots of people who disagree with me. If we want
to sign the mails ourselves, we'd have to munge the From header which is
also somewhat ugly. Especially when DKIM/DMARC usage, and thus the
amount of mail affected, is growing. I'll think about what to do here at
some later date.

Florian
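
Added example (not part of the thread and not mailman's code): how a receiver applying DMARC treats a list mail relayed with the author's From versus one with a munged From signed by the list, using records shaped like the `host -t txt` output quoted earlier in the thread. The domains, the records and the two-label `org_domain` shortcut are assumptions; relaxed alignment is assumed and pct= is ignored.

```python
def parse_dmarc(txt):
    """Parse a _dmarc TXT record into a tag dict; None if it is not DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    # Assumption: last two labels. Real code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_disposition(from_domain, record, spf, dkim_results):
    """Return 'pass', or the policy the From domain requests on failure.

    spf is (result, envelope_domain); dkim_results is a list of
    (result, d_domain). One aligned pass from either mechanism is enough.
    """
    target = org_domain(from_domain)
    checks = [spf] + list(dkim_results)
    if any(res == "pass" and org_domain(dom) == target for res, dom in checks):
        return "pass"
    policy = parse_dmarc(record) if record else None
    return policy.get("p", "none") if policy else "none"

# Constructed records and domains, same shape as the ones quoted in the thread.
SENDER_RECORD = "v=DMARC1; p=reject; pct=100"
LIST_RECORD = "v=DMARC1; p=none"

def list_scenarios():
    # Relayed with the author's From: the author's signature no longer
    # verifies and SPF passes only for the list's (unaligned) domain.
    as_is = dmarc_disposition("sender.example", SENDER_RECORD,
                              ("pass", "lists.example.org"),
                              [("fail", "sender.example")])
    # From munged to the list and signed by the list; the stale author
    # signature is still present and still fails.
    munged = dmarc_disposition("lists.example.org", LIST_RECORD,
                               ("pass", "lists.example.org"),
                               [("fail", "sender.example"),
                                ("pass", "lists.example.org")])
    return as_is, munged  # ("reject", "pass")
```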


