Re: [Mailman-Users] dkim for several mailman lists on one server

2020-04-24 Thread Mark Sapiro 
On 4/24/20 2:36 PM, csa--- via Mailman-Users wrote:
> Ubuntu 16, Mailman 2.1.20, postfix 3.1.0
> 
> I'm running several mailing lists each with a virtual domain. I set up DKIM
> for lists.domainname.tld but am getting DKIM signature missing at
> https://dkimvalidator.com . It's saying it wants a DKIM for
> hostname.domainname.tld. When I look at the mail log I see entries like this


The configuration of opendkim is outside the scope of this list. As an
example however, the server that sends this list's mail is
mail.python.org, but it dkim signs from the python.org domain.

In any case, the public key text record needs to be in DNS at
sss._domainkey.ddd where sss is the selector and ddd is the domain in
the DKIM signature.


> Apr 19 07:49:42 hostname opendkim[1738]: 091CE1205AE: s=ppsdkim d=ucsf.edu
> SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
> 
> Apr 24 09:25:31 hostname opendkim[1738]: 3B7CA120431: s=mail
> d=domainname.tld SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad
> signature
> 
> Lastly, I'm confused by the term in the Mailman interface of  ' host_name'
> where it says
> 
...> Is the host-name literal for my server? Right now I have it set at
> lists.domainname.tld. Is that incorrect?


Mailman's host_name setting should be the domain to wich you send list
mail. If the list's posting address is listn...@lists.domainname.tld,
then lists.domainname.tld is correct, but if you post to
listn...@domainname.tld, then host_name should be domainname.tld.


> Finally, my mailing list distribution success is mixed. Some users get them,
> while others do not.


And without information from the failed recipients ISPs as to why they
discarded or spam filtered the mail, you won't know why, unless of
course they outright bounce it in which case the reason should be in the
bounce DSNs.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM

2018-12-12 Thread Mark Sapiro 
On 12/12/18 2:32 PM, Christoffer Hansen wrote:
> "Reply-To:" field can be set with the original senders email address.[0]
> (This is configurable by list admins as configuration option out of
> several possible)
> 
> Cheers
> 
> Christoffer
> 
> [0]: https://www.gnu.org/software/mailman/mailman-admin/node11.html


I'm not sure what you are trying to say, but the manual page you point
to discusses the settings first_strip_reply_to, reply_goes_to_list and
reply_to_address and these cannot in general be used to set Reply-To: to
the original senders email address.

In particular, reply_goes_to_list = Poster sets nothing in Reply-To:
allowing From: to control the reply address.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan



signature.asc
Description: OpenPGP digital signature
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM

2018-12-12 Thread Mark Sapiro 
On 12/12/18 11:35 AM, Bernie Cosell wrote:
> I have two questions about the DKIM/spf munging that mailman does.
> 
> First: when it replaces the 'from' with a munged address [replacing the name 
> with "name via thislist" does it stick the original email address somewhere 
> in the 
> message, so if a listmember wanted to reply to the original sender they'd be 
> able 
> to?  I thought it did but I just looked through one and didn't see the 
> poster's 
> original email.  [actually, let me amend that: I see that his email addr is 
> in the 'cc' 
> field -- did mailman do that or did he?]


Mailman did that. Mailman puts the original From: address in either Cc:
or Reply-To:; which one depends on other list settings. The intent is
that a reasonably comliant MUA will do the same thing with 'reply' and
'reply all' whether or not the From: is munged.

This generally means the original From goes in Reply-To: unless the list
mungs the Reply-To: in which case it goes in Cc:


> Second, I'm a bit shaky [to say the least..:o)] about how the DKIM stuff all 
> works.  
> I do have access to Unix shell account, so I can do dig and host and such.   
> If a 
> listmember asks me if "@randomserver.com" is OK to not-get-munged when it 
> posts to the list, what would I do?Thanks


This is actually, DMARC, not DKIM per se, but use 'dig' or some other
DNS query tool to look up a TXT record associated with the name
_dmarc.randomserver.com. For example

dig txt _dmarc.aol.com

finds

"v=DMARC1; p=reject; pct=100; rua=mailto:d...@rua.agari.com;
ruf=mailto:d...@ruf.agari.com;;

host -t txt _dmarc.aol.com

returns the same text.

What you are looking for is 'v=DMARC1' which says this is a DMARC policy
record and then the p= value which is the policy which is one of
'reject', 'quarantine' or 'none'.

If your list is set with dmarc_moderation_action other than accept, that
action will be applied to mail From: domains with a policy of 'reject'
and possibly 'quarantine' or 'none' depending on the settings of
dmarc_quarantine_moderation_action and dmarc_none_moderation_action.

Also, if the From: domain is not what is known as an organizational
domain, e.g., some.subdomain.aol.com and that domain doesn't publish a
DMARC policy, you then have to look up the policy of the organizational
domain. For common TLDs like .com, .net, .gov, .org, .edu, etc. the
organizational domain is just the top two levels, e.g. python.org,
aol.com, etc.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM

2018-12-12 Thread Christoffer Hansen 
Bernie,

On 12/12/2018 20:35, Bernie Cosell wrote:
> First: when it replaces the 'from' with a munged address [replacing the name 
> with "name via thislist" does it stick the original email address somewhere 
> in the 
> message, (...)
"Reply-To:" field can be set with the original senders email address.[0]
(This is configurable by list admins as configuration option out of
several possible)

Cheers

Christoffer

[0]: https://www.gnu.org/software/mailman/mailman-admin/node11.html





signature.asc
Description: OpenPGP digital signature
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM signing issue - relaying mailman e-mails from third party sources

2017-10-12 Thread Mark Sapiro 
On 10/12/2017 02:15 PM, Grant Taylor via Mailman-Users wrote:
> On 10/11/2017 12:12 PM, Mark Sapiro wrote:
>> solution 2). Your mail relaying process can rewrite the envelope
>> sender to your domain, e.g., campa...@myserver.com or some other
>> appropriate @myserver.com address. This will break mailman's automated
>> bounce processing for mail from mailman-boun...@external-company.com
>> that is relayed by you, but if you can verify the deliverability of
>> that mail before relaying it and if it's not deliverable, reject it
>> before rewriting the envelope sender, that won't be an issue.
> 
> Would something like configuring the MTA to use Sender Rewrite Scheme
> help avoid this issue?


Yes. SRS, as I understand it from
, would solve the
whole problem.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM signing issue - relaying mailman e-mails from third party sources

2017-10-12 Thread Grant Taylor via Mailman-Users 

On 10/11/2017 12:12 PM, Mark Sapiro wrote:
solution 2). Your mail relaying process can rewrite the envelope sender 
to your domain, e.g., campa...@myserver.com or some other appropriate 
@myserver.com address. This will break mailman's automated bounce 
processing for mail from mailman-boun...@external-company.com that is 
relayed by you, but if you can verify the deliverability of that mail 
before relaying it and if it's not deliverable, reject it before 
rewriting the envelope sender, that won't be an issue.


Would something like configuring the MTA to use Sender Rewrite Scheme 
help avoid this issue?


SRS would mean that the MTA would rewrite the SMTP envelope from address 
to be a local domain that is permitted by SPF.  SRS would also decode 
any bounces and send the original address into Mailman.  -  I think.




--
Grant. . . .
unix || die
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM signing issue - relaying mailman e-mails from third party sources

2017-10-11 Thread Mark Sapiro 
On 10/11/2017 01:23 AM, Dlugasny via Mailman-Users wrote:
> 
> The problem is that we are sending an E-mail which looks as follow:
> 
> From: campa...@myserver.com
> Return-Path: mailman-boun...@external-company.com
> To: @gmail.com
> 
> The problem is that DKIM check on the gmail server server (and all others) 
> returning error:
> [...mailman-boun...@external-company.com](mailto:mailman-boun...@external-company.com)
>  does not designate xx.xx.xx.xx as permitted sender


This is not DKIM. it is SPF. external-company.com publishes an SPF
record that doesn't allow myserver.com as a sender. Start at
 to learn more
about SPF.

There are two solutions to this. The

Return-Path: mailman-boun...@external-company.com

header indicates that mailman-boun...@external-company.com is the
envelope sender of the message and SPF is based on the domain of the
envelope sender.

solution 1). external-company.com can augment its published SPF record
to designate your myserver.com server as a permitted sender.

solution 2). Your mail relaying process can rewrite the envelope sender
to your domain, e.g., campa...@myserver.com or some other appropriate
@myserver.com address. This will break mailman's automated bounce
processing for mail from mailman-boun...@external-company.com that is
relayed by you, but if you can verify the deliverability of that mail
before relaying it and if it's not deliverable, reject it before
rewriting the envelope sender, that won't be an issue.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM / DMARC woes...

2017-10-03 Thread Grant Taylor via Mailman-Users 

On 10/03/2017 10:24 AM, Mark Sapiro wrote:

It is not a list setting. It applies to the entire installation. It is
documented in Mailman/Defaults.py and if you want to change the default,
set it in Mailman/mm_cfg.py.


Thank you Mark.

Sorry if I'm asking obvious questions.  I've not admined Mailman in 
quite a while and I'm trying to help someone else admin Mailman remotely 
without access.  :-/




--
Grant. . . .
unix || die

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM / DMARC woes...

2017-10-03 Thread Mark Sapiro 
On 10/02/2017 11:24 PM, Grant Taylor via Mailman-Users wrote:
> 
> Is the REMOVE_DKIM_HEADERS option a per mailing list setting?  Or is it
> Mailman wide?
> 
> I'm looking through the list admin interface for Mailman 2.1.20 and not
> finding it.


It is not a list setting. It applies to the entire installation. It is
documented in Mailman/Defaults.py and if you want to change the default,
set it in Mailman/mm_cfg.py.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM / DMARC woes...

2017-10-03 Thread Grant Taylor via Mailman-Users 

On 09/21/2017 03:23 PM, Mark Sapiro wrote:

The default behavior does nothing to DKIM related headers. This is from
Defaults.py


Is the REMOVE_DKIM_HEADERS option a per mailing list setting?  Or is it 
Mailman wide?


I'm looking through the list admin interface for Mailman 2.1.20 and not 
finding it.




--
Grant. . . .
unix || die
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM / DMARC woes...

2017-09-21 Thread Mark Sapiro 
On 09/21/2017 02:43 PM, Grant Taylor via Mailman-Users wrote:
> 
> Would I be correct in assuming that REMOVE_DKIM_HEADERS needs to be set
> to 2 or 3 to remove the DKIM headers if no from header munging is
> happening?  (from_is_list or dmarc_moderation_action both at their
> default value.)


Yes, that is correct.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM / DMARC woes...

2017-09-21 Thread Grant Taylor via Mailman-Users 

Thank you for the reply Mark.

On 09/21/2017 03:23 PM, Mark Sapiro wrote:

The default behavior does nothing to DKIM related headers. This is from
Defaults.py


Would I be correct in assuming that REMOVE_DKIM_HEADERS needs to be set 
to 2 or 3 to remove the DKIM headers if no from header munging is 
happening?  (from_is_list or dmarc_moderation_action both at their 
default value.)




--
Grant. . . .
unix || die

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM / DMARC woes...

2017-09-21 Thread Mark Sapiro 
On 09/21/2017 12:37 PM, Grant Taylor via Mailman-Users wrote:
> 
> Does setting from_is_list and / or dmarc_moderation_action to munge
> cause Mailman to do anything with existing DKIM-Signature headers?  Will
> they be removed or left there?


The default behavior does nothing to DKIM related headers. This is from
Defaults.py

> # Some list posts and mail to the -owner address may contain DomainKey or
> # DomainKeys Identified Mail (DKIM) signature headers .
> # Various list transformations to the message such as adding a list header or
> # footer or scrubbing attachments or even reply-to munging can break these
> # signatures.  It is generally felt that these signatures have value, even if
> # broken and even if the outgoing message is resigned.  However, some sites
> # may wish to remove these headers.  Possible values and meanings are:
> # No, 0, False -> do not remove headers.
> # Yes, 1, True -> remove headers only if we are munging the from header due
> # to from_is_list or dmarc_moderation_action.
> # 2 -> always remove headers.
> # 3 -> always remove, rename and preserve original DKIM headers.
> REMOVE_DKIM_HEADERS = No

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM, SPF, DMARC, Mail_as_list all working, but MUAs not happy

2016-04-05 Thread Arlen Raasch 
Mark:

Thanks much.  I think I will give Munge From and see what happens.

Computers are supposed to be deterministic.  This stuff, well, not so much.

Thanks again,

Arlen Raasch

On Tue, Apr 5, 2016 at 4:00 PM, Mark Sapiro  wrote:

> On 04/05/2016 12:14 PM, Arlen Raasch wrote:
> >
> > A large number of our users are not happy with how mail is presented when
> > Mail_as_list is active.  They messages appear as attachments in some
> MUAs.
> >
> > If I change from Mail_as_list to Mung From, DKIM does not validate.
>
>
> I'm guessing you are talking about the from_is_list setting and you are
> using 'Wrap Message'.
>
>
> > I noticed from previous emails I received from this list that DKIM does
> not
> > validate here either.
>
>
> The original, incoming DKIM signature doesn't validate because list
> transformations such as prefixing the subject or adding msg_footer break
> the sig.
>
> I just checked and found that mail.python.org was not DKIM signing
> outgoing list mail because it was checking only the From: domain for
> python.org. I have hopefully just corrected that.
>
>
> > Can I just switch the list to Mung From with some certainty that the
> email
> > providers will continue to relay our traffic as we have valid SPF and
> DMARC
> > records?
>
>
> If Wrap Message is currently working for you, I don't know why Munge
> From would not work, but there is little difference between these
> actions in Mailman 2.1.21 vs 2.1.16. However, 2.1.21 does offer
> dmarc_moderation_action so you can apply Wrap Message or Munge From only
> to those messages which are From: a domain which publishes a DMARC
> p=reject (and optionally p=quarantine) policy.
>
>
> > Would switching to a later version of mailman make this any better (and
> > why)?
>
>
> Maybe. As I say above, it would allow you to only apply DMARC
> mitigations to those posts that need it. Whether it would make Munge
> From any better depends on what the current issue is. I know of no
> reason why Wrap Message would be effective in avoiding DMARC rejects and
> Munge From would not, but ISPs do funny things and are secretive about
> it, so who knows.
>
> My own lists and the python.org lists do Munge From and we don't see
> DMARC bounces.
>
> --
> Mark Sapiro The highway is for gamblers,
> San Francisco Bay Area, Californiabetter use your sense - B. Dylan
> --
> Mailman-Users mailing list Mailman-Users@python.org
> https://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://wiki.list.org/x/AgA3
> Security Policy: http://wiki.list.org/x/QIA9
> Searchable Archives:
> http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe:
> https://mail.python.org/mailman/options/mailman-users/araasch%40gmail.com
>
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM, SPF, DMARC, Mail_as_list all working, but MUAs not happy

2016-04-05 Thread Mark Sapiro 
On 04/05/2016 12:14 PM, Arlen Raasch wrote:
> 
> A large number of our users are not happy with how mail is presented when
> Mail_as_list is active.  They messages appear as attachments in some MUAs.
> 
> If I change from Mail_as_list to Mung From, DKIM does not validate.


I'm guessing you are talking about the from_is_list setting and you are
using 'Wrap Message'.


> I noticed from previous emails I received from this list that DKIM does not
> validate here either.


The original, incoming DKIM signature doesn't validate because list
transformations such as prefixing the subject or adding msg_footer break
the sig.

I just checked and found that mail.python.org was not DKIM signing
outgoing list mail because it was checking only the From: domain for
python.org. I have hopefully just corrected that.


> Can I just switch the list to Mung From with some certainty that the email
> providers will continue to relay our traffic as we have valid SPF and DMARC
> records?


If Wrap Message is currently working for you, I don't know why Munge
>From would not work, but there is little difference between these
actions in Mailman 2.1.21 vs 2.1.16. However, 2.1.21 does offer
dmarc_moderation_action so you can apply Wrap Message or Munge From only
to those messages which are From: a domain which publishes a DMARC
p=reject (and optionally p=quarantine) policy.


> Would switching to a later version of mailman make this any better (and
> why)?


Maybe. As I say above, it would allow you to only apply DMARC
mitigations to those posts that need it. Whether it would make Munge
>From any better depends on what the current issue is. I know of no
reason why Wrap Message would be effective in avoiding DMARC rejects and
Munge From would not, but ISPs do funny things and are secretive about
it, so who knows.

My own lists and the python.org lists do Munge From and we don't see
DMARC bounces.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM Failures cause posts from gmail users to not be relayed to the list

2015-08-12 Thread Mark Sapiro 
On 08/12/2015 06:21 AM, Peter Bossley wrote:

 The MTA was configured to reject DKIM failures.

This is wrong and is the cause of your issue. See RFC 6376
http://www.rfc-editor.org/rfc/rfc6376.txt sec 4.4, sec 6.1 and sec 6.3.

The issue is your mail list transformations break gmail's DKIM signature
and you are rejecting the outgoing mail because of the invalid
signature, in spit of the fact that it may also contain a valid
signature. Even if it doesn't also contain a valid signature, mail
should not be rejected just because of an invalid DKIM signature. In
most cases an invalid DKIM signature should be treated the same as no
signature.


 The domain was configured to sign outgoing messages with DKIM.


OK.


 So, next, thinking that the DMARC issues that have been plaguing the internet 
 lately were to blame, I tried changing the DMARC_Moderation setting to munge. 
 This failed to change the situation as well.


This is not a DMARC issue per se as gmail's DMARC policy is p=none.


 I then attempted to set this setting to wrap message, which again did not fix 
 the issue.


Because gmail's DMARC policy is p=none, dmarc_moderation_action won't
apply to this mail.


 At this point, I moved on to the from as list global setting, and tried munge 
 here as well. This didn't work.
 Last, I tried wrap message, which did seem to work.


Because the outer wrapper message only contains your DKIM signature.
Gmail's is in the wrapped message which is part of the message body and
not checked by your MTA.


 Given the functionality issues this created, however, I decided to keep 
 investigating.
 It was at this point that I decided to turn off DKIM failure rejection. I 
 initially dismissed this course of action because I felt that changing the 
 from as list setting to munge should have prevented this from becoming an 
 issue.


No. Turning off DKIM failure rejection or at least changing it to ignore
a failure if there is also a valid DKIM sig present was the correct
solution.


 Since the initial posts were making it to the web-based archives I figured 
 the gmail signature was fine.


The sig was fine in the incoming mail, but transformations like subject
prefixing and the addition of a message header or footer break the sig
in the outgoing mail.


 I'm at a loss of where to go from here. I would like to still reject DKIM 
 failures, but my mailing lists need to work properly as well. Does anyone 
 have any suggestions or ideas on why the Munge setting didn't seem to have an 
 impact?


All Munging the From: does is create one more failure in gmail's DKIM
sig. This is not a DMARC issue. Do not reject messages just because they
happen to contain one invalid DKIM sig. This is wrong. Read the RFC
sections I refer to above.

-- 
Mark Sapiro m...@msapiro.netThe highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM Failures cause posts from gmail users to not be relayed to the list

2015-08-12 Thread Brad Rogers 
On Wed, 12 Aug 2015 10:04:14 -0400
Barry Warsaw ba...@list.org wrote:

Hello Barry,

FWIW, lists.debian.org does not run Mailman.

Fair enough.  Seems to me to be less likely that Peter's problem is the
same, as other list owners of mailman run lists would probably be
reporting similar errors.

-- 
 Regards  _
 / )   The blindingly obvious is
/ _)radnever immediately apparent
Sign away your life
Tin Soldiers - Stiff Little Fingers


pgpkvEgxFw_MT.pgp
Description: OpenPGP digital signature
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM Failures cause posts from gmail users to not be relayed to the list

2015-08-12 Thread Mark Sapiro 
On 08/12/2015 06:44 AM, Brad Rogers wrote:
 
 *All* lists run from list.debian.org are to have their footers turned off
 because of valid DKIM signature breakage.


In order to avoid DKIM signature breakage, you also have to turn off
subject prefixing, content filtering, reply-to header munging and
message headers.

See item 2) at http://wiki.list.org/x/17891458 although the OP's issue
is not with DMARC; it is with his own outgoing MTA being too fussy about
a broken sig.

-- 
Mark Sapiro m...@msapiro.netThe highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan



signature.asc
Description: OpenPGP digital signature
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM Failures cause posts from gmail users to not be relayed to the list

2015-08-12 Thread Brad Rogers 
On Wed, 12 Aug 2015 13:21:58 +
Peter Bossley p...@bossley.me wrote:

Hello Peter,

mailing lists need to work properly as well. Does anyone have any
suggestions or ideas on why the Munge setting didn't seem to have an
impact?

I'm far from being an expert regarding DKIM, DKMS and mailman, but what
I can say is this;

*All* lists run from list.debian.org are to have their footers turned off
because of valid DKIM signature breakage.

Maybe this is an option you could also explore.

See
https://lists.debian.org/debian-devel-announce/2015/08/msg3.html
for the announcement.  Sadly, very little in the way of details, but the
poster of the message may be able to help you.

-- 
 Regards  _
 / )   The blindingly obvious is
/ _)radnever immediately apparent
Drums quite good, bass is too loud, and I can't hear the words
Sound Of The Suburbs - Members


pgp1sE7iDWFNB.pgp
Description: OpenPGP digital signature
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM best practise

2015-06-22 Thread Yasir Assam 

On 22/06/2015 1:58 PM, Stephen J. Turnbull wrote:
 As Mark already said, according to the standards it is correct and
 good practice to add a DKIM signature to every message you process
 outside of the MTA and then reinject into the Internet mail system.
 In more friendly terms, if you simply pass on the message *exactly* as
 received except for adding Received and 2List-Post to the front of
 the message, you don't need to DKIM sign but it doesn't hurt.  But if
 you change the message (eg, by adding a list signature or by adding
 the list name to the Subject field), you *should* DKIM sign.

Got it, thanks.

  
   I subscribed to mailman-users@python.org using a Yahoo address, and
   interestingly, 2 emails ended up in spam (one of which was my original
   post, which is from a non-yahoo address).

 Yahoo and Hotmail are a child's garden of diseases when it comes to
 their behavior in the mail system.  Outlook and Gmail also cause
 problems.  It would be OK if there was only one 800 pound gorilla
 around, you'd just adapt.  The problem is that there are several, and
 they have conflicting requirements.  You can't satisfy them all.

I was hoping there was a way to pacify all these gorillas, but it looks
like there isn't.

   This isn't quite true in my case. You're right about all the headers,
   except that Mailman is adding a CC field with the list address.

 I don't think that Mailman adds the CC:.

I think it does in my version of Mailman (2.1.18 on Debian Jessie).

So it sounds like I should do the following:

  * DKIM sign all mail sent by mailman
  * Don't remove existing DKIM headers
  * from_is_list = No
  * REMOVE_DKIM_HEADERS = No
  * dmarc_moderation_action = wrap message

I'll tell my users to keep checking their spam folders and marking my
mail as not spam, and hope that yahoo and others learn to flag my list
mail as not spam over time.

Thanks,
Yasir

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM best practise

2015-06-22 Thread Mark Sapiro 
On 06/21/2015 08:58 PM, Stephen J. Turnbull wrote:
 Yasir Assam writes:
 
   I noticed that this list, mailman-users@python.org, doesn't add a
   DKIM header unless the list itself generates the email, i.e. the
   email you sent to this list only has your DKIM header
   (d=msapiro.net), whereas the original welcome email has DKIM with
   d=python.org.
 
 IIUC, Mark has input into, but does not control, policy on
 mail.python.org.  People have different experience with, and therefore
 opinions on policy, about these things.


Steve's understanding is correct.


 As Mark already said, according to the standards it is correct and
 good practice to add a DKIM signature to every message you process
 outside of the MTA and then reinject into the Internet mail system.
 In more friendly terms, if you simply pass on the message *exactly* as
 received except for adding Received and 2List-Post to the front of
 the message, you don't need to DKIM sign but it doesn't hurt.  But if
 you change the message (eg, by adding a list signature or by adding
 the list name to the Subject field), you *should* DKIM sign.


Right.

But, we are actually dealing with two issues here: DKIM signing as a
general practice and DKIM signing specifically to address DMARC issues.

Yes, it is good practice to DKIM sign for your domain all mail which is
sent by servers in your domain. You are essentially saying yes, I made
transformations to this message that broke its original DKIM signature,
but I am taking responsibility for this message and if my DKIM sig is
valid, I vouch for this mail.

DMARC however puts a more stringent requirement on a message. It says
that if a message is From: a domain that publishes a DMARC policy, and
there isn't a valid SPF or DKIM signature whose domain 'aligns' (i.e. is
the same as in some sense) with the domain in the From: address,
recipients should handle the message in accord with the From: domain's
DMARC policy.

Thus, as a mailing list that makes modifications to messages that break
DKIM sigs, it doesn't help a message From: ...@yahoo.com pass DMARC for
me to DKIM sign it with my domain unless I also change the From: address
to my domain or at least to a domain without a DMARC policy other than
none.

-- 
Mark Sapiro m...@msapiro.netThe highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM best practise

2015-06-21 Thread Mark Sapiro 
On 06/20/2015 06:39 PM, Yasir Assam wrote:
 
 I'm using mailman 2.1.18 on Debian Jessie with exim4. I have full
 personlisation and verp turned on.
 
 What should I do about DKIM?
 
 At the moment I preserve the original poster's DKIM header and my list's
 MTA also adds DKIM to all outgoing mail.


This is the good and is the best you can do.


 If I set from_is_list to Munge, hotmail users can't reply to the list,
 even when they hit Reply All (if I try doing Reply All from a hotmail
 account, I only see the sender's address, not the list address). If it
 wasn't for this hotmail problem, I'd probably prefer to have a munged
 from header.


With Munge From and Full Personalization, delivered posts will be From:
the list with Reply-To: the poster and To: the recipient. Hotmail is
taking the Reply-To: as overriding the From: even for reply-all and with
Full Personalization, the From: is the only header (other than
List-Post) with the list address.


 If I set from_is_list to No, the hotmail Reply All problem goes away,
 but now Yahoo-sent email ends up in Yahoo's spam (i.e. if
 b...@yahoo.com.au sends to l...@example.com, bob receives the email he
 just posted in his spam folder, not in his inbox). I'm specifically
 talking about a yahoo.com.au address (I haven't tried yahoo.com yet).


Yahoo.com.au publishes DMARC p=none. Yahoo.com publishes DMARC p=reject.
Without some Munge From, Wrap Message or anonymous_list transformation,
yahoo.com mail will not be accepted by Yahoo, Hotmail and many other ISPs.

As far as the mail from yahoo.com.au ending up in spam, removing the
broken DKIM sig may help (REMOVE_DKIM_HEADERS = 2). It shouldn't matter
(see below), but it may help.


 Just to be clear, when from_is_list is No, the DKIM header I'm adding is
 for the list domain, e.g. if the list is l...@example.com then
 d=example.com in my added DKIM header.

 Here's an example Authentication-Results added by a gmail subscriber
 receiving a post from a yahoo.com.au subscriber (names changed):
 
 Authentication-Results: mx.google.com;
spf=pass (google.com: domain of
 list-bounces+bob=gmail@example.com designates x.x.x.x as permitted
 sender) smtp.mail=list-bounces+bob=gmail@example.com;
dkim=pass header.i=@example.com;
dmarc=fail (p=NONE dis=NONE) header.from=yahoo.com.au
 
 So what is the recommended way of doing this? Should I not bother adding
 a DKIM header to mailman-sent emails? Should I strip the original DKIM
 header (REMOVE_DKIM_HEADERS) ?


What you are doing is correct and good practice. Removing incoming DKIM
headers probably won't help. The DKIM standard says an invalid DKIM
signature and no DKIM signature SHOULD be treated the same (RFC 6376/STD
76, sec 6.3)


 Is there any way I can get hotmail to reply to the list when the From:
 header is munged? Is munging considered bad form (when not mitigating
 DMARC reject policies)?


There are a few things you can do.

You can turn off Full Personalization which will leave the list address
in To: and Hotmail's reply-all should include it.

You can set reply_to_list to this list which will put the list address
in Reply-To: (along with the poster's address), but this will make it
more difficult to reply only to the poster as a simple reply will also
include the list.

There are some changes in this area in 2.1.19 (see
https://bugs.launchpad.net/mailman/+bug/1407098), but I don't think
they help your situation.

You could modify CookHeaders.py to add the poster's address to Cc:
rather than Reply-To: in your case.

You should also consider using dmarc_moderation_action rather than
from_is_list to only Munge From when 'necessary'.

-- 
Mark Sapiro m...@msapiro.netThe highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM best practise

2015-06-21 Thread Yasir Assam 
Thanks Mark.

What you describe below makes sense, and I agree hotmail is behaving
badly, but I'm stuck with its bad behaviour.

In any case, if From Munging is not good to do generally then I have to
figure out another way placate Yahoo's spam filter.

Yasir

On 22/06/2015 12:33 PM, Mark Sapiro wrote:
 On 06/20/2015 06:39 PM, Yasir Assam wrote:
 Is there any way I can get hotmail to reply to the list when the From:
 header is munged? Is munging considered bad form (when not mitigating
 DMARC reject policies)?

 It may not have been clear from my earlier reply, but yes, From Munging
 is considered bad form. It violates the basic email RFCs definition of
 the meaning of the From: header. It is best not to do it
 unconditionally, and a better response to DMARC mitigation is Wrap
 Message, but that said we recognize that Wrap Message creates issues for
 some (particularly moblie device) MUAs so that in some cases at least,
 Munge From is the most acceptable mitigation. It is best if only applied
 when needed via dmarc_moderation_action and not unconditionally via
 from_is_list.

 On a different subject, I have looked a bit further, and with what I
 understand your list settings to be, i.e. Full Personalization,
 from_is_list = Munge From, reply_goes_to_list = Poster; I think even
 with 2.1.18 the list posting address will be put in or added to Cc:, and
 the original From: will be in Reply-To:.

 Thus any reasonable MUA should 'reply' to the original From: and
 'reply-all' to the original From: and the list. If the headers are as I
 say and Hotmail is not doing this, then Hotmail is behaving badly as the
 Reply-To: should override the list address in the From:, but it
 shouldn't affect replying-all to a Cc:.


--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM best practise

2015-06-21 Thread Yasir Assam 
Many thanks for your response Mark.

Comments below.

On 22/06/2015 1:46 AM, Mark Sapiro wrote:
 On 06/20/2015 06:39 PM, Yasir Assam wrote:
 I'm using mailman 2.1.18 on Debian Jessie with exim4. I have full
 personlisation and verp turned on.

 What should I do about DKIM?

 At the moment I preserve the original poster's DKIM header and my list's
 MTA also adds DKIM to all outgoing mail.

 This is the good and is the best you can do.

I noticed that this list, mailman-users@python.org, doesn't add a DKIM
header unless the list itself generates the email, i.e. the email you
sent to this list only has your DKIM header (d=msapiro.net), whereas the
original welcome email has DKIM with d=python.org. On my list, I'm
adding a DKIM header for the list domain, even though the From: header
isn't the list. In other words, if al...@gmail.com posts to
l...@example.com, my MTA was still adding a d=example.com DKIM header
when resending her email via the list, even when From: is al...@gmail.com.

Is it right to do this?

I subscribed to mailman-users@python.org using a Yahoo address, and
interestingly, 2 emails ended up in spam (one of which was my original
post, which is from a non-yahoo address).

 If I set from_is_list to Munge, hotmail users can't reply to the list,
 even when they hit Reply All (if I try doing Reply All from a hotmail
 account, I only see the sender's address, not the list address). If it
 wasn't for this hotmail problem, I'd probably prefer to have a munged
 from header.

 With Munge From and Full Personalization, delivered posts will be From:
 the list with Reply-To: the poster and To: the recipient. Hotmail is
 taking the Reply-To: as overriding the From: even for reply-all and with
 Full Personalization, the From: is the only header (other than
 List-Post) with the list address.

This isn't quite true in my case. You're right about all the headers,
except that Mailman is adding a CC field with the list address. To be
clear, using Full Personalisation and Munge From:

From: list address
Reply-to: poster
To: recipient
CC: list address

Given that CC contains the list address, you'd expect Hotmail to include
it as a recipient when doing Reply All, but it doesn't!

 If I set from_is_list to No, the hotmail Reply All problem goes away,
 but now Yahoo-sent email ends up in Yahoo's spam (i.e. if
 b...@yahoo.com.au sends to l...@example.com, bob receives the email he
 just posted in his spam folder, not in his inbox). I'm specifically
 talking about a yahoo.com.au address (I haven't tried yahoo.com yet).

 Yahoo.com.au publishes DMARC p=none. Yahoo.com publishes DMARC p=reject.
 Without some Munge From, Wrap Message or anonymous_list transformation,
 yahoo.com mail will not be accepted by Yahoo, Hotmail and many other ISPs.

Yes, I read about this recently. My test list doesn't yet contain any
yahoo.com addresses.

 As far as the mail from yahoo.com.au ending up in spam, removing the
 broken DKIM sig may help (REMOVE_DKIM_HEADERS = 2). It shouldn't matter
 (see below), but it may help.

I think I tried this but it didn't make a difference to Yahoo's spam filter.

 Just to be clear, when from_is_list is No, the DKIM header I'm adding is
 for the list domain, e.g. if the list is l...@example.com then
 d=example.com in my added DKIM header.
 Here's an example Authentication-Results added by a gmail subscriber
 receiving a post from a yahoo.com.au subscriber (names changed):

 Authentication-Results: mx.google.com;
spf=pass (google.com: domain of
 list-bounces+bob=gmail@example.com designates x.x.x.x as permitted
 sender) smtp.mail=list-bounces+bob=gmail@example.com;
dkim=pass header.i=@example.com;
dmarc=fail (p=NONE dis=NONE) header.from=yahoo.com.au

 So what is the recommended way of doing this? Should I not bother adding
 a DKIM header to mailman-sent emails? Should I strip the original DKIM
 header (REMOVE_DKIM_HEADERS) ?

 What you are doing is correct and good practice. Removing incoming DKIM
 headers probably won't help. The DKIM standard says an invalid DKIM
 signature and no DKIM signature SHOULD be treated the same (RFC 6376/STD
 76, sec 6.3)


 Is there any way I can get hotmail to reply to the list when the From:
 header is munged? Is munging considered bad form (when not mitigating
 DMARC reject policies)?

 There are a few things you can do.

 You can turn off Full Personalization which will leave the list address
 in To: and Hotmail's reply-all should include it.

Hotmail doesn't include it. I tried Full Personalisation off, Munge on,
with the following headers:

From: list address
Reply-to: poster
To: list address

In Hotmail, Reply All only includes poster, not list address (despite
list address appearing in To field)

 You can set reply_to_list to this list which will put the list address
 in Reply-To: (along with the poster's address), but this will make it
 more difficult to reply only to the poster as a simple reply will also
 include the list.

I used

Re: [Mailman-Users] DKIM best practise

2015-06-21 Thread Stephen J. Turnbull 
Yasir Assam writes:

  I noticed that this list, mailman-users@python.org, doesn't add a
  DKIM header unless the list itself generates the email, i.e. the
  email you sent to this list only has your DKIM header
  (d=msapiro.net), whereas the original welcome email has DKIM with
  d=python.org.

IIUC, Mark has input into, but does not control, policy on
mail.python.org.  People have different experience with, and therefore
opinions on policy, about these things.

As Mark already said, according to the standards it is correct and
good practice to add a DKIM signature to every message you process
outside of the MTA and then reinject into the Internet mail system.
In more friendly terms, if you simply pass on the message *exactly* as
received except for adding Received and 2List-Post to the front of
the message, you don't need to DKIM sign but it doesn't hurt.  But if
you change the message (eg, by adding a list signature or by adding
the list name to the Subject field), you *should* DKIM sign.

  On my list, I'm adding a DKIM header for the list domain, even
  though the From: header isn't the list. In other words, if
  al...@gmail.com posts to l...@example.com, my MTA was still adding
  a d=example.com DKIM header when resending her email via the list,
  even when From: is al...@gmail.com.
  
  Is it right to do this?

Yes.

  I subscribed to mailman-users@python.org using a Yahoo address, and
  interestingly, 2 emails ended up in spam (one of which was my original
  post, which is from a non-yahoo address).

Yahoo and Hotmail are a child's garden of diseases when it comes to
their behavior in the mail system.  Outlook and Gmail also cause
problems.  It would be OK if there was only one 800 pound gorilla
around, you'd just adapt.  The problem is that there are several, and
they have conflicting requirements.  You can't satisfy them all.

  This isn't quite true in my case. You're right about all the headers,
  except that Mailman is adding a CC field with the list address.

I don't think that Mailman adds the CC:.

  Given that CC contains the list address, you'd expect Hotmail to
  include it as a recipient when doing Reply All, but it doesn't!

Then you can't workaround both Hotmail's broken MUA and yahoo.com's
idiotic DMARC policy, and provide full reply functionality to people
with decent MUAs.  There may be a workaround for both Hotmail's broken
MUA and yahoo.com.au's spam filtering policy, but we can't design one
without accurate information about yahoo.com.au's policy, and they are
very unlikely to provide it.

The only thing that will satisfy all parties is to turn off all list
decorations: no header or footer in the body, and no change to the
Subject field.

   You could modify CookHeaders.py to add the poster's address to Cc:
   rather than Reply-To: in your case.
  
  If munging is on, and I put the poster address in CC: rather than
  Reply-to: won't that mean a single Reply (not Reply All) will go to the
  list address?

Yes.  It definitely won't go to the poster.

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] DKIM best practise

2015-06-21 Thread Mark Sapiro 
On 06/20/2015 06:39 PM, Yasir Assam wrote:
 Is there any way I can get hotmail to reply to the list when the From:
 header is munged? Is munging considered bad form (when not mitigating
 DMARC reject policies)?


It may not have been clear from my earlier reply, but yes, From Munging
is considered bad form. It violates the basic email RFCs definition of
the meaning of the From: header. It is best not to do it
unconditionally, and a better response to DMARC mitigation is Wrap
Message, but that said we recognize that Wrap Message creates issues for
some (particularly moblie device) MUAs so that in some cases at least,
Munge From is the most acceptable mitigation. It is best if only applied
when needed via dmarc_moderation_action and not unconditionally via
from_is_list.

On a different subject, I have looked a bit further, and with what I
understand your list settings to be, i.e. Full Personalization,
from_is_list = Munge From, reply_goes_to_list = Poster; I think even
with 2.1.18 the list posting address will be put in or added to Cc:, and
the original From: will be in Reply-To:.

Thus any reasonable MUA should 'reply' to the original From: and
'reply-all' to the original From: and the list. If the headers are as I
say and Hotmail is not doing this, then Hotmail is behaving badly as the
Reply-To: should override the list address in the From:, but it
shouldn't affect replying-all to a Cc:.

-- 
Mark Sapiro m...@msapiro.netThe highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] [dkim-milter-discuss] dkim + mailman + postfix - dkim=fail. RESOLVED

2008-07-09 Thread bob 001 
awesome!!! It worked. Thanks so much Jason and everyone.

It was exactly same issue that you identified. Appreciate great help from
Jason, Mouss and team.

Following changes were done in mailman configuration to make it work.
--
REMOVE_DKIM_HEADER = YES in defaults.py
SMTPPORT=587  in mm_cfg.py - IMPORTANT,
POSTIX/DKIMPROXY.
--

after above changes and bounce using mailmanctl, yahoo shows domainkeys=pass
and gmail too , dkim=pass.

Thanks again.
Bob.

On Tue, Jul 8, 2008 at 7:26 AM, Jason Long [EMAIL PROTECTED] wrote:

 My first guess would be that Mailman is submitting the mail using port 25.
 See if you can configure Mailman to use port 587 instead.
 Jason



  bob 001 [EMAIL PROTECTED] 7/7/08 12:26 PM 
  Also,
 when I send the simple message from ageoftruth server on one-to-one basis
 to
 yahoo id, it says domainkeys=pass.
 That means it does add the signature.

 Only when listserv gets involved, postfix and dkimproxy for some reason
 are
 not adding the signature.

 Also, current setting in mailman's Defaults.py is :- REMOVE_DKIM_HEADERS =
 No.

 So, it seems postfix and dkimproxy is not adding the signature at all for
 some reason. It seems, my configuration is not OK :-(. Kindly help.

 - Regards,
 Bob.


--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9

Re: [Mailman-Users] DKIM/DK-milter with Mailman

2006-05-23 Thread Mark Sapiro 
SM wrote:

The workaround is to configure Mailman as follows:

Change the Mailman/Handlers/CleanseDKIM.py lines from:

  def process(mlist, msg, msgdata):
  del msg['domainkey-signature']
  del msg['dkim-signature']

to

  def process(mlist, msg, msgdata):
  del msg['domainkey-signature']
  del msg['dkim-signature']
  del msg['authentication-results']


The above change is added to the subversion trunk. Thanks.

-- 
Mark Sapiro [EMAIL PROTECTED]   The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=showamp;file=faq01.027.htp