Hi Jeroen,
> On Feb 23, 2024, at 15:14, Jeroen Massar wrote:
>>
>> I'll spare you more of the idiotic details and the rest of the
>> self-inflicted pain, but I'll mention that we should now in theory have a
>> great brand new mail server, running at a Hetzner data center in Europe,
>> with a (**knocks wood**) clean IP address that is MINE to keep and control.
>
> It even came in on IPv6 ;)
Yeah, one of the surprising things in this move has been that IPv6 from Hetzner
has been gladly accepted by all the large mail providers. From my previous
hoster I could never reliably get IPv6 delivery to work.
> Keep in mind that Hetzner has rather busy address space with a large
> diversity of customers: https://bgp.tools/prefix/5.75.128.0/17#dns
Oh yes, without a doubt. I think my point was that Hetzner appears to do a good
job going after bad actors in their prefix. And that's what kept biting me in
the past. Not bad behavior of my server, but bad behavior in the "neighborhood"
and not enough willingness of the hoster to do something about it.
>> As a result, these emails now are delivered by Mailman3
>
> Check if you already have ARC options:
> https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/arc_sign.html
> One really wants to enable that due to Google.
I hadn't done that, yet. I was under the impression the SPF, DKIM, and all that
announced via DMARC was enough.
I guess there's yet another thing to do ¯\_(ツ)_/¯
> As the body is changed (the mailinglist notice at the bottom), the original
> DKIM header is broken, ARC will say that the original header was fine at that
> point, and then show that it got resigned with the subsurface DKIM key.
Well - but since I am re-signing the emails after all modifications, and since
I am doing the DMARC mangling to have the email go out from the mailing list
address - should the email have a correct DKIM header?
In other words - when you receive the message, do you see a correct DKIM header?
I got myself spare email accounts at several of the large freemail hosters and
subscribed them to the mailing list and they all looked fine...
> In an extreme case (if deliveries fail or scoring is affected) you might have
> to enable 'munge_from' as per:
> https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html
That's what we are doing.
> [..]
>> I really do hope that this will be the end of my sysadminning email problems
>> for a little while.
>
> In case there are further issues, do not hesitate to shout out and we can
> have a poke at it on how to resolve it.
I do appreciate the offer to help!
And I'd appreciate it especially if you could look at this response email
(which I intentionally only sent to the mailing list so that you only get it
via Mailman, not directly).
As I said above, it seems that for my accounts at gmail, outlook, etc, these
last few emails looked fine.
(and yes, that took a few tries - I of course created a test mail list that
contained all of these canary accounts)
/D
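
Added example, not part of the original message: one way to check what a canary mailbox recorded for a list-delivered message, by parsing the topmost `Authentication-Results` header and testing whether a passing DKIM signature lines up with the (munged) From domain. The sample message, the `example` domains and the function names are constructed for illustration, and the alignment test is a simplification that does not consult the Public Suffix List.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample of a list-delivered message as stored by a receiving mailbox.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=fail (body hash did not verify) header.d=author.example header.s=s1;
 dkim=pass header.d=lists.example.org header.s=list2024;
 spf=pass smtp.mailfrom=lists.example.org;
 arc=pass (i=1);
 dmarc=pass header.from=lists.example.org
From: Author via devlist <devlist@lists.example.org>
Subject: [devlist] test

body
"""

def parse_auth_results(value):
    """Split one Authentication-Results value into (method, result, props)."""
    value = re.sub(r"\([^()]*\)", " ", value)      # drop parenthesised comments
    out = []
    for part in value.split(";")[1:]:              # first field is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out.append((method.lower(), result.lower(), props))
    return out

def aligned(d, from_domain):
    # Simplified relaxed alignment: equal, or one is a subdomain of the other.
    d, f = d.lower(), from_domain.lower()
    return d == f or f.endswith("." + d) or d.endswith("." + f)

def check(raw):
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Only the topmost header, added by the receiving provider, is trusted here.
    res = parse_auth_results(msg.get_all("Authentication-Results", [""])[0])
    passed = [p.get("header.d", "") for m, r, p in res if m == "dkim" and r == "pass"]
    return {
        "from_domain": from_domain,
        "aligned_dkim_pass": any(aligned(d, from_domain) for d in passed if d),
        "broken_dkim": [p.get("header.d", "") for m, r, p in res if m == "dkim" and r != "pass"],
        "arc": next((r for m, r, _ in res if m == "arc"), "none"),
        "dmarc": next((r for m, r, _ in res if m == "dmarc"), "none"),
    }

if __name__ == "__main__":
    print(check(SAMPLE))
```

With the From address rewritten to the list domain, the list's own signature is the aligned one and the author's broken signature shows up only under `broken_dkim`; without the rewrite, `aligned_dkim_pass` is false for the same headers.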