[Techtalk] Opinions/Experiences Needed: Mailing list bouncing problem
Sarah Newman
newmans at sonic.net
Sun Aug 2 23:16:30 UTC 2015
Looking at http://wiki.list.org/DEV/DMARC I think my preference is for the 'from_is_list' option with munging. I dislike selective rewriting because that makes searches or filters more likely to be wrong.

For the behavior with reply-to, my email client (Thunderbird) has a 'Reply to List'. I think, but am not certain, that 'Reply to List' uses the List-Post header. Mailman already sets the List-Post header.

If 'reply to list' is available, I see no reason why reply-to couldn't go to only the original sender. Unfortunately I don't know how many email clients have the 'reply to list' option. Anybody know?

On 08/01/2015 02:59 PM, Terry wrote:
> Hi folks,
>
> LinuxChix had an issue earlier this week with the Newchix mailing list
> where over 200 members had their subscriptions disabled due to bounces.
> We re-enabled everyone's subscription and tracked down the problem.
> Unfortunately, it wasn't a glitch in our system. We violated Yahoo's
> DMARC policy because we use the poster's address in the From: header. To
> mitigate the problem, we've changed the bounce processing options for
> our mailing lists until a solution can be implemented.
>
> To keep this message as brief as possible, this is not a technical
> discussion of DMARC, DKIM or SPF but rather a discussion on the
> practical impact on LinuxChix's mailing lists and members when a domain
> has a DMARC policy of reject.
>
> Yahoo's policy: See https://help.yahoo.com/kb/SLN24016.html.
> "In 2014 Yahoo updated the DMARC record with "p=reject" for the
> "yahoo.com" domain. This means all DMARC compliant mail receivers
> (including Yahoo, Hotmail, and Gmail) are now bouncing emails sent as
> "@yahoo.com" addresses that aren't sent through Yahoo servers. Any
> messages without a proper Domain Keys Identified Mail (DKIM) signature
> or Sender Policy Framework (SPF) alignment will be rejected."
>
> Yahoo is not the only mail provider to implement a DMARC
> reject/quarantine policy nor is it the only one with DMARC compliant
> mailservers. At least 49 domains on LinuxChix mailing lists are DMARC
> compliant. As best we can tell, *this affects at least 65.5% (1,555) of
> our members*.
>
> The bottom line is that DMARC breaks mailing list software, including
> Mailman. See this post:
> http://www.circleid.com/posts/20140408_yahoo_addresses_a_security_problem_by_breaking_every_mailing_list/
>
> We're not the first list this has happened to. See
> http://www.gossamer-threads.com/lists/nanog/users/175053 for an
> enlightening discussion on the NANOG list. There's been a huge amount of
> debate about this. If you want hours of reading fun, search for "DMARC
> and Mailman". The purpose of this email is not to reignite the debate
> but to:
>
> 1. Ask for your opinions on how LinuxChix should handle this because it
> will affect our members, and
> 2. Solicit any experiences you may have had on other mailing lists in
> relation to the DMARC issue.
>
> The problem for LinuxChix is three-fold:
> - legitimate mail isn't getting through,
> - the bounces are disabling members' subscriptions, and
> - we risk getting blacklisted due to "excessive bouncing therefore we're
> spamming" or "you're a spammer because you keep showing up in our held
> messages/junk folder".
>
> Mailman has been patched for DMARC compliance, offering two methods. One
> is called "from_is_list" and implements DMARC compliance for *all* posts
> with two options:
>
> - Rewrite the From: header with the poster's name 'via the list' and the
> list's address and merge the poster's address into Reply-To:
> or
> - Wrap the message as a message/rfc822 sub-part in a MIME format outer
> message with From: and Reply-To: as above.
>
> Mailman does not recommend "from_is_list" because, as best as I can
> figure out, while all messages become DMARC compliant, you then break
> RFCs and you should break RFCs only when there is no other choice.
>
> The second, "dmarc_moderation_action", *selectively* acts on poster
> domains with a DMARC policy of reject or quarantine. It has five options:
>
> - the two above
> - accept
> - reject
> - discard
>
> The LinuxChix sysadmins and coordinators are now considering how to
> handle this. Each method and each option has practical effects for our
> members.
>
> Accept - This, in effect, changes nothing as this is what we're doing
> now. Mail from members with Yahoo, et al, addresses will still be
> bounced by any DMARC compliant receiving server (Gmail, Yahoo, Hotmail,
> etc). Our list admins will need to deal with all the bounces and
> re-enabling of subscriptions, unless we turn off bounce processing. In
> short, it does nothing to solve the problem and increases the burden on
> the sysadmins and mailing list admins.
>
> Reject - Reject messages from a poster with a DMARC policy of
> reject/quarantine with an explanation as to why. This would affect
> 10.57% (251) of our members.
>
> Discard - Drops any message from a poster with a DMARC policy of
> reject/quarantine. Same as rejecting, 10.57% (251) of our members, only
> they'd have no clue.
>
> Munging/Wrapping - Both of these options impact all members because both
> change the Reply-To and From headers. If done selectively, only
> messages from domains with policies of reject/quarantine will be
> changed. The message From: header would be "abc via techtalk
> <techtalk at linuxchix.org>". Reply-To would be abc at yahoo.com AND
> techtalk at linuxchix.org.
>
> Currently, the poster's address is in the From: header and utilizing the
> Reply-To function in your mail client will result in the message being
> directed to the original poster. If we munge or wrap, the Reply-To will
> now go to the poster AND the list.
>
> *This is a significant deviation from how our lists currently work.* We
> assume a private reply unless Reply-To-All or Reply-To-List is used.
> This could result in someone replying to the list inadvertently when the
> reply was meant to be private.
> See http://archive.linuxchix.org/reply-policy.html.
>
> *Depending on how you filter (if you do) LinuxChix messages, this would
> require changes/additions to your current filters.*
>
> Opinions/comments/experiences of how other lists handled this are welcome.
>
> I've been reading this stuff for 4 days straight now and my brain hurts.
> Apologies if it's less than clear.
>
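
Added illustration (not part of this thread and not Mailman's own code) of the header changes discussed above: From: munging with the poster moved into Reply-To:, applied either to every post or only when the poster's domain publishes p=reject/quarantine. The sample message, the DMARC record strings and the function names are constructed for the example, and the DNS lookup is replaced by a record string passed in.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

LIST_NAME = "techtalk"                 # list name used in the thread
LIST_ADDR = "techtalk@linuxchix.org"   # list address used in the thread

# Constructed sample post (illustrative poster address).
SAMPLE = """\
From: abc <abc@yahoo.com>
To: techtalk@linuxchix.org
Subject: [Techtalk] test
List-Post: <mailto:techtalk@linuxchix.org>

body
"""

def dmarc_policy(txt_record):
    """Return the p= tag of a DMARC TXT record, 'none' if it is not DMARC."""
    tags = {}
    for part in txt_record.split(";"):
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p", "none") if tags.get("v") == "dmarc1" else "none"

def munge(msg, reply_to_list=True):
    """Put the list in From: and the poster (optionally plus list) in Reply-To:."""
    name, addr = parseaddr(msg["From"])
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {LIST_NAME}", LIST_ADDR))
    del msg["Reply-To"]                # no-op when the header is absent
    targets = [formataddr((name, addr))] + ([LIST_ADDR] if reply_to_list else [])
    msg["Reply-To"] = ", ".join(targets)
    return msg

def handle(raw, txt_record, selective):
    """selective=True rewrites only posts from p=reject/quarantine domains."""
    msg = message_from_string(raw)
    if not selective or dmarc_policy(txt_record) in ("reject", "quarantine"):
        munge(msg)
    return msg

if __name__ == "__main__":
    for record in ("v=DMARC1; p=reject", "v=DMARC1; p=none"):
        out = handle(SAMPLE, record, selective=True)
        print(record, "->", out["From"], "|", out["Reply-To"])
```

In this example List-Post is left untouched in both modes, so a filter keyed on it matches the same messages whether rewriting is selective or applied to all posts.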