[Mailman-Users] Problem with SPF, DKIM or Mailman-DMARC settings

2020-11-07 Thread Stephen J. Turnbull
Kala Balik writes:
 >Dear Mailman-Users,
 > 
 >I have a Mailman instance running on a vServer with Plesk, but am using
 >email services from my provider (different IP and MX-Domain than the
 >Mailman machine). Emails in the format n...@domain.tld generally seem
 >to work. However, when I send an email from the same address to one of
 >my Mailman lists at subdomain.domain.tld, I get many bouncees who will
 >eventually be removed from the list.
 > 
 >My question is: What is wrong here, my SPF or DKIM settings

Can't speak to those, but only guess, since you don't provide them.
SPF is irrelevant to mailman; it will always fail unless the original
sender and the mailing list use the same IP address.  My guess is that
there is a problem with your DKIM setup, see below.

 >OR my Mailman-DMARC settings?
 > 
 >My Mailman-DMARC settings are the following:
 > 
 >from_is_list: No
 >anonymous_list: No
 >dmarc_moderation_action: Munge from
 >dmarc_quarantine_moderation_action: Yes
 >dmarc_none_moderation_action: No

These are expected and should be sufficient to prevent DMARC rejects.
I do not understand the behavior you describe.  Some guesses below,
and a description of what I think "should" be happening.  Maybe that
will spark a thought as to what's going on here.

Wild guess: There is also a setting in Mailman to remove DKIM
signatures.  If Google is only evaluating the broken DKIM SIG#1, and
not the good SIG#2, this should help.  (SIG#1 and SIG#2 are explained
below.)

 >From Google I received reports of which the following XML is a
 >clipping:
 >  
 >subdomain.domain.tld
 >r
 >r
 >reject
 >reject
 >100
 >  

The Munge_from action replaces the From email address of the author
with the From address of the list.  Google is saying that you have set
the DMARC policy for your subdomain to "p=reject".  Is that correct?

Then it says

 >fail
 >fail

so the authentication of this message against your server has failed.
I can't say why SPF failed; if there are any MXes between you and
Google that would do the trick.  It is strange that DKIM fails.  What
I would expect to happen is

1.  You compose mail "From: y...@subdomain.domain.tld", and pass it
    to your MTA.
2.  The MTA signs the mail with DKIM (SIG#1), and passes the mail
    to Mailman.
3.  Mailman adds stuff to the mail and breaks SIG#1.
4.  Mailman checks your DMARC policy, which is "p=reject".
5.  Mailman changes From from "y...@subdomain.domain.tld" to
    "l...@subdomain.domain.tld".
6.  Mailman passes the mail (back) to the MTA.
7.  The MTA signs the mail (as altered by Mailman) with DKIM (SIG#2).
8.  The MTA passes the mail to Google.
9.  Google checks SPF, SIG#2, and SIG#1, getting (fail, pass, fail).

    This is what's different.  Maybe Google only checks SIG#1?

    But DKIM signatures are treated as "trace" fields, which means
    that SIG#2 should come *first* in the message.  So I would think
    if Google only checks one, that would be the one to check.
10. Google checks your DMARC policy, which is "p=reject".
11. Since SIG#2, which passed, is from subdomain.domain.tld and so
    is From, DMARC passes.

But for some reason DKIM fails.  Without more information, I can't say
why.  Perhaps your MTA isn't signing outgoing from Mailman?  Perhaps
your submission server does the signing for individual mail and the
MTA doesn't sign at all?  Perhaps the signing milter in the MTA is
configured before some other milter that changes things?  Perhaps
there's something else between the MTA Mailman talks to and Google
that is altering the mail?

 >
 >  forwarded
 >  looks forwarded, downgrade to quarantine with
 >phishing warning
 >
 >  

I'm not sure what this is about.  I would expect Google to see your
list traffic as list traffic, so that "looks forwarded" is normal and
should not be considered a reason for quarantine.  Do you have the RFC
2369 "List-*" headers enabled?

Hope this helps.

Steve
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
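
Added example (not part of the original posts, and not Mailman or Google code): the DMARC decision that the numbered flow in the message above walks through, evaluated for the expected case and for the dkim=fail/spf=fail case in the report. The addresses are constructed placeholders, relaxed alignment is assumed as the default, and `org_domain()` is a simplification that stands in for a Public Suffix List lookup.

```python
from dataclasses import dataclass

@dataclass
class Sig:
    label: str   # SIG#1 / SIG#2, named as in the message above
    d: str       # d= signing domain of the DKIM signature
    result: str  # receiver's verification result: "pass" or "fail"

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List; this is enough for domain.tld.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc(header_from, spf_result, spf_domain, sigs, adkim="r", aspf="r", p="reject"):
    from_domain = header_from.rsplit("@", 1)[1]
    via = []
    if spf_result == "pass" and aligned(spf_domain, from_domain, aspf):
        via.append("spf")
    # Under RFC 7489 any one passing, aligned signature is enough,
    # whatever its position among the DKIM-Signature headers.
    via += [s.label for s in sigs
            if s.result == "pass" and aligned(s.d, from_domain, adkim)]
    return {"dmarc": "pass" if via else "fail", "via": via,
            "disposition": "none" if via else p}

# Constructed sample values, not taken from the thread.
LIST_FROM = "list@subdomain.domain.tld"   # From: after Munge From
SUB = "subdomain.domain.tld"

def expected_flow():
    # MTA re-signs after Mailman: SIG#2 passes, SIG#1 is broken, SPF fails.
    return dmarc(LIST_FROM, "fail", SUB,
                 [Sig("SIG#2", SUB, "pass"), Sig("SIG#1", SUB, "fail")])

def reported_flow():
    # What the aggregate report shows (dkim=fail, spf=fail), e.g. when
    # the outgoing list mail carries no valid SIG#2.
    return dmarc(LIST_FROM, "fail", SUB, [Sig("SIG#1", SUB, "fail")])

def parent_signed(adkim):
    # SIG#2 made with d=domain.tld: aligned only under relaxed mode.
    return dmarc(LIST_FROM, "fail", SUB, [Sig("SIG#2", "domain.tld", "pass")], adkim=adkim)

if __name__ == "__main__":
    print("expected:", expected_flow())
    print("reported:", reported_flow())
    print("parent d=, relaxed/strict:", parent_signed("r"), parent_signed("s"))
```
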


[Mailman-Users] Re: Problem with SPF, DKIM or Mailman-DMARC settings

2020-11-07 Thread Mark Sapiro

On 11/5/20 4:54 PM, Kala Balik wrote:


 >My question is: What is wrong here, my SPF or DKIM settings OR my
 >Mailman-DMARC settings?



I suspect it is your DKIM signing settings that sign the mail if it is
To: n...@domain.tld but not if it is To: n...@subdomain.domain.tld.


Are you signing with opendkim? If so, what are your opendkim.conf
settings for SenderHeaders and SigningTable and what is the content of
the file referred to by SigningTable?


--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan


[Mailman-Users] mailman3 installation

2020-11-07 Thread Christian Stalberg via Mailman-Users
Ubuntu 20.04.1 LTS / apache 2.4.41 / postfix 3.4.13

 

I am following the installation guidance at
https://docs.mailman3.org/en/latest/install/virtualenv.html#setup-virtualenv


 

Question: where should I place the available mailman-suite repo in
my filesystem?



[Mailman-Users] Re: mailman3 installation

2020-11-07 Thread Mark Sapiro

On 11/7/20 8:18 AM, Christian Stalberg via Mailman-Users wrote:

 >Ubuntu 20.04.1 LTS / apache 2.4.41 / postfix 3.4.13
 >
 >I am following the installation guidance at
 >https://docs.mailman3.org/en/latest/install/virtualenv.html#setup-virtualenv
 >
 >Question: where should I place the available mailman-suite repo in
 >my filesystem?



I assume you are asking what your current working directory should be 
when you run the `git clone` command shown at 
.


If you go back to 
, 
you'll see that this is the /opt/mailman directory, although it really 
shouldn't matter as long as you are in the 
mailman-suite/mailman-suite_project/ directory when you run the various 
manage.py commands.


--
Mark Sapiro                          The highway is for gamblers,
San Francisco Bay Area, California   better use your sense - B. Dylan