[Mailman-Users] CenturyTel bouncing mail from one specific AOL list member
Hi, I'm having trouble with one of my lists. CenturyTel is bouncing mail from one specific AOL user. The Mailman munge from is working as expected, and I even tried configuring mm_cfg.py to strip incoming DKIM signatures. However, as you'll see, CenturyTel is still complaining of a bad DKIM signature. No one else is. The incoming mail seems to include a DKIM signature as a nonstandard header, maybe CenturyTel knows to look for this, and is throwing a fit when it fails to verify? I've pasted below the bounce and the headers of the original message, with all private info X'd out. Any thoughts about what's going on, or what to do about it? Thanks, Jayson The original message was received at Tue, 15 Jun 2021 06:21:30 -0400 from localhost [127.0.0.1] - The following addresses had permanent fatal errors - (reason: 554 5.7.1 [P-101] Failed DKIM Authentication: permfail (signature did not verify)) - Transcript of session follows - ... while talking to mx.centurylink.net.: >>> DATA <<< 554 5.7.1 [P-101] Failed DKIM Authentication: permfail (signature did not verify) 554 5.0.0 Service unavailable == Return-Path: Received: from [127.0.0.1] (localhost [127.0.0.1]) by bluegrasspals.com (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTP id 15FALSRU026677 for ; Tue, 15 Jun 2021 06:21:30 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=bluegrasspals.com; s=default; t=1623752490; bh=24CUhP05iIsyC0G3FHT2ldx12tu+uz6AwzHIUiMK7Kg=; h=Date:References:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:To:From; b=jkYBn/0VT0JJCiFDtNHp+iKo1jFwm2SSVrRa61q39SMFlMH7t9239eJ1icplXJ0LK n0U29ph/i4g+R3SClDOwHylZ2Hu3dhsKqsRygyWc27obmbgrBE0QDsJAeIyJ9NFmTy 1/I+ZvFTnPu2Ks0+m+Pzhs6KsTEdcS5k08auq1ao= Received: from sonic302-2.consmr.mail.bf2.yahoo.com (sonic302-2.consmr.mail.bf2.yahoo.com [74.6.135.41]) by bluegrasspals.com (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 15FALOhI026595 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for ; Tue, 15 Jun 2021 06:21:25 -0400 X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1623752483; bh=Ds3LXRx+BOvjxdRl25AO7ofXzYqWCrmKvce2gThkX/H=; h=X-Sonic-MF:From:Date:Subject:To:From:Subject; b=CBgThKtZkAQo7thcnyqsK4Gj9aHFj2u4LIbWzQD4DwhOTWayZAhCf705dAnfjwq05KeBa5rObxyPxM//bwG9rQfGO46Sn6I0ghTuYyPN/u16yocbAw/mU+QI24lVInoFCpMtWoaTybZAvlrQdq6dVbkrsVTneMI5SQVibcKtilkoBE6h6l3usK5NiUB5/wniQ7ix6zgDirR8apQmDLNIohVY0OVm5JhMifig45LmFrWimjmeJi3XnawZ/NoQomcC8A9KBWV7Hm82nekoNTsx8DNbfK02IYXClJhqgEABEF+lSbHf7PBF0fg6gz0yAWqoJ5WCcoRql+tv0SY+aIiRaA== X-YMail-OSG: XfIgwYIVM1nHydw5YfeXAbXdIV8C_q_OSd.mDYUbE9ExjzkDbxxXp0OF8dxQlHU XWhf_KlnSW00w2qJbd0OsWSMaEYR3Esi.kap4EdUdx6bVQwhKstNt9hsiUaQLISfLwItU.kWGsXQ .WJe9yVyuXfLnY2gkk24OTMCTCcb9lY8AVYcS9sl9JWieYqiV8wiud1usqBYs7D4EP44sAoiNV_A I97_JC1Wmv.h3PEoI_ylekw5LXChz00Bx96Bx11la4SS.g6XnrXeHzYHl_coXkEt4FMlF1TjzKmn GhUKPr7_l7wsC3uH1gF5zhmiYsqIgQDmQFPX26PEW7IW7tY_65h3lOXLu9dlITwh408DlkL1WNN2 4LD0kezio5BSYEic5KpsNoFYVbb4FWS7qZfJQlA7iG27_i.YQfWTTP0GbTk4L4YgH1GgT7ixADIH kFsjE5oZyAL2wA5DNeGVHzhIUcDMHBeaReyPu8DcwKo1NM29_9Fpszkcy5rVvAabSrT.0Ac4ePdW Qqi_vAUA2s1f0Hf9yl6CB73skXrNOvLWpU9JIlmi1.DYk6Q3GveH9XOp6vJ9RTykKqdOG1p3_fiL L3j9vnzYaaIpL_KNtJDU2eWHrkuFR3QxlC61TAi2OvNQNRguzgZvCLtHxnR1_FwzJzXFIWw23U_F 8.UCN3jzQj2eTmYWOeyHqwSS0lf0b3C49.nUtYvMuTchliknCwUANAihpg1w8Tlw3UIoWOb7vS81 0GlrYRgE4Z8PGQp2oefuY3mgrGHNzVeA1r0U804GXzYByrcMC8SAPcPpBvA63P4XbfwQFzxur1en n7_WZm1fvr0mxLPN8BX1AfEB5Q0q7Kc9M8B8XpKLlEdeXKFs2b5nfjGzxGd9sMOBMc2gq0gjkl2W jK6SGFglyas8ePanukAWM68CKMl6ekkQ4gpqZxda7BGDvAhaFFozexnDd9TAK139mZRuL45PEwva nxYhfOqWMLI6c_HAb343_b9fzQBaXgidYJGsY57Tqfgdsw5LvykExp7La5TmJDQcfnZKfahhUets jEM4znJ2pVgMbUEwJRPbZO.RgUnnbVh9AT.TLvPcm5OIlwvExPXHI00ipIufMQYwRyrAfgdvabyK BwFnEhz63jw84WzXoTMirIfgd5AbuLpEwieXG5PbWZ.69.bp8Im2LXcyNb9QhjptJGgZ9gPTeO9h 3rqmk.Jxl913pyJbZ02Wqx6D1Lj8k7xaiavmifi.iu_zGlGEJbjzsZtqCvqcTbuea6bhihU6T6n1 lYT7C2BIfc_W99a_o4CwCRVBrAZ_jAuP7Ij6EJ6IWAfyBIOe28w4de3Ya4yH30gphcz7UkFpjU7c Ycl4oHnRX.Ijw.p1HGq6UECGahYMW0TjwwXI85nDMi9C3BWqe0nGDElPsAZSC.H_GeDeZY8V2E3. r4TlNXifjB2N93elfzYQojmZZEG3MKp9P5c6ykXY3k24ZYf1qWrFJzUNERWoFXBXqcUCTf7Dtni2 11hXBAEji6DkO6h2mLruknU8yxfMenyiZ415RWvvE1pHA6dgtJy.HWlXD.6.j2L_g0VEDYjAXAeB iEAPYnWyiY0jdHB2pq4t_1ya0wKi21VNdf9FnYBgvQyvYNkaRHxsjfv0hLuqy9j1HfczCQYeTcNz ASMAGDGkY_1zNf4X_KwhueY2hOtd8pEt15b2wmaJPkqtD_k3Cjy6UvNIYeXm41QZlxB4k5MPWw14 ntKQ0QqdNd7VKsEzwM1lyNySfKob_C.Gqlbrx.UmpGmnvyba9rRt0YDm5aklxNJfOBoPdnyU5gpH lEU_Yl_Bad48NIfDxhvRsbZYmIzi_8.sgiw9Xp_I4Y2J9eNE03Uk0grRD97Sz2xv7Q2y3ZMCDZwl 9tatBxM8WIeh9zmwTtxY8y3w_3BkbwpA3lnWUlxsBvFkfK0UvBqJKv5z0VCURzCtaETQCk5LkdIl vW9OumaF6EDxzE0nVLiBJZ3jjn.dCR1LxM8mVGzpMCNzqbpS3mCCki6KPkv5ojIE0mrrVQicVWdJ rZpLxNFODr0DKrrVLg3VwWFbjLEaxCvWiJowS_N.3nuyY4v7xXktInvx6VoUvXeBk6aJiHtWEJMd sQ4dsqU07mHi3h20pCXby5hKNiFO3KwHSpk0IM6bNHdILk.hhKInGRodD
[Mailman-Users] Re: CenturyTel bouncing mail from one specific AOL list member
At Tue, 15 Jun 2021 09:18:40 -0400 Jayson Smith wrote: > > Hi, > > > I'm having trouble with one of my lists. CenturyTel is bouncing mail > from one specific AOL user. The Mailman munge from is working as > expected, and I even tried configuring mm_cfg.py to strip incoming DKIM > signatures. However, as you'll see, CenturyTel is still complaining of a > bad DKIM signature. No one else is. The incoming mail seems to include a > DKIM signature as a nonstandard header, maybe CenturyTel knows to look > for this, and is throwing a fit when it fails to verify? > > > I've pasted below the bounce and the headers of the original message, > with all private info X'd out. Any thoughts about what's going on, or > what to do about it? I have a couple of questions. The headers show that this user is using "iPad Mail (18F72)". 1) Is this the *only* @aol.com user on your list? 1A) Do you have any @yahoo.com or @verizon.net users? 2) Do you know if any of the other @aol.com, @yahoo.com, or @verizon.net users also using "iPad Mail (18F72)"? > > > Thanks, > > > Jayson > > > > > > The original message was received at Tue, 15 Jun 2021 06:21:30 -0400 > from localhost [127.0.0.1] > > - The following addresses had permanent fatal errors - > > (reason: 554 5.7.1 [P-101] Failed DKIM Authentication: permfail > (signature did not verify)) > > - Transcript of session follows - > ... while talking to mx.centurylink.net.: > >>> DATA > <<< 554 5.7.1 [P-101] Failed DKIM Authentication: permfail (signature > did not verify) > 554 5.0.0 Service unavailable > > > > == > > Return-Path: > Received: from [127.0.0.1] (localhost [127.0.0.1]) > by bluegrasspals.com (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTP > id > 15FALSRU026677 > for ; Tue, 15 Jun 2021 06:21:30 -0400 > DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=bluegrasspals.com; > s=default; t=1623752490; > bh=24CUhP05iIsyC0G3FHT2ldx12tu+uz6AwzHIUiMK7Kg=; > h=Date:References:Subject:List-Id:List-Unsubscribe:List-Archive: > List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:To:From; > b=jkYBn/0VT0JJCiFDtNHp+iKo1jFwm2SSVrRa61q39SMFlMH7t9239eJ1icplXJ0LK > n0U29ph/i4g+R3SClDOwHylZ2Hu3dhsKqsRygyWc27obmbgrBE0QDsJAeIyJ9NFmTy > 1/I+ZvFTnPu2Ks0+m+Pzhs6KsTEdcS5k08auq1ao= > Received: from sonic302-2.consmr.mail.bf2.yahoo.com > (sonic302-2.consmr.mail.bf2.yahoo.com [74.6.135.41]) > by bluegrasspals.com (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id > 15FALOhI026595 > (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) > for ; Tue, 15 Jun 2021 06:21:25 -0400 > X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; > s=s2048; > t=1623752483; bh=Ds3LXRx+BOvjxdRl25AO7ofXzYqWCrmKvce2gThkX/H=; > h=X-Sonic-MF:From:Date:Subject:To:From:Subject; > > b=CBgThKtZkAQo7thcnyqsK4Gj9aHFj2u4LIbWzQD4DwhOTWayZAhCf705dAnfjwq05KeBa5rObxyPxM//bwG9rQfGO46Sn6I0ghTuYyPN/u16yocbAw/mU+QI24lVInoFCpMtWoaTybZAvlrQdq6dVbkrsVTneMI5SQVibcKtilkoBE6h6l3usK5NiUB5/wniQ7ix6zgDirR8apQmDLNIohVY0OVm5JhMifig45LmFrWimjmeJi3XnawZ/NoQomcC8A9KBWV7Hm82nekoNTsx8DNbfK02IYXClJhqgEABEF+lSbHf7PBF0fg6gz0yAWqoJ5WCcoRql+tv0SY+aIiRaA== > X-YMail-OSG: XfIgwYIVM1nHydw5YfeXAbXdIV8C_q_OSd.mDYUbE9ExjzkDbxxXp0OF8dxQlHU > > XWhf_KlnSW00w2qJbd0OsWSMaEYR3Esi.kap4EdUdx6bVQwhKstNt9hsiUaQLISfLwItU.kWGsXQ > > .WJe9yVyuXfLnY2gkk24OTMCTCcb9lY8AVYcS9sl9JWieYqiV8wiud1usqBYs7D4EP44sAoiNV_A > > I97_JC1Wmv.h3PEoI_ylekw5LXChz00Bx96Bx11la4SS.g6XnrXeHzYHl_coXkEt4FMlF1TjzKmn > > GhUKPr7_l7wsC3uH1gF5zhmiYsqIgQDmQFPX26PEW7IW7tY_65h3lOXLu9dlITwh408DlkL1WNN2 > > 4LD0kezio5BSYEic5KpsNoFYVbb4FWS7qZfJQlA7iG27_i.YQfWTTP0GbTk4L4YgH1GgT7ixADIH > > kFsjE5oZyAL2wA5DNeGVHzhIUcDMHBeaReyPu8DcwKo1NM29_9Fpszkcy5rVvAabSrT.0Ac4ePdW > > Qqi_vAUA2s1f0Hf9yl6CB73skXrNOvLWpU9JIlmi1.DYk6Q3GveH9XOp6vJ9RTykKqdOG1p3_fiL > > L3j9vnzYaaIpL_KNtJDU2eWHrkuFR3QxlC61TAi2OvNQNRguzgZvCLtHxnR1_FwzJzXFIWw23U_F > > 8.UCN3jzQj2eTmYWOeyHqwSS0lf0b3C49.nUtYvMuTchliknCwUANAihpg1w8Tlw3UIoWOb7vS81 > > 0GlrYRgE4Z8PGQp2oefuY3mgrGHNzVeA1r0U804GXzYByrcMC8SAPcPpBvA63P4XbfwQFzxur1en > > n7_WZm1fvr0mxLPN8BX1AfEB5Q0q7Kc9M8B8XpKLlEdeXKFs2b5nfjGzxGd9sMOBMc2gq0gjkl2W > > jK6SGFglyas8ePanukAWM68CKMl6ekkQ4gpqZxda7BGDvAhaFFozexnDd9TAK139mZRuL45PEwva > > nxYhfOqWMLI6c_HAb343_b9fzQBaXgidYJGsY57Tqfgdsw5LvykExp7La5TmJDQcfnZKfahhUets > > jEM4znJ2pVgMbUEwJRPbZO.RgUnnbVh9AT.TLvPcm5OIlwvExPXHI00ipIufMQYwRyrAfgdvabyK > > BwFnEhz63jw84WzXoTMirIfgd5AbuLpEwieXG5PbWZ.69.bp8Im2LXcyNb9QhjptJGgZ9gPTeO9h > > 3rqmk.Jxl913pyJbZ02Wqx6D1Lj8k7xaiavmifi.iu_zGlGEJbjzsZtqCvqcTbuea6bhihU6T6n1 > > lYT7C2BIfc_W99a_o4CwCRVBrAZ_jAuP7Ij6EJ6IWAfyBIOe28w4de3Ya4yH30gphcz7UkFpjU7c > > Ycl4oHnRX.Ijw.p1HGq6UECGahYMW0TjwwXI
[Mailman-Users] CenturyTel bouncing mail from one specific AOL list member
Jayson Smith writes: > I'm having trouble with one of my lists. CenturyTel is bouncing mail > from one specific AOL user. The Mailman munge from is working as > expected, and I even tried configuring mm_cfg.py to strip incoming DKIM > signatures. However, as you'll see, CenturyTel is still complaining of a > bad DKIM signature. No one else is. Have you checked if everyone is seeing the email (see below)? > The incoming mail seems to include a DKIM signature as a > nonstandard header, maybe CenturyTel knows to look for this, and is > throwing a fit when it fails to verify? The X-SONIC-DKIM-SIGN field is just an unknown field as far as a properly implemented MTA is concerned. Theoretically CenturyTel is upset about that, but there's a much simpler explanation: failed DMARC >From alignment (to use the technical term), which is what I suspect "Failed DKIM Authentication" means. AOL publishes a DMARC p=reject policy, which means that a recipient must reject (return to sender) or discard the email (without notifying the sender) if From alignment fails. (This cannot be enforced. Gmail, for example, usually puts these in the spam folder rather than rejecting them.) From alignment means that the domain of the email in the From header matches the domain in the d= field of at least one valid DKIM-Signature in the header. In the case of the header you appended, there is one valid DKIM signature, it is the one very near the top of the header, and it has d=bluegrasspals.com. The domain of the From address is aol.com, so they are not aligned, and conforming MTAs will reject. Almost all non-conforming MTAs that implement DMARC will quarantine the email, usually in the spam folder. So as far as I can tell, CenturyTel is a conforming implementation, and behaving correctly given the header you posted. I suspect the reason that you're not hearing complaints from other MTAs is that they're all discarding the email with extreme prejudice. I guess that X-SONIC-DKIM-SIGN was originally a valid DKIM-Signature header. By the time it got to sonic302.consmr.mail.bf2.yahoo.com, either the message was corrupt (so DKIM validation failed) or sonic302 recognized that DMARC From alignment was sure to fail, and so "fixed up" the header (perhaps for debugging purposes). So, this user's emails are going to be discarded by a large minority, if not the vast majority, of sites because they're using an AOL address in From and sending via Yahoo!: Received: by kubenode547.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 754de18d9b1eebb7367c2043d8067b87; Tue, 15 Jun 2021 10:21:22 + (UTC) Tell them to stop doing that. Although I recognize that's often easier said than done, unfortunately, that's where my advice ends (I live in Japan, so mercifully never have to deal with the goat rodeo that is Verizon/Yahoo/AOL). Perhaps somebody else can take it from here and explain how your poor AOL user can get their mail through. Of course, their best course of action is to switch to Gmail or some other competent provider, but users often resist that. Steve -- Mailman-Users mailing list -- mailman-users@python.org To unsubscribe send an email to mailman-users-le...@python.org https://mail.python.org/mailman3/lists/mailman-users.python.org/ Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/ https://mail.python.org/archives/list/mailman-users@python.org/
[Mailman-Users] #mailman irc channel moving to libera.chat
Hey Everyone, As some of you might already know that Freenode IRC server now has new owners and most of the volunteer staff have decided to move away from it to create a new IRC server libera.chat[1] due to the policies of the new owners. Along with many other open source projects, we have also decided to move away from freenode to use libera.chat instead. We have registered #mailman there and will be using that as primary IRC channel for Mailman things. Freenode has also decided to drop all registrations, so, #mailman channel there is no longer registered to any member of Mailman Core team as of some time earlier today (Tue June 15th). [1]: https://libera.chat/ -- thanks, Abhilash Raj (maxking) -- Mailman-Users mailing list -- mailman-users@python.org To unsubscribe send an email to mailman-users-le...@python.org https://mail.python.org/mailman3/lists/mailman-users.python.org/ Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/ https://mail.python.org/archives/list/mailman-users@python.org/
[Mailman-Users] Re: CenturyTel bouncing mail from one specific AOL list member
Hi, I tend to disagree, based on the following line: From: "F XxxxL via wxxxe" From what I see in this line, it seems that Mailman is properly munging the problematic AOL From: line, which should in theory make the whole AOL/Yahoo DMARC policy irrelevant. Thoughts? Jayson On 6/15/2021 1:24 PM, Stephen J. Turnbull wrote: Jayson Smith writes: > I'm having trouble with one of my lists. CenturyTel is bouncing mail > from one specific AOL user. The Mailman munge from is working as > expected, and I even tried configuring mm_cfg.py to strip incoming DKIM > signatures. However, as you'll see, CenturyTel is still complaining of a > bad DKIM signature. No one else is. Have you checked if everyone is seeing the email (see below)? > The incoming mail seems to include a DKIM signature as a > nonstandard header, maybe CenturyTel knows to look for this, and is > throwing a fit when it fails to verify? The X-SONIC-DKIM-SIGN field is just an unknown field as far as a properly implemented MTA is concerned. Theoretically CenturyTel is upset about that, but there's a much simpler explanation: failed DMARC >From alignment (to use the technical term), which is what I suspect "Failed DKIM Authentication" means. AOL publishes a DMARC p=reject policy, which means that a recipient must reject (return to sender) or discard the email (without notifying the sender) if From alignment fails. (This cannot be enforced. Gmail, for example, usually puts these in the spam folder rather than rejecting them.) From alignment means that the domain of the email in the From header matches the domain in the d= field of at least one valid DKIM-Signature in the header. In the case of the header you appended, there is one valid DKIM signature, it is the one very near the top of the header, and it has d=bluegrasspals.com. The domain of the From address is aol.com, so they are not aligned, and conforming MTAs will reject. Almost all non-conforming MTAs that implement DMARC will quarantine the email, usually in the spam folder. So as far as I can tell, CenturyTel is a conforming implementation, and behaving correctly given the header you posted. I suspect the reason that you're not hearing complaints from other MTAs is that they're all discarding the email with extreme prejudice. I guess that X-SONIC-DKIM-SIGN was originally a valid DKIM-Signature header. By the time it got to sonic302.consmr.mail.bf2.yahoo.com, either the message was corrupt (so DKIM validation failed) or sonic302 recognized that DMARC From alignment was sure to fail, and so "fixed up" the header (perhaps for debugging purposes). So, this user's emails are going to be discarded by a large minority, if not the vast majority, of sites because they're using an AOL address in From and sending via Yahoo!: Received: by kubenode547.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 754de18d9b1eebb7367c2043d8067b87; Tue, 15 Jun 2021 10:21:22 + (UTC) Tell them to stop doing that. Although I recognize that's often easier said than done, unfortunately, that's where my advice ends (I live in Japan, so mercifully never have to deal with the goat rodeo that is Verizon/Yahoo/AOL). Perhaps somebody else can take it from here and explain how your poor AOL user can get their mail through. Of course, their best course of action is to switch to Gmail or some other competent provider, but users often resist that. Steve -- Mailman-Users mailing list -- mailman-users@python.org To unsubscribe send an email to mailman-users-le...@python.org https://mail.python.org/mailman3/lists/mailman-users.python.org/ Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/ https://mail.python.org/archives/list/mailman-users@python.org/
