Author: Rick Moen
Date:
To: dng
Subject: Re: [DNG] Excessive bounces

Quoting Jaromil (jaromil@???):
> I am a bit puzzled about this one, we had some reports of the problem
> so far, which hasn't occurred before on any other dyne list and is not
> really reproducible.
>
> what we notice is that our mail server is under some quite heavy load
> and we are working to move it to a bigger infrastructure by september
>
> however it is highly available already and seems to process
> everything, so I'm not really sure what is happening... any insight is
> welcome.

Might be DMARC validation failure. (Gods, do I ever detest that stuff.)

DMARC is proving to be an utter nightmare for mailing lists, in as much
as they are mail forwarders, and DMARC was IMO botched in its ability to
accommodate the way they work. From memory, and so I'm probably dropping
a bunch of detail: Because MLMs such as Mailman (appropriately) change
the internal SMTP headers upon retransmitting the poster's mail to
subscribers (notably the To: header), it no longer validates against the
sender's domain if it is a DMARC-using one with a strict policy. Yahoo
and Gmail are examples of sending domains with strict DMARC policies.

There is an (IMO unhappy but least-bad-available) kludge setting in
Mailman's admin WebUI to make the MLM compensate for DMARC brain-damage:
You go to Privacy Options, Sender Filters, item 'Action to take when
anyone posts to the list from a domain with a DMARC Reject/Quarantine
Policy' aka dmarc_moderation_action. Change the radio button from
Accept (default) to Munge from.

To quote the help text:

from_is_list (general): Replace the From: header address with the
list's posting address to mitigate issues stemming from the original
From: domain's DMARC or similar policies.

Several protocols now in wide use attempt to ensure that use of the
domain in the author's address (ie, in the From: header field) is
authorized by that domain. These protocols may be incompatible with
common list features such as footers, causing participating email
services to bounce list traffic merely because of the address in the
From: field. This has resulted in members being unsubscribed despite
being perfectly able to receive mail.

The following actions are applied to all list messages when selected
here. To apply these actions only to messages where the domain in the
From: header is determined to use such a protocol, see the
dmarc_moderation_action settings under Privacy options... -> Sender
filters.

Settings:

[...]

Munge From

This action replaces the poster's address in the From: header with the
list's posting address and adds the poster's address to the addresses in
the original Reply-To: header.

So, for example, _if_ my sending domain linuxmafia.com had a strong
DMARC policy (which it doesn't, because I hate DMARC with a passion),
then the 'Munge from' setting would cause my post to Dng to get this
'From: ' header upon retransmission to subscribers:

  From: Rick Moen via Dng <dng@???>

instead of the normal

  From: Rick Moen <rick@???>

The reason this helps sidestep DMARC validation is that it's now no longer
considered needing validation against linuxmafia.com's (hypothetical)
DMARC policy, but rather dyne.org's.

I personally detest this solution because, when I send out my sending
address on a mailing list, it is deliberately there so that people can,
if necessary, contact me offlist. The kludge complicates this, albeit,
if I remember correctly, it tries to compensate for the brain-damage by
inserting a Reply-To as well.

It should be noted that the Munge from kludge thus alters -only- the
postings of subscribers from DMARC-damaged^H^H^H^W^W^W^Wusing domains,
so only _some_ postings will get disfigured in this manner.

Sadly, I recommend opting for this kludge, because otherwise
deliverability suffers.
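
The header rewrite described in the message above, as an added example that is not part of the original post and is not Mailman's own code: it rewrites From: and extends Reply-To: only when the poster's domain has a reject or quarantine policy. The `.example` domains, the list address and the `SAMPLE_POLICIES` table (standing in for DNS lookups) are constructed for the demonstration.

```python
from email.message import EmailMessage
from email.utils import formataddr, getaddresses, parseaddr

# Constructed stand-in for looking up each domain's _dmarc TXT record in DNS.
SAMPLE_POLICIES = {"strict.example": "reject", "relaxed.example": "none"}


def sample_post(from_header):
    """Build a constructed list post with the given From: header."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "dng@lists.example.org"
    msg["Subject"] = "Re: [DNG] Excessive bounces"
    msg.set_content("constructed body\n")
    return msg


def munge_from(msg, list_name, list_addr, policies=SAMPLE_POLICIES):
    """Rewrite From: only for posters whose domain publishes p=reject or
    p=quarantine. Returns True if the message was rewritten."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    if policies.get(domain) not in ("reject", "quarantine"):
        return False  # lenient or no policy: leave the post untouched

    # Keep the poster reachable off-list: add them to any existing Reply-To.
    replies = getaddresses([str(v) for v in msg.get_all("Reply-To", [])])
    if addr.lower() not in {a.lower() for _, a in replies}:
        replies.append((name, addr))
    del msg["Reply-To"]
    msg["Reply-To"] = ", ".join(formataddr(pair) for pair in replies)

    # The From: domain is now the list's, so receivers evaluate the list
    # domain's DMARC policy instead of the poster's.
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    return True


if __name__ == "__main__":
    for sender in ("Rick Moen <rick@strict.example>",
                   "Rick Moen <rick@relaxed.example>"):
        post = sample_post(sender)
        changed = munge_from(post, "Dng", "dng@lists.example.org")
        print(changed, "|", post["From"], "|", post["Reply-To"])
```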