:: [devuan-dev] (forw) [DNG] Excessive…
Author: Rick Moen
To: golinux
CC: devuan-dev
Subject: [devuan-dev] (forw) [DNG] Excessive Bounces
Golinux --

I have a hunch this vague report on Dng (below) is the tip o'the iceberg
of a very familiar and nagging problem, and wish to recommend a fix.
(You may wish to consult other Dyne/Devuan technical people about what
I'm saying. I strongly urge _not_ just putting the issue off.)

The problem is DMARC, a (in my opinion) badly botched but increasingly
common antiforgery technique that numerous sites apply to their outgoing
SMTP e-mail. As described on this GNU Mailman page
(https://wiki.list.org/DEV/DMARC), DMARC causes serious collateral damage
to mailing lists, in that mail transiting a mailing list that originated
from a domain with a strongly asserted DMARC antiforgery policy arrives
at subscribers' mail servers in a condition that then _fails_ DMARC
forgery testing. Receiving sites that check DMARC attestation and
enforce it on behalf of sending domains thus tend to reject perfectly
legitimate mail from those domains because of the handling the mail
encounters transiting through mailing lists.

It's probably not a coincidence that a GMail user reported the problem.
DMARC isn't Google's fault (it is/was Yahoo's fault), but Google/GMail
makes a point of enforcing other domains' antiforgery techniques as
published, so it is very common for this problem to be first reported by
GMail users.

The link above describes several interim measures offered by Mailman
2.1.18 and later (Dng fortunately uses 2.1.23) to _mitigate_ the
collateral damage. I can tell you from my own experience that you
should follow the advice on that page, but I can elaborate with
more-specific instructions:

1 of 2: In the Mailman admin WebUI, visit Privacy options, Sender
filters. Find item 'Action to take when anyone posts to the list from a
domain with a DMARC Reject/Quarantine Policy' (short name
'dmarc_moderation_action'). If my guess is correct, that set of radio
buttons will still be at the Mailman-default setting of 'Accept' (which
means apply no mitigations for the DMARC problem). I recommend this be
changed to 'Munge from'.

Help text about 'Munge from' says:

Munge From -- applies the from_is_list Munge From transformation to
these messages.

2 of 2: On the same page, next item is 'Shall the above
dmarc_moderation_action apply to messages From: domains with DMARC
p=quarantine as well as p=reject' (short name
'dmarc_quarantine_moderation_action'). I recommend this be changed from
'No' (Mailman default) to 'Yes'.

Then, apply the 'Submit Your Changes' button at page bottom, to make the
two changes take effect.

Here is what the built-in help text has to say about from_is_list, and
its 'Munge From' choice:

from_is_list (general): Replace the From: header address with the
list's posting address to mitigate issues stemming from the original
From: domain's DMARC or similar policies.

Several protocols now in wide use attempt to ensure that use of the
domain in the author's address (ie, in the From: header field) is
authorized by that domain. These protocols may be incompatible with
common list features such as footers, causing participating email
services to bounce list traffic merely because of the address in the
From: field. This has resulted in members being unsubscribed despite
being perfectly able to receive mail.

The following actions are applied to all list messages when selected
here. To apply these actions only to messages where the domain in the
From: header is determined to use such a protocol, see the
dmarc_moderation_action settings under Privacy options... -> Sender

  Munge From
     This action replaces the poster's address in the From: header with
     the list's posting address and adds the poster's address to the
     addresses in the original Reply-To: header.

The effect of this two-part change is, on any subscriber mail
originating from a domain with a strongly asserted DMARC policy, to
rewrite the From: header on all of the retransmitted copies sent out to
subscribers, stripping out the real sender and substituting a variant of
the mailing list's address. Meanwhile, the real sender address gets
preserved by being recorded to a new Reply-To header.

The reason this fixes violation of DMARC is that the retransmitted copy
sent out to subscribers will no longer be vetted against the original
sender's domain's DMARC policy, but rather the mailing list domain's
DMARC policy (if any).

The above is an ugly kludge, but is the least-bad way to deal with the
DMARC problem that is currently available in Mailman.

I strongly, strongly urge the above be done fairly soon, otherwise you
really _are_ going to suffer many people getting 'excessive bounces',
which are actually rejections at the GMail inbound receipt stage on
grounds of DMARC failure, and then those people getting unsubscribed.

(It's not a GMail-specific problem, I should repeat.)

----- Forwarded message from Linux O'Beardly <linux.obeardly@???> -----

Date: Sun, 28 Oct 2018 21:40:57 -0400
From: Linux O'Beardly <linux.obeardly@???>
To: dng@???
Subject: [DNG] Excessive Bounces

Hey all,

Is anyone else using a gmail account getting excessive bounce errors from
the DNG mailing list? It keeps locking out my account. I'm not having any
issues with any of my other mailing lists.

Linux O'Beardly

Dng mailing list

----- End forwarded message -----
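
The two settings recommended in the message above, modelled as an added example (not part of the original e-mail and not Mailman's own code): From: is rewritten only when the poster's domain publishes p=reject, or p=quarantine when the second setting is 'Yes'. The domains, DMARC records, list address and the "via" display-name format are constructed assumptions; a real check would query the _dmarc TXT record in DNS.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses, parseaddr

# Constructed DMARC TXT records standing in for DNS lookups of _dmarc.<domain>.
DMARC_TXT = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "careful.example": "v=DMARC1; p=quarantine",
    "relaxed.example": "v=DMARC1; p=none",
}

def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if no record."""
    record = DMARC_TXT.get(domain.lower())
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = dict(
        (k.strip().lower(), v.strip().lower())
        for k, _, v in (part.partition("=") for part in record.split(";"))
        if k.strip()
    )
    return tags.get("p")

def munge_from(raw, list_addr, list_name, quarantine_too=True):
    """Simplified model of 'Munge from'; returns (message, was_munged)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    policy = dmarc_policy(addr.rpartition("@")[2])
    if policy != "reject" and not (quarantine_too and policy == "quarantine"):
        return msg, False  # behaves like 'Accept': headers untouched
    # Keep the poster reachable: append to any existing Reply-To addresses.
    replies = getaddresses(msg.get_all("Reply-To", []))
    if addr.lower() not in (a.lower() for _, a in replies):
        replies.append((name, addr))
    del msg["Reply-To"]
    msg["Reply-To"] = ", ".join(formataddr(r) for r in replies)
    # From: now carries the list's domain, so receivers test that domain's policy.
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    return msg, True

SAMPLE = (  # constructed message
    "From: Alice Example <alice@strict.example>\n"
    "To: list@lists.example\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    out, changed = munge_from(SAMPLE, "list@lists.example", "List")
    print(changed, out["From"], "|", out["Reply-To"])
```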