Re: Bug#1043539: project: Forwarding of @debian.org mails to gmail broken

2023-08-13 Thread Stephen Frost
Greetings,

* Russ Allbery (r...@debian.org) wrote:
> Cord Beermann  writes:
> 
> > As listmaster I can confirm that it is a big problem to deliver Mails to
> > gmail/outlook/yahoo. Yahoo Subscribers are mostly gone by now because
> > they bounced a lot, for gmail it is so much that we just ignore bounces
> > because of those rules.
> 
> Yes, I gave up for the mailing lists I run and just rewrite the From
> address to be the address of the list and move the actual sender to
> Reply-To, and I see other technical mailing lists like the glibc lists
> have started doing this as well (using the built-in Mailman feature, which
> can optionally do this only if the sender domain has SPF/DMARC records).

The answer that we (PostgreSQL folks, at least) went with was to stop
breaking DKIM because that's just a bad approach to take these days with
mailing lists.  If you're curious about what PostgreSQL and now SPI are
using for our lists, it's called pgLister and is here: 

https://gitlab.com/pglister/pglister

Others have hacked up mailman to make it stop breaking DKIM too (though
it's pretty grotty how they did it, I'll admit).

Yes, yes, I know that means a bunch of mailman features aren't
available.  We've managed to survive even without them.

Thanks,

Stephen




Bug#1043539: project: Forwarding of @debian.org mails to gmail broken

2023-08-13 Thread Stephen Frost
Greetings,

* Cord Beermann (c...@debian.org) wrote:
> As listmaster I can confirm that it is a big problem to deliver Mails to
> gmail/outlook/yahoo. Yahoo Subscribers are mostly gone by now because they
> bounced a lot, for gmail it is so much that we just ignore bounces because of
> those rules. 

As a maintainer of some pretty big lists ... we don't have *that* much
trouble delivering to gmail, or others for that matter.

> | helgefjell.de descriptive text "v=spf1 ip4:142.132.201.35 mx ~all"
> 
> so you flagged your mail has to come from that IP (or the MX) and from other
> sources it should be considered suspicious.

... but if it's DKIM signed, then it'll generally get delivered
properly.

> SRS/ARC and so on are just dirty patches that try to fix things that were
> broken before, but they will break even more things like Mail signing.

ARC doesn't break DKIM signatures (unless someone's got a very broken
DKIM setup which over-signs ARC headers ... but if so, then that's on
them).

Thanks,

Stephen




Bug#1043539: project: Forwarding of @debian.org mails to gmail broken

2023-08-13 Thread Stephen Frost
Greetings,

* Mattia Rizzolo (mat...@debian.org) wrote:
> Alternatively, I wonder if ARC nowadays is respected enough (and if
> Google cares about it)... I personally don't have any system with ARC
> under my care.

Sadly, no, they don't seem to care one bit about ARC, except possibly if
it's their own ARC sigs.

If someone has some idea how to get them to care about ARC, I'd love to
hear about it, as I have folks on the one hand who view DKIM/DMARC as
too painful to set up but then they end up with bounces from gmail due
to my forwarding of messages through my server (which are being
ARC-signed by it and pass on that the SPF check was successful when they
arrived to my server)...

I'd encourage everyone running their own email servers to please get
DKIM/DMARC/ARC/SPF set up.  Yeah, it's annoying, but it's not actually
all *that* bad to do.

Thanks,

Stephen




Re: Bug#1043539: project: Forwarding of @debian.org mails to gmail broken

2023-08-13 Thread Russ Allbery
Cord Beermann  writes:

> As listmaster I can confirm that it is a big problem to deliver Mails to
> gmail/outlook/yahoo. Yahoo Subscribers are mostly gone by now because
> they bounced a lot, for gmail it is so much that we just ignore bounces
> because of those rules.

Yes, I gave up for the mailing lists I run and just rewrite the From
address to be the address of the list and move the actual sender to
Reply-To, and I see other technical mailing lists like the glibc lists
have started doing this as well (using the built-in Mailman feature, which
can optionally do this only if the sender domain has SPF/DMARC records).

-- 
Russ Allbery (r...@debian.org)  



Bug#1043539: project: Forwarding of @debian.org mails to gmail broken

2023-08-13 Thread Cord Beermann
Hello! You (Russ Allbery) wrote:

>The problem I suspect is with email forwarding, and specifically email
>forwarding to Gmail, which has recently ramped up the amount of
>verification it does on messages.  Because of email forwarding, Gmail sees
>a message purportedly from helgefjell.de but actually delivered by
>debian.org mail servers, and has now decided to be suspicious of that.

>If that's correct, you'll only have this problem with Debian developers
>who forward their @debian.org addresses to Gmail.  Gmail handles some
>large percentage of all email on the Internet, so this probably isn't
>rare, but Debian developers are less likely to use it than random Internet
>users for obvious reasons, so it doesn't surprise me you've not run into
>the problem before.  (In other words, I doubt this is a problem with your
>local configuration.)

As listmaster I can confirm that it is a big problem to deliver Mails to
gmail/outlook/yahoo. Yahoo Subscribers are mostly gone by now because they
bounced a lot, for gmail it is so much that we just ignore bounces because of
those rules. 

If you decide to handle your mails to be curated by someone else you have to
live with an incomplete mailbox. 

| helgefjell.de descriptive text "v=spf1 ip4:142.132.201.35 mx ~all"

so you flagged your mail has to come from that IP (or the MX) and from other
sources it should be considered suspicious.

That's the result.

SRS/ARC and so on are just dirty patches that try to fix things that were
broken before, but they will break even more things like Mail signing.

As long as we have this oligopoly that doesn't care about what they send out
(i.e. spam floods through Outlook) things will only get worse.

Cord
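
Added example, not part of the thread: a Python sketch that evaluates the SPF record quoted in this message for direct delivery, plain forwarding and SRS-style envelope rewriting, then applies the DMARC rule that SPF or DKIM must pass for a domain matching the From: address. The forwarder domain, its IP and SPF record, the MX table and the set of verified DKIM domains are constructed inputs; this models the standards, not Gmail's filtering.

```python
import ipaddress

# SPF record for helgefjell.de as quoted in the thread; everything else is constructed.
SPF = {"helgefjell.de": "v=spf1 ip4:142.132.201.35 mx ~all",
       "forwarder.example": "v=spf1 ip4:192.0.2.10 -all"}
MX_IPS = {"helgefjell.de": ["142.132.201.35"]}  # constructed stand-in for DNS MX lookups
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip):
    """Evaluate the ip4, mx and all mechanisms (a subset of RFC 7208)."""
    record = SPF.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        result = QUALIFIER.get(term[0])
        mech = term[1:] if result else term
        result = result or "pass"          # no qualifier means "+"
        name, _, arg = mech.partition(":")
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return result
        if name == "mx" and client_ip in MX_IPS.get(arg or domain, []):
            return result
        if name == "all":
            return result
    return "neutral"

def dmarc_aligned_pass(from_domain, envelope_domain, client_ip, dkim_ok_domains):
    """True if SPF or DKIM passes for a domain equal to the From: domain."""
    spf_ok = (envelope_domain == from_domain
              and spf_check(envelope_domain, client_ip) == "pass")
    return spf_ok or from_domain in dkim_ok_domains

def scenarios():
    """Return the outcome for each delivery path."""
    sender, fwd_ip = "helgefjell.de", "192.0.2.10"
    return {
        "direct": dmarc_aligned_pass(sender, sender, "142.132.201.35", set()),
        "forwarded": dmarc_aligned_pass(sender, sender, fwd_ip, set()),
        "forwarded+SRS": dmarc_aligned_pass(sender, "forwarder.example", fwd_ip, set()),
        "forwarded+DKIM": dmarc_aligned_pass(sender, sender, fwd_ip, {sender}),
    }

if __name__ == "__main__":
    for path, ok in scenarios().items():
        print(f"{path:15} aligned authentication: {'pass' if ok else 'fail'}")
```

With SRS the SPF check itself passes, but for the forwarder's domain rather than the From: domain, so only an intact DKIM signature from the sender's domain gives an aligned pass after forwarding.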



Bug#1043539: project: Forwarding of @debian.org mails to gmail broken

2023-08-13 Thread Adam D. Barratt
On Sat, 2023-08-12 at 23:13 +0200, Mattia Rizzolo wrote:
> On Sat, Aug 12, 2023 at 01:41:46PM -0700, Russ Allbery wrote:
> > The problem I suspect is with email forwarding, and specifically email
> > forwarding to Gmail, which has recently ramped up the amount of
> > verification it does on messages.  Because of email forwarding, Gmail sees
> > a message purportedly from helgefjell.de but actually delivered by
> > debian.org mail servers, and has now decided to be suspicious of that.
> 
> This is the exact use case that SRS was developed for, however
> gmail's documentation does not recommend that (but the situation, as
> you noted, worsened, so I tried it in some other similar setups and
> everything is great, so...).

They sort of recommend it now. But also not. It's complicated. [tm]

> My understanding is that several DSA members were opposed to using
> SRS for @debian.org forwarding, but maybe it's now time?
> 

That's essentially what's being worked on. But life, and free time, and
other priorities, keep getting in the way.

Regards,

Adam