Re: [DNG] excessive bounces

[Rowland Penny via Dng]

On Fri, 4 Jan 2019 21:26:45 +
Rowland Penny via Dng  wrote:

> On Fri, 4 Jan 2019 12:53:48 -0800
> Rick Moen  wrote:
> 
> > Quoting Rowland Penny via Dng (dng@lists.dyne.org):
> > 
> > > Rick, please stop name dropping and please stop, just stop.
> > 
> > Seriously?  I merely asked you, while thanking you for your work on
> > Samba, to please say hullo to three of my friends and sometime
> > co-workers, as they are on the Samba Team with you.  They are in
> > fact exactly that, I like them quite a lot, and I haven't seen them
> > in far too long -- in some cases, since the dot-com collapse.
> 
> Two of the names you mentioned aren't involved much in Samba any more
> and the other lives nearer to you than me. I only mentioned I was a
> member of the Samba team to try and show I know that the problem is
> unlikely to be at my end.
>  
> > 
> > For the rest, I have been trying to assist you -- using my longtime
> > knowledge of how to investigate Mailman/MTA problems involving my
> > own server and that of a number of groups where I'm a longtime
> > listadmin. As such, I've told you who can gather the required
> > data.  If you don't believe me and would rather just pound the
> > table about how you believe the problem isn't at Samba's e-mail
> > server (which is entirely possible, and examining the logs would
> > confirm of deny), then best of luck to you, but I'll definitely not
> > repeat the mistake of trying to help you again.
> 
> Thanks, because you were not helping, I need to know when the mails
> bounced and why and you cannot help with this. Once I get this info, I
> can ssh in and read the relevant logs
> 

OK, after help from Katolaz and Jaromil (again thanks for the help),
and with help from one of my Samba team mates the problem has been
found.
It is all down to an anti-spam rule that Samba uses, the rule is for
any address that is info@, so when 'info at smallinnovations
dot nl' sent an email to the Devuan mailing list and it was then sent
to me, it bounced.

Perhaps that user would like to change to change their email address,
it wont affect me in future because lists.dyne.org has now been added
as an exception, but it could affect others.

Rowland

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Rick Moen]

Quoting Mike Bird (mgb-dev...@yosemite.net):

> I've got a test message trying to go to Rowland and it's running
> into the same problem at samba.org.  

*chuckle*

Don't mind me.  I'm just enjoying this timely visit from the Irony Fairy.


I'd be very surprised if Dng has the bounce processing values set at
anything but Mailman defaults.  Those are described here:
https://www.gnu.org/software/mailman/mailman-admin/node25.html
Oddly, that page doesn't state default values, so those are:

bounce_processing: yes
bounce_score_threshold: 5.0
bounce_info_stale_after: 7
bounce_you_are_disabled_warnings: 3
bounce_you_are_disabled_warnings_interval: 7
bounce_unrecognized_goes_to_list_owner: yes
bounce_notify_owner_on_disable: yes
bounce_notify_owner_on_removal: yes

Softfails such as those you describe from the samba.org SMTP host cause
(when delivered back to Mailman) Mailman to increment subscriber's
bounce score by 0.5 for each softfail notice from the subscriber's MTA.

You speak of 'the retry parameters of this list':  That's decided by MTA 
policy (on the mailing list host), not by the MLM software.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Mike Bird]

On Fri January 4 2019 13:33:57 marc wrote:
> Also: This isn't strictly a problem, but the highest priority
> mail handler for samba.org doesn't seem to be running a mail server
> at the moment:
>
> samba.org.  7200IN  MX  5 ns1.samba.org.
> samba.org.  7200IN  MX  9 ns1.samba.org.
> samba.org.  7200IN  MX  7 smtp.samba.org.
>
> ;; Query time: 441 msec
> ;; SERVER: 196.22.160.5#53(196.22.160.5)
> ;; WHEN: Fri Jan  4 21:26:52 2019
> ;; MSG SIZE  rcvd: 84
>
> ~$ telnet ns1.samba.org 25
> Trying 144.76.82.137...
> Connection failed: Connection refused
> Trying 2a01:4f8:192:486::b0...
> telnet: Unable to connect to remote host: Network is unreachable

I've got a test message trying to go to Rowland and it's running
into the same problem at samba.org.  That test message should go
through eventually but I don't know the retry and bounce parameters
of this list so it's quite possible that a few failures could result
in a bounce.

Rowland, it looks like you need to ssh in and fix samba.org's MX.

--Mike

[Rowland cc'd because of bounces]
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Rick Moen]

Quoting marc (marc...@welz.org.za):

> I see that smtp.samba.org seems to run exim - are the others 
> experiencing bounces and disabled subscriptions also running exim ? 

[Just so Dyne.org volunteers needn't explore that:]

Exim runs SMTP on my linuxmafia.org host:   No pattern of bounces, no
MLM-disabling of my subscription's delivery.   I've been subscribed since
mid-2016.

-- 
Cheers,"He who laughs last, lasts."
Rick Moen   -- Leo Rosten
r...@linuxmafia.com
McQ! (4x80)
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Mike Bird]

On Fri January 4 2019 13:31:59 Rick Moen wrote:
> As I've mentioned upthread, I am a (friendly) _outsider_ to Dyne.org, who
> runs and administers Mailman and MTAs elsewhere -- and as such have no
> access to Dyne's MTA and MLM logs (nor samba.org's MTA logs).  The best
> help I could think of to give Rowland was to strongly suggest that he
> contact the sysadmin teams (not the listadmns) of the hosts involved.

TTBOMK bounce notifications if they happen happen immediately following
a bounce.

Assuming Rowland has received one or more bounce notifications from
Mailman he can "ssh in and read the relevant logs" for a short period
of time leading up to each bounce notification, as there should be
at least one bounce during that time period.

--Mike
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[marc]

> Yes, I am totally aware of the above, but, as there is absolutely no
> reason for the dng mails sent to me being bounced and that others have
> had this happen to them, I feel the problem could be at the dng end.

Maybe it is emergent (heh!) problem requiring a particular combination
of sending and receiving software ? 

I see that smtp.samba.org seems to run exim - are the others 
experiencing bounces and disabled subscriptions also running exim ? 

Also: This isn't strictly a problem, but the highest priority
mail handler for samba.org doesn't seem to be running a mail server
at the moment:

samba.org.  7200IN  MX  5 ns1.samba.org.
samba.org.  7200IN  MX  9 ns1.samba.org.
samba.org.  7200IN  MX  7 smtp.samba.org.

;; Query time: 441 msec
;; SERVER: 196.22.160.5#53(196.22.160.5)
;; WHEN: Fri Jan  4 21:26:52 2019
;; MSG SIZE  rcvd: 84

~$ telnet ns1.samba.org 25
Trying 144.76.82.137...
Connection failed: Connection refused
Trying 2a01:4f8:192:486::b0...
telnet: Unable to connect to remote host: Network is unreachable

regards

marc
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Rick Moen]

Quoting Mike Bird (mgb-dev...@yosemite.net):

> I've been running mail servers and mailing lists for more than two
> decades.
> 
> Rick if you can give Rowland specific times (+timezone) of some
> bounces that would assist Rowland's admins in finding the actual
> reason for the bounces in his mail server's logs.

Thank you, Mike, for attempting to help.  

As I've mentioned upthread, I am a (friendly) _outsider_ to Dyne.org, who
runs and administers Mailman and MTAs elsewhere -- and as such have no
access to Dyne's MTA and MLM logs (nor samba.org's MTA logs).  The best
help I could think of to give Rowland was to strongly suggest that he
contact the sysadmin teams (not the listadmns) of the hosts involved.

FWIW, Mailman listadmins cannot produce the timestamps of 'bounce'
events unless they are also shell users.  I assist Dyne.org's listadmins
on some matters, and know that at least one of those listadmins lacks
shell access (and would speculate that the others do, too).  As I
mentioned, reading MTA logs typically requires root shell, while Mailman
logs merely require shell.

I wish Rowland luck, but will not be assisting further with this
problem.  (If you can think of a way for Dyne.org's listadmin to look up
'bounce' timestamps without host shell access, please help them do so.
Thanks.)

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Rowland Penny via Dng]

On Fri, 4 Jan 2019 12:53:48 -0800
Rick Moen  wrote:

> Quoting Rowland Penny via Dng (dng@lists.dyne.org):
> 
> > Rick, please stop name dropping and please stop, just stop.
> 
> Seriously?  I merely asked you, while thanking you for your work on
> Samba, to please say hullo to three of my friends and sometime
> co-workers, as they are on the Samba Team with you.  They are in fact
> exactly that, I like them quite a lot, and I haven't seen them in far
> too long -- in some cases, since the dot-com collapse.

Two of the names you mentioned aren't involved much in Samba any more
and the other lives nearer to you than me. I only mentioned I was a
member of the Samba team to try and show I know that the problem is
unlikely to be at my end.
 
> 
> For the rest, I have been trying to assist you -- using my longtime
> knowledge of how to investigate Mailman/MTA problems involving my own
> server and that of a number of groups where I'm a longtime listadmin.
> As such, I've told you who can gather the required data.  If you don't
> believe me and would rather just pound the table about how you believe
> the problem isn't at Samba's e-mail server (which is entirely
> possible, and examining the logs would confirm of deny), then best of
> luck to you, but I'll definitely not repeat the mistake of trying to
> help you again.

Thanks, because you were not helping, I need to know when the mails
bounced and why and you cannot help with this. Once I get this info, I
can ssh in and read the relevant logs

Rowland
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Mike Bird]

I've been running mail servers and mailing lists for more than two
decades.

Rick if you can give Rowland specific times (+timezone) of some
bounces that would assist Rowland's admins in finding the actual
reason for the bounces in his mail server's logs.

--Mike
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Rick Moen]

Quoting Rowland Penny via Dng (dng@lists.dyne.org):

> Rick, please stop name dropping and please stop, just stop.

Seriously?  I merely asked you, while thanking you for your work on
Samba, to please say hullo to three of my friends and sometime
co-workers, as they are on the Samba Team with you.  They are in fact
exactly that, I like them quite a lot, and I haven't seen them in far
too long -- in some cases, since the dot-com collapse.

For the rest, I have been trying to assist you -- using my longtime
knowledge of how to investigate Mailman/MTA problems involving my own
server and that of a number of groups where I'm a longtime listadmin.
As such, I've told you who can gather the required data.  If you don't
believe me and would rather just pound the table about how you believe
the problem isn't at Samba's e-mail server (which is entirely possible,
and examining the logs would confirm of deny), then best of luck to you,
but I'll definitely not repeat the mistake of trying to help you again.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Rowland Penny via Dng]

On Fri, 4 Jan 2019 11:56:29 -0800
Rick Moen  wrote:

> Correcting mistype:
> 
> > Please, let's work through the scenario.  You as rpe...@samba.org
> > subscribe to dng@lists.dyne.org.  Hypothetically for purposes of
> > discussion, for some reason the samba.org SMTP host occasionally 
> > does either SMTP error code 45x tempfail or 45x hardfail of
> > subscriber
>   ^^^   '55x'
> > copies of a Dng post addressed to you.
> 

Rick, please stop name dropping and please stop, just stop.

I have no reason to believe the problem is at the Samba's email server,
very little gets stopped by it.

All I am asking is for some one (probably the person who gets the
bounce reports, if there are such things) to tell me when the mails
were bounced and why.

If you can do this Rick, then great, otherwise, please keep quite.

This happens on a regular basis and not just to me.

Rowland


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Rick Moen]

Correcting mistype:

> Please, let's work through the scenario.  You as rpe...@samba.org
> subscribe to dng@lists.dyne.org.  Hypothetically for purposes of
> discussion, for some reason the samba.org SMTP host occasionally 
> does either SMTP error code 45x tempfail or 45x hardfail of subscriber
  ^^^   '55x'
> copies of a Dng post addressed to you.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Rick Moen]

Quoting Rowland Penny via Dng (dng@lists.dyne.org):

> Because, if the mails were bouncing, someone would get the bounce
> reports and tell me. I get bounce reports for the samba and
> samba-technical mailing lists (I am one of the moderators), so I know
> what they look like.

Please, let's work through the scenario.  You as rpe...@samba.org
subscribe to dng@lists.dyne.org.  Hypothetically for purposes of
discussion, for some reason the samba.org SMTP host occasionally 
does either SMTP error code 45x tempfail or 45x hardfail of subscriber
copies of a Dng post addressed to you.  Any SMTP Non-Delivery Report
(NDR) or Delivery Status Notification (DSN) notice would be generated
not at samba.org but rather at lists.dyne.org, right?  

Moreover, if for some reason a report were generated at samba.org about
the SMTP refusal, logically it would go to the samba.org sysadmins, not
to Samba 'list moderators' (or listadmins), because the latter have
responsibility for Samba's mailing lists, not Dyne.org's.

That's the model I've been used to, so unless I'm missing something very
different about your situation, the right people to check logs would be
the ones I described.

> Are you aware that I am one of the Samba team members ?

I am, indeed, and I sincerely thank you and the rest of your and the
rest of the Samba Team's work.  Please say a cheery 'Hullo' to my
friends and erstwhile co-workers Andrew Tridgell, Jeremy Allison, and
Rusty Russell.



> Yes, I am totally aware of the above, but, as there is absolutely no
> reason for the dng mails sent to me being bounced and that others have
> had this happen to them, I feel the problem could be at the dng end.

If so, that's good news, because once appropriate people look at the
appropriate log files, it should be possible to figure out why (it is
claimed) some Dng mail addressed to you from lists.dyne.org keeps
getting either tempfailed or hardfailed.  I would encourage you to
concentrate on contacting one or both sysadmin teams.

If I had shell with root privilege on either the samba.org or
lists.dyne.org host, I'd have been glad to do that work, but sadly I'm
an outsider to both projects.

I apologoise for requiring _three_ responses last night to cover this
matter, but it was quite late in my time zone, and I was rather tired.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Rowland Penny via Dng]

On Fri, 4 Jan 2019 04:21:28 -0800
Rick Moen  wrote:

> Quoting Rowland Penny via Dng (dng@lists.dyne.org):
> > 
> > It has happened again, my membership to this list has been disabled
> > due to excessive bounces. I am fairly sure this isn't true, or I
> > would have told by one of the Samba team list moderators.
>
> 
> Sorry, just noticed the underlined bit.  {scratches head}  It's a
> mystery to me how and why Samba's _list moderators_ (by which I'm
> guessing you mean Samba's listadmins) would even have relevant data,
> let alone convey it to you.

Because, if the mails were bouncing, someone would get the bounce
reports and tell me. I get bounce reports for the samba and
samba-technical mailing lists (I am one of the moderators), so I know
what they look like.

Are you aware that I am one of the Samba team members ?
 
> 
> Solving these problems, in my experience, requires at minimum
> involvement by site sysadmins with access to read MTA logs one one or
> both end (mailing list manager = MLM host and your receiving SMTP
> host), and preferably also the MLM's logs.  Mailman's logs are by
> default world-readable by shell users.  Typically, MTA logs are not.
> 

Yes, I am totally aware of the above, but, as there is absolutely no
reason for the dng mails sent to me being bounced and that others have
had this happen to them, I feel the problem could be at the dng end.

Rowland
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Rick Moen]

Quoting Rowland Penny via Dng (dng@lists.dyne.org):
> 
> It has happened again, my membership to this list has been disabled due to
> excessive bounces. I am fairly sure this isn't true, or I would have
> told by one of the Samba team list moderators.
   

Sorry, just noticed the underlined bit.  {scratches head}  It's a
mystery to me how and why Samba's _list moderators_ (by which I'm
guessing you mean Samba's listadmins) would even have relevant data,
let alone convey it to you.

Solving these problems, in my experience, requires at minimum
involvement by site sysadmins with access to read MTA logs one one or
both end (mailing list manager = MLM host and your receiving SMTP host), and
preferably also the MLM's logs.  Mailman's logs are by default
world-readable by shell users.  Typically, MTA logs are not.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Rick Moen]

I wrote:

> dyne.org system administrators can investigate this matter, by
> examining the /var/lib/mailman/logs/bounce* log files and 
> corresponding MTA log entries on lists.dyne.org -- to see when and why
> and when the bounce scores for your Dng membership for rpe...@samba.org
> has increased, each time that has happened.

Equally, the samba.org system administrators could examine _their_ 
MTA logs to see if/when mail attempts to rpe...@samba.org have recently
been softfail or hardfail refused, and the reasons cited.  You can and
should ask them to.

The advantage of having the var/lib/mailman/logs/bounce* entries from
the Dyne.org end is to get the timestamps of when the bounce score for
subscriber rpe...@samba.org on Dng was incremented -- to then correlate
with MTA events.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] excessive bounces

[Rick Moen]

Quoting Rowland Penny via Dng (dng@lists.dyne.org):

> It has happened again, my membership to this list has been disabled
> due to excessive bounces. I am fairly sure this isn't true, or I would
> have told by one of the Samba team list moderators.

dyne.org system administrators can investigate this matter, by
examining the /var/lib/mailman/logs/bounce* log files and 
corresponding MTA log entries on lists.dyne.org -- to see when and why
and when the bounce scores for your Dng membership for rpe...@samba.org
has increased, each time that has happened.

(My understanding is that the listadmins for Dng don't have the root
shell access required for such investigation, but of course other
Dyne.org core people do.)


Bounce processing in GNU Mailman is adjustable as to a number of
parameters used, both site-wide and per-mailing list, but here is how it
goes if using default values:

Each time for whatever reason the MTA detects non-delivery of a
subscriber's copy, subscriber's bounce score gets incremented by 1 if
parsing the MTA diagnostic appears to show a permanent failure, or by
0.5 if the MTA diagnostic appears to show a tempfail.  Each day, if the
subscriber hasn't had a new bounce event within the past 7 days,
subscriber's bounce score resets to zero.  Any day when the subscriber's
bounce score has risen to 5.0, subscription delivery gets disabled.
Once delivery has been disabled (which I gather is what you say was done
to your subscription), the subscriber then gets three 'Your membership
is disabled' autowarning mails, at intervals of a week, explaining what
happened and how to re-enable delivery.  If the subscriber doesn't
respond, after a month, the subscriber gets unsubscribed.

I personally am a (friendly) outsider to dyne.org -- but administer
Mailman elsewhere, and so can explain in general terms how the mechanics
works.  Here's example content from log file
/var/lib/mailman/logs/bounce on my own server, linuxmafia.com:


Dec 24 18:26:43 2018 (23567)  processing 1 queued 
bounces
Dec 24 18:26:43 2018 (23567) skeptic: adity...@sbcglobal.net current bounce 
score: 2.0


Here is the matching MTA error:

# zgrep adity...@sbcglobal.net /var/log/exim4/* | grep 2018-12-24 | grep "SMTP 
error"
/var/log/exim4/mainlog.10.gz:2018-12-24 18:26:42 1gbcPW-00033B-SM ** 
adity...@sbcglobal.net R=dnslookup T=remote_smtp: SMTP error from remote mail 
server after MAIL FROM:: host 
al-ip4-mx-vip2.prodigy.net [144.160.235.144]: 550 5.7.1 Connections not 
accepted from servers without a valid sender domain.alph739 Fix reverse DNS for 
198.144.195.186
#


(FWIW, I was somewhat startled to see the claim that my IP address, 
198.144.195.186,
lacks valid DNS reverse pointing back to my mail domain, as that's just not the 
case:

$ dig -x 198.144.195.186 +short
linuxmafia.COM.
$

Someone at prodigy.net is screwing things up, it appears -- maybe
falsely triggering on the FQDN lettercase difference?

But otherwise, I hope the above properly illustrates how Dyne.org sysadmins 
could
research this matter.)


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive Bounces

[Clarke Sideroad]

I too get 'em on my gmail account once in a while and have to confirm my 
subscription.
It happens once every 2 months or so, therefore in my case I would not 
consider it excessive. (-;


Clarke
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive Bounces

[Joril]

On 29/10/2018 02:40, Linux O'Beardly wrote:


Hey all,

Is anyone else using a gmail account getting excessive bounce errors 
from the DNG mailing list? It keeps locking out my account.  I'm not 
having any issues with any of my other mailing lists.


Happened to me too.

Bye!
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive Bounces

[Gastón]

On Sun, Oct 28, 2018 at 09:40:57PM -0400, Linux O'Beardly wrote:
> Hey all,
> 
> Is anyone else using a gmail account getting excessive bounce errors from
> the DNG mailing list? It keeps locking out my account.  I'm not having any
> issues with any of my other mailing lists.
> 
> -- 
> Linux O'Beardly
> @LinuxOBeardly
> http://o.beard.ly
> linux.obear...@gmail.com

Yes, the same thing happened to me


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive Bounces

[spiralofhope]

I don't know if it's related, but I noticed that some emails aren't
getting put in the lists.dyne.org mailing list archives.
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive Bounces

[Arnt Karlsen]

On Mon, 29 Oct 2018 09:44:43 +, Rowland wrote in message 
<20181029094443.146cb...@devstation.samdom.example.com>:

> On Mon, 29 Oct 2018 10:38:47 +0100
> Harald Arnesen  wrote:
> 
> > Linux O'Beardly [10/29/18 2:40 AM]:
> >   
> > > Is anyone else using a gmail account getting excessive bounce
> > > errors from the DNG mailing list? It keeps locking out my
> > > account.  I'm not having any issues with any of my other mailing
> > > lists.  
> > 
> > Yes, same here.  
> 
> I get them as well, but I don't use a gmail account.
> 
> Rowland

..me too, me too, about once a month.

-- 
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive Bounces

[Rowland Penny]

On Mon, 29 Oct 2018 10:38:47 +0100
Harald Arnesen  wrote:

> Linux O'Beardly [10/29/18 2:40 AM]:
> 
> > Is anyone else using a gmail account getting excessive bounce errors
> > from the DNG mailing list? It keeps locking out my account.  I'm not
> > having any issues with any of my other mailing lists.
> 
> Yes, same here.

I get them as well, but I don't use a gmail account.

Rowland
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive Bounces

[Harald Arnesen]

Linux O'Beardly [10/29/18 2:40 AM]:

> Is anyone else using a gmail account getting excessive bounce errors
> from the DNG mailing list? It keeps locking out my account.  I'm not
> having any issues with any of my other mailing lists.

Yes, same here.
-- 
Hilsen Harald
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Rick Moen]

Daniel, again, thank you for your efforts to collect diagnostic data for
the Devuan Project, and for your care and precision.

I respect the reasons you're making DMARC work for your domain, and
certainly have no argument with you doing so (though I do not come to
the same conclusion for my own domain).  A few comments that come
to mind:


Quoting Daniel Abrecht (d...@danielabrecht.ch)

> The SPF checks from the report have currently the result None, which
> usually indicates that domain does not have an SPF record. I did add
> ?mx:lists.dyne.org to my SPF record, which should have resulted in an
> SPF result of Neutral, so either the mailing list needs an SPF record,
> or google & co. are wrongly reporting a None result instead of a
> Neutral one.

Let's be careful about what we're speaking about, here.  By definition,
a posting that transits a mailing list goes through two phases, where
to the best of my understanding a different SPF RR is relevant for each.

In the first phase, mail arrives at (say) the lists.dyne.org MTA
purporting to be from your domain.  If the receiving MTA is checking SPF
on arriving mail, then it seeks to validate the envelope header of
arrived mail against the published SPF RR of the claimed sender domain
as reflected in the envelope.  A forged mail at this point would have an
envelope claiming it's from danielabrecht.ch, but the IP would fail
vetting against your A and MX records (declared as authorised senders in
your domain's SPF RR).  If it's genuine, otherwise.

The accepted posting gets handed by the receiving MTA to the MLM
software.  The MLM software now remails, or to put it another way,
creates fresh mails (thus, second phase), with an entirely different
SMTP envelope reflecting the MLM's host identity.  The internal 'From: '
header is (ideally) left intact, the internal 'To: ' header is
customised for each subscriber, and some number of other additions and
changes get made by the MLM software prior to handing it off to the
outbound MTA.

If subscribers' receiving MTAs now attempt, during this second phase, to
validate the SMTP envelope, they will do so based on the MLM host's
domain, not the original sender's.


> When a mail is sent, there are the envelope-to and the envelope-from
> (which aren't mail headers), but also To and From headers.[...]

Yes, I'm extremely well aware of this.  The latter 'From header' is
traditionally called the internal 'From:' header to distinguish it from
the envelope 'From ' header.

I was on NANAE during the incident in which envelope forgery was
invented and demonstrated in the famous revenge-spam attack against Joe
Doll of Joe's Cyberpost.

> Normally when an SPF check is made, the envelope from address is used.
> If the mail server doesn't have an SPF header, the SPF result is None
> and the receiving mail server should accept the mail.

To my knowledge, there is no such thing as an 'SPF header' (except see
below).  No extra headers get used to implement SPF.  It's just a DNS RR
that declares what authorised sending MTA hosts exist, and gets used by
supporting (receiving) MTAs to vet the envelope sender.  (There's also
an optional 'Authentication-Results' header that's similar, except for
recording border MTAs' results.)

My understanding is that some MTAs add a Received-SPF header to
all emails arriving via SMTP that test to any result other than 'fail'.
This is added _after_ SPF evaluation to record the results of that
check.  It's advisory, and merely a place to record the result.


> There is no point in getting notified if nothing happens or everything
> works as expected, but if something didn't work or someone tried to
> send a mail in my name and failed, I certainly want to know about
> that.

Certainly your prerogative, but I personally don't care to get notified
when someone tries to forge my domain and fails, because that amounts to
getting spam about spam.

There's a reason why I've finely tuned logcheck to stop notifying me of
pointless and futile attempts to use generic username/password pairs on
my sshd, and a thousand other bits of basically meaningless noise that's
just part of the routine of having a 24x7 Internet server.


> >> 3) The recipient can check if the message content was changed
> > 
> > gpg signing alone can do that.
> 
> gpg and DKIM have a bit different scope.

Yes, but both can authenticate and attest to the integrity of whatever
dataset was signed.  And that thus matches 'can check if the message
content was changed'.  Just crypto-sign the message contents.  Anything
extraneous inserted into the signed bloc will cause validation failure.
Anything outside it will be obviously _not_ attested to, and recipients
should accordingly understand that.

You might have more reasonably made the objection 'Ordinary folks won't
check PGP attestation.'  Maybe not.  Personally, I regard this as Not My
Problem.  If I say something where text integrity really matters, like
the body of a CVE, I will PGP-sign it. 

Re: [DNG] Excessive bounces

[Rick Moen]

Quoting Simon Hobson (li...@thehobsons.co.uk):

> SPF breaks mailing lists and mail forwarders - and this is NOT (IMO)
> fixable without introducing a wide open front gate for spammers to
> ride through and completely bypass SPF.

No. it does not break mailing lists.  It _does_ break other common types
of forwarders unless they adopt SRS-wrapping.

The reason it does not adversely affect mailing lists is that SPF
validates only the envelope header:  The receving MTA verifies that the
delivering MTA's IP address is mentioned in the claimed sending domain's
SPF RR (if there is one in that domain's DNS).

Consider the envelope header of your own Dng posting, as received by
linuxmafia.com's MTA when it received my subscription's copy.  Here's
the way your post arrived:

  From dng-boun...@lists.dyne.org Thu Aug 03 05: 8:39 2017
  Return-path: 
  Envelope-to: r...@linuxmafia.com

So, the envelope sender's domain was dyne.org, not thehobsons.co.uk, and
my receiving MTA will perform a DNS check against the former.

:r! dig -t txt dyne.org +short

"google-site-verification=6FghqJroXIvBY8cutq6ouO0RC-a8qynFu6sJR3S-IbA"
"v=spf1 mx ip4:178.62.188.7/32 ip4:188.226.191.63/32 ip4:213.127.180.241/32 
-all"
"google-site-verification=2XoWrMMTQ7jmgcB_76Y_TQSnWDGhR4e-y_KLqoKOK1Q"


:r! dig lists.dyne.org +short
178.62.188.7

And, lo!  The envelope sender does validate.

You are probably confusing mailing lists, which provide new envelope
headers during forwarding citing the forwarding domain, with other
forwarders like /etc/alias entries and ~/.forward files.  It's the
_latter_ that SPF author Meng Wong invented that goofy Sender Rewriting
System.  Mailing lists, by contrast, don't have the problem he invented
that kludge to fix.


And, again, Simon, my mail domain linuxmafia.com has had an SPF hardfail
directive in its DNS since around 2003, and the specifier is extremely
narrow:

:r! dig -t txt linuxmafia.com +short
"v=spf1 a mx -all"

That says 'If a mail's envelope header claims it's from linuxmafia.com,
but the delivering MTA doesn't match either linuxmafia.com's DNS A
record or its MX record, please consider it definitively a forgery.'
I'm on _many_ mailing lists on many hosts.  If my mailing list mail had
a deliverability problem caused by hardfailing forgeries of my envelope
header, I'd have figured that out, some time over hte past 14 years.  It
does not happen, because mailing lists work better than /etc/alias
entries and ~/.forward files by design.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Arnt Gulbrandsen]

For what it's worth, SPF, DKIM and DMARC were developed by largely 
different sets of people, who disagreed without each other about what 
was acceptable tradeoffs, what was doable and more.


The "they" you 
mention act senselessly because it is not one set of people. Patching 
up email against spam is a hard problem and you cannot expect wide 
agreement about the best tradeoffs.


IMO the right solution to the 
problem at hand is to delete dkim signatures during list processing and 
to tell dmarc supporters to either have their cake or eat it.


Arnt
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Simon Hobson]

Narcis Garcia  wrote:

> 1. SPF is a friendlier solution and enough for this.

SPF breaks mailing lists and mail forwarders - and this is NOT (IMO) fixable 
without introducing a wide open front gate for spammers to ride through and 
completely bypass SPF.

So consider that *I* publish an SPF record for my domain(s). If I post on a 
mailing list then I need to include the IP address of the list server in my SPF 
record - if I don't, then any MX that checks SPF will reject the message. I 
need to keep the SPF record up to date whenever ANY of the mailers used by ANY 
of the lists I'm subscribed to changes.

Now, with my own mail server, it might just be practical to do that. If you use 
a hosted service such as hotmail, Gmail, ... then it isn't going to happen.

To work around that, the mail list must either be configured to munge the 
sender address - ugly and breaks traditional usage - or they must use SRS.

SRS is the wide open gate I referred to. It basically (AIUI) tells a downstream 
MX "I am relaying this on behalf of X, but for SPF purposes treat it as having 
come from me".
So all a spammer has to do is send out his spam with the right "looks like SRS" 
from address and you've bypassed SPF - AFAICS for ANY sender domain !


AFAICS, with SPF/DKIM/DMARC/whatever they come up with tomorrow they seem to be 
laying gaffer tape on gaffer tape trying to fix something that's fundamentally 
broken and which they keep breaking even worse with each layer of gaffer tape. 
And what's more, it seems that most outfits using all this gaffer tape are 
taping over problems in their own systems - if they didn't accept message they 
know they won't be delivering, then half the problem would disappear !

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Narcis Garcia]

1. SPF is a friendlier solution and enough for this.
3. GPG signatures is more standard and friendlier solution for this.

This kind of tricky solutions (as DKIM) only make people to move to
other easier but non-neutral technologies, hosted services such as
WhatsApp or web-based.



El 03/08/17 a les 00:44, Daniel Abrecht ha escrit:
> I'm sorry, I'm using DMARC, and I didn't get the DMARC report about the
> bounced mails, probably because I forgot a DMARC DNS entry for the
> report receiving mail address. I have changed my DMARC policy from
> reject to quarantine for now.
> 
> That said, I won't remove the DMARC record completely, and I plan to
> switch my DMARC policy back to reject after this issue has been
> resolved. A lot of people claim that DMARC won't work with mailing
> lists, but this isn't correct, it's just that most mailing lists aren't
> configured in a way that makes DMARC usable, (and no, changing the from
> address isn't the correct solution.)
> 
> I use DMARC and believe it to be necessary because it allows me to:
>  1) Make sure nobody can use my E-Mail address to impersonate me or send
> spam
>  2) I will be notified if anyone attempts to do so
>  3) The recipient can check if the message content was changed
> 
> That said, the correct way to deal with DKIM, SPF and DMARC protected
> mails is to:
>  1) Provide an SPF record. This mailing list doesn't seam to have one
>  2) Don't change anything from the message below the DKIM headers, add
> the other headers before the DKIM signature instead. This will also
> solve the problem that some mail clients like the android mail client
> don't display text-only mails correctly.
> 
> In think the email body, subject and from header shouldn't be altered
> anyway. Of course, changing the from header and removing the DKIM header
> would avoid the problem as well, but I'm against that solution since it
> obscures who wrote the mail.
> 
> I haven't done much with mailman yet, so I don't know how it needs to be
> configured or if it can even be configured that way. I'll take a look at
> mailman in a few weeks.
> 
> I've attached two versions of an email I've sent to the list earlier.
> The first one contains the message as I received it again from the list.
> The second one is edited in such a way that the added headers and the
> original message body are preserved and the DKIM check succeeds, only
> the added mailing list signature was removed.
> 
> Daniel Abrecht
> 
> 
> 
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> 
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Rick Moen]

Quoting Daniel Abrecht (d...@danielabrecht.ch):

> I'm sorry, I'm using DMARC, and I didn't get the DMARC report about the
> bounced mails, probably because I forgot a DMARC DNS entry for the
> report receiving mail address. I have changed my DMARC policy from
> reject to quarantine for now.

It would be excellent if you could provide any DMARC reports you get to
the Dng listadmins.  Thank you.

Your point is well taken that DMARC and mailing lists can coexist (I've
always concurred with that).  It's just difficult, and creates adverse 
consequences.  (As background for this, it's useful to know that DMARC
is a composite and extension of SPF and DKIM.)

As part of the process, the domain's outgoing mail gets certain headers
and body text cryptographically signed and attested to (the DKIM =
DomainKeys Identified Mail part of the standard).  For such mail to 
successfully transit a mailing list without breaking validation, the
signed text and headers must be completely unchanged.  This is a very
difficult constraint for MLM software to meet, as occasionally something
gets inserted or changed in a header or elsewhere during normal MLM
processing, and in particular the To: header by design is supposed to
be set upon posting retransmission to the address of each subscriber.

To the best of my recollection (and I'm presently busy and cannot
double-check all of this), some subset of the full SMTP headers are 
included in the DKIM attestation.  I can't remember which, nor whether
the DKIM-issuing operator can decide which.  I vaguely recall that the
extra headers MLMs intentionally add, the MLM footer, the MLM
modification to the Subject header (like adding [DNG]), and more are all
somewhat problematic for DKIM validation.

There are a maddeningly large and diverse number of ways to deal with
the problem, and one can spend a lot of time reading about it.  E.g.:
https://dmarc.org/supplemental/mailman-project-mlm-dmarc-reqs.html
http://www.spamresource.com/2014/04/run-email-discussion-list-heres-how-to.html
https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F


Just a point:

> I use DMARC and believe it to be necessary because it allows me to:
>  1) Make sure nobody can use my E-Mail address to impersonate me or send
> spam

SPF alone _can_ do exactly that without also needing DKIM/DMARC.  (So,
sufficient is correct, but necessary is not quite correct.)

>  2) I will be notified if anyone attempts to do so

SPF alone can prevent it from being possible, hence you don't need to be
notified.  (This of course assumes that receiving domains check SPF for
received mail.  Not all do, but more do than check DMARC.)

>  3) The recipient can check if the message content was changed

gpg signing alone can do that.

If your SMTP message content is being changed, though, you actually have
a lot bigger problems.

>  1) Provide an SPF record. This mailing list doesn't seam to have one

The mailing list isn't an orignator.  It's the originating domains that
ought (to the extent they wish to do so) to have SPF records.


>  2) Don't change anything from the message below the DKIM headers, add
> the other headers before the DKIM signature instead.

To the best of my recollection (I could be misremembering), this is
easier said than done.

Anyway, thank you for your substantive help to the Devuan Project.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Daniel Abrecht]

I'm sorry, I'm using DMARC, and I didn't get the DMARC report about the
bounced mails, probably because I forgot a DMARC DNS entry for the
report receiving mail address. I have changed my DMARC policy from
reject to quarantine for now.

That said, I won't remove the DMARC record completely, and I plan to
switch my DMARC policy back to reject after this issue has been
resolved. A lot of people claim that DMARC won't work with mailing
lists, but this isn't correct, it's just that most mailing lists aren't
configured in a way that makes DMARC usable, (and no, changing the from
address isn't the correct solution.)

I use DMARC and believe it to be necessary because it allows me to:
 1) Make sure nobody can use my E-Mail address to impersonate me or send
spam
 2) I will be notified if anyone attempts to do so
 3) The recipient can check if the message content was changed

That said, the correct way to deal with DKIM, SPF and DMARC protected
mails is to:
 1) Provide an SPF record. This mailing list doesn't seam to have one
 2) Don't change anything from the message below the DKIM headers, add
the other headers before the DKIM signature instead. This will also
solve the problem that some mail clients like the android mail client
don't display text-only mails correctly.

In think the email body, subject and from header shouldn't be altered
anyway. Of course, changing the from header and removing the DKIM header
would avoid the problem as well, but I'm against that solution since it
obscures who wrote the mail.

I haven't done much with mailman yet, so I don't know how it needs to be
configured or if it can even be configured that way. I'll take a look at
mailman in a few weeks.

I've attached two versions of an email I've sent to the list earlier.
The first one contains the message as I received it again from the list.
The second one is edited in such a way that the added headers and the
original message body are preserved and the DKIM check succeeds, only
the added mailing list signature was removed.

Daniel Abrecht


mails.tar
Description: Unix tar archive


signature.asc
Description: OpenPGP digital signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Rick Moen]

Oh, follow-up (and this, too, is for Devuan's listadmins' attention in
particular):

> There is an (IMO unhappy but least-bad-available) kludge setting in
> Mailman's admin WebUI to make the MLM compensate for DMARC brain-damage:  
> You go to Privacy Options, Sender Filters, item 'Action to take when
> anyone posts to the list from a domain with a DMARC Reject/Quarantine
> Policy' aka dmarc_moderation_action.  Change the radio button from
> Accept (default) to Munge from.

I am specifically _not not not_ recommending the similar-looking setting
'Replace the From: header address with the list's posting address to
mitigate issues stemming from the original From: domain's DMARC or
similar policies' aka from_is_list on General Options.  My understanding
is that opting for _that_ version of the kludge unconditionally applies
it to all postings whether they are from DMARC-encumbered domains or
not.

My recommendations:

On Privacy options, Sender filters:
dmarc_moderation_action:  Munge from
dmarc_quarantine_moderation_action):  Yes
dmarc_none_moderation_action:  no

On General options:
change nothing.
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Rick Moen]

Quoting Simon Hobson (li...@thehobsons.co.uk):

> That's the important thing to look for - and my money is it's related to SPF 
> and/or DMARC.

It won't be SPF.

My domain has a strong SPF policy:

:r! dig -t txt linuxmafia.com +short
"v=spf1 a mx -all"

...and no mailing list post from me or my users violates it.

It'll be DMARC.  (Long experience says.)

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Rick Moen]

Quoting Jaromil (jaro...@dyne.org):

> I am a bit puzzled about this one, we had some reports of the problem
> so far, which hasn't occurred before on any other dyne list and is not
> really reproducible.
> 
> what we notice is that our mail server is under some quite heavy load
> and we are working to move it to a bigger infrastructure by september
> 
> however it is highly available already and seems to process
> everything, so I'm not really sure what is happening... any insight is
> welcome.

Might be DMARC validation failure.  (Gods, do I ever detest that stuff.)

DMARC is proving to be an utter nightmare for mailing lists, in as much
as they are mail forwarders, and DMARC was IMO botched in its ability to
accomodate the way they work.  From memory, and so I'm probably dropping
a bunch of detail:  Because MLMs such as Mailman (appropriately) change
the internal SMTP headers upon retransmitting the poster's mail to
subscribers (notably the To: header), it no longer validates against the
sender's domain if it is a DMARC-using one with a strict policy.  Yahoo
and Gmail are examples of sending domains with strict DMARC policies.

There is an (IMO unhappy but least-bad-available) kludge setting in
Mailman's admin WebUI to make the MLM compensate for DMARC brain-damage:  
You go to Privacy Options, Sender Filters, item 'Action to take when
anyone posts to the list from a domain with a DMARC Reject/Quarantine
Policy' aka dmarc_moderation_action.  Change the radio button from
Accept (default) to Munge from.

To quote the help text:

  from_is_list (general): Replace the From: header address with the
  list's posting address to mitigate issues stemming from the original
  From: domain's DMARC or similar policies.

  Several protocols now in wide use attempt to ensure that use of the
  domain in the author's address (ie, in the From: header field) is
  authorized by that domain. These protocols may be incompatible with
  common list features such as footers, causing participating email
  services to bounce list traffic merely because of the address in the
  From: field. This has resulted in members being unsubscribed despite
  being perfectly able to receive mail.

  The following actions are applied to all list messages when selected
  here. To apply these actions only to messages where the domain in the
  From: header is determined to use such a protocol, see the
  dmarc_moderation_action settings under Privacy options... -> Sender
  filters.

  Settings:
[...]

  Munge From

  This action replaces the poster's address in the From: header with the
  list's posting address and adds the poster's address to the addresses in
  the original Reply-To: header.

So, for example, _if_ my sending domain linuxmafia.com had a strong
DMARC policy (which it doesn't, because I hate DMARC with a passion), 
then the 'Munge from' setting would cause my post to Dng to get this
'From: ' header upon retransmission to subscribers:

  From: Rick Moen via Dng 

instead of the normal

  From: Rick Moen 

The reason this helps sidestep DMARC validation is that it's now no longer
considered needing validation against linuxmafia.com's (hypothetical)
DMARC policy, but rather dyne.org's.


I personally detest this solution because, when I send out my sending
address on a mailing list, it is deliberately there so that people can,
if necessary, contact me offlist.  The kludge complicates this, albeit,
if I remember correctly, it tries to compensate for the brain-damage by 
inserting a Reply-To as well.

It should be noted that the Munge from kludge thus alters -only- the 
postings of subscribers from DMARC-damaged^H^H^H^W^W^W^Wusing domains,
so only _some_ postings will get disfigured in this manner.

Sadly, I recommend opting for this kludge, because otherwise
deliverability suffers.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Arnt Karlsen]

On Wed, 2 Aug 2017 16:21:34 +0200, Jaromil wrote in message 
<20170802142134.vlfhg5z4ccbrueb7@reflex>:

> On Wed, 02 Aug 2017, Emiliano Marini wrote:
> 
> >Sorry to bother, but it's the second time this happens to me:

..I have this happening all the time, 3 times in July now, on the 4th,
10'th and the 29'th.

> > 
> >"Your membership in the mailing list Dng has been disabled due to
> >excessive bounces The last bounce received from you was dated
> >23-Jul-2017."
> > 
> >I have a Gmail account, it's Google's fault? or maybe some issue
> > with Mailman?
> 
> I am a bit puzzled about this one, we had some reports of the problem
> so far, which hasn't occurred before on any other dyne list and is not
> really reproducible.
> 
> what we notice is that our mail server is under some quite heavy load
> and we are working to move it to a bigger infrastructure by september
> 
> however it is highly available already and seems to process
> everything, so I'm not really sure what is happening... any insight is
> welcome.

..I also see these bounce warnings coming from debian.org, but 
those are warnings, not unsubscribes, usually whining along the 
lines of "I bounce 8% and will get unsubcribed at 80%", to 
paraphrase. 


..maybe we should just set an higher bounce tolerance?

-- 
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[info at smallinnovations dot nl]

On 02-08-17 16:41, Simon Hobson wrote:

Antony Stone  wrote:


Is it possible to check the mail server logs for delivery failures on the
problematic addresses (which is presumably what the warning email means by
"bounces") to see what reason was given by the receiving server?

That's the important thing to look for - and my money is it's related to SPF 
and/or DMARC.


The supporters of SPF knew in advance that "it breaks stuff that's in widespread and valid 
use" but simply declared these activities to be "no longer valid"*. Key bits of the 
stuff it breaks are mailing lists and email forwarding.
The answer for SPF is SRS - which as far as I can tell means having the mailing 
list/forwarder modify the headers - which effectively means you can bypass SPF 
checks !

If the sender domain doesn't publish SPF records or the recipient server 
doesn't check them then all is fine - but if the sender has an SPF record AND 
the recipient server checks it, then it breaks all traditional mailing 
list/mail forwarding techniques.

So now almost all mailing list admins are having to deal with the pile of excrement handed down by 
"the big guys" who frankly don't give a  about anyone else as long as they can make 
it LOOK like they are dealing with spam for their customers. Unfortunately, MS (Hotmail, Office 
365, etc), Google (gmail etc), and Yahoo, between them have enough clout that you can't really do 
anything but ask "how high ?" when they ask you to jump :-(

Just one reason why I run my own mail server and neither publish nor check SPF 
records.


* Like in the old joke :
Q: how many Microsoft people does it take to change a lightbulb ?
A: none, they just change the industry standard to dark

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


My mailserver does give some warnings about dkim like:
Aug  2 16:40:48 mail opendkim[16133]: 5358E209: tupac2.dyne.org 
[178.62.188.7] not internal

Aug  2 16:40:48 mail opendkim[16133]: 5358E209: not authenticated
Aug  2 16:40:48 mail opendkim[16133]: 5358E209: s=20161025 d=gmail.com SSL
Aug  2 16:40:48 mail opendkim[16133]: 5358E209: bad signature data

And two hard errors last two days:
Aug  1 17:25:48 mail opendkim[16133]: E62803F0: key retrieval failed 
(s=mail, d=dyne.org): 'mail._domainkey.dyne.org' query timed out
Aug  2 16:29:03 mail opendkim[16133]: DD24A209: key retrieval failed 
(s=mail, d=dyne.org): 'mail._domainkey.dyne.org' query timed out


Not sure what get added when sending to a maillist but apparently not 
everything needed.



Grtz.

Nick

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Simon Hobson]

Antony Stone  wrote:

> Is it possible to check the mail server logs for delivery failures on the 
> problematic addresses (which is presumably what the warning email means by 
> "bounces") to see what reason was given by the receiving server?

That's the important thing to look for - and my money is it's related to SPF 
and/or DMARC.


The supporters of SPF knew in advance that "it breaks stuff that's in 
widespread and valid use" but simply declared these activities to be "no longer 
valid"*. Key bits of the stuff it breaks are mailing lists and email forwarding.
The answer for SPF is SRS - which as far as I can tell means having the mailing 
list/forwarder modify the headers - which effectively means you can bypass SPF 
checks !

If the sender domain doesn't publish SPF records or the recipient server 
doesn't check them then all is fine - but if the sender has an SPF record AND 
the recipient server checks it, then it breaks all traditional mailing 
list/mail forwarding techniques.

So now almost all mailing list admins are having to deal with the pile of 
excrement handed down by "the big guys" who frankly don't give a  about 
anyone else as long as they can make it LOOK like they are dealing with spam 
for their customers. Unfortunately, MS (Hotmail, Office 365, etc), Google 
(gmail etc), and Yahoo, between them have enough clout that you can't really do 
anything but ask "how high ?" when they ask you to jump :-(

Just one reason why I run my own mail server and neither publish nor check SPF 
records.


* Like in the old joke :
Q: how many Microsoft people does it take to change a lightbulb ?
A: none, they just change the industry standard to dark

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Emiliano Marini]

Thanks Jaromil,

This time happened while I was out, but next time I will report it right
away.

Cheers,
Emiliano.


On Wed, Aug 2, 2017 at 11:21 AM, Jaromil  wrote:

> On Wed, 02 Aug 2017, Emiliano Marini wrote:
>
> >Sorry to bother, but it's the second time this happens to me:
> >
> >"Your membership in the mailing list Dng has been disabled due to
> >excessive bounces The last bounce received from you was dated
> >23-Jul-2017."
> >
> >I have a Gmail account, it's Google's fault? or maybe some issue with
> >Mailman?
>
> I am a bit puzzled about this one, we had some reports of the problem
> so far, which hasn't occurred before on any other dyne list and is not
> really reproducible.
>
> what we notice is that our mail server is under some quite heavy load
> and we are working to move it to a bigger infrastructure by september
>
> however it is highly available already and seems to process
> everything, so I'm not really sure what is happening... any insight is
> welcome.
>
> ciao!
>
>
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Antony Stone]

On Wednesday 02 August 2017 at 16:21:34, Jaromil wrote:

> On Wed, 02 Aug 2017, Emiliano Marini wrote:
> >Sorry to bother, but it's the second time this happens to me:
> >
> >"Your membership in the mailing list Dng has been disabled due to
> >excessive bounces The last bounce received from you was dated
> >23-Jul-2017."
> >
> >I have a Gmail account, it's Google's fault? or maybe some issue with
> >Mailman?
> 
> I am a bit puzzled about this one, we had some reports of the problem
> so far, which hasn't occurred before on any other dyne list and is not
> really reproducible.
> 
> what we notice is that our mail server is under some quite heavy load
> and we are working to move it to a bigger infrastructure by september
> 
> however it is highly available already and seems to process
> everything, so I'm not really sure what is happening... any insight is
> welcome.

Is it possible to check the mail server logs for delivery failures on the 
problematic addresses (which is presumably what the warning email means by 
"bounces") to see what reason was given by the receiving server?


Antony.

-- 
Schrödinger's rule of data integrity: the condition of any backup is unknown 
until a restore is attempted.

   Please reply to the list;
 please *don't* CC me.
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Jaromil]

On Wed, 02 Aug 2017, Emiliano Marini wrote:

>Sorry to bother, but it's the second time this happens to me:
> 
>"Your membership in the mailing list Dng has been disabled due to
>excessive bounces The last bounce received from you was dated
>23-Jul-2017."
> 
>I have a Gmail account, it's Google's fault? or maybe some issue with
>Mailman?

I am a bit puzzled about this one, we had some reports of the problem
so far, which hasn't occurred before on any other dyne list and is not
really reproducible.

what we notice is that our mail server is under some quite heavy load
and we are working to move it to a bigger infrastructure by september

however it is highly available already and seems to process
everything, so I'm not really sure what is happening... any insight is
welcome.

ciao!

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] Excessive bounces

[Svante Signell]

On Wed, 2017-08-02 at 10:20 -0300, Emiliano Marini wrote:
> Sorry to bother, but it's the second time this happens to me:
> 
> "Your membership in the mailing list Dng has been disabled due to
> excessive bounces The last bounce received from you was dated
> 23-Jul-2017."
> 
> I have a Gmail account, it's Google's fault? or maybe some issue with
> Mailman?

I do also have a gmail account, and got the same message as you for the
second time.
 
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng