Re: DKIM (was: Google thinks GNHLUG is spam now)

2015-07-29 Thread Lloyd Kvam
On Wed, 2015-07-29 at 14:56 -0400, Joshua Judson Rosen wrote:
> >   Might be we should setup DKIM on the GNHLUG server.  Anyone know how
> > to do that, and have the time?  CentOS 5.x, Sendmail, and GNU Mailman.
> 
> I could, but I don't think it's actually meaningful to "set up DKIM"
> for a mailing-list: the domain in the "From:" header in the message
> is the one that requests (or doesn't request) DKIM verification
> and specific failure-handling via either ADSP (old) or DMARC (newer);
> the subscribers' original sending servers have already inserted
> their own DKIM signatures for the ultimate receiving servers to check.
> The only reason for the list server to check the signatures itself
> would be for it to throw mail away instead of relaying it;
> and there's probably not much point in the list adding its own
> signatures.
> 
> Unless you want to emulate what the yahoos at Yahoo! did
> and make the mailing list actually pretend that it's
> actually the original author of all of the mail that passes through it.
> 
> The (non-yahoo) way you'd make the list comply with senders'
> overzealous signing
> is to just restrict the parts of the message that the list munges--
> e.g.: don't modify the "Subject:" header with the list-name
> (and we're already not-doing that), and don't add the helpful
> footer to the end of the message-body (but continuing to add
> the helpful "List-*:" headers should be fine).

DKIM fouled up a list I manage when the sender was @comcast.com or
@yahoo.com.  mailman broke the signatures and people using comcast and
yahoo could not receive the messages.

My fix in /etc/mailman/mm_cfg.py
#~ DKIM Handling
#~ set up allow author is list
REMOVE_DKIM_HEADERS = 1
ALLOW_FROM_IS_LIST = Yes
DEFAULT_FROM_IS_LIST = 1

Now all the emails are getting delivered.  I do NOT claim this is better
than the earlier advice, merely that this got email flowing again.

-- 
Lloyd Kvam
Venix Corp
DLSLUG/GNHLUG library
http://dlslug.org/library.html
http://www.librarything.com/catalog/dlslug
http://www.librarything.com/catalog/dlslug&sort=stamp
http://www.librarything.com/rss/recent/dlslug


___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: DKIM (was: Google thinks GNHLUG is spam now)

2015-07-29 Thread Greg Rundlett (freephile)
Thanks Joshua, now I know a lot more about DKIM!

(Let's not do what Yahoo! did.)

And by the sounds of it, we really don't have to do anything.


DKIM (was: Google thinks GNHLUG is spam now)

2015-07-29 Thread Joshua Judson Rosen
On 2015-07-29 13:08, Ben Scott wrote:
>
>   I believe mailing lists break DKIM, if they don't take special
> actions for it.  (Since mail originating from one domain, and
> cryptographically authenticated to that domain, is now originating
> from a completely different mail exchanger.)

Mailing lists sometimes break DKIM, depending on how the originating
_sender_ has it configured, but that's not how/why it breaks--
because DKIM is content-based, not origin-based.

The DKIM breakage Greg was indicating was because the googlemail sender
indicated that it wanted the message _body_ verified against the
signature, and gnhlug-discuss added a footer to the body.

When I've set up DKIM, IIRC I just told it to sign/verify
only the subset of headers that mailing-lists almost never munged
("To", "From", probably "Date", maybe a couple others; not the
 "Subject" header and definitely not the body).

On the up side, it looks like Google's DKIM settings request
that failures be _ignored_, so it shouldn't actually matter
that they're signing overzealously.

You can think of DKIM as being somewhat like PGP-signed e-mail;
they have similar (though somewhat different) failure-scenarios.
In this case, an inline ASCII PGP signature wouldn't have broken
because the mailing-list footer would have been added *after*
the PGP "END" line; DKIM has a similar `END' provision, but
Google has apparently opted not to use it, so their message bodies
have no predetermined END.

>   Might be we should setup DKIM on the GNHLUG server.  Anyone know how
> to do that, and have the time?  CentOS 5.x, Sendmail, and GNU Mailman.

I could, but I don't think it's actually meaningful to "set up DKIM"
for a mailing-list: the domain in the "From:" header in the message
is the one that requests (or doesn't request) DKIM verification
and specific failure-handling via either ADSP (old) or DMARC (newer);
the subscribers' original sending servers have already inserted
their own DKIM signatures for the ultimate receiving servers to check.
The only reason for the list server to check the signatures itself
would be for it to throw mail away instead of relaying it;
and there's probably not much point in the list adding its own
signatures.

Unless you want to emulate what the yahoos at Yahoo! did
and make the mailing list actually pretend that it's
actually the original author of all of the mail that passes through it.

The (non-yahoo) way you'd make the list comply with senders' overzealous signing
is to just restrict the parts of the message that the list munges--
e.g.: don't modify the "Subject:" header with the list-name
(and we're already not-doing that), and don't add the helpful
footer to the end of the message-body (but continuing to add
the helpful "List-*:" headers should be fine).


-- 
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr."
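
[Added example, not part of the original post and not code from any DKIM implementation: a sketch of the body-hash behaviour described above, using RFC 6376 "relaxed" body canonicalization and the l= body-length tag. The message body and footer are constructed samples.]

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 "relaxed" body canonicalization."""
    lines = re.split(rb"\r?\n", body)
    # Collapse runs of space/tab to one space, drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, length=None) -> str:
    """Value of the bh= tag: base64(SHA-256(canonical body[:l]))."""
    canon = relaxed_body(body)
    if length is not None:          # l= tag: hash only the first l octets
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")

# Constructed sample message body and list footer (not taken from real mail).
ORIGINAL = b"Might be we should set up DKIM on the list server.\r\n\r\n-- Ben\r\n"
FOOTER = (b"_______________________________________________\r\n"
          b"gnhlug-discuss mailing list\r\n")

def relay_outcomes() -> dict:
    """Compare verification with and without l= after the list adds a footer."""
    bh = body_hash(ORIGINAL)                    # what the sender signs
    signed_len = len(relaxed_body(ORIGINAL))    # value a signer would put in l=
    relayed = ORIGINAL + FOOTER                 # what subscribers receive
    return {
        "unmodified": body_hash(ORIGINAL) == bh,
        "footer, no l=": body_hash(relayed) == bh,
        "footer, with l=": body_hash(relayed, signed_len) == bh,
    }

if __name__ == "__main__":
    for case, ok in relay_outcomes().items():
        print(f"{case:16} body hash {'verifies' if ok else 'did not verify'}")
```

Anything appended after the first l= octets is not covered by the signature, so a verifier that accepts l= is also accepting unauthenticated trailing content.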


Re: Google thinks GNHLUG is spam now

2015-07-29 Thread Greg Rundlett (freephile)
On Wed, Jul 29, 2015 at 1:08 PM, Ben Scott wrote:

> On Wed, Jul 29, 2015 at 12:54 PM, Greg Rundlett (freephile) wrote:
> > Anyway, I'm using GMail here and received your "Google thinks GNHLUG is
> > spam now" msg in my regular inbox.
>
>   Interesting.  I presume you mean the original message?
>
>   Do you have any filters configured to exempt any gnhlug lists from
> spam filtering?

I mean I did receive your first message (not marked as spam), and the only
filter I have for GNHLUG is to apply a label.


Re: Google thinks GNHLUG is spam now

2015-07-29 Thread Bill Ricker
On Wed, Jul 29, 2015 at 1:48 PM, Tom Buskey wrote:

> I'm using gmail and have a filter for gnhlug that says never treat as spam

Likewise, i've checked "Never send to spam" on most of my Gmail Rules that
apply topical tags to Lists. Which is the only reason i saw this thread,
since it was flagged.

-- 
Bill Ricker
bill.n1...@gmail.com
https://www.linkedin.com/in/n1vux


Re: Google thinks GNHLUG is spam now

2015-07-29 Thread Tom Buskey
On Wed, Jul 29, 2015 at 12:54 PM, Greg Rundlett (freephile) <
g...@freephile.com> wrote:

> Sorry for the brevity of my earlier "Is there an SPF record?" response...
> (I hate using a phone to type messages.)
>
> Anyway, I'm using GMail here and received your "Google thinks GNHLUG is
> spam now" msg in my regular inbox.
>
>
FWIW
I'm using gmail and have a filter for gnhlug that says never treat as
spam.  I got a similar message from google.  Hopefully gmail will no longer
treat it as spam now that I've looked at it.


Re: Google thinks GNHLUG is spam now

2015-07-29 Thread Ben Scott
On Wed, Jul 29, 2015 at 12:54 PM, Greg Rundlett (freephile)
 wrote:
> Anyway, I'm using GMail here and received your "Google thinks GNHLUG is spam
> now" msg in my regular inbox.

  Interesting.  I presume you mean the original message?

  Do you have any filters configured to exempt any gnhlug lists from
spam filtering?

> Here is the original of what I received earlier...  I notice that there is a
> DKIM signature failure in the middle.  I don't know much about DKIM, but
> maybe that is the source of the issue.

  I'm not familiar with DKIM, either, but that DKIM stuff is not
something GNHLUG's systems are adding, AFAIK.  DKIM was also not
involved in my original test messages.

  I believe mailing lists break DKIM, if they don't take special
actions for it.  (Since mail originating from one domain, and
cryptographically authenticated to that domain, is now originating
from a completely different mail exchanger.)

  Might be we should setup DKIM on the GNHLUG server.  Anyone know how
to do that, and have the time?  CentOS 5.x, Sendmail, and GNU Mailman.

-- Ben


Re: Google thinks GNHLUG is spam now

2015-07-29 Thread Greg Rundlett (freephile)
Sorry for the brevity of my earlier "Is there an SPF record?" response...
(I hate using a phone to type messages.)

Anyway, I'm using GMail here and received your "Google thinks GNHLUG is
spam now" msg in my regular inbox.

Here is the original of what I received earlier...  I notice that there is
a DKIM signature failure in the middle.  I don't know much about DKIM, but
maybe that is the source of the issue.

Delivered-To: greg.rundl...@gmail.com
Received: by 10.36.78.134 with SMTP id r128csp37496ita;
Wed, 29 Jul 2015 07:28:16 -0700 (PDT)
X-Received: by 10.107.132.19 with SMTP id g19mr1438420iod.3.1438180096053;
Wed, 29 Jul 2015 07:28:16 -0700 (PDT)
Return-Path: 

Received: from eforward3e.registrar-servers.com
(eforward3e.registrar-servers.com. [38.101.213.201])
by mx.google.com with ESMTP id hv6si775133igb.11.2015.07.29.07.28.15
for ;
Wed, 29 Jul 2015 07:28:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of
SRS0+WTTz=IF=mail.gnhlug.org=gnhlug-sysadmin-boun...@eforward3e.registrar-servers.com
designates 38.101.213.201 as permitted sender)
client-ip=38.101.213.201;
Authentication-Results: mx.google.com;
   spf=pass (google.com: domain of
SRS0+WTTz=IF=mail.gnhlug.org=gnhlug-sysadmin-boun...@eforward3e.registrar-servers.com
designates 38.101.213.201 as permitted sender)
smtp.mail=SRS0+WTTz=IF=mail.gnhlug.org=gnhlug-sysadmin-boun...@eforward3e.registrar-servers.com;
   dkim=pass header.i=@registrar-servers.com;
   dkim=neutral (body hash did not verify) header.i=@gmail.com;
   dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
Received: from eforward3d0.registrar-servers.com
(eforward3d0.registrar-servers.com [199.229.254.203])
by eforward3e.registrar-servers.com (Postfix) with ESMTP id 81E4228071E
for ; Wed, 29 Jul 2015 10:28:15 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.9.2 eforward3e.registrar-servers.com 81E4228071E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=registrar-servers.com; s=default; t=1438180095;
bh=nFjk8ZDJk5/Mc2bVCwXpLiK689yhCilgAgpkxdd6M94=;
h=From:Date:Subject:To:List-Id:List-Unsubscribe:List-Archive:
 List-Post:List-Help:List-Subscribe;
b=avjuU7xnNrzJs9qobfuIYfgZzc0Q8bVmi59rlZg8GUAutMBogWBUCsSLyUEh2YybA
 +CrFdvzWyH7WP4znxOkPgR2QXhfA7aVItM7MLOtvgH+EBe9ixtyXM/xkDRAvpIEv+S
 f96JOrX0z0wkZ1TLLxPgsgWNSAbkSthYa65EVJFM=
X-DKIM-Failure: signature_incorrect
Received: from justice.gnhlug.org ([104.131.202.47])
by eforward3d.registrar-servers.com with esmtps 
(TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.85)
(envelope-from )
id 1ZKSL4-0005WF-JU
for g...@freephile.com; Wed, 29 Jul 2015 10:28:15 -0400
Received: from justice.gnhlug.org (localhost.localdomain [127.0.0.1])
by justice.gnhlug.org (8.13.8/8.13.8) with ESMTP id t6TERZ4m012364;
Wed, 29 Jul 2015 10:27:36 -0400
Received: from mail-io0-f170.google.com (mail-io0-f170.google.com
[209.85.223.170])
by justice.gnhlug.org (8.13.8/8.13.8) with ESMTP id t6TERYIs012360
for ; Wed, 29 Jul 2015 10:27:34 -0400
Received: by ioii16 with SMTP id i16so23067861ioi.0
for ;
Wed, 29 Jul 2015 07:27:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=mime-version:from:date:message-id:subject:to:content-type;
bh=vBAt4yz+6mlGjA2YCAYL0ezCbXa7dHeoZbIhWj36kwg=;
b=j17U1H+S1T8SEs6xyiRv+rxSsFYOxIuLJa3Aa2FnQ099r+fSqOobzjiqNX3zBxae61
oVqtPH+fxFS/XjqUVpzf8isEIg3ZFTv4+r/4PieebopFpl2DjFtfTVbcsStWOhdX6W6T
4+WIX9jgwQlLzEwPs3BK1Gwcep7w8Lwbv/YzureW/EqI71qGDszc8XlFswG1u/c7YKaj
5BE2tl3S8xSVh3SJsNdFvcUEpzVv6HQzB124RTslvR3GMZgodMTVZoDyPHLYwHDlATnD
31sLwHX2FlBu1XqEwqY4aFiWVBuOLTBURyzFAYVvhP4yNMVAZAaSTijtEOulQvKydIRZ
n/MA==
X-Received: by 10.107.160.196 with SMTP id j187mr2155958ioe.80.1438180078776;
Wed, 29 Jul 2015 07:27:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.24.196 with HTTP; Wed, 29 Jul 2015 07:27:39 -0700 (PDT)
From: Ben Scott 
Date: Wed, 29 Jul 2015 10:27:39 -0400
Message-ID: 
Subject: Google thinks GNHLUG is spam now
To: GNHLUG Sys Admin 
X-BeenThere: gnhlug-sysad...@mail.gnhlug.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: GNHLUG IT System Administration 
List-Unsubscribe: <http://mail.gnhlug.org/mailman/listinfo/gnhlug-sysadmin>,
<mailto:gnhlug-sysadmin-requ...@mail.gnhlug.org?subject=unsubscribe>
List-Archive: <http://mail.gnhlug.org/mailman/private/gnhlug-sysadmin>
List-Post: <mailto:gnhlug-sysad...@mail.gnhlug.org>
List-Help: <mailto:gnhlug-sysadmin-requ...@mail.gnhlug.org?subject=help>
List-Subscribe: <http://mail.gnhlug.org/mailman/listinfo/gnhlug-sysadmin>,
<mailto:gnhlug-sysadmin-requ...@mail.gnhlug.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7b
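
[Added example, not part of the original message: a small parser for an Authentication-Results header that shows why the header above reports dmarc=fail even though SPF and one DKIM signature pass. The header string is a constructed, simplified copy of the posted one (the "bounce" local part is a placeholder), and the alignment test is a simplification that compares domains by suffix instead of using the Public Suffix List.]

```python
import re

# Constructed sample, simplified from the header quoted in the message above.
AUTH_RESULTS = (
    "mx.google.com; "
    "spf=pass smtp.mail=bounce@eforward3e.registrar-servers.com; "
    "dkim=pass header.i=@registrar-servers.com; "
    "dkim=neutral (body hash did not verify) header.i=@gmail.com; "
    "dmarc=fail (p=NONE dis=NONE) header.from=gmail.com"
)

def parse_auth_results(value):
    """Return (authserv_id, [{'method', 'result', 'props'}, ...])."""
    value = re.sub(r"\([^()]*\)", " ", value)          # drop (comments)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method, "result": result, "props": props})
    return parts[0], results

def domain_of(identity):
    return identity.rsplit("@", 1)[-1].lower()

def aligned(domain, from_domain):
    # Simplified relaxed alignment: same domain or a subdomain of it.
    return domain == from_domain or domain.endswith("." + from_domain)

def explain_dmarc(value):
    """List each SPF/DKIM identity and whether it aligns with header.from."""
    _, results = parse_auth_results(value)
    from_domain = next(r["props"]["header.from"]
                       for r in results if r["method"] == "dmarc").lower()
    findings = []
    for r in results:
        if r["method"] == "dkim":
            ident = r["props"].get("header.i") or r["props"].get("header.d", "")
        elif r["method"] == "spf":
            ident = r["props"].get("smtp.mail") or r["props"].get("smtp.mailfrom", "")
        else:
            continue
        dom = domain_of(ident)
        findings.append((r["method"], dom, r["result"], aligned(dom, from_domain)))
    # DMARC needs at least one mechanism that both passes and aligns.
    dmarc_pass = any(res == "pass" and ok for _, _, res, ok in findings)
    return findings, dmarc_pass

if __name__ == "__main__":
    findings, ok = explain_dmarc(AUTH_RESULTS)
    for method, dom, res, is_aligned in findings:
        print(f"{method:4} {dom:34} {res:8} aligned={is_aligned}")
    print("dmarc:", "pass" if ok else "fail")
```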

Re: Google thinks GNHLUG is spam now

2015-07-29 Thread Ben Scott
I accidentally sent a previous reply to the wrong address, which
resulted in a thread getting copied to -discuss mid-thread.  Sorry for
the confusion.  But, since we're here:

On Wed, Jul 29, 2015 at 12:07 PM, Bill Ricker  wrote:
> I suspect Gmail is objecting to receiving mail with sender=gmail.com from 
> outside.

  I've found that messages sent from non-Google systems, using a
non-Google address, to a GNHLUG address, on the GNHLUG server (not
hosted with Google), which are then relayed to a @gmail.com address,
are getting tagged with a "Spam" label in Gmail.  The originating
domains do *not* have SPF records.

  So it's not that we're claiming to be Google.  Not just that, anyway.

  My guess for most likely possibility is our new host gave us an IP
address that had previously been a source of abuse.  That is a common
problem with the near-instant-provisioning available these days.  That
would explain why everything was fine until we changed servers.

  Possibly contributing is the fact that we are relaying mail for a
domain not us.  (That is, mail comes from @example.com, goes through a
server at gnhlug.org, and is then given to @gmail.com.)  Google has no
way of knowing the mail we are claiming is from example.com is legit.

  I don't think it's just the latter, as things have been fine this
way for years.  But it's possible the relaying is contributing to a
spam score, and the IP address change also increased that score, and
in total, we've crossed a threshold.

-- Ben


Re: Google thinks GNHLUG is spam now

2015-07-29 Thread Bill Ricker
> Is there an SPF record?
>

With GMAIL "Show Original" i see

> Received-SPF: pass (google.com: domain of
> gnhlug-discuss-boun...@mail.gnhlug.org designates 104.131.202.47 as
> permitted sender) client-ip=104.131.202.47;
> Authentication-Results: mx.google.com; spf=pass (google.com: domain of
> gnhlug-discuss-boun...@mail.gnhlug.org designates 104.131.202.47 as
> permitted sender)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com;
> s=20120113;

and no indication of why Spam was triggered.

I have a filter that pulls Mailing list posts out of Spam folder, and Gmail
reports

*This message was not sent to Spam because of a filter you created.*

on Ben's message (@gmail) but not on MadDog's (@comcast). Looks rather like
how it treats YAHOO Strict DKIM.  I suspect Gmail is objecting to receiving
mail with sender=gmail.com from outside.  Lists probably need a bit more
header re-writing to make it happy - or they need to be smarter to see that
yes, we did send that to the list, and it's back.

-- 
Bill Ricker
bill.n1...@gmail.com
https://www.linkedin.com/in/n1vux


Re: Google thinks GNHLUG is spam now

2015-07-29 Thread mad...@li.org
Ben,

>Gee, thanks.  Keep right on not being evil, GOOG.

Welcome to "the cloud".

md

- Original Message -
On Wed, Jul 29, 2015 at 10:32 AM, Greg Rundlett (freephile)
 wrote:
> Is there an SPF record?

  That would depend on the sending domain.

  For at least one of the affected messages, there is no SPF record
for the sending domain, and Google's added mail headers correctly
reflect that.

  Remember, this is a list server, and AFAIK, SPF has no good
mechanism to handle relaying.  DKIM does, IIRC, but we don't have DKIM
configured.  Never needed to.

  The only things that should have changed are the name and the IP
address.  (I suppose I could tell the new server to call itself
liberty and change DNS to match, and then the only change would be the
IP address.  Hmmm.)

  I found a form at Google for senders to report trouble.  They say,
"Thank you for your report. We will investigate this issue and take
the necessary steps to resolve it. We will contact you if we need more
details; however, you will not receive a response or email
acknowledgment of your submission."  Gee, thanks.  Keep right on not
being evil, GOOG.

-- Ben


Re: Google thinks GNHLUG is spam now

2015-07-29 Thread Ben Scott
On Wed, Jul 29, 2015 at 10:32 AM, Greg Rundlett (freephile)
 wrote:
> Is there an SPF record?

  That would depend on the sending domain.

  For at least one of the affected messages, there is no SPF record
for the sending domain, and Google's added mail headers correctly
reflect that.

  Remember, this is a list server, and AFAIK, SPF has no good
mechanism to handle relaying.  DKIM does, IIRC, but we don't have DKIM
configured.  Never needed to.

  The only things that should have changed are the name and the IP
address.  (I suppose I could tell the new server to call itself
liberty and change DNS to match, and then the only change would be the
IP address.  Hmmm.)

  I found a form at Google for senders to report trouble.  They say,
"Thank you for your report. We will investigate this issue and take
the necessary steps to resolve it. We will contact you if we need more
details; however, you will not receive a response or email
acknowledgment of your submission."  Gee, thanks.  Keep right on not
being evil, GOOG.

-- Ben