Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
Hi,

I may have missed some topic, but why doesn't SRS (http://en.wikipedia.org/wiki/Sender_Rewriting_Scheme) come to the rescue here? Isn't it its original purpose?

Re-signing outgoing messages with the messaging server's own DKIM key. Seems to be available by setting up mm_cfg.py:

- ALLOW_FROM_IS_LIST = Yes
- REMOVE_DKIM_HEADERS = Yes
- FROM_IS_LIST = 1

Did I miss something?

Regards,
Sylvain.

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Fri, Apr 18, 2014 at 09:26:28AM +0200, Sylvain Viart wrote:
> Hi,
>
> I may have missed some topic, but why doesn't SRS (http://en.wikipedia.org/wiki/Sender_Rewriting_Scheme) come to the rescue here? Isn't it its original purpose?
>
> Re-signing outgoing messages with the messaging server's own DKIM key. Seems to be available by setting up mm_cfg.py:
>
> - ALLOW_FROM_IS_LIST = Yes
> - REMOVE_DKIM_HEADERS = Yes
> - FROM_IS_LIST = 1
>
> Did I miss something?

SRS rewrites the *envelope* sender. My understanding is that the YAHOO DKIM uses the From: header, not the envelope sender.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include std_disclaimer.h
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 18/04/2014 09:41, Alain Williams wrote:
>> I may have missed some topic, but why doesn't SRS (http://en.wikipedia.org/wiki/Sender_Rewriting_Scheme) come to the rescue here?
>
> SRS rewrites the *envelope* sender. My understanding is that the YAHOO DKIM uses the From: header, not the envelope sender.

Oh I see. Thanks. So to use mail header terminology, only the Return-path: is modified, not the From:

Is this related to DMARC in general? Maybe not corrected by SRS, because DMARC is more recent than SRS…

Or is this Yahoo challenging with a somewhat too strong configuration? I mean, did they configure to specifically check the From: header?

Regards,
Sylvain.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
Sylvain Viart writes:
> On 18/04/2014 09:41, Alain Williams wrote:
>>> I may have missed some topic, but why doesn't SRS (http://en.wikipedia.org/wiki/Sender_Rewriting_Scheme) come to the rescue here?
>>
>> SRS rewrites the *envelope* sender. My understanding is that the YAHOO DKIM uses the From: header, not the envelope sender.
>
> Oh I see. Thanks. So to use mail header terminology, only the Return-path: is modified, not the From:

No, the envelope sender often does end up in Return-Path, but it need not. The envelope sender is the entity in the SMTP MAIL FROM command, not anything in the headers.

> Is this related to DMARC in general?

Yes. DMARC is designed to work with From alignment, that is, authenticating the domain in the From header. It *can* also authenticate the mailbox using DKIM, but there's no guarantee that a third party can see. The reason for this is that the DMARC authors are concerned about phishing, which basically works by sending a fake From. Therefore they want to ensure that only the real domain can send From that domain.

> Maybe not corrected by SRS, because DMARC is more recent than SRS…

They're completely unrelated.

> Or is this Yahoo challenging with a somewhat too strong configuration?

Yahoo is following the DMARC standard. They don't believe it is too strong. See above.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Apr 15, 2014, at 2:11 PM, Jim Popovitch jim...@gmail.com wrote:
> On Tue, Apr 15, 2014 at 2:05 PM, Lindsay Haisley fmo...@fmp.com wrote:
>> On Tue, 2014-04-15 at 12:38 -0400, Jim Popovitch wrote:
>>> Just to be clear, all those domains (other than yahoo.com) will bounce email to you if your list sends out an email from a yahoo.com subscriber. It's not the case that you need to prevent all those other domains (AOL/MSN/etc) from posting, just don't allow yahoo.com addresses to post to the list.
>>
>> So just to be clear, putting a damper on this at this point requires _only_ that posts from yahoo.com be blocked from posting to a list. Is this correct? This can be done by selectively unsubscribing (or moderating) current yahoo.com users and adding ^.*@yahoo\.com to the ban_list of addresses banned from membership going forward.
>>
>> Should some other ESP start publishing advisory DMARC records then said ESP would need to be added to the ban_list as well. Am I correct in this?
>
> You don't need to ban yahoo members, you just most likely don't want them posting. As of right now, today, you should prevent yahoo.com addrs from posting to your lists. Of course that could all change tomorrow if Hotmail published a dmarc p=reject record. However, given the yahoo fallout, I think it will be a while before we see any more of these kinds of shenanigans. I'm still predicting that yahoo pulls their dmarc record (unless of course they are getting out of the end-user email biz)

So it really doesn’t affect domain email hosted by Yahoo such as att.net, sbcglobal.net, ymail.com, etc? Yahoo has not added a dmarc p=reject record for email from these domains?

-Conrad

--
The truth shall make you free.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 04/15/2014 06:50 PM, Conrad G T Yoder wrote:
> So it really doesn’t affect domain email hosted by Yahoo such as att.net, sbcglobal.net, ymail.com, etc? Yahoo has not added a dmarc p=reject record for email from these domains?

Short answer: That's correct.

Long answer:

mark@Notebook-09:~$ dig +short txt _dmarc.ymail.com
v=DMARC1\; p=none\; pct=100\; rua=mailto:dmarc-yahoo-...@yahoo-inc.com\;;
mark@Notebook-09:~$ dig +short txt _dmarc.sbcglobal.net
mark@Notebook-09:~$ dig +short txt _dmarc.att.net
mark@Notebook-09:~$

The above means that ymail.com publishes a DMARC p=none policy and sbcglobal.net and att.net publish no DMARC policy at all, so while those domains may honor the DMARC policy of the From: domain for incoming mail, mail From: those domains is currently unaffected.

Note that ymail.com does request aggregate reports to be sent to dmarc-yahoo-...@yahoo-inc.com which means that failures will be reported even if they don't affect mail delivery.

Note also, that sec 6 of the draft DMARC specification https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/ says in part:

    Mail Receivers MAY choose to reject or quarantine email even if email passes the DMARC mechanism check. ... Mail Receivers MAY choose to accept email that fails the DMARC mechanism check even if the Domain Owner has published a reject policy.

so no one is REQUIRED to honor DMARC policy, and even domains which publish a DMARC policy are free to ignore the DMARC policy that should apply and accept, reject or quarantine any particular incoming message for other reasons.

--
Mark Sapiro m...@msapiro.net            The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
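The dig answers in the message above can be read mechanically. This is an added example, not part of the original message and not Mailman code: a small Python parser for a `_dmarc` TXT record in the form dig prints it, reporting whether list mail carrying that From: domain is at risk. The sample records and the `example.com` report address are constructed.

```python
# Added example. The sample records are constructed; only their shape follows
# the dig output quoted in the message above.
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    if not txt or not txt.strip():
        return None                          # empty dig answer: nothing published
    # dig prints TXT data quoted, with semicolons backslash-escaped.
    record = txt.strip().strip('"').replace("\\;", ";")
    names, tags = [], {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                         # tolerate trailing or doubled ';'
        name, sep, value = part.partition("=")
        if not sep:
            return None                      # not tag=value syntax
        name = name.strip().lower()
        names.append(name)
        tags.setdefault(name, value.strip())  # first occurrence of a tag wins
    if not names or names[0] != "v" or tags["v"] != "DMARC1":
        return None                          # e.g. an SPF record, not DMARC
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return None                          # this example treats a bad p= as unusable
    tags["p"] = policy
    return tags


def list_impact(txt):
    """Summarise what a From: domain's record means for list mail with that From:."""
    tags = parse_dmarc(txt)
    if tags is None:
        return {"policy": None, "delivery_at_risk": False, "reports_requested": False}
    try:
        pct = int(tags.get("pct", "100"))    # share of mail the policy applies to
    except ValueError:
        pct = 100
    return {
        "policy": tags["p"],
        # p=none only asks for reports; quarantine/reject can cost deliveries.
        "delivery_at_risk": tags["p"] != "none" and pct > 0,
        "reports_requested": "rua" in tags or "ruf" in tags,
    }


# Constructed samples.
REPORT_ONLY = r"v=DMARC1\; p=none\; pct=100\; rua=mailto:reports@example.com\;;"
REJECT = '"v=DMARC1; p=reject; rua=mailto:reports@example.com"'
NO_RECORD = ""                               # dig printed nothing
NOT_DMARC = '"v=spf1 -all"'                  # some other TXT record

if __name__ == "__main__":
    for label, txt in [("report-only", REPORT_ONLY), ("reject", REJECT),
                       ("no record", NO_RECORD), ("not dmarc", NOT_DMARC)]:
        print(label, list_impact(txt))
```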
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
Jim Popovitch writes:
> On Tue, Apr 15, 2014 at 12:13 AM, Stephen J. Turnbull step...@xemacs.org wrote:
>> Jim Popovitch writes:
>>> Bingo! The dmarc folks (many of whom are IETF participants) ignored and performed an end-run around the standards process.
>>
>> Not really. The basic protocols (SPF and DKIM) are RFCs, and that's really what the IETF process is for.
>
> Interoperability and functionality is what a standards body is for.

But interoperability and functionality of *what*? The IETF's mission is to define the interpretation of what comes off the wire, so that parties who have never met can communicate reliably. It's not to tell you not to send advertisements by SMTP or NNTP. It's not to tell you who you can trust to make your accept/reject decisions on Internet messages.

> DMARC is a system that allows 1st parties to announce to 3rd parties what to do with something delivered by a 2nd party, all without any standards or feedback/care for the 2nd party.

Well, yes, that's what transparent protocols like SMTP + DNS MX are all about. The MX doesn't need to know what the sender wants the recipient to do with the message, it just forwards it. If you don't want to be screwed as a second party, don't participate. And that's what your patch does. Right? Right! *Exactly* right! :-)

But back to the MX example. xemacs.org is an oldish domain (registered in 1995, I think) with a *lot* of email addresses out in public on the web. So one of our secondary MXes backed out on us because most of the spam they were seeing was destined for us, and they didn't want anything that translated to their domain in our Received headers if it was going to go into a spam database somewhere. It was also getting to be a significant fraction of traffic to their MTA. I can't blame them! Given their situation, I think that was the right thing to do. We managed to get along.

So IMHO the point of the RFC process is to make it easy for those who *want* to cooperate to do so. It's not to force anybody to cooperate with anybody else.

> It sits atop 2 standards that were never intended for the purpose (rfc5322.From blocking) they are being used for.

So what? Who cares about *intention*? As Lindsay pointed out, you can always use it for something else (even if it's not broken!) The question is were DKIM and SPF designed to accomplish the purpose of authenticating From well? IMO, probably not -- they are sender, not author, authentication.

Does it make sense to pay attention to DMARC reject? I think not -- so it's a damn good thing it's not an RFC! I really wouldn't want to be in the position of criticizing Google for RFC non-conformance if they decided to ignore Yahoo! rejects.[1] ;-)

My point is not to defend what Yahoo! did, or the DMARC standard. Simply that *policies* about when to emit/respect DMARC reject and ruf are out of scope for specification by RFC.

Footnotes:
[1] Which I actually think might be a strategically good move for them. Don't break the world! Use Gmail and get your bank on the 'Gold Key' program!
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
Keith Bierman wrote:
> The obvious downside is that reply to poster stops working

It doesn't in the From: Munging/Message wrapping feature in Mailman 2.1.16+. The poster's From: is merged into her possibly empty Reply-To:.

--
Mark Sapiro m...@msapiro.net            The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 04/14/2014 09:19 PM, Lindsay Haisley wrote:
> FWIW, here's a list of the DNs of subscriber addresses that got unsubscribed last week from one of FMP's lists, ostensibly as a result of the DMARC issue:
>
> yahoo.com
> hotmail.com
> comcast.net
> bellsouth.net
> att.net
> cityofgastonia.com
> fronteirnet.net
> sbcglobal.net

Add to that list:

aol.com
compuserve.com
msn.com
netscape.net
pacbell.net

See https://mail.python.org/pipermail/mailman-users/2014-April/076403.html.

--
Mark Sapiro m...@msapiro.net            The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
Seriously? AOL/MSN as well? My users are going to be pissed. Who’s going to blink first here?

-Conrad

--
Is there a suspect in your family? Contact the Ministry of Information. Ring 100 00 00.

On Apr 15, 2014, at 9:04 AM, Mark Sapiro m...@msapiro.net wrote:
> On 04/14/2014 09:19 PM, Lindsay Haisley wrote:
>> FWIW, here's a list of the DNs of subscriber addresses that got unsubscribed last week from one of FMP's lists, ostensibly as a result of the DMARC issue:
>>
>> yahoo.com
>> hotmail.com
>> comcast.net
>> bellsouth.net
>> att.net
>> cityofgastonia.com
>> fronteirnet.net
>> sbcglobal.net
>
> Add to that list:
>
> aol.com
> compuserve.com
> msn.com
> netscape.net
> pacbell.net
>
> See https://mail.python.org/pipermail/mailman-users/2014-April/076403.html.
>
> --
> Mark Sapiro m...@msapiro.net            The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Tue, Apr 15, 2014 at 12:35 PM, Conrad G T Yoder cgtyo...@alum.mit.edu wrote:
> Seriously? AOL/MSN as well? My users are going to be pissed.

Just to be clear, all those domains (other than yahoo.com) will bounce email to you if your list sends out an email from a yahoo.com subscriber. It's not the case that you need to prevent all those other domains (AOL/MSN/etc) from posting, just don't allow yahoo.com addresses to post to the list.

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
Ok, thanks for the clarification. I thought Mark was saying that these had implemented the DMARC rules as well.

-Conrad

--
DO NOT FOLD, SPINDLE, MUTILATE

On Apr 15, 2014, at 12:38 PM, Jim Popovitch jim...@gmail.com wrote:
> On Tue, Apr 15, 2014 at 12:35 PM, Conrad G T Yoder cgtyo...@alum.mit.edu wrote:
>> Seriously? AOL/MSN as well? My users are going to be pissed.
>
> Just to be clear, all those domains (other than yahoo.com) will bounce email to you if your list sends out an email from a yahoo.com subscriber. It's not the case that you need to prevent all those other domains (AOL/MSN/etc) from posting, just don't allow yahoo.com addresses to post to the list.
>
> -Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Tue, Apr 15, 2014 at 12:43 PM, Conrad G T Yoder cgtyo...@alum.mit.edu wrote:
> Ok, thanks for the clarification. I thought Mark was saying that these had implemented the DMARC rules as well.

Well, technically they have implemented the DMARC rules. Yahoo.com publishes a dmarc record (dig +short txt _dmarc.yahoo.com), all those others check it and respect it.

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
Yes, sorry for my sloppy language. I appreciate the clarification.

-Conrad

On April 15, 2014 9:49:55 AM PDT, Jim Popovitch jim...@gmail.com wrote:
> On Tue, Apr 15, 2014 at 12:43 PM, Conrad G T Yoder cgtyo...@alum.mit.edu wrote:
>> Ok, thanks for the clarification. I thought Mark was saying that these had implemented the DMARC rules as well.
>
> Well, technically they have implemented the DMARC rules. Yahoo.com publishes a dmarc record (dig +short txt _dmarc.yahoo.com), all those others check it and respect it.
>
> -Jim P.

--
Sent from a tiny keyboard and auto-corrected.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Tue, 2014-04-15 at 12:38 -0400, Jim Popovitch wrote:
> Just to be clear, all those domains (other than yahoo.com) will bounce email to you if your list sends out an email from a yahoo.com subscriber. It's not the case that you need to prevent all those other domains (AOL/MSN/etc) from posting, just don't allow yahoo.com addresses to post to the list.

So just to be clear, putting a damper on this at this point requires _only_ that posts from yahoo.com be blocked from posting to a list. Is this correct? This can be done by selectively unsubscribing (or moderating) current yahoo.com users and adding ^.*@yahoo\.com to the ban_list of addresses banned from membership going forward.

Should some other ESP start publishing advisory DMARC records then said ESP would need to be added to the ban_list as well. Am I correct in this?

--
Lindsay Haisley       | UNIX is user-friendly, it just
FMP Computer Services | chooses its friends.
512-259-1190          | -- Andreas Bogk
http://www.fmp.com    |
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Tue, Apr 15, 2014 at 2:05 PM, Lindsay Haisley fmo...@fmp.com wrote:
> On Tue, 2014-04-15 at 12:38 -0400, Jim Popovitch wrote:
>> Just to be clear, all those domains (other than yahoo.com) will bounce email to you if your list sends out an email from a yahoo.com subscriber. It's not the case that you need to prevent all those other domains (AOL/MSN/etc) from posting, just don't allow yahoo.com addresses to post to the list.
>
> So just to be clear, putting a damper on this at this point requires _only_ that posts from yahoo.com be blocked from posting to a list. Is this correct? This can be done by selectively unsubscribing (or moderating) current yahoo.com users and adding ^.*@yahoo\.com to the ban_list of addresses banned from membership going forward.
>
> Should some other ESP start publishing advisory DMARC records then said ESP would need to be added to the ban_list as well. Am I correct in this?

You don't need to ban yahoo members, you just most likely don't want them posting. As of right now, today, you should prevent yahoo.com addrs from posting to your lists. Of course that could all change tomorrow if Hotmail published a dmarc p=reject record. However, given the yahoo fallout, I think it will be a while before we see any more of these kinds of shenanigans. I'm still predicting that yahoo pulls their dmarc record (unless of course they are getting out of the end-user email biz)

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Tue, Apr 15, 2014 at 2:05 PM, Lindsay Haisley fmo...@fmp.com wrote:
> So just to be clear, putting a damper on this at this point requires _only_ that posts from yahoo.com be blocked from posting to a list. Is this correct? This can be done by selectively unsubscribing (or moderating) current yahoo.com users and adding ^.*@yahoo\.com to the ban_list of addresses banned from membership going forward.

That's a bit bloodthirsty! I like that! :-)

Seriously, if people want to read their list mail at Yahoo, that's not a technical problem. I would class banning subscriptions as harassment.

> Should some other ESP start publishing advisory DMARC records then said ESP would need to be added to the ban_list as well.

To be precise, almost certainly all of the services on Mark's list do publish advisory records; they just don't include the p=reject option. For privacy advocates, this means that they *may* get failure-to-authenticate reports, which *may* contain full mail text (remember, this is for spam-fighting).

Jim Popovitch writes:
> However, given the yahoo fallout, I think it will be a while before we see any more of these kinds of shenanigans. I'm still predicting that yahoo pulls their dmarc record

I suspect they will, too. I already have four students who are switching away from yahoo because of this (they're not even on my mailing lists yet, I'm adding them now!)

Steve
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 16 Apr 2014, at 4:05 am, Lindsay Haisley fmo...@fmp.com wrote:
> So just to be clear, putting a damper on this at this point requires _only_ that posts from yahoo.com be blocked from posting to a list. Is this correct? This can be done by selectively unsubscribing (or moderating) current yahoo.com users and adding ^.*@yahoo\.com to the ban_list of addresses banned from membership going forward.
>
> Should some other ESP start publishing advisory DMARC records then said ESP would need to be added to the ban_list as well.

Does yahoo allow people to use their own domain names with yahoo mail? I.e. is it good enough to just look at the subscriber's email address?

Peter Shute
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Tue, Apr 15, 2014 at 4:17 PM, Peter Shute psh...@nuw.org.au wrote:
> On 16 Apr 2014, at 4:05 am, Lindsay Haisley fmo...@fmp.com wrote:
>> So just to be clear, putting a damper on this at this point requires _only_ that posts from yahoo.com be blocked from posting to a list. Is this correct? This can be done by selectively unsubscribing (or moderating) current yahoo.com users and adding ^.*@yahoo\.com to the ban_list of addresses banned from membership going forward.
>>
>> Should some other ESP start publishing advisory DMARC records then said ESP would need to be added to the ban_list as well.
>
> Does yahoo allow people to use their own domain names with yahoo mail? I.e. is it good enough to just look at the subscriber's email address?

Yes, via Yahoo's small biz portal. That said, those domains would be responsible for publishing (or not) their own dmarc record.

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 16 Apr 2014, at 6:23 am, Jim Popovitch jim...@gmail.com wrote:
> On Tue, Apr 15, 2014 at 4:17 PM, Peter Shute psh...@nuw.org.au wrote:
>> On 16 Apr 2014, at 4:05 am, Lindsay Haisley fmo...@fmp.com wrote:
>>> So just to be clear, putting a damper on this at this point requires _only_ that posts from yahoo.com be blocked from posting to a list. Is this correct? This can be done by selectively unsubscribing (or moderating) current yahoo.com users and adding ^.*@yahoo\.com to the ban_list of addresses banned from membership going forward.
>>>
>>> Should some other ESP start publishing advisory DMARC records then said ESP would need to be added to the ban_list as well.
>>
>> Does yahoo allow people to use their own domain names with yahoo mail? I.e. is it good enough to just look at the subscriber's email address?
>
> Yes, via Yahoo's small biz portal. That said, those domains would be responsible for publishing (or not) their own dmarc record.

Although it doesn't contribute to the discussion, I'd like to say that I'm very relieved to hear that those addresses won't be affected.

Peter Shute
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Tue, Apr 15, 2014 at 9:50 PM, Conrad G T Yoder con...@yoders.org wrote:
> On Apr 15, 2014, at 2:11 PM, Jim Popovitch jim...@gmail.com wrote:
>> On Tue, Apr 15, 2014 at 2:05 PM, Lindsay Haisley fmo...@fmp.com wrote:
>>> On Tue, 2014-04-15 at 12:38 -0400, Jim Popovitch wrote:
>>>> Just to be clear, all those domains (other than yahoo.com) will bounce email to you if your list sends out an email from a yahoo.com subscriber. It's not the case that you need to prevent all those other domains (AOL/MSN/etc) from posting, just don't allow yahoo.com addresses to post to the list.
>>>
>>> So just to be clear, putting a damper on this at this point requires _only_ that posts from yahoo.com be blocked from posting to a list. Is this correct? This can be done by selectively unsubscribing (or moderating) current yahoo.com users and adding ^.*@yahoo\.com to the ban_list of addresses banned from membership going forward.
>>>
>>> Should some other ESP start publishing advisory DMARC records then said ESP would need to be added to the ban_list as well. Am I correct in this?
>>
>> You don't need to ban yahoo members, you just most likely don't want them posting. As of right now, today, you should prevent yahoo.com addrs from posting to your lists. Of course that could all change tomorrow if Hotmail published a dmarc p=reject record. However, given the yahoo fallout, I think it will be a while before we see any more of these kinds of shenanigans. I'm still predicting that yahoo pulls their dmarc record (unless of course they are getting out of the end-user email biz)
>
> So it really doesn’t affect domain email hosted by Yahoo such as att.net, sbcglobal.net, ymail.com, etc? Yahoo has not added a dmarc p=reject record for email from these domains?

Correct. But that could all change tomorrow if they do add dmarc records for those domains.

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Tue, 2014-04-15 at 21:58 -0400, Jim Popovitch wrote:

> Correct. But that could all change tomorrow if they do add dmarc records for those domains.

This is a pretty big deal, and it's been a week or more since Yahoo pulled this stunt. What kind of blowback are they getting, and is there any indication that they're feeling the heat?

--
Lindsay Haisley       | SUPPORT NETWORK NEUTRALITY
FMP Computer Services | --
512-259-1190          | Boycott Yahoo, RoadRunner, AOL
http://www.fmp.com    | and Verison
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Tue, Apr 15, 2014 at 10:04 PM, Lindsay Haisley fmo...@fmp.com wrote:

> On Tue, 2014-04-15 at 21:58 -0400, Jim Popovitch wrote:
>> Correct. But that could all change tomorrow if they do add dmarc records for those domains.
>
> This is a pretty big deal, and it's been a week or more since Yahoo pulled this stunt. What kind of blowback are they getting, and is there any indication that they're feeling the heat?

They initially tried to defend it, but since then silence. I suspect they are trying to ride it out for now.

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
It finally occurred to me that this affects routine forwarding too. Even if you implement SRS on the envelope, the header From is left alone, as per RFC 5322.

It also affects a message from any of our users who authenticates with our user and password but prefers to send with a yahoo.com From line.

To sum it up, any message with a yahoo.com header From is poison unless you can deliver it locally to your own systems. This simplifies matters, since it means a milter should check for any outgoing message with /yahoo.com/ in the From. The simplest action to implement would be to bounce. I'm still pondering implementation.

That some other domain might implement the same approach as yahoo is a good point. It is best to generalize a problem.*

*unless you're selling updates to virus signatures!

Joseph Brennan
Manager, Email and Systems Applications
Columbia University Information Technology
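The check proposed in the message above, generalized from one hard-coded domain to any From: domain that publishes p=reject. This is an added example, not code from the thread or from Mailman. It assumes constructed domain names and TXT records, an in-memory table in place of DNS, and an organizational domain approximated by the last two labels (real code needs the Public Suffix List).

```python
from email.utils import getaddresses

# Constructed stand-in for TXT lookups at _dmarc.<domain>. A real filter would
# query DNS; these domains and records are made up for the example.
SAMPLE_TXT = {
    "_dmarc.strict.example": "v=DMARC1; p=reject; sp=none; rua=mailto:agg@strict.example",
    "_dmarc.monitor.example": "v=DMARC1; p=none",
}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if txt is not a DMARC record."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Assumption: the last two labels. Real code needs the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def published_policy(domain, lookup=SAMPLE_TXT.get):
    """Policy ('none', 'quarantine', 'reject') that applies to a From: domain."""
    domain = domain.lower().rstrip(".")
    record = parse_dmarc(lookup("_dmarc." + domain))
    if record is not None:
        return record.get("p", "none").lower()
    parent = org_domain(domain)
    if parent != domain:
        record = parse_dmarc(lookup("_dmarc." + parent))
        if record is not None:
            # A subdomain uses sp= when present and inherits p= otherwise.
            return record.get("sp", record.get("p", "none")).lower()
    return "none"


def from_domains(from_header):
    """Domains of the addresses in a From: header; display names are ignored."""
    return {addr.rsplit("@", 1)[1].lower()
            for _name, addr in getaddresses([from_header]) if "@" in addr}


def outbound_action(from_header, rcpt_domain, local_domains, lookup=SAMPLE_TXT.get):
    """Return 'deliver' or 'bounce' for one recipient of an outgoing message."""
    if rcpt_domain.lower() in local_domains:
        return "deliver"  # stays on our own systems, no remote DMARC check
    for domain in from_domains(from_header):
        if published_policy(domain, lookup) == "reject":
            return "bounce"
    return "deliver"


if __name__ == "__main__":
    local = {"campus.example"}
    for hdr, rcpt in [("Pat <pat@strict.example>", "elsewhere.example"),
                      ("Pat <pat@strict.example>", "campus.example"),
                      ('"strict.example fan" <kim@monitor.example>', "elsewhere.example")]:
        print(hdr, "->", rcpt, ":", outbound_action(hdr, rcpt, local))
```

Parsing the address rather than pattern-matching the whole header keeps a display name that merely mentions a p=reject domain from triggering a bounce.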
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 04/14/2014 06:46 AM, Joseph Brennan wrote:

> It finally occurred to me that this affects routine forwarding too. Even if you implement SRS on the envelope, the header From is left alone, as per RFC 5322.

Not necessarily. If the message is actually from Yahoo, it will be DKIM signed with d=yahoo.com, and if the forward doesn't break that sig, the message will pass DMARC.

> It also affects a message from any of our users who authenticates with our user and password but prefers to send with a yahoo.com From line.

Yes, this is exactly what DMARC is trying to prevent.

--
Mark Sapiro m...@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 04/13/2014 06:03 PM, Jim Popovitch wrote:

> On Sun, Apr 13, 2014 at 4:54 PM, Joseph Brennan bren...@columbia.edu wrote:
> Jim Popovitch jim...@gmail.com wrote:
> DMARC works off of SPF as well.
> Not really.
> DMARC checks alignment of *both* DKIM and SPF, if either is broken DMARC fails.

Nooo...If either one passes, DMARC passes.

> SPF does not check the From: header line, and that's where the troubles begin with DMARC. SPF checks sending IPs (of which your IPs won't match Yahoo's, thus breaking DMARC) Either an SPF failure or a DKIM failure will cause a DMARC rejection if p=reject.

Even if that were the case, which it is not, SPF should pass - since typically the list is the envelope sender.

--
Joe Sniderman joseph.snider...@thoroquel.org
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Mon, Apr 14, 2014 at 2:33 PM, Joe Sniderman joseph.snider...@thoroquel.org wrote:

> On 04/13/2014 06:03 PM, Jim Popovitch wrote:
> On Sun, Apr 13, 2014 at 4:54 PM, Joseph Brennan bren...@columbia.edu wrote:
> Jim Popovitch jim...@gmail.com wrote:
> DMARC works off of SPF as well.
> Not really.
> DMARC checks alignment of *both* DKIM and SPF, if either is broken DMARC fails.
> Nooo...If either one passes, DMARC passes.
> SPF does not check the From: header line, and that's where the troubles begin with DMARC. SPF checks sending IPs (of which your IPs won't match Yahoo's, thus breaking DMARC) Either an SPF failure or a DKIM failure will cause a DMARC rejection if p=reject.
> Even if that were the case, which it is not, SPF should pass - since typically the list is the envelope sender.

Yes! (maybe start reading threads from the bottom up?) :-)

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Mon, 2014-04-14 at 14:41 -0400, Jim Popovitch wrote:

> SPF does not check the From: header line, and that's where the troubles begin with DMARC. SPF checks sending IPs (of which your IPs won't match Yahoo's, thus breaking DMARC) Either an SPF failure or a DKIM failure will cause a DMARC rejection if p=reject.
> Even if that were the case, which it is not, SPF should pass - since typically the list is the envelope sender.
> Yes! (maybe start reading threads from the bottom up?) :-)

This is confusing. I have a list using the DN autoharp.org. The envelope sender is a VERP address with the recipient address embedded, but the DN is autoharp.org, which passes SPF based on the A record for it. The From header address is, of course, that of the author as per RFC. But we lost perhaps 10% of subscribers to the list based on DMARC rejection.

So what is being said here?

--
Lindsay Haisley       | Everything works if you let it
FMP Computer Services |
512-259-1190          | --- The Roadie
http://www.fmp.com    |
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Mon, Apr 14, 2014 at 3:16 PM, Lindsay Haisley fmo...@fmp.com wrote:

> So what is being said here?

When a yahoo poster sends an email to your list, that email is reflected to the rest of the other subscribers. Those other subscribers may or may not check yahoo's dmarc policy before accepting your list email. If they do reject your list message, then that equals 1 mailman bounce. After a few posts from yahoo members, the bounce scores increase and the other subscribers are unsubscribed.

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Apr 14, 2014, at 5:51 PM, Jim Popovitch jim...@gmail.com wrote:

> On Mon, Apr 14, 2014 at 3:16 PM, Lindsay Haisley fmo...@fmp.com wrote:
>> So what is being said here?
>
> When a yahoo poster sends an email to your list, that email is reflected to the rest of the other subscribers. Those other subscribers may or may not check yahoo's dmarc policy before accepting your list email. If they do reject your list message, then that equals 1 mailman bounce. After a few posts from yahoo members, the bounce scores increase and the other subscribers are unsubscribed.

I think most of us are clear on that point. Where I’m confused (and I’m thinking that’s what Lindsay is asking about) is where you said

> Yes! (maybe start reading threads from the bottom up?) :-)

in response to

> On Mon, Apr 14, 2014 at 2:33 PM, Joe Sniderman joseph.snider...@thoroquel.org wrote:
> On 04/13/2014 06:03 PM, Jim Popovitch wrote:
> On Sun, Apr 13, 2014 at 4:54 PM, Joseph Brennan bren...@columbia.edu wrote:
> Jim Popovitch jim...@gmail.com wrote:
> DMARC works off of SPF as well.
> Not really.
> DMARC checks alignment of *both* DKIM and SPF, if either is broken DMARC fails.
> Nooo...If either one passes, DMARC passes.
> SPF does not check the From: header line, and that's where the troubles begin with DMARC. SPF checks sending IPs (of which your IPs won't match Yahoo's, thus breaking DMARC) Either an SPF failure or a DKIM failure will cause a DMARC rejection if p=reject.
> Even if that were the case, which it is not, SPF should pass - since typically the list is the envelope sender.

To what are you saying “Yes”? With what are you agreeing?

—
Larry Stone lston...@stonejongleux.com
http://www.stonejongleux.com/
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Mon, Apr 14, 2014 at 7:28 PM, Larry Stone lston...@stonejongleux.com wrote:

> On Apr 14, 2014, at 5:51 PM, Jim Popovitch jim...@gmail.com wrote:
>> On Mon, Apr 14, 2014 at 3:16 PM, Lindsay Haisley fmo...@fmp.com wrote:
>>> So what is being said here?
>>
>> When a yahoo poster sends an email to your list, that email is reflected to the rest of the other subscribers. Those other subscribers may or may not check yahoo's dmarc policy before accepting your list email. If they do reject your list message, then that equals 1 mailman bounce. After a few posts from yahoo members, the bounce scores increase and the other subscribers are unsubscribed.
>
> I think most of us are clear on that point. Where I’m confused (and I’m thinking that’s what Lindsay is asking about) is where you said
>
>> Yes! (maybe start reading threads from the bottom up?) :-)

Ahh, my Yes! post to Joe was because earlier in the day I had stated one thing about dmarc, and then Mark corrected me, and at that time I acknowledged Mark's correction. And then along comes Joe the next day, and he replied to my incorrect statement before he read my later post. In threaded message format, the bottom post would generally be the latest post, thus my comment.

Back to DMARC, one thing that wasn't clearly stated earlier, wrt DKIM+SPF, Mailman breaking the DKIM because of header+body modifications. Whether or not a remote dmarc validation checks the SPF record (of the From: address) is dependent on the poster's dmarc aspf setting (which *may* tell receivers to honor the poster's DKIM *and* SPF record). So even passing the DKIM signed portion, unfettered, may still fail dmarc checks at a receiver, resulting in bounces (and of interest to privacy advocates, the failed dmarc check will most likely send a copy of the post onward to various other organizations listed in the dmarc rua and ruf records).

The only true ways to handle dmarc messages (imho) are to reject posts where the poster's domain clearly says to not forward (i.e. p=reject)... OR... totally wrap the poster's email as an attachment and change the From: to something under control of the mailinglist that is sending the email.

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Mon, Apr 14, 2014 at 5:54 PM, Jim Popovitch jim...@gmail.com wrote:

> The only true ways to handle dmarc messages (imho) are to reject posts where the poster's domain clearly says to not forward (i.e. p=reject)... OR... totally wrap the poster's email as an attachment and change the From: to something under control of the mailinglist that is sending the email.

Well, my non-mail expert opinion for whatever it might be worth.

While the process of revising the RFC should have been followed, it does seem that they are trying to solve a real problem. Mail should come from who it says it comes from, not make it trivial to pretend to be someone one isn't.

So why not adopt a standard where the *sender* is always the list? The obvious downside is that reply to poster stops working, but do these security tools care if the reply-to is different from sender? if the list default is reply to poster set the reply to as the original sender, but correctly identify the message as coming from the mail server automation ... not the original sender.

Other than noncompliance to the existing RFC(s), what am I missing?

Keith Bierman khb...@gmail.com kbiermank AIM 303 997 2749
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Mon, Apr 14, 2014 at 8:55 PM, Keith Bierman khb...@gmail.com wrote:

> While the process of revising the RFC should have been followed, it does seem that they are trying to solve a real problem.

Bingo! The dmarc folks (many of who are IETF participants) ignored and performed an end-run around the standards process.

> Mail should come from who it says it comes from, not make it trivial to pretend to be someone one isn't.

It is. I am sending you this email via the list. It contains my words, and no way conveys the responsibility, nor does it delegate the ownership, to the list.

> So why not adopt a standard where the *sender* is always the list? The obvious downside is that reply to poster stops working, but do these security tools care if the reply-to is different from sender? if the list default is reply to poster set the reply to as the original sender, but correctly identify the message as coming from the mail server automation ... not the original sender.

Reply-to is more of a client initiated setting. Mailman works off of Return-Path, and then there is also a formal RFC defined Sender header. Dmarc designers choose to ignore these well defined RFC email headers and, independently of any standards process, choose to focus solely on the From header. After all, RFC 5322 is only 8 years old, not the decades that the dmarc folks would like people to think.

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 04/14/2014 12:16 PM, Lindsay Haisley wrote:

> This is confusing. I have a list using the DN autoharp.org. The envelope sender is a VERP address with the recipient address embedded, but the DN is autoharp.org, which passes SPF based on the A record for it. The From header address is, of course, that of the author as per RFC. But we lost perhaps 10% of subscribers to the list based on DMARC rejection.

Yes, your SPF is valid, but the domain of the envelope sender (autoharp.org) which is what the SPF deals with does not 'align with' (DMARC standard words) the domain of the From: (yahoo.com). Thus your SPF says your server is allowed to send mail with envelope from autoharp.org, not yahoo.com, so it doesn't count for DMARC validation of mail From: yahoo.com.

--
Mark Sapiro m...@msapiro.net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
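The alignment rule explained in the message above, carried through the cases this thread discusses: direct delivery, a list that keeps the author's From:, a forward that leaves the signature intact, and a list that puts its own address in From:. This is an added example, not code from the thread or from Mailman. The SPF and DKIM outcomes are constructed inputs, and the organizational domain is approximated by the last two labels (real code needs the Public Suffix List).

```python
from dataclasses import dataclass, field


@dataclass
class AuthResults:
    """What a receiver knows about one message after its SPF and DKIM checks."""
    header_from: str            # domain of the RFC 5322 From: address
    mail_from: str              # domain of the envelope sender, the SPF identity
    spf_pass: bool              # did SPF authorize the sending IP for mail_from?
    dkim: list = field(default_factory=list)  # (d= domain, signature verified?)


def org_domain(domain):
    """Assumption: the last two labels. Real code needs the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(res, aspf="r", adkim="r"):
    """A pass needs one mechanism that both passes and aligns with From:."""
    spf_ok = res.spf_pass and aligned(res.mail_from, res.header_from, aspf)
    dkim_ok = any(ok and aligned(d, res.header_from, adkim) for d, ok in res.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


def scenarios():
    """Constructed results for a post by a yahoo.com author to an autoharp.org list."""
    cases = {
        # Sent straight from the author's provider to the recipient.
        "direct": AuthResults("yahoo.com", "yahoo.com", True,
                              [("yahoo.com", True)]),
        # List keeps the author's From: and modifies the message, so the
        # author's signature no longer verifies. SPF passes for the list only.
        "list_from_kept": AuthResults("yahoo.com", "autoharp.org", True,
                                      [("yahoo.com", False)]),
        # Same, plus a valid signature by the list: it verifies, but its d=
        # domain does not align with From:.
        "list_resigned": AuthResults("yahoo.com", "autoharp.org", True,
                                     [("yahoo.com", False), ("autoharp.org", True)]),
        # Plain forward that leaves the signed headers and body untouched.
        "forward_intact": AuthResults("yahoo.com", "autoharp.org", True,
                                      [("yahoo.com", True)]),
        # List puts an address under its own domain in From:.
        "list_from_rewritten": AuthResults("autoharp.org", "autoharp.org", True,
                                           [("autoharp.org", True)]),
    }
    return {name: dmarc_evaluate(res) for name, res in cases.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
```

In the `list_from_kept` case SPF itself passes, yet it contributes nothing to the DMARC result because the domain it authenticated is the list's, not the author's.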
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 4/14/14, 8:55 PM, Keith Bierman wrote:

> On Mon, Apr 14, 2014 at 5:54 PM, Jim Popovitch jim...@gmail.com wrote:
>> The only true ways to handle dmarc messages (imho) are to reject posts where the poster's domain clearly says to not forward (i.e. p=reject)... OR... totally wrap the poster's email as an attachment and change the From: to something under control of the mailinglist that is sending the email.
>
> Well, my non-mail expert opinion for whatever it might be worth.
>
> While the process of revising the RFC should have been followed, it does seem that they are trying to solve a real problem. Mail should come from who it says it comes from, not make it trivial to pretend to be someone one isn't.
>
> So why not adopt a standard where the *sender* is always the list? The obvious downside is that reply to poster stops working, but do these security tools care if the reply-to is different from sender? if the list default is reply to poster set the reply to as the original sender, but correctly identify the message as coming from the mail server automation ... not the original sender.
>
> Other than noncompliance to the existing RFC(s), what am I missing?
>
> Keith Bierman khb...@gmail.com kbiermank AIM 303 997 2749

Actually, if you look in the header to a message from the list, it does say that the sender is the list (that is the contents of the Sender: header).

The Email RFC's define what the various headers are supposed to mean. From: is the person who ORIGINATED the message (that is not the list). Sender: is who put the email into the mail stream (which is the list).

Yes, there is a fundamental problem in identity confirmation with the internet, which is especially a problem with email. One partial solution is users should be using email programs that show them things like the Sender field, and some of these can be more easily checked.

Yes, the way things are set up, there is no way to say that a message isn't From a given person, as the system has no way built in to say that, but it can let you know that it was sent via some other 3rd party, and let you decide if it makes sense.

It makes sense for some companies (like banks) to say that all email from them will ALWAYS come via a specific set of paths. It doesn't make sense for a email provider for the public to say the same thing, especially AFTER the fact. It would be another thing if Yahoo, when it started, touted that it was offering an identity protection service where people could know your emails come from you, with the provision that you had to send all your email via their system and couldn't post to mailing list with that account.

--
Richard Damon
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
Keith Bierman writes:

> While the process of revising the RFC should have been followed,

No revision of the RFC was made, and Yahoo! followed the RFC in updating its own DMARC policy. That's where DMARC sucks[tm].

> it does seem that they are trying to solve a real problem.

Perhaps.

> Mail should come from who it says it comes from, not make it trivial to pretend to be someone one isn't.

Well, maybe. But DMARC doesn't solve that problem. It's still trivial to pretend to be someone you aren't. Just get an address at Yahoo!

I suppose what you mean is phishing, ie, pretending to be a specific other someone. Well, if you want to be sure of identity, insist that your correspondents digitally sign their mail. Effective checks must be done in the MUAs because it's still very easy to spoof somebody (use Chase Bank chase-b...@0xdeadbeef.my, for example) even with DKIM or SPF.

What needs to be done to make this user-friendly is for the MUAs to provide a simple way to configure trusted partners such as your bank and your psychotherapist. The bank would probably be very easy (it uses DKIM so the MUA can check it). Web-based MUAs can do this for you (Google's Gold Key program). The personal relationship problem is harder, but basically you need a convenient way to distribute PGP public keys and add them to specific correspondent records. For licensed professionals, governments could maintain third-party authorization mechanisms a la OpenAuth.

> So why not adopt a standard where the *sender* is always the list?

Because Internet mail makes a specific distinction between *sender* and *author*. We already *have* a way to identify the *sender*, and we already *do* identify the list as the sender IIRC (Resent-* headers), and in most cases we do make it clear that the list is a list (RFC 2369 headers).

However, in their bottomless contempt for the average user, the DMARC authors chose to insist on authenticating the *author* with the *sender's* credentials because that's the best that can be done without cooperation from the recipient and her MUA.

> The obvious downside is that reply to poster stops working, but do these security tools care if the reply-to is different from sender? if the list default is reply to poster set the reply to as the original sender, but correctly identify the message as coming from the mail server automation ... not the original sender. Other than noncompliance to the existing RFC(s), what am I missing?

Nonconformance to RFCs means that you break all conforming implementations. Reply-To Munging Considered Harmful is just the start.

Internet governance is based on the RFC process. If you allow large companies to disregard RFCs for their convenience, they *will* break things badly. (Small companies will break things, too, but not so badly.)

Note that Yahoo! has initiated a denial of service attack on millions of innocent list subscribers. *This is not a one-time problem.* This will happen again every time a new domain changes its policy to reject, because even if we break *future* Mailman to conform to Yahoo!'s Brave New World, *past* Mailman installations will continue to exist and many of them will have taken stopgap measures (eg, moderating all Yahoo! subscribers). We have to take a stand against this kind of behavior.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Tue, 2014-04-15 at 12:33 +0900, Stephen J. Turnbull wrote:

> Note that Yahoo! has initiated a denial of service attack on millions of innocent list subscribers. *This is not a one-time problem.* This will happen again every time a new domain changes its policy to reject, because even if we break *future* Mailman to conform to Yahoo!'s Brave New World, *past* Mailman installations will continue to exist and many of them will have taken stopgap measures (eg, moderating all Yahoo! subscribers). We have to take a stand against this kind of behavior.

Well said, Stephen!

Having a presence in a number of different worlds, including the entertainment business, I frequently have had the opportunity to address the question on FB and elsewhere, what is the Internet? My answer is always that the Internet, at a fundamental level, is a collection of agreements on how things are going to work (coupled with some absolutely brilliant and foresighted CS technology). This agreement spanned government, corporate (large and small) and educational entities, and everyone realized that the whole could be greater than the sum of its parts, and behaved accordingly.

If history teaches us anything, it's that such social mindsets have a lifespan, and that the lifespan appears to be inversely proportional to the success of the model in which it flourished. In the long run, I think Murphy's Law and its 1st corollary offer a note of wisdom.

Law: If you play with anything long enough, it's gonna break.
Corollary: True, but there's always still something you can do with it.

--
Lindsay Haisley                  | The only unchanging
Autoharpist, musical entertainer | certainty is the
http://www.lindsayhaisley.com    | certainty of change
512-259-1190                     | Ancient wisdom - all cultures
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
Jim Popovitch writes:

> Bingo! The dmarc folks (many of who are IETF participants) ignored and performed an end-run around the standards process.

Not really. The basic protocols (SPF and DKIM) are RFCs, and that's really what the IETF process is for. What people (including bloated corporate people) choose to do with those protocols is really outside of the RFC process, just as use of SMTP to spam (under your own From, spoofing does violate the RFC :-) is outside of the RFC process.

That doesn't make what Yahoo! did right, but as much as I disagree with DMARC's basic philosophy, I don't really think DMARC is a subject for the RFC process. I just think it's a problem from the point of view of maintaining the integrity of the Internet.

> Dmarc designers choose to ignore these well defined RFC email headers and, independently of any standards process, choose to focus solely on the From header.

They do have a point. Some users are extremely susceptible to fraud. Believe it or not, in Japan there's a species of fraud where criminals call more or less random phone numbers, identify themselves as the victim's child or spouse with It's me. It's me! and continue by requesting money to get themselves out of some kind of jam. The victim takes cash to the specified meeting place, only to find that the jam got worse and so a friend was sent to pick up the money. This actually works to the tune of 15,000 victims and $200 million in a bad year. That's the model that DMARC has of Internet users, so it's natural that they would focus on From.

> After all, RFC 5322 is only 8 years old, not the decades that the dmarc folks would like people to think.

I haven't got that impression. I think they know what they're doing and have been quite forthright about it. They just are willing to hurt lots of people, break working mechanisms, and in the process undermine Internet governance, to reduce spam and phishing (which also hurt lots of people and break working mechanisms).

I'm not sure what the top people at Yahoo! are thinking, though. Conspiracy theories may well be in order there. I suspect they're thinking the same kind of thoughts that caused Microsoft to think that breaking backward compatibility with Office '97 or so was a good idea. I hope they pay a similar price.

Steve
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Mon, 2014-04-14 at 18:51 -0400, Jim Popovitch wrote:

> On Mon, Apr 14, 2014 at 3:16 PM, Lindsay Haisley fmo...@fmp.com wrote:
>> So what is being said here?
>
> When a yahoo poster sends an email to your list, that email is reflected to the rest of the other subscribers. Those other subscribers may or may not check yahoo's dmarc policy before accepting your list email. If they do reject your list message, then that equals 1 mailman bounce. After a few posts from yahoo members, the bounce scores increase and the other subscribers are unsubscribed.

FWIW, here's a list of the DNs of subscriber addresses that got unsubscribed last week from one of FMP's lists, ostensibly as a result of the DMARC issue:

yahoo.com
hotmail.com
comcast.net
bellsouth.net
att.net
cityofgastonia.com
fronteirnet.net
sbcglobal.net

There were about 76 addresses, most of which were yahoo.com or comcast.net addresses, with bellsouth.net coming in 3rd.

--
Lindsay Haisley       | Everything works if you let it
FMP Computer Services |
512-259-1190          | --- The Roadie
http://www.fmp.com    |
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Tue, Apr 15, 2014 at 12:13 AM, Stephen J. Turnbull step...@xemacs.org wrote:
> Jim Popovitch writes:
>> Bingo! The dmarc folks (many of whom are IETF participants) ignored and performed an end-run around the standards process.
>
> Not really. The basic protocols (SPF and DKIM) are RFCs, and that's really what the IETF process is for.

Interoperability and functionality is what a standards body is for. DMARC is a system that allows 1st parties to announce to 3rd parties what to do with something delivered by a 2nd party, all without any standards or feedback/care for the 2nd party. It sits atop 2 standards that were never intended for the purpose (rfc5322.From blocking) they are being used for.

-Jim P.
[Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
Hi -

Starting this week, I've discovered that emails sent from yahoo members on my mailing lists, are not getting delivered to other yahoo addresses on my mailing list, including the person who sent the message. My SMTP logs show that the message is getting rejected (see below).

I'm positive that the reason this is happening, is because I have my mailing list configured to preserve the original email address, in the From: line, while putting the mailing list address in the Reply-To: If I specify that the mailing list address should also be in the From: address, the messages get delivered.

I'm almost positive that Yahoo thinks that the message is spam, and rejecting it. This is based on the fact that the same yahoo posts, when sent to Gmail members, are getting delivered to the Gmail user's Spam folder. Gmail displays that the reason it's doing this, is that it can't verify that post is actually coming from yahoo. This is a bit absurd, IMHO. But at least the message is getting delivered! In the case of yahoo, they simply reject the message!

Apr 13 15:30:05 mail1 sendmail[6367]: s3DJU4jS006361: to=xxx...@yahoo.com, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=208395, relay=mta5.am0.yahoodns.net. [98.138.112.38], dsn=5.0.0, stat=Service unavailable

I would like to know if anyone else is seeing this behavior. I've tried 2 different mailing list servers, and I see the same behavior. Thanks.

- Mark
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Sun, Apr 13, 2014 at 3:48 PM, Mark London m...@psfc.mit.edu wrote:
> Hi -
>
> Starting this week, I've discovered that emails sent from yahoo members on my mailing lists, are not getting delivered to other yahoo addresses on my mailing list, including the person who sent the message. My SMTP logs show that the message is getting rejected (see below).
>
> I'm positive that the reason this is happening, is because I have my mailing list configured to preserve the original email address, in the From: line, while putting the mailing list address in the Reply-To: If I specify that the mailing list address should also be in the From: address, the messages get delivered.
>
> I'm almost positive that Yahoo thinks that the message is spam, and rejecting it. This is based on the fact that the same yahoo posts, when sent to Gmail members, are getting delivered to the Gmail user's Spam folder. Gmail displays that the reason it's doing this, is that it can't verify that post is actually coming from yahoo. This is a bit absurd, IMHO. But at least the message is getting delivered! In the case of yahoo, they simply reject the message!
>
> Apr 13 15:30:05 mail1 sendmail[6367]: s3DJU4jS006361: to=xxx...@yahoo.com, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=208395, relay=mta5.am0.yahoodns.net. [98.138.112.38], dsn=5.0.0, stat=Service unavailable
>
> I would like to know if anyone else is seeing this behavior. I've tried 2 different mailing list servers, and I see the same behavior. Thanks.
>
> - Mark

LOL, do you live under a rock? :-) The whole Internet is in a rage this week about this: https://www.google.com/#q=yahoo+dmarc

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 4/13/14, 3:48 PM, Mark London wrote:
> Hi -
>
> Starting this week, I've discovered that emails sent from yahoo members on my mailing lists, are not getting delivered to other yahoo addresses on my mailing list, including the person who sent the message. My SMTP logs show that the message is getting rejected (see below).
>
> I'm positive that the reason this is happening, is because I have my mailing list configured to preserve the original email address, in the From: line, while putting the mailing list address in the Reply-To: If I specify that the mailing list address should also be in the From: address, the messages get delivered.
>
> I'm almost positive that Yahoo thinks that the message is spam, and rejecting it. This is based on the fact that the same yahoo posts, when sent to Gmail members, are getting delivered to the Gmail user's Spam folder. Gmail displays that the reason it's doing this, is that it can't verify that post is actually coming from yahoo. This is a bit absurd, IMHO. But at least the message is getting delivered! In the case of yahoo, they simply reject the message!
>
> Apr 13 15:30:05 mail1 sendmail[6367]: s3DJU4jS006361: to=xxx...@yahoo.com, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=208395, relay=mta5.am0.yahoodns.net. [98.138.112.38], dsn=5.0.0, stat=Service unavailable
>
> I would like to know if anyone else is seeing this behavior. I've tried 2 different mailing list servers, and I see the same behavior. Thanks.
>
> - Mark

You obviously haven't been reading much about mailing lists recently. (Browse the last week of the archives)

Short version: Yahoo changed their DMARC settings to ask servers that receive a message with a yahoo.com email address in the from line to reject it if it isn't properly signed by yahoo, which all messages they send will be. If your list modifies the message, in particular either the subject line or body, then the signature won't match and the message is supposed to not be delivered.

Basically, Yahoo has said that its users are not supposed to use any mailing list configured in the manner that they are often configured in. Read the archives for a list of possible options.

--
Richard Damon
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Sun, Apr 13, 2014 at 4:01 PM, Richard Damon rich...@damon-family.org wrote:
> If your list modifies the message, in particular either the subject line or body, then the signature won't match and the message is supposed to not be delivered.

It's worse than just modification of the message/headers. DMARC works off of SPF as well.

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
Jim Popovitch jim...@gmail.com wrote:
> DMARC works off of SPF as well.

Not really. SPF does not check the From: header line, and that's where the troubles begin with DMARC.

Joseph Brennan
Columbia University IT
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Sun, Apr 13, 2014 at 4:54 PM, Joseph Brennan bren...@columbia.edu wrote:
> Jim Popovitch jim...@gmail.com wrote:
>> DMARC works off of SPF as well.
>
> Not really.

DMARC checks alignment of *both* DKIM and SPF, if either is broken DMARC fails.

> SPF does not check the From: header line, and that's where the troubles begin with DMARC.

SPF checks sending IPs (of which your IPs won't match Yahoo's, thus breaking DMARC)

Either an SPF failure or a DKIM failure will cause a DMARC rejection if p=reject.

-Jim P.
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 04/13/2014 03:03 PM, Jim Popovitch wrote:
> DMARC checks alignment of *both* DKIM and SPF, if either is broken DMARC fails.
>
>> SPF does not check the From: header line, and that's where the troubles begin with DMARC.
>
> SPF checks sending IPs (of which your IPs won't match Yahoo's, thus breaking DMARC)
>
> Either an SPF failure or a DKIM failure will cause a DMARC rejection if p=reject.

I'm not sure that's correct. I've been testing this so many ways, I'm not sure what I'm seeing, but I think a reject requires BOTH DKIM and SPF to be absent or fail. If either passes, no DMARC reject occurs.

There are weird issues though. It seems I can't post from my gmail address to my yahoo group. I get a non-delivery notice from gmail. I'm not sure why. The yahoo group exists and my gmail address is a member with posting privileges.

I'll follow up more after dinner break.

--
Mark Sapiro m...@msapiro.net    The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 4/13/14, 6:17 PM, Mark Sapiro wrote:
> On 04/13/2014 03:03 PM, Jim Popovitch wrote:
>> DMARC checks alignment of *both* DKIM and SPF, if either is broken DMARC fails.
>>
>>> SPF does not check the From: header line, and that's where the troubles begin with DMARC.
>>
>> SPF checks sending IPs (of which your IPs won't match Yahoo's, thus breaking DMARC)
>>
>> Either an SPF failure or a DKIM failure will cause a DMARC rejection if p=reject.
>
> I'm not sure that's correct. I've been testing this so many ways, I'm not sure what I'm seeing, but I think a reject requires BOTH DKIM and SPF to be absent or fail. If either passes, no DMARC reject occurs.
>
> There are weird issues though. It seems I can't post from my gmail address to my yahoo group. I get a non-delivery notice from gmail. I'm not sure why. The yahoo group exists and my gmail address is a member with posting privileges.
>
> I'll follow up more after dinner break.

When they first added the DKIM, adding SPF to my domain fixed the warnings that people got in GMail. When Yahoo upped to reject, this doesn't seem to help. I don't know if there is supposed to be a difference here, or if Yahoo changed something else in the DMARC record they changed to that would cause the SPF match on Envelope to no longer override the DKIM error.

--
Richard Damon
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 04/13/2014 03:17 PM, Mark Sapiro wrote:
> There are weird issues though. It seems I can't post from my gmail address to my yahoo group. I get a non-delivery notice from gmail. I'm not sure why. The yahoo group exists and my gmail address is a member with posting privileges.

My bad. I have multiple gmail accounts and I was posting from the wrong one. Another round of testing begins ...

--
Mark Sapiro m...@msapiro.net    The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On 04/13/2014 03:17 PM, Mark Sapiro wrote:
> On 04/13/2014 03:03 PM, Jim Popovitch wrote:
>> DMARC checks alignment of *both* DKIM and SPF, if either is broken DMARC fails.
>>
>>> SPF does not check the From: header line, and that's where the troubles begin with DMARC.
>>
>> SPF checks sending IPs (of which your IPs won't match Yahoo's, thus breaking DMARC)
>>
>> Either an SPF failure or a DKIM failure will cause a DMARC rejection if p=reject.
>
> I'm not sure that's correct. I've been testing this so many ways, I'm not sure what I'm seeing, but I think a reject requires BOTH DKIM and SPF to be absent or fail. If either passes, no DMARC reject occurs.

My reading of Sec 10.2 of the current draft DMARC standard https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/ says that either a valid DKIM signature or a valid SPF test is sufficient, but only if the domains are aligned which means the DKIM signing domain or the SPF envelope sender domain must match (in strict or relaxed mode) that of the From: address.

    If one or more of the Authenticated Identifiers align with the RFC5322.From domain, the message is considered to pass the DMARC mechanism check.

In particular, one's own SPF won't do because the domains won't align.

I think I've got a good set of test results, but I'm tired and will save that summary for tomorrow.

--
Mark Sapiro m...@msapiro.net    The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Re: [Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, Service Unavailable.
On Sun, Apr 13, 2014 at 10:47 PM, Mark Sapiro m...@msapiro.net wrote:
> On 04/13/2014 03:17 PM, Mark Sapiro wrote:
>> On 04/13/2014 03:03 PM, Jim Popovitch wrote:
>>> DMARC checks alignment of *both* DKIM and SPF, if either is broken DMARC fails.
>>>
>>>> SPF does not check the From: header line, and that's where the troubles begin with DMARC.
>>>
>>> SPF checks sending IPs (of which your IPs won't match Yahoo's, thus breaking DMARC)
>>>
>>> Either an SPF failure or a DKIM failure will cause a DMARC rejection if p=reject.
>>
>> I'm not sure that's correct. I've been testing this so many ways, I'm not sure what I'm seeing, but I think a reject requires BOTH DKIM and SPF to be absent or fail. If either passes, no DMARC reject occurs.
>
> My reading of Sec 10.2 of the current draft DMARC standard https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/ says that either a valid DKIM signature or a valid SPF test is sufficient, but only if the domains are aligned which means the DKIM signing domain or the SPF envelope sender domain must match (in strict or relaxed mode) that of the From: address.
>
>     If one or more of the Authenticated Identifiers align with the RFC5322.From domain, the message is considered to pass the DMARC mechanism check.
>
> In particular, one's own SPF won't do because the domains won't align.

I (now) agree with that, it's either, not both, that passes a dmarc check. Mailman always breaks dkim, so I never really considered what happens if dkim passes but spf doesn't.

-Jim P.
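
The alignment rule the messages above converge on (one SPF or DKIM identifier that both passes and aligns with the From: domain is enough), worked through for the list scenarios discussed, as an added example that is not part of the original thread. The list host `lists.example.org`, the two-label organizational-domain shortcut and all sample results are constructed assumptions.

```python
# Added illustration of the DMARC identifier-alignment rule (not Mailman code).
# Sample domains and authentication results are constructed for this example.

def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption: real evaluators use the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_check(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf is (result, envelope sender domain); dkim_sigs is a list of
    (result, d= domain). One passing AND aligned identifier is enough."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim_sigs)
    return "pass" if spf_ok or dkim_ok else "fail"

def disposition(result, policy):
    """What the From: domain's published policy (p=) asks the receiver to do."""
    if result == "pass" or policy == "none":
        return "deliver"
    return policy  # "quarantine" or "reject"

LIST = "lists.example.org"  # hypothetical list host

# name -> (From: domain, SPF result, DKIM results, From-domain policy)
CASES = {
    "direct from Yahoo":
        ("yahoo.com", ("pass", "yahoo.com"), [("pass", "yahoo.com")], "reject"),
    "list adds footer, keeps From":
        ("yahoo.com", ("pass", LIST), [("fail", "yahoo.com")], "reject"),
    "list also re-signs with own key":
        ("yahoo.com", ("pass", LIST),
         [("fail", "yahoo.com"), ("pass", LIST)], "reject"),
    "list forwards unmodified":
        ("yahoo.com", ("pass", LIST), [("pass", "yahoo.com")], "reject"),
    "list rewrites From to itself":
        (LIST, ("pass", LIST), [("pass", LIST)], "none"),
}

def evaluate(name):
    """Return the receiver-side outcome for one constructed scenario."""
    from_domain, spf, dkim, policy = CASES[name]
    return disposition(dmarc_check(from_domain, spf, dkim), policy)

if __name__ == "__main__":
    for name in CASES:
        print(f"{name:34} -> {evaluate(name)}")
```

The second and third cases show why the list's own SPF pass or its own DKIM signature does not help while the From: header still carries yahoo.com: both identifiers authenticate, but neither aligns.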