Opened 8 years ago

Closed 7 years ago

#49787 closed defect (fixed)

Mailing list messages not delivered, subscriptions disabled due to Yahoo Mail now requiring DMARC

Reported by: ryandesign (Ryan Carsten Schmidt)
Owned by: admin@…
Priority: High
Milestone:
Component: server/hosting
Version:
Keywords:
Cc: portmgr@…, raimue (Rainer Müller), bgilbert (Benjamin Gilbert)
Port:

Description

At 2:29 PM Central time today we received 42 mailing list subscription disabled bounces. They said things like:

552 l8Eq1r00M0drVCp018ErwH Message fails DMARC verification.
554 5.7.9 Message not accepted for policy reasons.  See https://help.yahoo.com/kb/postmaster/SLN7253.html
550 5.7.1 The messages violates the DMARC policy of yahoo.com (d8c59a45-921e-11e5-a822-db253d9e0b64)
550 5.2.0 l8Eq1r05C0bG8YH018Er6K Message rejected due to DMARC. Please see http://postmaster.comcast.net/smtp-error-codes.php#DM000001
550 5.7.0 (COL004-MC6F14) Unfortunately, messages from (17.151.62.25) on behalf of (yahoo.com) could not be delivered due to domain owner policy restrictions.

It sounds like Yahoo's mail server now requires messages to be sent in compliance with DMARC, and our mailing lists do not do this.

The effect is that when a Yahoo Mail user who has subscribed to one of our lists sends a message to the list, it gets sent by our list to the other subscribers. For those subscribers using a mail service that checks DMARC, their mail servers reject the message because the DMARC verification fails because the message was actually sent by our server, not by a Yahoo Mail server. This causes the subscriber's mail server to send a bounce back to our mailing list server, and after a few of those, our mailing list server disables the subscriber's subscription.

Yahoo's own page on this problem suggests we "Follow industry standards" and:

change your sending behavior by adding the mailing lists’ address to the "From:" line, rather than the sender’s address. Also, enter the actual user/sender address into the "Reply-To:" line.

I do not believe we should do this, because this contradicts RFC2822 which states:

When the "Reply-To:" field is present, it indicates the mailbox(es) to which the author of the message suggests that replies be sent.

Our mailing list is not the author of the message, so our mailing list may not change the Reply-To line. See also “Reply-To” Munging Still Considered Harmful. Really.

The DMARC FAQ has an entry about what list operators should do, but there are several choices and I don't know which, if any, are appropriate.

Change History (11)

comment:1 Changed 8 years ago by jmroot (Joshua Root)

Haven't read it all but https://tools.ietf.org/html/rfc6377 covers this topic.

comment:2 Changed 8 years ago by ryandesign (Ryan Carsten Schmidt)

Our mailing lists are powered by mailman 2.1.12. According to the mailman DMARC page, we need to upgrade to mailman 2.1.16 to get the from_is_list feature, but it is not recommended. If we upgrade to mailman 2.1.18, we get a better option. The current version is 2.1.20. Better options are planned for mailman 3 which is not yet available.

comment:3 Changed 8 years ago by jmroot (Joshua Root)

Looks like we may be able to avoid the problem by not inserting anything into the subject or message body, too.

comment:4 Changed 8 years ago by neverpanic (Clemens Lang)

I agree, that's what I would have done as well. We can still add the List header to allow people to filter the mails.

The message body may actually be modified, depending on which fields the DMARC signature covers.

comment:5 Changed 8 years ago by raimue (Rainer Müller)

Cc: raimue@… added

Cc Me!

comment:6 Changed 8 years ago by bgilbert (Benjamin Gilbert)

Cc: bgilbert@… added

Cc Me!

comment:7 Changed 8 years ago by jmroot (Joshua Root)

Can we just turn off subject line tagging and footers for now?

comment:8 Changed 8 years ago by raimue (Rainer Müller)

Subject lines are only changed for macports-mgr, which would be low-priority anyway. Turning off footers for macports-users and macports-dev should be harmless and immediately fix the problem for subscribers with a strict DMARC policy.

For the long term, the Mailman 2.1.16 proposal to edit the From header with a "via the list" string and add a Reply-To header does not seem very nice to me, but I trust the Mailman developers that there is no better solution than that.
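
The options discussed in the description and in comments 3 to 8, as an added example that is not part of the ticket or of Mailman's code: a simplified model of how a receiving server evaluates DMARC for a list-relayed message. The addresses at lists.example.org, the sample post, and the assumption that the author's provider signs From and Subject are constructed for illustration; the DKIM signature is modeled without its public-key step.

```python
import base64, hashlib, re

LIST_ADDR = "list@lists.example.org"        # constructed list address
BOUNCE = "list-bounces@lists.example.org"   # constructed envelope sender used by the list

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def body_hash(body):
    """DKIM bh= value: SHA-256 of the body after 'relaxed' canonicalization (RFC 6376)."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()                          # trailing empty lines are ignored
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def sign(msg, d):
    # Model of a DKIM signature without the public-key step: signing domain,
    # body hash, and the signed header values (From and Subject assumed in h=).
    return {"d": d, "bh": body_hash(msg["body"]), "h": (msg["from"], msg["subject"])}

def dkim_ok(msg, sig):
    return sig["bh"] == body_hash(msg["body"]) and sig["h"] == (msg["from"], msg["subject"])

def dmarc_pass(msg, envelope_from, sigs, spf_pass=True):
    # RFC 7489: SPF or DKIM must pass for a domain matching From: (strict alignment here).
    author = domain(msg["from"])
    spf_aligned = spf_pass and domain(envelope_from) == author
    dkim_aligned = any(s["d"] == author and dkim_ok(msg, s) for s in sigs)
    return spf_aligned or dkim_aligned

def relay(msg, footer="", subject_tag="", from_is_list=False):
    out = dict(msg, body=msg["body"] + footer, subject=subject_tag + msg["subject"])
    if from_is_list:                         # From: rewritten, author moved to Reply-To:
        out.update({"from": LIST_ADDR, "reply_to": msg["from"]})
    return out

def outcomes():
    post = {"from": "user@yahoo.com", "subject": "Build failure", "body": "Hello list\r\n"}
    sigs = [sign(post, "yahoo.com")]         # signature applied by the author's provider
    footer = "_______\r\nlist footer\r\n"
    cases = {
        "footer": relay(post, footer=footer),
        "subject_tag": relay(post, subject_tag="[list] "),
        "unmodified": relay(post),
        "from_is_list": relay(post, footer=footer, from_is_list=True),
    }
    return {name: dmarc_pass(m, BOUNCE, sigs) for name, m in cases.items()}

print(outcomes())
```

In every case SPF passes only for the list's own domain, so a relayed message with the author's From: address depends entirely on the author's DKIM signature surviving the relay.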

comment:9 Changed 7 years ago by ryandesign (Ryan Carsten Schmidt)

Owner: changed from admin@… to admin@…
Status: new → assigned

This will be solved by moving the lists to our new list server, which runs a newer version of mailman, which has support for DMARC.

comment:10 Changed 7 years ago by raimue (Rainer Müller)

Hopefully resolved by switching to lists.macports.org, new mailman version and appropriate configuration.

https://lists.macports.org/pipermail/macports-users/2016-November/041912.html

Please let us know if the problem still exists.

comment:11 Changed 7 years ago by raimue (Rainer Müller)

Resolution: fixed
Status: assigned → closed

This should be fixed after the switch to lists.macports.org now.
