I just got this
On 9 Feb 2019, at 00:00, dovecot-request@dovecot.org wrote:
Your membership in the mailing list dovecot has been disabled due to excessive bounces. The last bounce received from you was dated 02-Feb-2019. You will not get any more messages from this list until you re-enable your membership. You will receive 1 more reminder like this before your membership in the list is deleted.
To re-enable your membership, you can simply respond to this message (leaving the Subject: line intact), or visit the confirmation page at
When clicking the link I get "Bad confirmation string" and something about maybe the link expired.
I see no connection attempts from dovecot.org over the last few days other than this message.
-- If at first you don't succeed, destroy all evidence that you tried.
On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
For some reason mailman failed to "munge from" for senders with dmarc policy ;(
It's now configured to always munge to avoid this again.
I'd say, let Mailman throw all people off the list that have enabled DMARC checking without using exceptions for the lists they are on. It's a known fact that DMARC does not cope well with mailing lists. Blindly enabling DMARC checks without thinking about the consequences for themselves should not be the problem of other well-behaving participants.
Most people use OpenDMARC and there are patches to mark certain hosts as mailing lists senders, so it is possible.
And everyone using p=reject should think about it as well - as I said, DMARC does not play well with mailing lists, so setting p=reject on a domain used to participate on mailing lists is not wise, to say the least. You should not follow Yahoo and AOL - you know why they did it, don't you?
And Aki, please go back to "munge only if needed" - munging all messages leads to a really bad "user experience".
Thanks.
Back to lurking, Juri
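The post above explains in words why DMARC and mailing lists collide: the list re-sends the message with its own envelope sender and (usually) breaks the author's DKIM signature, so neither identifier aligns with the author's From domain. The following added example (not code from the dovecot project or from any poster in this thread) models the RFC 7489 evaluation on constructed inputs and shows three outcomes: the unmunged post under p=reject, the same post under p=none, and the post after Mailman's "munge from" rewrite. Domain names, the DMARC records and the two-label organizational-domain helper are all assumptions made for the example; a real validator consults the Public Suffix List.

```python
"""DMARC identifier alignment for a message relayed through a mailing list.

Added example, not code from the dovecot project or from any poster in this
thread. It models the RFC 7489 evaluation (policy record, SPF and DKIM
identifier alignment) on constructed inputs. The organizational-domain helper
is a deliberate two-label simplification; real validators consult the Public
Suffix List.
"""
from email.utils import parseaddr

# Constructed stand-in for DNS lookups of _dmarc.<domain> TXT records.
DMARC_RECORDS = {
    "example.org": "v=DMARC1; p=reject; aspf=s; adkim=s",
    "lists.example.net": "v=DMARC1; p=none",
}

# Constructed scenario: alice@example.org posts to a Mailman list hosted at
# lists.example.net. The list re-sends the post with its own envelope sender
# and its own DKIM signature; the author's DKIM signature no longer verifies
# because the list appended a footer.
LIST_DOMAIN = "lists.example.net"
ORIGINAL_FROM = "Alice <alice@example.org>"
MUNGED_FROM = "Alice via dovecot <dovecot@lists.example.net>"


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; aspf=s' into a dict, applying RFC 7489
    defaults: aspf and adkim default to relaxed ('r'); p is mandatory."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment ('s') needs an exact match; relaxed ('r') accepts any
    subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_record(from_domain):
    """_dmarc.<from_domain>, falling back to the organizational domain."""
    txt = DMARC_RECORDS.get(from_domain) or DMARC_RECORDS.get(org_domain(from_domain))
    return parse_dmarc_record(txt) if txt else None


def dmarc_evaluate(from_header, spf_pass_domain, dkim_pass_domains, record_override=None):
    """Return the DMARC verdict for one message.

    spf_pass_domain: RFC5321.MailFrom domain for which SPF passed, or None
    dkim_pass_domains: d= values of DKIM signatures that verified
    record_override: DMARC TXT text to use instead of the table lookup
    """
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    record = parse_dmarc_record(record_override) if record_override else lookup_record(from_domain)
    if record is None:
        return {"from_domain": from_domain, "result": "none", "action": "none"}
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, record["aspf"])
    dkim_ok = any(aligned(from_domain, d, record["adkim"]) for d in dkim_pass_domains)
    passed = spf_ok or dkim_ok
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "result": "pass" if passed else "fail",
        # The policy is only applied when alignment fails; p=none requests
        # reports but no enforcement, which is why it is safe for list posters.
        "action": "none" if passed else record["p"],
    }


def list_relay_verdict(from_header, record_override=None):
    """Verdict for the constructed list-relay scenario: SPF passes for the list
    domain and only the list's DKIM signature verifies."""
    return dmarc_evaluate(from_header, LIST_DOMAIN, [LIST_DOMAIN], record_override)


if __name__ == "__main__":
    print("unmunged, p=reject:", list_relay_verdict(ORIGINAL_FROM))
    print("unmunged, p=none:  ", list_relay_verdict(ORIGINAL_FROM, "v=DMARC1; p=none"))
    print("munged From:       ", list_relay_verdict(MUNGED_FROM))
```

The unmunged post fails alignment under either aspf setting because the authenticated domain is the list's, not the author's; with p=reject that is a bounce for every subscriber at a strict receiver, with p=none it is only a report. Munging the From header to the list domain makes the list's own SPF and DKIM align, which is what Mailman's "munge from" achieves at the cost of the altered display name.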
On 09/02/2019 19:56, Aki Tuomi via dovecot wrote:
On 09 February 2019 at 20:48 Juri Haberland via dovecot <dovecot@dovecot.org> wrote:
Most people use OpenDMARC and there are patches to mark certain hosts as mailing lists senders, so it is possible.
Wonder how many would do this though?
Yeah, unfortunately not enough...
And everyone using p=reject should think about it as well - as I said, DMARC does not play well with mailing lists, so setting p=reject on a domain used to participate on mailing lists is not wise, to say the least. You should not follow Yahoo and AOL - you know why they did it, don't you?
Unfortunately this is usually required by many common providers such as Microsoft and Google, otherwise they refuse your mail.
That is definitely not true. They might require you to have DKIM and/or SPF and maybe even a DMARC policy, but they definitely don't require p=reject! Most of my domains have p=none and our mails are accepted by all major providers...
Hope you understand.
Understood. Had to write that mail anyway ;-)
Juri
On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
I'll review the settings when we manage to upgrade to mailman3
Hello Aki,
before updating to mailman3, consider a simpler update to the latest mailman2.
You're using 2.1.15; current mailman2 is 2.1.29. You're missing a /significant amount/ of DMARC fixes!
and: more off-topic: while my messages *to* the dovecot list are sent using STARTTLS, messages *from* wursti.dovecot.fi are sent without encryption. any reason to stay on unencrypted SMTP?
Andreas
A. Schulze via dovecot wrote on 2019-02-09 23:28:
On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
I'll review the settings when we manage to upgrade to mailman3
before updating to mailman3, consider a simpler update to the latest mailman2.
Will any of this implement OpenARC sealing? :=)
You're using 2.1.15; current mailman2 is 2.1.29. You're missing a /significant amount/ of DMARC fixes!
We are all missing the point of missing OpenDMARC that can test for OpenARC sealing and be done with all the mess :(
Or add a hook to OpenDKIM to make it autodetect mailing lists just like CPAN Mail::Milter::Authenticated does it.
If it can't be done in OpenDKIM Lua, we lose all.
and: more off-topic: while my messages *to* the dovecot list are sent using STARTTLS, messages *from* wursti.dovecot.fi are sent without encryption. any reason to stay on unencrypted SMTP?
Maybe the same reason dovecot has an MX record? :=)
But good catch if the inbound IP is the same as the outbound IP.
On 10 February 2019 at 00:28 "A. Schulze via dovecot" <dovecot@dovecot.org> wrote:
On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
I'll review the settings when we manage to upgrade to mailman3
Hello Aki,
before updating to mailman3, consider a simpler update to the latest mailman2.
You're using 2.1.15; current mailman2 is 2.1.29. You're missing a /significant amount/ of DMARC fixes!
and: more off-topic: while my messages *to* the dovecot list are sent using STARTTLS, messages *from* wursti.dovecot.fi are sent without encryption. any reason to stay on unencrypted SMTP?
Andreas
Received: from talvi.dovecot.org (talvi.dovecot.org [94.237.25.159]) by mail.dovecot.fi (Postfix) with ESMTPS id 7EE3B2B3C9C; Sun, 10 Feb 2019 00:29:15 +0200 (EET)
ESMTPS indicates that TLS was used. Also I took the trouble to check the maillogs from talvi to verify that your mail was delivered using TLS.
Aki
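Aki's check above rests on reading the transmission type in the Received: header. The following added example (not code from the dovecot list, Postfix or Mailman) parses that clause for a batch of headers so the same check can be done over a whole message trace. The keywords come from the IANA registry defined in RFC 3848 (a trailing S means STARTTLS was used, a trailing A that the client authenticated); the sample headers, hostnames and queue ids are constructed.

```python
"""Read the 'with <protocol>' clause of Received: headers to see which hops
were protected by TLS.

Added example, not code from the dovecot list, Postfix or Mailman. The
protocol keywords are the SMTP transmission types registered by RFC 3848:
a trailing 'S' means the session used STARTTLS, a trailing 'A' that the
client authenticated. The sample headers below are constructed.
"""
import re

# Constructed Received: lines; the first has the shape of the one quoted in the thread.
SAMPLE_HEADERS = [
    "Received: from talvi.example.org (talvi.example.org [192.0.2.10]) "
    "by mail.example.net (Postfix) with ESMTPS id 0123456789AB; "
    "Sun, 10 Feb 2019 00:29:15 +0200 (EET)",
    "Received: from relay.example.com (relay.example.com [198.51.100.5]) "
    "by mail.example.net (Postfix) with ESMTP id 0123456789AC; "
    "Sun, 10 Feb 2019 00:30:00 +0200 (EET)",
    "Received: from [10.0.0.7] (unknown [10.0.0.7]) "
    "by smtp.example.net (Postfix) with ESMTPSA id 0123456789AD; "
    "Sun, 10 Feb 2019 00:31:00 +0200 (EET)",
]

TLS_TYPES = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
COMMENT_RE = re.compile(r"\([^)]*\)")          # drop (Postfix), (EET), ... before scanning
CLAUSE_RE = re.compile(r"\b(from|by|with|id)\s+(\S+)", re.IGNORECASE)


def parse_received(header):
    """Return the from/by/with/id clauses of one Received: header as a dict."""
    body = header.split(":", 1)[1] if header.lower().startswith("received:") else header
    body = COMMENT_RE.sub(" ", body)
    return {k.lower(): v.rstrip(";") for k, v in CLAUSE_RE.findall(body)}


def hop_used_tls(header):
    """True when the transmission type records a TLS session."""
    return parse_received(header).get("with", "").upper() in TLS_TYPES


def audit_hops(headers):
    """Summarise every hop as (sending host, receiving host, protocol, tls?)."""
    out = []
    for h in headers:
        r = parse_received(h)
        out.append((r.get("from"), r.get("by"), r.get("with"), hop_used_tls(h)))
    return out


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_HEADERS):
        print(hop)
```

Only the receiving server's own Received: line is trustworthy for this purpose; earlier hops' headers are written by other hosts and can say anything, so an audit should stop at the first hop added by a server you operate.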
On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:
On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
For some reason mailman failed to "munge from" for senders with dmarc policy ;(
It's now configured to always munge to avoid this again.
I'd say, let Mailman throw all people off the list that have enabled DMARC checking without using exceptions for the lists they are on. It's a known fact that DMARC does not cope well with mailing lists. Blindly enabling DMARC checks without thinking about the consequences for themselves should not be the problem of other well-behaving participants.
Most people use OpenDMARC and there are patches to mark certain hosts as mailing lists senders, so it is possible.
Can you please let me know where to find those patches?
I ran DMARC in testing on one domain and had to disable it because over 95% of the reports were false positives from mailing lists, and the few that were genuinely spoofed would have easily been caught by spam/malware filters anyway.
However, for a project I am working on, DMARC is highly desired. Designing a whitelist for known mailing lists is something I want to do.
Honestly I was sort of tempted to try and create my own DMARC validator (I was thinking one daemon that does both DKIM and DMARC - for postfix, Exim has DKIM native but I only use Exim for submission) that tried to sniff Mailman and not enforce it but it looks like it would be very time consuming.
On 2/9/19 11:13 AM, Michael A. Peters via dovecot wrote:
On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote: *snip*
Honestly I was sort of tempted to try and create my own DMARC validator (I was thinking one daemon that does both DKIM and DMARC - for postfix, Exim has DKIM native but I only use Exim for submission) that tried to sniff Mailman and not enforce it but it looks like it would be very time consuming.
What I wanted to do was sniff Mailman in headers and, if it was sent by mail, reject if reverse DNS didn't match HELO/EHLO and whitelist from OpenDMARC enforcement if it did. That would prevent most spoofed mail that tried to look like Mailman, since spoofed mail rarely has reverse DNS properly set up but Mailman admins tend to.
On 09/02/2019 20:13, Michael A. Peters via dovecot wrote:
On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:
Most people use OpenDMARC and there are patches to mark certain hosts as mailing lists senders, so it is possible.
can you please let me know where to find those patches?
https://sourceforge.net/p/opendmarc/tickets/180/
Also have a look at http://batleth.sapienti-sat.org/projects/opendmarc/.
I have an Ubuntu-PPA where you can get a package with all of the above patches (https://launchpad.net/~haberland/+archive/ubuntu/opendmarc).
Cheers, Juri
- Juri Haberland via dovecot:
Blindly enabling DMARC checks without thinking about the consequences for themselves should not be the problem of other well-behaving participants.
Can you judge if DMARC is enabled "blindly"? No, I thought not. Also, the issue was not on the receiving end, but the reject policy for the originating domain.
Personally, I choose to treat "reject" as if it was "quarantine", i.e. affected mail is rerouted to a specific folder.
And Aki, please go back to "munge only if needed" - munging all messages leads to a really bad "user experience".
Only speak for yourself please.
-Ralph
On 10/02/2019 07:38, Ralph Seichter via dovecot wrote:
- Juri Haberland via dovecot:
Blindly enabling DMARC checks without thinking about the consequences for themselves should not be the problem of other well-behaving participants.
Can you judge if DMARC is enabled "blindly"? No, I thought not. Also, the issue was not on the receiving end, but the reject policy for the originating domain.
Personally, I choose to treat "reject" as if it was "quarantine", i.e. affected mail is rerouted to a specific folder.
And Aki, please go back to "munge only if needed" - munging all messages leads to a really bad "user experience".
Only speak for yourself please.
-Ralph
+1 (for entire post)
... and surely he does not expect those with a million plus users to sit here and whitelist the million plus mailing lists that exist around the world, heh, like that's going to happen :)
-- Kind Regards,
Noel Butler
This Email, including any attachments, may contain legally privileged information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate, discuss, or reveal, any part, to anyone, without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments, immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message. Only PDF [1] and ODF [2] documents accepted, please do not send proprietary formatted documents
Links:
[1] http://www.adobe.com/ [2] http://en.wikipedia.org/wiki/OpenDocument
Noel Butler via dovecot skrev den 2019-02-10 01:51:
... and surely he does not expect those with a million plus users to sit here and whitelist the million plus mailing lists that exist around the world, heh, like that's going to happen :)
Fixing Mailman will be the fail; solving it by letting OpenDKIM and OpenDMARC not reject detected mailing lists will be the solution, whether OpenARC comes or not. In CPAN Mail::Milter::Authenticated it's solved, but who uses it other than fastmail.fm? :=)
On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
Fixing Mailman will be the fail; solving it by letting OpenDKIM and OpenDMARC not reject detected mailing lists will be the solution,
A general broad mailing list whitelist will be problematic; to work it needs to look for specific list-type hidden headers, and spammers and nasties will incorporate those headers into their trash that impersonates mailing lists and voila, they pass. There is no quick and easy fix to the DMARC mess other than p=none aspf=s (DKIM is another one that gets narky at lists, and despite all the SPF haters' dreams, I've never had a problem with SPF and lists, and we were an early beta adopter of SPF).
-- Kind Regards,
Noel Butler
On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
Fixing Mailman will be the fail; solving it by letting OpenDKIM and OpenDMARC not reject detected mailing lists will be the solution,
A general broad mailing list whitelist will be problematic; to work it needs to look for specific list-type hidden headers, and spammers and nasties will incorporate those headers into their trash that impersonates mailing lists and voila, they pass.
However, the majority of spammers do not spam with a properly configured reverse DNS, so detect the list header and skip DMARC if list headers are present AND reverse DNS matched the HELO/EHLO.
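The heuristic proposed here and in the earlier post (exempt list mail from DMARC enforcement only when list headers are present and the client's reverse DNS matches its HELO/EHLO, with the stricter variant that rejects list-looking mail whose reverse DNS does not match) is written out below as an added example. It is not code from the dovecot project, OpenDMARC or any poster; DNS is replaced by constructed lookup tables so it runs offline, and the hostnames, IPs and messages are assumptions. It also carries the caveat raised above: list headers alone are trivially copied, so the reverse-DNS leg is what gives the exemption any teeth.

```python
"""Exempt a message from DMARC enforcement only when it carries mailing-list
headers AND the client's reverse DNS matches its HELO/EHLO name.

Added example, not code from the dovecot project, OpenDMARC or any poster; it
implements the heuristic proposed in the thread as a policy function a milter
could call. DNS is replaced by constructed tables so it runs offline; a real
implementation would resolve PTR and forward records and should require
forward-confirmed reverse DNS (the PTR name resolving back to the client IP).
"""

# RFC 2369 / RFC 2919 headers that Mailman and other list managers add.
LIST_HEADERS = {"list-id", "list-post", "list-unsubscribe", "list-help",
                "list-subscribe", "list-archive"}

# Constructed stand-ins for DNS: client IP -> PTR name, hostname -> A record.
PTR_TABLE = {"192.0.2.10": "talvi.example.org", "203.0.113.9": "host-9.cloud.example.net"}
A_TABLE = {"talvi.example.org": "192.0.2.10", "host-9.cloud.example.net": "203.0.113.9"}


def fcrdns_matches_helo(client_ip, helo):
    """True when PTR(client_ip) equals the HELO name and that name resolves
    back to client_ip (forward-confirmed reverse DNS)."""
    ptr = PTR_TABLE.get(client_ip)
    if ptr is None:
        return False
    if ptr.lower().rstrip(".") != helo.lower().rstrip("."):
        return False
    return A_TABLE.get(ptr) == client_ip


def has_list_headers(headers):
    """Case-insensitive check for any RFC 2369/2919 list header."""
    return any(name.lower() in LIST_HEADERS for name in headers)


def enforcement_decision(headers, client_ip, helo, dmarc_result, policy,
                         reject_unconfirmed_lists=False):
    """Decide what to do with a message after DMARC evaluation.

    dmarc_result: 'pass' or 'fail' from the validator
    policy: the sender domain's p= value ('none', 'quarantine', 'reject')
    reject_unconfirmed_lists: the stricter variant from the thread, which
    rejects list-looking mail whose reverse DNS does not match HELO outright
    """
    if dmarc_result == "pass":
        return "accept"
    if has_list_headers(headers):
        if fcrdns_matches_helo(client_ip, helo):
            return "accept (list exempt)"
        # List headers alone are trivially copied, so without a matching
        # reverse DNS the normal policy applies (or the stricter reject).
        if reject_unconfirmed_lists:
            return "reject (list headers without matching rDNS)"
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy]


# Constructed messages: a genuine Mailman post and one that only copies its headers.
GENUINE = {"From": "Alice <alice@example.org>", "List-Id": "<dovecot.lists.example.net>",
           "List-Post": "<mailto:dovecot@lists.example.net>"}
FORGED = {"From": "Alice <alice@example.org>", "List-Id": "<dovecot.lists.example.net>"}
PLAIN = {"From": "Alice <alice@example.org>"}


def scenarios():
    """Run the cases with alignment failed; p=reject unless stated otherwise."""
    return {
        "genuine list": enforcement_decision(GENUINE, "192.0.2.10", "talvi.example.org", "fail", "reject"),
        "forged list": enforcement_decision(FORGED, "203.0.113.9", "talvi.example.org", "fail", "reject"),
        "forged, strict": enforcement_decision(FORGED, "203.0.113.9", "talvi.example.org", "fail", "none",
                                               reject_unconfirmed_lists=True),
        "no list headers": enforcement_decision(PLAIN, "192.0.2.10", "talvi.example.org", "fail", "reject"),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print("%-16s -> %s" % (name, decision))
```

The reverse-DNS leg is a heuristic, not authentication: any host with a correctly configured PTR record that claims to be a list gets the exemption, so the statistics posted later in the thread about how many rejected clients already have matching reverse DNS are the right thing to measure before enabling it.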
On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote:
On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
Fixing Mailman will be the fail; solving it by letting OpenDKIM and OpenDMARC not reject detected mailing lists will be the solution,
A general broad mailing list whitelist will be problematic; to work it needs to look for specific list-type hidden headers, and spammers and nasties will incorporate those headers into their trash that impersonates mailing lists and voila, they pass.
However, the majority of spammers do not spam with a properly configured reverse DNS, so detect the list header and skip DMARC if list headers are present AND reverse DNS matched the HELO/EHLO.
Also, DMARC isn't really anti-spam technology, it's anti-spoof technology.
Rather than fake mail list headers, spammers will just use domains w/o a DMARC policy. Much easier.
On 11/02/2019 09:48, Michael A. Peters via dovecot wrote:
On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote:
On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
Fixing Mailman will be the fail; solving it by letting OpenDKIM and OpenDMARC not reject detected mailing lists will be the solution,
A general broad mailing list whitelist will be problematic; to work it needs to look for specific list-type hidden headers, and spammers and nasties will incorporate those headers into their trash that impersonates mailing lists and voila, they pass.
However, the majority of spammers do not spam with a properly configured reverse DNS, so detect the list header and skip DMARC if list headers are present AND reverse DNS matched the HELO/EHLO.
Also, DMARC isn't really anti-spam technology, it's anti-spoof technology.
Rather than fake mail list headers, spammers will just use domains w/o a DMARC policy. Much easier.
I know you're just nit-picking but what the hell, I've got a few minutes before my meeting....
Anti-spoofing is also anti-spam: most legit emailers don't spoof, bad guys love to, so anything that reduces noise in email can be considered "anti-spam".
Postfix ACLs, DNSBLs, milters, antivirus, SpamAssassin, SPF, DKIM, whatever ... they all work to reduce noise and that's all the end users care about.
-- Kind Regards,
Noel Butler
On 11/02/2019 09:46, Michael A. Peters via dovecot wrote:
However, the majority of spammers do not spam with a properly configured reverse DNS, so detect the list header and skip DMARC if list headers are present AND reverse DNS matched the HELO/EHLO.
A hell of a lot do, though (these are pretty average percentages here):

Accepted                         70.07%
Rejected                         29.93%
Total                           100.00%

5xx Reject relay denied           4.27%
5xx Reject unknown user           7.93%
5xx Reject sender address         7.32%
5xx Reject unknown client host   52.44%
5xx Reject RBL                    3.66%
5xx Reject milter                24.39%
Total 5xx Rejects               100.00%

"Unknown client host" was as high as 95% up till about 10 years ago, so they are slowly learning.
-- Kind Regards,
Noel Butler
participants (8): @lbutlr, A. Schulze, Aki Tuomi, Benny Pedersen, Juri Haberland, Michael A. Peters, Noel Butler, Ralph Seichter