Do you struggle with message rejected. AUP#CDRBL while using mailman with your ISP email relay?

Hello to all:
mailman3 is a phenomenal upgrade from mailman2. Very nice. Thank you to the team.
In our family, we use mailman to provide redundancy on important financial emails. In this manner, emails from banks, government, ecommerce or other important providers are distributed to multiple family members. And we can ask family members if they paid the credit card bill, received their delivery, saw their tax liability or refund notification, etc. Does anyone else use mailman for such a purpose?
Do you struggle with "message rejected. AUP#CDRBL" while using mailman with your ISP email relay?
For example, when receiving email from a Bank or the Government of Canada on a mailman2 list, sometimes my ISP would not relay the email and I would get message rejected. AUP#CDRBL
On mailman2, I mitigated by stripping headers, wrapping message and DKIM signing. Here is a mailman2 message that is stripped, wrapped and signed.
https://freeimage.host/i/30O5EXe
Do you have this problem with your ISP with certain senders? What are your mitigation strategies on mailman3?

On Wed, Apr 16, 2025 at 4:17 PM Philip Bondi <pjbondi@systemdatabase.com> wrote:
> Hello to all:
> mailman3 is a phenomenal upgrade from mailman2. Very nice. Thank you to the team.
> In our family, we use mailman to provide redundancy on important financial emails. In this manner, emails from banks, government, ecommerce or other important providers are distributed to multiple family members. And we can ask family members if they paid the credit card bill, received their delivery, saw their tax liability or refund notification, etc. Does anyone else use mailman for such a purpose?
> Do you struggle with "message rejected. AUP#CDRBL" while using mailman with your ISP email relay?
AUP == Acceptable Use Policy. I am sure you signed some dotted lines about that, or clicked Accept/Yes somewhere and so something that is happening is violating the AUP. CDRBL sounds like the IP of your ISP relay server is in some blacklists. You could use https://mxtoolbox.com/ to look up the IP/Hostname that you use for relay.
> For example, when receiving email from a Bank or the Government of Canada on a mailman2 list, sometimes my ISP would not relay the email and I would get message rejected. AUP#CDRBL
And what does your ISP Tech Support say is the problem? I also think the problem is referenced somewhere in your MTA logs. While this is most likely going OT, I will try and narrow down on the mailman bits. Assuming:
- That the sender address of the Bank or the Government of Canada is _allowed_ to send emails to some_mailman_list_address
- That your family are all subscribed to the mailing list for the purpose of receiving the emails from the senders in (1) above,
It should be easy to configure the mailing list to send out the posts by rewriting the sender to be the list address.
You can do the same with Mailman3 under List settings -> DMARC Mitigations
> On mailman2, I mitigated by stripping headers, wrapping message and DKIM signing. Here is a mailman2 message that is stripped, wrapped and signed.
> https://freeimage.host/i/30O5EXe
> Do you have this problem with your ISP with certain senders? What are your mitigation strategies on mailman3?
In my case, I don't, because of List settings -> DMARC Mitigations -> DMARC mitigation action = Replace From: with list address. Below that is the option DMARC Mitigate unconditionally, which I have also enabled.
Curiously: If you DKIM sign your emails, does your ISP also co-sign them? Is your ISP relay server published in your domain's SPF records as an allowed sender for your domain?
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]

Odhiambo Washington via Mailman-users writes:
> Curiously: If you DKIM sign your emails, does your ISP also co-sign them? Is your ISP relay server published in your domain's SPF records as an allowed sender for your domain?
These are both good points. AWS SES actually prohibits DIY DKIM-signing and insists on doing it themselves (not sure why, but it suggests that there may be folks out there who dislike multiple signatures). Also, check if your ISP participates in ARC (Authenticated Received Chain, RFC 8617). You can do that yourself (best in your MTA so you can do SPF as well as DKIM validation, but Mailman provides a proof of concept option that will check DKIM and ARC-seal your message), but it may be more effective if your ISP does.
Steve
-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan

Philip Bondi writes:
> [E]mails from banks, government, ecommerce or other important providers are distributed to multiple family members.
This is an interesting application, but very likely to have delivery issues because most financial institutions participate in the DMARC protocol to control use of their domains in email. I would guess that government and ecommerce do as well, but my personal experience with them is using the web or bespoke apps. Since you're stripping the From header field, you shouldn't have DMARC issues, but many providers are more aggressive than the DMARC standard recommends.
> Do you struggle with "message rejected. AUP#CDRBL" while using mailman with your ISP email relay?
The code "AUP#CDRBL" is specific to your ISP. Users of other sites won't know what that means. You should check the rejection or the ISP's pages for a page explaining the code. Also, there are numerical codes like "503" and "5.7.1" (it will probably start with 5 because that's the code for "this message cannot be delivered"). The standardized codes are not at all specific about why the ISP doesn't like your mail, but some ISPs also add more specific reasons in a comment field immediately after the numerical code.
"AUP" very likely stands for "Acceptable Use Policy", which is standard terminology for your side of the agreement with the ISP. I don't know what "CDRBL" means. "RBL" is a common acronym for "realtime block list" which is a system where the source domain or IP is looked up and checked against a list of spam or phishing sources. That seems unlikely, though, because normally these are based on the IP address of the most recent connection---which would be yours.
> On mailman2, I mitigated by stripping headers, wrapping message and DKIM signing. Here is a mailman2 message that is stripped, wrapped and signed.
If that works, all of those features are at least as well supported by Mailman 3 as by Mailman 2. I don't see why you'd have more problems with Mailman 3 than Mailman 2 if you use the same settings,
The only additional possibility that you haven't mentioned (but may already be using) is to set the list to anonymous.
This is almost useless, it just confirms what you said in the text. If that's not working, we will need to see the raw email to help you, including the entire header and maybe the body. If you're not comfortable sending to the list (and for this data, maybe you should be uncomfortable), you can send to me and Mark at our personal addresses.
Steve
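
Added example (not part of the thread or of Mailman): a small Python parser that splits an SMTP rejection, as found in a bounce or MTA log, into the reply code, the RFC 3463 enhanced status code, and the ISP's free-text comment, and pulls out a tag shaped like "AUP#CDRBL". The sample replies are constructed; the thread does not show which numeric codes accompanied the rejection, so the "550 5.7.1" pairing and the tag pattern are assumptions.

```python
import re

# RFC 5321 reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY_LINE = re.compile(r"^(?P<code>[2-5]\d\d)(?:[ -](?P<text>.*))?$")
# RFC 3463 enhanced status code (class.subject.detail) at the start of the text.
ENHANCED = re.compile(r"^(?P<esc>[245]\.\d{1,3}\.\d{1,3})(?:\s+|$)")
# ISP-specific tag shaped like "AUP#CDRBL" (pattern assumed from that one string).
ISP_TAG = re.compile(r"\b[A-Z]{2,}#[A-Z0-9]+\b")
# Meaning of the middle ("subject") field of an enhanced status code, per RFC 3463.
SUBJECTS = {"1": "addressing", "2": "mailbox", "3": "mail system",
            "4": "network/routing", "5": "protocol", "6": "content/media",
            "7": "security or policy"}

# Constructed sample replies; the numeric codes are assumptions, not from the thread.
SAMPLES = [
    "550-5.7.1 message rejected.\n550 5.7.1 AUP#CDRBL",  # multi-line policy reject
    "503 Bad sequence of commands",                       # no enhanced code, no tag
    "451 4.7.1 Greylisted, try again later",              # transient, worth retrying
]

def parse_smtp_reply(raw):
    """Parse one (possibly multi-line) SMTP reply into its parts."""
    code, esc, texts = None, None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line.strip())
        if not m:
            continue  # skip log noise that is not a reply line
        code = m["code"]
        text = m["text"] or ""
        e = ENHANCED.match(text)
        if e:
            esc = esc or e["esc"]
            text = text[e.end():]  # drop the enhanced code from the comment
        texts.append(text.strip())
    if code is None:
        raise ValueError("no SMTP reply code found")
    comment = " ".join(t for t in texts if t)
    tag = ISP_TAG.search(comment)
    return {
        "code": int(code),
        "permanent": code.startswith("5"),  # 5xx: this message cannot be delivered
        "enhanced": esc,
        "subject": SUBJECTS.get(esc.split(".")[1]) if esc else None,
        "isp_tag": tag.group(0) if tag else None,
        "comment": comment,
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_smtp_reply(sample))
```

The `isp_tag` value is the string to search for in the ISP's own documentation or to quote to its support desk; the standardized codes only narrow the rejection down to a broad category.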
Participants (3): Odhiambo Washington, Philip Bondi, Stephen J. Turnbull