I have set up Postfix to DKIM sign outgoing mails from GNU Mailman 3.2.0a1 which validates nicely ("dkim=pass (signature was verified)"), but DMARC fails ("dmarc=fail action=none") on the recipient end, probably because of the "header.from=gmail.com;" (or similar), which means that DKIM d= will not match.
According to dmarc.org*) "Mailing lists usually do not take authorship of the emails they relay" so I should "consider to apply specific rules for emails coming from mailing lists". Also according to dmarc.org*) Mailman (Mailman 2 that is, and I presume Mailman 3 does too) "include features to interoperate with DMARC senders".
I assume that the dmarc mitigations list settings in Mailman are for incoming messages, but how do I set Mailman to cope with this on outgoing messages?
Note: I have more than one list domain in Mailman 3.
*) https://dmarc.org/wiki/FAQ#Is_there_special_handling_required_to_receive_DMA...
/Henrik
On 04/10/2018 02:18 AM, Henrik Rasmussen wrote:
> I have set up Postfix to DKIM sign outgoing mails from GNU Mailman 3.2.0a1 which validates nicely ("dkim=pass (signature was verified)"), but DMARC fails ("dmarc=fail action=none") on the recipient end, probably because of the "header.from=gmail.com;" (or similar), which means that DKIM d= will not match.
Right. DMARC deals with the From: domain. For DMARC to pass, either a valid DKIM sig or SPF with domain 'aligned' with the From: domain must be true. I.e., your DKIM sig and/or SPF won't do if the From: domain is not your domain.
> According to dmarc.org*) "Mailing lists usually do not take authorship of the emails they relay" so I should "consider to apply specific rules for emails coming from mailing lists". Also according to dmarc.org*) Mailman (Mailman 2 that is, and I presume Mailman 3 does too) "include features to interoperate with DMARC senders".
> I assume that the dmarc mitigations list settings in Mailman are for incoming messages, but how do I set Mailman to cope with this on outgoing messages?
I'm not sure I understand what you are saying. Mailman's (both 2 and 3) DMARC mitigations allow modifying the outgoing message in some or all cases so the From: domain is the list's domain so the message won't be dealt with by the recipient MTA according to the original From: domain's DMARC policy.
See <https://wiki.list.org/DEV/DMARC>. Also, <https://wiki.list.org/x/17891458> may be of interest.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
On 04/10/2018 06:53 PM, Mark Sapiro wrote:
> I'm not sure I understand what you are saying. Mailman's (both 2 and 3) DMARC mitigations allow modifying the outgoing message in some or all cases so the From: domain is the list's domain so the message won't be dealt with by the recipient MTA according to the original From: domain's DMARC policy.
> See <https://wiki.list.org/DEV/DMARC>. Also, <https://wiki.list.org/x/17891458> may be of interest.
Thank you for the links. According to https://wiki.list.org/DEV/DMARC the MM3 list setting "DMARC mitigation action" (which actually says "Replace From: with list address" in Postorius) should change the From: header. This doesn't seem to work if I don't also set "DMARC Mitigate unconditionally" to Yes, but does if I do.
Where do I change defaults for all lists, instead of a per list change in settings/dmarc_mitigations ?
Henrik Rasmussen
On 04/19/2018 03:22 AM, Henrik Rasmussen wrote:
> Thank you for the links. According to https://wiki.list.org/DEV/DMARC the MM3 list setting "DMARC mitigation action" (which actually says "Replace From: with list address" in Postorius) should change the From: header. This doesn't seem to work if I don't also set "DMARC Mitigate unconditionally" to Yes, but does if I do.
If DMARC Mitigate unconditionally is No, DMARC mitigation action will only be applied if the original From: domain publishes a DMARC policy of quarantine or reject. If the action is not being applied in this case, there is some issue in looking up the DMARC policy for the domain. Possibly, dnspython is not available or there is some other issue with this. In any case, errors should be logged in Mailman's log.
> Where do I change defaults for all lists, instead of a per list change in settings/dmarc_mitigations ?
You need to do this with list styles. See <http://mailman.readthedocs.io/en/latest/src/mailman/styles/docs/styles.html>. At present, Postorius doesn't allow specifying a style when creating a list, so you may need to modify mailman/src/mailman/styles/base.py.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
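Added example, not part of the thread and not Mailman's code: a small Python model of the two rules explained in the replies above, namely why a list-domain DKIM signature fails DMARC alignment against the poster's From: domain, and when the mitigation action fires if "DMARC Mitigate unconditionally" is No. All function names, the `.example` domains and the TXT records are constructed for illustration, and the organizational domain is approximated as the last two labels.

```python
# Added illustration, not Mailman's code. TXT records are constructed samples.
SAMPLE_DNS = {
    "_dmarc.reject.example": "v=DMARC1; p=reject; rua=mailto:agg@reject.example",
    "_dmarc.none.example": "v=DMARC1; p=none",
    "_dmarc.quar.example": "v=DMARC1; p=quarantine; sp=none",
}

def org_domain(domain):
    # Assumption: last two labels; real code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def published_policy(from_domain, dns=SAMPLE_DNS):
    """Policy for the From: domain: own record first, then the org domain's sp/p."""
    from_domain = from_domain.lower()
    own = parse_dmarc(dns.get("_dmarc." + from_domain, ""))
    if own:
        return own.get("p", "none").lower()
    org = org_domain(from_domain)
    parent = parse_dmarc(dns.get("_dmarc." + org, "")) if org != from_domain else None
    if parent:
        return parent.get("sp", parent.get("p", "none")).lower()
    return None  # no record found (or lookup failed): nothing to act on

def dmarc_result(from_domain, dkim_pass_domains=(), spf_pass_domain=None):
    """Relaxed alignment: a passing DKIM d= or SPF domain must share the From: org domain."""
    candidates = list(dkim_pass_domains) + ([spf_pass_domain] if spf_pass_domain else [])
    want = org_domain(from_domain)
    return "pass" if any(org_domain(d) == want for d in candidates) else "fail"

def should_mitigate(from_domain, unconditional, dns=SAMPLE_DNS):
    """Apply the mitigation action always, or only for quarantine/reject policies."""
    return unconditional or published_policy(from_domain, dns) in ("quarantine", "reject")
```

In this model a From: domain with no retrievable DMARC record gets no mitigation unless the unconditional setting is on, which matches the symptom described in the thread when the policy lookup does not succeed.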