It took me a moment to figure this out, because I was in a security talk at SCaLE 19x and was distracted.
Hoover Chan did something that many people think is a good idea, but is not: Hoover subscribed "hchan@mail.ewind.com" but set that mailbox to forward to his GMail mailbox, hoover.chan@gmail.com .
Hoover, sorry, in 2022 you can no longer do mail forwarding with wild abandon, because of increasing deployment of anti-forgery blocking technologies (SPF and DMARC).
In this case, my posting to balug-admin was processed by list.balug.org and re-mailed to all subscribers including your hchan@mail.ewind.com . Host nephoscale.ewind.com (IP 198.89.112.140) tried re-lobbing your subscriber copy to GMail, which rejected it because IP 198.89.112.140 is not a permitted originator for mail from domain balug.org, i.e., that IP as an SMTP source violates balug.org's SPF and DMARC declarations.
I am deleting your subscriptions of hchan@mail.ewind.com from balug-admin and from any other BALUG mailing list it might be on. (I haven't yet checked the other three.) I will also have Mailman send an "invitation" to quick-subscribe Hoover Chan hoover.chan@gmail.com , if you so wish.
Please review your subscriptions to any _other_ mailing lists, and stop relying on hchan@mail.ewind.com -> hoover.chan@gmail.com forwarding. You really cannot rely on that, any more. TY.
-- Rick Moen for the BALUG sysadmin team
----- Forwarded message from mailman@lists.balug.org -----
Date: Sat, 30 Jul 2022 20:35:00 +0000
From: mailman@lists.balug.org
To: balug-admin-owner@lists.balug.org
Subject: Bounce action notification
X-Spam-Status: No, score=-2.6 required=4.0 tests=BAYES_00,MAILING_LIST_MULTI,
    NO_REAL_NAME,SPF_PASS,T_TVD_MIME_NO_HEADERS autolearn=ham version=3.3.1
This is a Mailman mailing list bounce action notice:
List: BALUG-Admin
Member: hchan@mail.ewind.com
Action: Subscription disabled.
Reason: Excessive or fatal bounces.
The triggering bounce notice is attached below.
Questions? Contact the Mailman site administrator at mailman@lists.balug.org.
Received: from static-198.89.112.140.nephohosting.com ([198.89.112.140] helo=nephoscale.ewind.com)
    by balug-sf-lug-v2.balug.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
    id 1oHtAp-00053A-No for balug-admin-bounces@lists.balug.org; Sat, 30 Jul 2022 20:34:59 +0000
Received: from localhost (localhost) by nephoscale.ewind.com (8.14.4/8.14.4)
    id 26UKUlVD005544; Sat, 30 Jul 2022 13:30:47 -0700
Date: Sat, 30 Jul 2022 13:30:47 -0700
From: Mail Delivery Subsystem MAILER-DAEMON@nephoscale.ewind.com
Message-Id: 202207302030.26UKUlVD005544@nephoscale.ewind.com
To: balug-admin-bounces@lists.balug.org
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="26UKUlVD005544.1659213047/nephoscale.ewind.com"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
Received-SPF: none client-ip=198.89.112.140; helo=nephoscale.ewind.com
The original message was received at Sat, 30 Jul 2022 13:30:41 -0700 from balug.org [96.86.170.229]
----- The following addresses had permanent fatal errors -----
hoover.chan@gmail.com
    (reason: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both)
    (expanded from: hchan@mail.ewind.com)

----- Transcript of session follows -----
... while talking to gmail-smtp-in.l.google.com.:
DATA
<<< 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both
<<< 550-5.7.26 do not pass). SPF check for [lists.balug.org] does not pass with ip:
<<< 550-5.7.26 [198.89.112.140].To best protect our users from spam, the message
<<< 550-5.7.26 has been blocked. Please visit
<<< 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more
<<< 550 5.7.26 information. f5-20020a62db05000000b0052c708707dbsi7062217pfg.121 - gsmtp
554 5.0.0 Service unavailable

Reporting-MTA: dns; nephoscale.ewind.com
Received-From-MTA: DNS; balug.org
Arrival-Date: Sat, 30 Jul 2022 13:30:41 -0700

Final-Recipient: RFC822; hchan@mail.ewind.com
X-Actual-Recipient: RFC822; hoover.chan@gmail.com
Action: failed
Status: 5.7.26
Remote-MTA: DNS; gmail-smtp-in.l.google.com
Diagnostic-Code: SMTP; 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both
Last-Attempt-Date: Sat, 30 Jul 2022 13:30:42 -0700
Return-Path: balug-admin-bounces@lists.balug.org
Received: from balug-sf-lug-v2.balug.org (balug.org [96.86.170.229])
    by nephoscale.ewind.com (8.14.4/8.14.4) with ESMTP id 26UKUfVD005543
    for hchan@mail.ewind.com; Sat, 30 Jul 2022 13:30:41 -0700
Received: from localhost ([127.0.0.1] helo=balug.org)
    by balug-sf-lug-v2.balug.org with esmtp (Exim 4.92)
    (envelope-from balug-admin-bounces@lists.balug.org)
    id 1oHtAc-00052G-8o; Sat, 30 Jul 2022 20:34:46 +0000
Received: from linuxmafia.com ([96.95.217.99])
    by balug-sf-lug-v2.balug.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:256) (Exim 4.92)
    (envelope-from rick@linuxmafia.com)
    id 1oHtAZ-000526-W5 for balug-admin@lists.balug.org; Sat, 30 Jul 2022 20:34:44 +0000
Received: from rick by linuxmafia.com with local (Exim 4.72)
    (envelope-from rick@linuxmafia.com)
    id 1oHtAX-0001P2-QB for balug-admin@lists.balug.org; Sat, 30 Jul 2022 13:34:41 -0700
Date: Sat, 30 Jul 2022 13:34:41 -0700
From: Rick Moen rick@linuxmafia.com
To: balug-admin@lists.balug.org
Message-ID: 20220730203441.GI13985@linuxmafia.com
References: 20220726022507.GV13985@linuxmafia.com
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: 20220726022507.GV13985@linuxmafia.com
Organization: If you lived here, you'd be $HOME already.
X-Mas: Bah humbug.
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: Mutt/1.5.20 (2009-06-14)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: rick@linuxmafia.com
X-SA-Exim-Scanned: No (on linuxmafia.com); SAEximRunCond expanded to false
Received-SPF: pass client-ip=96.95.217.99; envelope-from=rick@linuxmafia.com; helo=linuxmafia.com
Subject: Re: [BALUG-Admin] Spamtraps and http://www.uceprotect.net/en/rblcheck.php?ipr=96.86.170.229
X-BeenThere: balug-admin@lists.balug.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion among those who make BALUG work <balug-admin.lists.balug.org>
List-Unsubscribe: https://lists.balug.org/cgi-bin/mailman/options/balug-admin,
    mailto:balug-admin-request@lists.balug.org?subject=unsubscribe
List-Archive: https://lists.balug.org/pipermail/balug-admin/
List-Post: mailto:balug-admin@lists.balug.org
List-Help: mailto:balug-admin-request@lists.balug.org?subject=help
List-Subscribe: https://lists.balug.org/cgi-bin/mailman/listinfo/balug-admin,
    mailto:balug-admin-request@lists.balug.org?subject=subscribe
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: balug-admin-bounces@lists.balug.org
Sender: "BALUG-Admin" balug-admin-bounces@lists.balug.org
----- End forwarded message -----
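Added example, not part of the original message and not Mailman's code: the delivery-status fields in the bounce above are enough to recognise a forwarding-induced rejection mechanically. The function name `triage_dsn` and the result keys are this example's own; the field values are excerpted from the bounce.

```python
from email.parser import HeaderParser

# Delivery-status fields excerpted from the bounce quoted above.
# Layout per RFC 3464: per-message fields, a blank line, then one
# group of fields for each recipient.
DSN_TEXT = """\
Reporting-MTA: dns; nephoscale.ewind.com
Received-From-MTA: DNS; balug.org
Arrival-Date: Sat, 30 Jul 2022 13:30:41 -0700

Final-Recipient: RFC822; hchan@mail.ewind.com
X-Actual-Recipient: RFC822; hoover.chan@gmail.com
Action: failed
Status: 5.7.26
Remote-MTA: DNS; gmail-smtp-in.l.google.com
Last-Attempt-Date: Sat, 30 Jul 2022 13:30:42 -0700
"""

def _value(field):
    """Drop the 'RFC822;' / 'dns;' type prefix from a DSN field value."""
    return field.split(";", 1)[-1].strip().lower() if field else None

def triage_dsn(text):
    """Return one finding per failed recipient in a delivery-status body."""
    groups = [g for g in text.strip().split("\n\n") if g.strip()]
    parser = HeaderParser()
    reporting_mta = _value(parser.parsestr(groups[0])["Reporting-MTA"])
    findings = []
    for group in groups[1:]:
        rcpt = parser.parsestr(group)
        if (rcpt["Action"] or "").strip().lower() != "failed":
            continue
        subscribed = _value(rcpt["Final-Recipient"])
        # X-Actual-Recipient is present when the subscribed address was
        # expanded (forwarded or aliased) to a different mailbox.
        actual = _value(rcpt["X-Actual-Recipient"]) or subscribed
        status = (rcpt["Status"] or "").strip()
        # 5.7.x is the security/policy class of enhanced status codes
        # (RFC 3463); Gmail used 5.7.26 in this bounce.
        policy_reject = status.startswith("5.7.")
        findings.append({
            "subscribed": subscribed,
            "actual": actual,
            "status": status,
            "relayed_by": reporting_mta,
            "rejected_by": _value(rcpt["Remote-MTA"]),
            "forwarding_broke_auth": actual != subscribed and policy_reject,
        })
    return findings

if __name__ == "__main__":
    for finding in triage_dsn(DSN_TEXT):
        print(finding)
```

A finding with `forwarding_broke_auth` set means the fix is on the subscriber's side (subscribe the final mailbox directly), not on the list server.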
Rick, thanks for explaining what was happening and apologies to all who were affected by the way I had things set up for my ewind.com domain. A little bit of backstory. I had to quickly set up workarounds when I lost several servers due to hardware failures and had to rebuild on existing cloud based systems (anybody else using Nephohosting or have heard good or bad about them?) and where gaps in coverage appeared, tried to cover them with forwarding.
That being said, I'd like to keep my BALUG mailing lists presence based on my hoover.chan@gmail.com address.
Also, any pointers to documentation on current best practices for building network services (e-mail, Web, DNS)? Especially on cloud hosted platforms? (e.g. Nephohosting (or equivalent), AWS, etc). Most of the "How Tos" that I've learned from in the past are now outdated.
Speaking of which, I also had to rebuild my collection of GNU Mailman mailing lists on cloud hosted services since my hardware disasters also swept those away. I'm guessing that the SPF/DMARC issues may be affecting these too. Partly due to pricing and what reviews I was able to find at the time, I ended up going to "Mailmanlists.net". Is the BALUG universe also on a 3rd party hosted service which everyone is happy with? I'd be curious to learn more.
Thanks all for your patience.
- Hoover Chan (hoover.chan@gmail.com)
Quoting Hoover Chan (hoover.chan@gmail.com):
> Rick, thanks for explaining what was happening and apologies to all who were affected by the way I had things set up for my ewind.com domain.
No problem. I've been tracking down and fixing BALUG delivery problems, and was delighted to find and fix yours.
You should be in receipt of "invitation" e-mails (to quick-subscribe hoover.chan@gmail.com) I caused Mailman to send for the balug-admin, balug-talk, and balug-announce mailing lists -- the same three you've until now had your ewind.com address subscribed to, and tried to forward to GMail.
Yeah, it's really tempting to cover service inadequacies using SMTP forwarding, but then you're highly likely to get bitten by SPF/DMARC (primarily DMARC, as I will explain). I got bit myself!
> Also, any pointers to documentation on current best practices for building network services (e-mail, Web, DNS)? Especially on cloud hosted platforms? (e.g. Nephohosting (or equivalent), AWS, etc). Most of the "How Tos" that I've learned from in the past are now outdated.
I don't. Maybe some day, I'll write one, but man, too many projects.
> Speaking of which, I also had to rebuild my collection of GNU Mailman mailing lists on cloud hosted services since my hardware disasters also swept those away. I'm guessing that the SPF/DMARC issues may be affecting these too.
All Mailman releases starting (IIRC) 2.1.16 have included an excellent _but non-default_ set of DMARC-mitigation controls that can be set on a per-list basis from the admin WebUI.
Go to page Privacy Options, Sender Filters. In the middle of the page, you'll find these options:
Action to take when anyone posts to the list from a domain with a DMARC Reject/Quarantine Policy (dmarc_moderation_action)
    (o) Accept  ( ) Munge from  ( ) Wrap message  ( ) Reject  ( ) Discard

Shall the above dmarc_moderation_action apply to messages From: domains with DMARC p=quarantine as well as p=reject? (dmarc_quarantine_moderation_action)
    (o) No  ( ) Yes

Shall the above dmarc_moderation_action apply to messages From: domains with DMARC p=none as well as p=quarantine and p=reject? (Details for dmarc_none_moderation_action)
    (o) No  ( ) Yes
Shown above are Mailman defaults, with _no_ DMARC mitigation. To enable mitigation, change the first two: Change dmarc_moderation_action to "Munge from" and change dmarc_quarantine_moderation_action to "Yes". That's it.
The proximate effect of this mitigation is as follows: _If_ a subscriber's posting is from a domain that publishes a DMARC policy with policy p=reject or p=quarantine, _then and only then_ "munge" the "From:" header on all mailed-out subscriber copies to substitute the mailing list's address for the subscriber's. In that case, append the poster's real address to a "Reply-To:" header (or create such a header if not already present).
The _end_-effect of this munging (targeted only to DMARC-afflicted subscribers' postings, and leaving other people's postings alone) is to do an end-run around DMARC damage. Why? Because the poster's domain's overly aggressive DMARC policies have been rendered irrelevant by substitution of a different domain (balug.org) as sender.
You asked about SPF mitigation. Not needed! SPF, unlike DMARC, is not mailing-list-hostile.
I do have Some Opinions on this subject. That is why my domain's DNS has:
:r! dig -t txt linuxmafia.com. +short
"v=spf1 ip4:96.95.217.99 -all"

:r! dig -t txt _dmarc.linuxmafia.com. +short
"DMARC: tragically misdesigned since 2012. Check our SPF RR, instead."
You will note that my SPF record is bracingly simple and unequivocal. It says please reject as forged any mail claiming to be from linuxmafia.com unless it arrives from IPv4 address 96.95.217.99 with no exceptions, uncertainty, or elaborations. I am able to publish with confidence such a declaration _only_ because I never wish to permit any mail to convincingly claim to be from my domain unless it originates directly from my IP.
SPF syntax is flexible and permits some elaborate and contingent declarations. I luckily don't need that flexibility. So, SPF is a very good fit for my domain's use-case for sending out mail.
If you search around, you will find people who've been angry about, and dislike, SPF for almost a quarter-century. Quite logically, these tend to be people who have enjoyed the ability to originate mail purporting to be from their (and/or other people's) domains for a long time, and who dislike any obstacle to doing so freely. Or, to look at it differently, they enjoy domain-forgery. ;->
> Partly due to pricing and what reviews I was able to find at the time, I ended up going to "Mailmanlists.net". Is the BALUG universe also on a 3rd party hosted service which everyone is happy with? I'd be curious to learn more.
balug.org is self-hosted by Michael Paoli on one of his hosts at home. Likewise, linuxmafia.com is self-hosted by me on one of my hosts at home.
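Added example, not part of the thread: a small evaluator for the `ip4`/`ip6`/`all` SPF mechanisms, showing why the linuxmafia.com record quoted above passes only mail arriving from 96.95.217.99, and why the forwarded subscriber copy described in the first message failed at Gmail. The record for lists.balug.org is a constructed stand-in (the thread does not quote it), and `check_spf` and `trace_forwarded_copy` are this example's own names.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate an SPF record's ip4/ip6/all terms against the connecting IP.

    Returns an RFC 7208 result name. Terms that need DNS lookups (a, mx,
    include, exists, ptr, redirect=) are outside this example and raise
    ValueError instead of producing a misleading answer.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term  # "+" is the default qualifier
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError(f"term not handled by this example: {term}")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

# Published record, from the dig output quoted in the message above.
LINUXMAFIA_SPF = "v=spf1 ip4:96.95.217.99 -all"
# ASSUMPTION: constructed stand-in. The thread does not quote the SPF record
# for lists.balug.org; this one authorizes only the list host's address.
LISTS_BALUG_SPF = "v=spf1 ip4:96.86.170.229 -all"

def trace_forwarded_copy():
    """SPF result at each hop of the subscriber copy described in the thread.

    Once the list re-mails the posting, the envelope sender is
    balug-admin-bounces@lists.balug.org on both later hops, so each receiver
    checks lists.balug.org's record against whichever host connects to it.
    """
    return [
        ("rick -> list host", check_spf(LINUXMAFIA_SPF, "96.95.217.99")),
        ("list host -> ewind.com", check_spf(LISTS_BALUG_SPF, "96.86.170.229")),
        ("ewind.com forwarder -> Gmail", check_spf(LISTS_BALUG_SPF, "198.89.112.140")),
    ]

if __name__ == "__main__":
    for hop, result in trace_forwarded_copy():
        print(f"{hop:30} {result}")
```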
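Added example, not Mailman's own code: the "Munge from" behaviour described above (rewrite `From:` to the list address and carry the poster's address in `Reply-To:`, only when the poster's domain publishes p=reject or p=quarantine), applied to sample messages. The function names, the example.com poster and its DMARC record are constructed, and the "via" display-name format is this example's choice.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

def dmarc_policy(txt):
    """Return the p= value of a DMARC TXT record, or None if txt is not one."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def should_munge(policy, quarantine_too=True):
    """Mirror the two settings from the thread: act on p=reject, and on
    p=quarantine when dmarc_quarantine_moderation_action is Yes."""
    return policy == "reject" or (policy == "quarantine" and quarantine_too)

def munge_from(msg, list_addr, list_name):
    """Put the list's address in From: and append the poster to Reply-To:."""
    name, addr = parseaddr(msg["From"])
    reply_to = msg.get_all("Reply-To", [])
    del msg["From"], msg["Reply-To"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    msg["Reply-To"] = ", ".join(reply_to + [formataddr((name, addr))])
    return msg

def distribute(raw, sender_dmarc_txt,
               list_addr="balug-admin@lists.balug.org", list_name="BALUG-Admin"):
    """Return the subscriber copy the list would mail out for one posting."""
    msg = message_from_string(raw)
    if should_munge(dmarc_policy(sender_dmarc_txt)):
        munge_from(msg, list_addr, list_name)
    return msg

# Constructed posting from a domain with a strict DMARC policy.
STRICT_POST = ("From: Pat Example <pat@example.com>\n"
               "To: balug-admin@lists.balug.org\nSubject: test\n\nbody\n")
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
# Constructed posting from linuxmafia.com; the TXT string is the one quoted
# above, which is not a DMARC policy record, so the posting is left alone.
PLAIN_POST = ("From: Rick Moen <rick@linuxmafia.com>\n"
              "To: balug-admin@lists.balug.org\nSubject: test\n\nbody\n")
PLAIN_DMARC = "DMARC: tragically misdesigned since 2012. Check our SPF RR, instead."

if __name__ == "__main__":
    for raw, txt in ((STRICT_POST, STRICT_DMARC), (PLAIN_POST, PLAIN_DMARC)):
        out = distribute(raw, txt)
        print("From:", out["From"], "| Reply-To:", out["Reply-To"])
```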