[BALUG-Admin] (forw) Bounce action notification

Rick Moen rick@linuxmafia.com
Sun Jul 31 01:01:22 UTC 2022 

Quoting Hoover Chan (hoover.chan@gmail.com):

> Rick, thanks for explaining what was happening and apologies to all who
> were affected by the way I had things set up for my ewind.com domain. 

No problem.  I've been tracking down and fixing BALUG delivery problems,
and was delighted to find and fix yours.

You should be in receipt of "invitation" e-mails (to quick-subscribe
hoover.chan@gmail.com) I caused Mailman to send for the balug-admin,
balug-talk, and balug-announce mailing lists -- the same three you've
until now had your ewind.com address subscribed to, and tried to forward
to GMail.

Yeah, it's really tempting to cover service inadequacies using SMTP
forwarding, but then you're highly likely to get bitten by SFP/DMARC
(primarily DMARC, as I will explain).  I got bit myself!

> Also, any pointers to documentation on current best practices for building
> network services (e-mail, Web, DNS)? Especially on cloud hosted platforms?
> (e.g. Nephosting (or equivalent), AWS, etc). Most of the "How Tos" that
> I've learned from in the past are now outdated.

I don't.  Maybe some day, I'll write one, but man, too many projects.

> Speaking of which, I also had to rebuild my collection of GNU Mailman
> mailing lists on cloud hosted services since my hardware disasters also
> swept those away. I'm guessing that the SPF/DMARC issues may be affecting
> these too. 

All Mailman releases starting (IIRC) 2.1.16 have included an excellent 
_but non-default_ set of DMARC-mitigation controls that can be set on a
per-list basis from the admin WebUI.

Go to page Privacy Options, Sender Filters.  In the middle of the page,
you'll find these options:

  Action to take when anyone posts to the list from a domain with a
  DMARC Reject/Quarantine Policy (dmarc_moderation_action)
   (o) Accept  ( ) Munge from  ( ) Wrap message  ( ) Reject  ( ) Discard


  Shall the above dmarc_moderation_action apply to messages From:
  domains with DMARC p=quarantine as well as p=reject? 
  (dmarc_quarantine_moderation_action) 
  (o) No  ( ) Yes


  Shall the above dmarc_moderation_action apply to messages From:
  domains with DMARC p=none as well as p=quarantine and p=reject?
  (Details for dmarc_none_moderation_action) 
  (o) No  ( ) Yes


Shown above are Mailman defaults, with _no_ DMARC mitigation.
To enable mitigation, change the first two:  Change
dmarc_moderation_action to "Munge from" and change
dmarc_quarantine_moderation_action to "Yes".  That's it.

The proximate effect of this mitigation is as follows:  _If_ a
subscriber's posting is from a domain that publishes a DMARC policy with
policy p=reject or p=quarantine, _then and only then_ "munge" the
"From:" header on all mailed-out subscriber copies to substitute the
mailing list's address for the subscribers.  In that case, append the
poster's real address to a "Reply-To:" header (or create such a header
if not already present).

The _end_-effect of this munging (targeted only to DMARC-afflicted
subscibers' posting, and leaving other people's postings alone) is
to do an end-run around DMARC damage.  Why?  Because the poster's 
domain's overly aggressive DMARC policies have been rendered irrelevant
by substitution of a different domain (balug.org) as sender.


You asked about SPF mitigation.  Not needed!  SPF, unlike DMARC, is not
mailing-list-hostile.

I do have Some Opinions on this subject.  That is why my domain's DNS
has:

:r! dig -t txt linuxmafia.com. +short
"v=spf1 ip4:96.95.217.99 -all"

:r! dig -t txt _dmarc.linuxmafia.com. +short
"DMARC: tragically misdesigned since 2012.  Check our SPF RR, instead."

You will note that my SPF record is bracingly simple and unequivocal.
It says please reject as forged any mail claiming to be from
linuxmafia.com unless it arrives from IPv4 address 96.95.217.99 with no
exceptions, uncertainty, or elaborations.  I am able to publish with 
confidence such a declaration _only_ because I never wish to permit 
any mail to convincingly claim to be from my domain unless it originates
directly from my IP.

SPF syntax is flexible and permits some elaborate and contingent
declarations.  I luckily don't need that flexibility.  So, SPF is 
a very good fit for my domain's use-case for sending out mail.

If you search around, you will find people who've been angry about, and
dislike, SPF for almost a quarter-century.  Quite logically, these tend
to be people who have enjoyed the ability to originate mail purporting
to be from their (and/or other people's) domains for a long time, and
who dislike any obstacle to doing so freely.  Or, to look at it
differently, they enjoy domain-forgery.  ;->



> Partly due to pricing and what reviews I was able to find at the
> time, I ended up going to "Mailmanlists.net". Is the BALUG universe also on
> a 3rd party hosted service which everyone is happy with? I'd be curious to
> learn more.

balug.org is self-hosted by Michael Paoli on one of his hosts at home.
Likewise, linuxmafia.com is self-hosted by me on one of my hosts at home.

More information about the BALUG-Admin mailing list