
I recently switched my mailman host to a new provider. One of my users is now encountering problems that he hasn't had before. When he sends a message to a list an error message is generated that is in the following form:
From: Mail Delivery System Mailer-Daemon@cloud1.emwd.com
To: announce-bounces@usml.net
Cc:
Date: Thu, 14 Apr 2016 13:09:24 -0400
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

[subscriber's email address appeared here and I deleted it]
host mxa-00149702.gslb.pphosted.com [67.231.156.216]
SMTP error from remote mail server after end of data:
550 5.7.0 You are not authorized to use our domain as a sender address.

Action: failed
Final-Recipient: rfc822; [subscriber's email address appeared here and I deleted it]
Status: 5.0.0
Remote-MTA: dns; mxa-00149702.gslb.pphosted.com
Diagnostic-Code: smtp; 550 5.7.0 You are not authorized to use our domain as a sender address.
When I asked my host about this I was told that this is an SPF configuration issue and that the sender needs to adjust relevant DNS records.
The subscriber spoke to his IT person who said that this appears to him to be a blacklist issue and that the host needs to make an adjustment.
Meanwhile, mailman has now removed the subscriber from the mailing list and I had to put him back on, but I assume he will be deleted soon.
I'm not really sure what to do.
Any advice on how to proceed?

On 04/19/2016 05:28 PM, Richard Robbins wrote:
> I recently switched my mailman host to a new provider. One of my users is now encountering problems that he hasn't had before. When he sends a message to a list an error message is generated that is in the following form:
> From: Mail Delivery System Mailer-Daemon@cloud1.emwd.com To: announce-bounces@usml.net Cc: Date: Thu, 14 Apr 2016 13:09:24 -0400 Subject: Mail delivery failed: returning message to sender This message was created automatically by mail delivery software.
> A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
> ...
> When I asked my host about this I was told that this is an SPF configuration issue and that the sender needs to adjust relevant DNS records.
> The subscriber spoke to his IT person who said that this appears to him to be a blacklist issue and that the host needs to make an adjustment.
> Meanwhile, mailman has now removed the subscriber from the mailing list and I had to put him back on, but I assume he will be deleted soon.
There are two separate issues here. He cannot send to Mailman and Mailman can't send to him. The first causes him to get the rejections as above and the other causes Mailman's bounce processing to unsubscribe him.
As to what you can do, the first question is whether this is your Mailman installation on say a hosted VPS or similar or Mailman provided by the host.
If the latter, there's little if anything you can directly do. You can go to the list's web admin UI and on the Bounce processing page, make sure that both bounce_notify_owner_on_bounce_increment and bounce_notify_owner_on_disable are set to Yes. Then every time the user's bounce score is incremented and when it reaches threshold, the owner will be sent a notice which includes the reason the mail wasn't delivered. This may be similar to or different from the notice the user gets when he sends to the list.
This will at least give you some more information. If as I suspect you do not control Mailman or the MTA on the host machine, there's probably nothing you can do to fix this and since the host and the user's support are pointing fingers at each other, there's not much hope for resolution there either.
Probably the user should just give up and get a gmail or other freemail (but not Yahoo or AOL or anyone else that publishes DMARC p=reject) account to use with the list.

Mark Sapiro wrote:
> There are two separate issues here. He cannot send to Mailman and Mailman can't send to him. The first causes him to get the rejections as above and the other causes Mailman's bounce processing to unsubscribe him.
I partially misinterpreted the situation. I have received an off-list message from the proprietor of the subject Mailman hosting service with whom we have an excellent relationship (and he has now posted to the list).
He has clarified a few things. The only messages that are bouncing are the problem user's posts from the list back to him. He receives other users' posts OK, and his posts are delivered to all the list members and only the list post to him is bounced.
It appears to me from what I now know and see that this is a pseudo DMARC issue. The user's ISP, pphosted.com is saying that mail which has a From: header domain which is "our domain" and To: a user in "our domain" must come from our servers to be accepted. I.e., they don't publish a DMARC policy, but when checking incoming mail on their own servers they pretend they publish p=reject.
This is not SPF per se. SPF deals only with the domain of the envelope sender, not the From: header.
Since pphosted.com doesn't publish a DMARC policy, you can't work around this by setting dmarc_moderation_action. You can set from_is_list to Munge From or Wrap Message and I'm sure that will allow these posts to go through, but that is a heavy hammer which affects all list posts.
Perhaps with this info, the user can talk again to pphosted and get an intelligent response. This does not appear in any way to be an issue with emwd.com's configuration.
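
An added illustration (not part of the original thread, and not Mailman's or the receiver's actual code) of the distinction drawn above: SPF looks only at the envelope sender, while the receiver's local rule looks at the From: header. The domains, IP ranges, and function names are constructed placeholders; munge_from() is only a rough model of from_is_list = Munge From.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample values: example.com stands in for the subscriber's
# domain; all addresses and IP ranges are documentation placeholders.
LOCAL_DOMAIN = "example.com"
LOCAL_SERVERS = [ip_network("192.0.2.0/24")]        # receiver's own mail servers
LIST_HOST_IP = "198.51.100.25"                      # list host's outbound IP
LIST_POST = "announce@lists.example.net"
LIST_BOUNCE = "announce-bounces@lists.example.net"  # envelope sender of list mail

RAW_POST = """From: Pat Member <pat@example.com>
To: announce@lists.example.net
Subject: hello

body
"""

def domain_of(addr):
    """Lower-cased domain part of an address or of a From:-style header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def spf_checked_domain(envelope_sender):
    """SPF is evaluated for the envelope sender (MAIL FROM) domain only."""
    return domain_of(envelope_sender)

def receiver_policy(msg, rcpt, client_ip):
    """Hypothetical local rule as described in the thread: a From: header in
    our domain, addressed to a user in our domain, must arrive from our servers."""
    from_ours = domain_of(msg["From"]) == LOCAL_DOMAIN
    rcpt_ours = domain_of(rcpt) == LOCAL_DOMAIN
    ours = any(ip_address(client_ip) in net for net in LOCAL_SERVERS)
    if from_ours and rcpt_ours and not ours:
        return "550 5.7.0 You are not authorized to use our domain as a sender address."
    return "250 OK"

def munge_from(msg, list_name, list_addr):
    """Rough model of Munge From: the list address goes into From: and the
    original poster is moved to Reply-To:."""
    name, addr = parseaddr(msg["From"])
    out = message_from_string(msg.as_string())
    del out["From"]
    out["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    out["Reply-To"] = formataddr((name, addr))
    return out

if __name__ == "__main__":
    post = message_from_string(RAW_POST)
    print("SPF checks:", spf_checked_domain(LIST_BOUNCE))
    print("own post back to poster:",
          receiver_policy(post, "pat@example.com", LIST_HOST_IP))
    print("same post to another domain:",
          receiver_policy(post, "sam@example.org", LIST_HOST_IP))
    munged = munge_from(post, "Announce", LIST_POST)
    print("after Munge From:",
          receiver_policy(munged, "pat@example.com", LIST_HOST_IP))
```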

Thanks. You've all given me much appreciated assistance.

On 04/21/2016 03:42 AM, Richard Robbins wrote:
> Thanks. You've all given me much appreciated assistance.
One further thought.
If the only concern is the user's being unsubscribed, you/he can set his "Receive your own posts to the list?" option (not metoo in the web admin Membership List) to No, and if he wants some confirmation that his posts are received, set "Receive acknowledgement mail when you send mail to the list?" (ack in the web admin Membership List) to Yes.
This should solve the problem of his being unsubscribed.

That makes great sense. I will give it a shot.
I'm still trying to figure out why this particular problem only cropped up when I changed mailman hosts but I don't have access to the old host details to see if there are differences between how I set up the program then as opposed to now.

Mark,
Your suggestion seems to be just what the doctor ordered. I have a happy subscriber who isn't in the mood to lock horns with the less than responsive IT team at his company.
Thank you and everyone else who chimed in.
-- Rich

Richard Robbins writes:
> I recently switched my mailman host to a new provider. One of my users is now encountering problems that he hasn't had before.
Are you sure your list configuration is the same as before?
> When he sends a message to a list an error message is generated that is in the following form:
This doesn't look like a problem Mailman itself can help solve, but you don't provide the information needed to decide.
> From: Mail Delivery System Mailer-Daemon@cloud1.emwd.com To: announce-bounces@usml.net
announce@usml.net is your mailing list?
emwd.com is your new host? (No direct experience, but they have been a good citizen on our lists, which gives me some confidence in his statements.)
> This is a permanent error. The following address(es) failed:
> [subscriber's email address appeared here and I deleted it]
The subscriber's address is at pphosted.com (from the name, most likely a virtual domain served by pphosted.com)? Subscriber == sender? Do you get a pile of these for various senders, or only for subscriber == sender?
> host mxa-00149702.gslb.pphosted.com [67.231.156.216] SMTP error from remote mail server after end of data: 550 5.7.0 You are not authorized to use our domain as a sender address.
As your staff says, this could be an SPF issue, but why "mxa-00149702" believes your host is claiming to be a domain hosted by pphosted.com, I don't know. Was your domain ("usml.net"?) formerly, or now partially, hosted at pphosted.com?
If your list hosting domain has never had any relation to pphosted.com, I would assume that this isn't based on SPF, but rather that the sender is the subscriber, and this is a policy rejection based on that fact (ie, the subscriber's host believes the mail is from a spammer pretending to be the subscriber).
> Action: failed Final-Recipient: rfc822; [subscriber's email address appeared here and I deleted it] Status: 5.0.0 Remote-MTA: dns; mxa-00149702.gslb.pphosted.com Diagnostic-Code: smtp; 550 5.7.0 You are not authorized to use our domain as a sender address.
> When I asked my host about this I was told that this is an SPF configuration issue and that the sender needs to adjust relevant DNS records.
Could be, I guess. I would guess a misconfiguration of the receiving MTA (mail server). I don't understand how a DNS misconfiguration of SPF would result in that status message, unless the receiver is also broken.
But SPF DNS reconfiguration shouldn't help Mailman mailing lists, because mailing lists are expected to fail in SPF. Configuration of the receiving MTA would be more likely to help.
> The subscriber spoke to his IT person who said that this appears to him to be a blacklist issue and that the host needs to make an adjustment.
Sounds to me like the IT person just doesn't want to be bothered. I see no evidence of a blacklist in what you've posted, rather, pretty clearly the subscriber's host made the reject decision all by itself. If there was a blacklist, it's the subscriber's host that consulted it, and the IT person should be a lot more helpful about what the problem is.
> Meanwhile, mailman has now removed the subscriber from the mailing list and I had to put him back on, but I assume he will be deleted soon.
> I'm not really sure what to do.
> Any advice on how to proceed?
Using one of the DMARC mitigation options (most popular is Privacy | Sender Filters | DMARC Moderation Action, set to "Munge From") may help. I'd bet against it, but it's mostly harmless (list traffic will continue to be delivered to everybody, some people may complain about the awkward From header field from some posters), and easily reversed if you do get any complaints.
If the answers to the initial questions are all "yes" (except the last two, which I expect to be "no, only for this sender==subscriber", and "no, usml.net has no relation whatsoever to pphosted.com"), I strongly suspect that there is a problem at the subscriber's host (quite possibly in the IT person's head). If the subscriber wants reliable mail service it's easiest to get another address (Gmail is easy; AOL and Yahoo! are deprecated because of their DMARC policies).
Steve

It does look like it is an SPF issue. The email address that is bouncing is only bouncing messages that come from itself. All other messages coming from other list members are delivered successfully. So every time this list member posts, he is being sent a copy of his own post and his own post bounces when mailman tries to deliver his own post to his own email account. The domain name in question does have an SPF record. The IP address of this user's mail server is not listed in their SPF record.
Brian
Participants (4): Brian Carpenter, Mark Sapiro, Richard Robbins, Stephen J. Turnbull