Hi to everyone,
I'm trying to build a few mailing lists with mailman. I've got some trouble with spam/dkim (in the past it was working out of the box, without dkim!).
I'm running a Debian 7.9 server, with postfix.
When I'm sending email from a system user, I can see in the mail header:
dkim=pass header.i=@example.xyz
I'm having some difficulty understanding how mailman processes outgoing mail with a valid DKIM header.
When a mailing list user sends a mail through my list, sometimes the headers are filled with an X-Google-DKIM-Signature (depending on the sender, gmail/google app domain...) but no sign of my original DKIM-Signature.
I've tried using REMOVE_DKIM_HEADERS yes or no, with no success.
Some opendkim issues can be found in mail.log:
opendkim[1507]: 19D41278A1A5: no signing table match for 'kemkem42@gmail.com '
What's this? Is there a link to my problem?
Can someone help me with this?
My conf files are below.
main.cf
#mtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = example.xyz
alias_database = hash:/etc/aliases
alias_maps = hash:/var/lib/mailman/data/aliases
myorigin = example.xyz
mydestination = example.xyz, localhost.localdomain, localhost
#mynetworks = 127.0.0.0/8
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
relay_domains = example.xyz, localhost.localdomain, localhost

#secu
smtpd_helo_required = yes
strict_rfc821_envelopes = yes

smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, warn_if_reject reject_unverified_sender

smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_invalid_hostname

smtpd_client_restrictions = reject_unknown_client, permit_mynetworks

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
inet_protocols = all
master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
mm_cfg.py
"""This is the module which takes your site-specific settings.

From a raw distribution it should be copied to mm_cfg.py. If you
already have an mm_cfg.py, be careful to add in only the new settings
you want. The complete set of distributed defaults, with annotation,
are in ./Defaults. In mm_cfg, override only those you want to
change, after the

  from Defaults import *

line (see below).

Note that these are just default settings - many can be overridden via the
admin and user interfaces on a per-list or per-user basis.

Note also that some of the settings are resolved against the active list
setting by using the value as a format string against the
list-instance-object's dictionary - see the distributed value of
DEFAULT_MSG_FOOTER for an example."""

#######################################################
#    Here's where we get the distributed defaults.    #

from Defaults import *

##############################################################
# Put YOUR site-specific configuration below, in mm_cfg.py . #
# See Defaults.py for explanations of the values.            #

#-------------------------------------------------------------
# The name of the list Mailman uses to send password reminders
# and similar. Don't change if you want mailman-owner to be
# a valid local part.
MAILMAN_SITE_LIST = 'mailman'

#-------------------------------------------------------------
# If you change these, you have to configure your http server
# accordingly (Alias and ScriptAlias directives in most httpds)
DEFAULT_URL_PATTERN = 'http://%s/cgi-bin/mailman/'
PRIVATE_ARCHIVE_URL = '/cgi-bin/mailman/private'
IMAGE_LOGOS = '/images/mailman/'

#-------------------------------------------------------------
# Default domain for email addresses of newly created MLs
DEFAULT_EMAIL_HOST = 'endymion.xyz'
#-------------------------------------------------------------
# Default host for web interface of newly created MLs
DEFAULT_URL_HOST = 'endymion.xyz'
#-------------------------------------------------------------
# Required when setting any of its arguments.
add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)

#-------------------------------------------------------------
# The default language for this server.
DEFAULT_SERVER_LANGUAGE = 'en'

#-------------------------------------------------------------
# Iirc this was used in pre 2.1, leave it for now
USE_ENVELOPE_SENDER = 0  # Still used?

#-------------------------------------------------------------
# Unset send_reminders on newly created lists
DEFAULT_SEND_REMINDERS = 0

#-------------------------------------------------------------
# Uncomment this if you configured your MTA such that it
# automatically recognizes newly created lists.
# (see /usr/share/doc/mailman/README.Exim4.Debian or
# /usr/share/mailman/postfix-to-mailman.py)
# MTA=None   # Misnomer, suppresses alias output on newlist

#-------------------------------------------------------------
# Uncomment if you use Postfix virtual domains (but not
# postfix-to-mailman.py), but be sure to see
# /usr/share/doc/mailman/README.Debian first.
# MTA='Postfix'

#-------------------------------------------------------------
# Uncomment if you want to filter mail with SpamAssassin. For
# more information please visit this website:
# http://www.jamesh.id.au/articles/mailman-spamassassin/
# GLOBAL_PIPELINE.insert(1, 'SpamAssassin')

# Note - if you're looking for something that is imported from mm_cfg, but you
# didn't find it above, it's probably in /usr/lib/mailman/Mailman/Defaults.py.

REMOVE_DKIM_HEADERS = No
Thanks for reading
Marc @obscur_moirage <https://twitter.com/obscur_moirage> | marc-bourgeois.net | dev.kprod.net | g+ <https://plus.google.com/111579343717579702540>
Marc Bourgeois writes:
I'm trying to build a few mailing lists with mailman. I've got some trouble with spam/dkim
It's not a Mailman problem as far as I can see. Mailman doesn't produce DKIM signatures ever: that's for the MTA to do.
It would help if you explain what the specific symptoms of "trouble" are.
I'm having some difficulty understanding how mailman processes outgoing mail with a valid DKIM header.
It does (almost) nothing. If incoming mail contains a DKIM-Signature field, it unfolds a multiline header into one line (this is done for all header fields), and then if REMOVE_DKIM_HEADERS is yes, it removes the field entirely. On the way back out it simply folds it again (I believe this should result in exactly the same header field as received). Mailman-generated messages do not have a DKIM signature; that is the job of the MTA.
When a mailing list user sends a mail through my list, sometimes the headers are filled with an X-Google-DKIM-Signature (depending on the sender, gmail/google app domain...)
Something other than Mailman (possibly your local MTA or MUA) is doing that.
but no sign of my original DKIM-Signature
What system and mail user agent are you looking at this mail that you expect to contain a DKIM-Signature field? What original DKIM-Signature are you talking about? I.e., why do you expect there to be an "original" signature by you?
opendkim[1507]: 19D41278A1A5: no signing table match for 'kemkem42@gmail.com'
I guess that is a DKIM authentication failure. This is happening in the MTA (Postfix), not in Mailman.
Can someone help me with this ?
The Postfix lists are your best resource.
You may have luck with somebody here knowing about Postfix, too, but that's not me. Sorry. :-(
Steve
Thanks for replying
I'm trying to build a few mailing lists with mailman. I've got some trouble with spam/dkim
It's not a Mailman problem as far as I can see. Mailman doesn't produce DKIM signatures ever: that's for the MTA to do.
got it :)
It would help if you explain what the specific symptoms of "trouble" are.
When someone writes to the list, the relayed mail to other users is considered as spam in their mailboxes (gmail for instance)
It seems that directly sent mails from mailman, signed with dkim, pass spam filters
I'm having some difficulty understanding how mailman processes outgoing mail with a valid DKIM header.
It does (almost) nothing. If incoming mail contains a DKIM-Signature field, it unfolds a multiline header into one line (this is done for all header fields), and then if REMOVE_DKIM_HEADERS is yes, it removes the field entirely. On the way back out it simply folds it again (I believe this should result in exactly the same header field as received). Mailman-generated messages do not have a DKIM signature; that is the job of the MTA.
Ok, got it.
I was trying to sign with dkim outgoing relayed mail to avoid spam filters. Apparently this is not a solution.
When a mailing list user sends a mail through my list, sometimes the headers are filled with an X-Google-DKIM-Signature (depending on the sender, gmail/google app domain...)
Something other than Mailman (possibly your local MTA or MUA) is doing that.
but no sign of my original DKIM-Signature
What system and mail user agent are you looking at this mail that you expect to contain a DKIM-Signature field? What original DKIM-Signature are you talking about? I.e., why do you expect there to be an "original" signature by you?
opendkim[1507]: 19D41278A1A5: no signing table match for ' kemkem42@gmail.com'
I guess that is a DKIM authentication failure. This is happening in the MTA (Postfix), not in Mailman.
Can someone help me with this ?
The Postfix lists are your best resource.
You may have luck with somebody here knowing about Postfix, too, but that's not me. Sorry. :-(
Thanks !
Steve
On 10/19/2015 02:24 AM, Marc Bourgeois wrote:
When someone writes to the list, the relayed mail to other users is considered as spam in their mailboxes (gmail for instance)
It seems that directly sent mails from mailman, signed with dkim, pass spam filters
And DKIM signing your outbound Mailman mail may help too, but a lot depends on why the mail is considered spam by the recipient ISPs.
See the FAQ article at <http://wiki.list.org/x/4030690> for some more on this.
Also, DMARC may be involved. See <http://wiki.list.org/DEV/DMARC> and <http://wiki.list.org/x/17891458>.
I was trying to sign with dkim outgoing relayed mail to avoid spam filters. Apparently this is not a solution.
And are your outbound posts from Mailman actually being DKIM signed by your outgoing MTA?
If so, and this doesn't help, there are other possibilities.
If the incoming mail is DKIM signed by the sender's MTA, that signature normally gets broken by list transformations such as subject prefixing, addition of msg_footer and content filtering. A broken (invalid) DKIM signature is *supposed* to be treated by a recipient the same as no signature, but it may not be. Mailman has the ability to remove incoming DKIM sigs. This shouldn't help, but it may. See the documentation in Defaults.py for REMOVE_DKIM_HEADERS and consider setting 'REMOVE_DKIM_HEADERS = 2' (for current Mailman) in mm_cfg.py.
This could also be a DMARC issue in which case neither removing incoming DKIM sigs nor DKIM signing outbound mail will help. See the above referenced wiki pages.
opendkim[1507]: 19D41278A1A5: no signing table match for ' kemkem42@gmail.com'
opendkim has a signing table (usually /etc/opendkim/SigningTable) that tells it what keys to sign with for what senders. To sign outgoing list mail, you want something like
SenderHeaders List-Post,Sender,From
in opendkim.conf so that if the message has a List-Post: header, opendkim will consider that address as the sender and sign with the list's key rather than the From: or other address's key.
Other things I have are
SigningTable refile:/etc/opendkim/SigningTable
in opendkim.conf and
*@mailman.list.domain KeyTable_entry_name
in /etc/opendkim/SigningTable.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
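
Added example (not part of Mark Sapiro's message and not opendkim code): a simplified Python model of the sender selection and SigningTable lookup described above, run on a constructed list post. It assumes the first header named in SenderHeaders that is present supplies the sender and that the first matching wildcard entry wins; the list name mylist, the sample message and the helper names are hypothetical.

```python
import email
import fnmatch
import re

# Constructed SigningTable in refile: style: wildcard pattern, KeyTable entry name.
SIGNING_TABLE = """\
*@mailman.list.domain KeyTable_entry_name
"""

# Constructed list post: From is the subscriber; Mailman adds List-Post and Sender.
RELAYED = """\
From: kemkem42@gmail.com
Sender: mylist-bounces@mailman.list.domain
List-Post: <mailto:mylist@mailman.list.domain>
Subject: [mylist] hello

body
"""

def parse_table(text):
    """Return ordered (pattern, key_name) pairs, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, key = line.split(None, 1)
            rows.append((pattern.lower(), key.strip()))
    return rows

def sender_address(raw, sender_headers):
    """Address taken from the first listed header field present in the message."""
    msg = email.message_from_string(raw)
    for name in sender_headers:
        value = msg.get(name)
        found = re.search(r"[^\s<>:,]+@[^\s<>:,]+", value or "")
        if found:
            return found.group(0).lower()
    return None

def signing_key(raw, sender_headers, table):
    """Return (sender, key name); key name is None when no table entry matches."""
    addr = sender_address(raw, sender_headers)
    for pattern, key in parse_table(table):
        if addr and fnmatch.fnmatchcase(addr, pattern):
            return addr, key
    return addr, None  # the case logged as "no signing table match for ..."

if __name__ == "__main__":
    print(signing_key(RELAYED, ["From"], SIGNING_TABLE))
    print(signing_key(RELAYED, ["List-Post", "Sender", "From"], SIGNING_TABLE))
```

With only From considered, the subscriber's gmail.com address is looked up and nothing matches, which corresponds to the log line in the original post; with List-Post listed first, the list address matches the wildcard entry.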
participants (3): Marc Bourgeois, Mark Sapiro, Stephen J. Turnbull