Hi All,
I have been trying to get the mailman web interface working with OpenBSD’s httpd. I found and used the information at https://www.quernus.co.uk/2015/09/28/running-mailman-on-openbsd/
Strangely, I am still getting error 500. Internal Server Error. Has anyone gotten this pair working together? Any help would be appreciated.
Software Info writes:
"Have you got this working" questions should probably be addressed to OpenBSD lists. Offhand, I can't recall anyone here mentioning installing on OpenBSD.
The Quernus page says this:
OpenBSD's https server tries to chroot itself to /var/www in order
to limit the potential damage an exploit could do. Alas, mailman
is quite tricky to get running in a chroot environment.
(I suspect this just means it's a PITA to install a whole Python under /var/www, but there may be other issues as well.)
As this whole VM will be exclusively running this mailman server
and nothing else, I decided to forego the chroot side of things
and get the httpd server to chroot to /
I can think of two possibilities based on that. (1) You didn't change the chroot from /var/www to /. In that case, Mailman's CGIs won't find Python, and you get a 500. (2) You're running an HTTPS-only server, and you either haven't configured Mailman's URLs to https, or didn't run .../mailman/bin/fixurl when you configured. I think that should probably give a 404 or maybe can't connect, but it might give you a 500 under some conditions.
I hope that helps, if not, more information about your configuration (it's best if you don't tell us about the configuration, and instead you send us the relevant files, redacting any information you consider sensitive such as passwords, account names, domain names, IP addresses, and so on. Please substitute a consistent identifier for each redacted item so that we can check that items that appear in multiple places are consistent.
Steve
Stephen J. Turnbull writes:
I hope that helps, if not, more information about your configuration
Also check your logs for the httpd and for Mailman. With a 500, it's likely that Mailman isn't logging much, but it's worth checking. Typically there will be a traceback in the httpd log.
Steve
Thanks so much for the replies. I actually remembered to change the chroot and I don't have https configured. Posting my httpd.conf below. I run obhttpd on FreeBSD 13.1 and I used slowcgi as was suggested.
[obhttpd.conf]

    chroot "/"
    logdir "/var/log"

    server "mailman.mydomain.net" {
        listen on * port 80
        root "/usr/local/mailman/"
        log access "obhttpd-access.log"
        log error "obhttpd-error.log"

        location "/Mailman/*" {
            fastcgi socket "/var/www/run/slowcgi.sock"
            root "/usr/local/mailman/cgi-bin/"
        }
        location "/icons/*" {
            root "/usr/local/mailman/icons/"
        }
        location "/pipermail/*" {
            root "/usr/local/mailman/archives/public/"
        }
    }

[/etc/rc.conf]

    obhttpd_enable="YES"
    slowcgi_enable="YES"
    slowcgi_flags="-p /"
Just a little update. I just ran

    # obhttpd -d -vvv -f obhttpd.conf

and

    # slowcgi -d -p /

to see if I could get anything that made sense show up on the screen and the first error I saw was:

    slowcgi: execve /usr/local/mailman/cgi-bin/: Permission denied

This is strange because slowcgi runs as www, obhttpd runs as www and www is the owner of the cgi-bin directory. Not sure what I am missing here.
Software Info writes:
What are the permissions on the cgi-bin directory? Specifically, you need "x" on that directory. I don't know specifically about OpenBSD, but on macOS "Big Sur" and on a recent missing "x" means you can't search the directory. In that case open(2) fails with
[EACCES] Search permission is denied for a component of
the path prefix.
and you'd get a 500 from the httpd. The other possibility might be that the cgi itself is setuid, and its owner and group don't have permission to search. (I don't know if that can actually happen, just a WAG to cover all bases I can think of.)
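The check described above (search permission on every path component), as an added example that is not part of the original thread. It also tests the final target, because execve(2) returns EACCES when the target is not a regular file, which is the case for a directory path like the one in the slowcgi error. The temporary tree and the `listinfo` script are constructed sample data, and root's override and ACLs are not modelled.

```python
import os
import stat
import tempfile

X_BITS = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)

def _x_allowed(st, uid, gids):
    """Pick the owner, group or other execute/search bit, as the kernel does.
    Root's override and ACLs are not modelled."""
    if st.st_uid == uid:
        return bool(st.st_mode & X_BITS[0])
    if st.st_gid in gids:
        return bool(st.st_mode & X_BITS[1])
    return bool(st.st_mode & X_BITS[2])

def diagnose_exec(path, uid, gids):
    """Return (component, reason) for the first check that would make
    execve(path) fail for uid/gids, or None if the mode bits allow it."""
    path = os.path.abspath(path)              # also drops a trailing slash
    parts = [p for p in path.split(os.sep) if p]
    current = os.sep
    # 1. Every directory on the way to the target needs the search (x) bit.
    for part in [""] + parts[:-1]:
        current = os.path.join(current, part)
        st = os.stat(current)
        if not stat.S_ISDIR(st.st_mode):
            return (current, "ENOTDIR: path component is not a directory")
        if not _x_allowed(st, uid, gids):
            # Stop here: nothing below this directory can be looked up.
            return (current, "EACCES: no search permission on directory")
    # 2. The target itself must be a regular file with the execute bit.
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return (path, "EACCES: target is not a regular file")
    if not _x_allowed(st, uid, gids):
        return (path, "EACCES: no execute permission on file")
    return None

def build_sample_tree():
    """Constructed layout mirroring the thread: <tmp>/cgi-bin/listinfo."""
    base = tempfile.mkdtemp()
    cgi_bin = os.path.join(base, "cgi-bin")
    os.mkdir(cgi_bin)
    os.chmod(cgi_bin, 0o755)
    script = os.path.join(cgi_bin, "listinfo")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(script, 0o755)
    return cgi_bin, script

if __name__ == "__main__":
    uid = os.getuid()
    gids = set(os.getgroups()) | {os.getegid()}
    cgi_bin, script = build_sample_tree()
    # The directory itself as exec target, as in the logged execve path.
    print(diagnose_exec(cgi_bin + "/", uid, gids))
    # The script inside a 755 directory.
    print(diagnose_exec(script, uid, gids))
    # Same script after the directory loses its search bit.
    os.chmod(cgi_bin, 0o644)
    print(diagnose_exec(script, uid, gids))
    os.chmod(cgi_bin, 0o755)
```

To check a real installation, call `diagnose_exec` with the uid and group ids of the account the CGI wrapper runs as and the exact path from the error message.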
On 7/7/22 11:12 AM, Software Info wrote:
The permissions are a 755: drwxr-xr-x www mailman cgi-bin
This may be a smrsh like issue. See item 4 at https://wiki.list.org/x/4030723, although that only affects mail access, but there may be something similar affecting web access.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
This may well be a Dream Host administrative issue rather than a GNU Mailman issue. That said I'm wondering if:
a) There is anything I can do from the administrative interface, or
b) Anything I can ask Dream Host to do as they have admin rights on the server
CONCERN: Gmail has started sticking a yellow warning box on every GNU Mailman email to Gmail users this week stating to "Be careful with this message" and that they can't verify that it actually came from clinicians-exchange@lists.clinicians-exchange.org. They then provide buttons to report it as spam or phishing.
Gmail is also indicating:
SPF: NEUTRAL with IP 64.90.62.202
DKIM: 'FAIL' with domain gmail.com
This is freaking out a few of my users. I'm attaching a screenshot of the message and source code for the same message. Hopefully this list allows attachments...
I already tried using filters in Gmail (as an end user) to try and mark the messages safe, but this does not work. I have a support message in with Dream Host as well.
Thanks Michael
Michael Reeder, LCPC
Hygeia Counseling Services : Baltimore / Mt. Washington Village location
410-871-TALK / michael(at)hygeiacounseling.com
http://www.hygeiacounseling.com - main website.
See https://support.google.com/a/answer/174124?hl=en
This is probably not specific to Mailman. There is lots of advice (such as the link I just found, but not just that) about how to set up DKIM and SPF, and it sounds like these might solve your problem. DMARC is also mentioned, but that is not necessary.
I don't know what Dream Host allows you to do.
On 08/02/22 14:43, Michael Reeder LCPC -- Hygeia Regular wrote:
-- Jonathan Baron, Professor of Psychology, University of Pennsylvania Home page: https://www.sas.upenn.edu/~baron Founding Editor: Judgment and Decision Making (http://journal.sjdm.org)
On 2022-08-02 1:43 PM, Michael Reeder LCPC -- Hygeia Regular wrote: ...
Tell them you need a DKIM DNS record for clinicians-exchange.org. Hopefully that gets to someone who knows what it means and is able to work with you.
Dima
On 8/2/22 11:43, Michael Reeder LCPC -- Hygeia Regular wrote:
Dreamhost should be DKIM signing the outgoing list mail with the list's domain. If they aren't you can ask them to do it, and they can come here for help if they need it.
It may not be an issue, but you should also enable DMARC mitigations. For Mailman >= 2.1.18, in Privacy options... -> Sender filters, set dmarc_moderation_action to Munge From and dmarc_quarantine_moderation_action to Yes. In older versions 2.1.16 and 2.1.17 you can set General Options from_is_list to Munge From, but this requires setting ALLOW_FROM_IS_LIST to Yes in mm_cfg.py. This is also available in 2.1.18+, and will apply mitigations to all messages, not just ones publishing DMARC policy reject or quarantine.
Not images, only attached messages, text and pgp and pkcs7 signatures.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Thank you all!
Dream Host added an SPF DNS record:
"They're [Google] looking for a DNS record called SPF that defines what mail servers are allowed for lists.clinicians-exchange.org. I have added one as a courtesy."
For now -- problem solved!
I will take a look at Mark's DMARC mitigations below also.
Thanks, Michael
Michael Reeder, LCPC
Hygeia Counseling Services : Baltimore / Mt. Washington Village location
410-871-TALK / michael(at)hygeiacounseling.com
http://www.hygeiacounseling.com - main website.
Michael Reeder -- Hygeia MS writes:
For now -- problem solved!
Good news!
I will take a look at Mark's DMARC mitigations below also.
You may also want to ask Dreamhost if they can enable the ARC protocol for your host. This protocol allows your host to testify which authentication tests passed on the way in, in particular DMARC's "From alignment". This means that the host takes responsibility for the changes in the message (such as adding a list name tag in Subject or a footer explaining how to access list resources, which break DKIM signatures).
The differences between using ARC and the DMARC mitigations Mark mentions are:
ARC allows your list to leave From as is, while the Munge_From options change From to point to your list, instead. "Munge From" may confuse some subscribers (or their filtering and sorting software), although that's usually not a problem.
ARC requires that the final recipient participate in the protocol. Most of the largest freemail sites support it. On the other hand, "Munge From" allows your site to authenticate itself, since it DKIM signs and From is the same domain as the signature.
Which is better depends on the tradeoff between some inconvenience for subscribers who want to reply to author only when From is munged, and the risk of having sites that don't participate in ARC bouncing your traffic.
If you aren't getting DMARC bounces already, I would suppose ARC would be good insurance against some (but not all) DMARC bounces in the future. If you are, you might want to go straight to Munge From rather than try ARC and hope it fixes them for all current and future recipient hosts.
Steve
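The "From alignment" rule discussed above, as an added example that is not part of the original thread: DMARC passes only when SPF or DKIM passes for a domain that aligns with the From: header, which is why Munge From plus a published SPF record is enough and why a passing SPF check alone does not help an unmunged message. The poster address is constructed, and the organizational-domain rule is simplified to "last two labels" as an assumption.

```python
from dataclasses import dataclass, field

LIST_ADDR = "clinicians-exchange@lists.clinicians-exchange.org"  # from the thread
LIST_DOMAIN = "lists.clinicians-exchange.org"
POSTER = "poster@gmail.com"          # constructed sample author address

def org_domain(domain):
    """Assumption: the organizational domain is the last two labels.
    Real DMARC implementations consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict alignment needs an exact match; relaxed compares org domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Delivery:
    header_from: str                 # address in the From: header
    mail_from_domain: str            # envelope sender domain that SPF checked
    spf_result: str                  # "pass", "neutral", "fail", ...
    dkim: list = field(default_factory=list)   # [(d= domain, "pass"/"fail")]

def dmarc_evaluate(msg, strict_spf=False, strict_dkim=False):
    """DMARC passes when SPF or DKIM passes AND that domain aligns with From."""
    from_domain = msg.header_from.rsplit("@", 1)[1]
    spf_ok = (msg.spf_result == "pass"
              and aligned(msg.mail_from_domain, from_domain, strict_spf))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, strict_dkim)
                  for d, result in msg.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# The author's signature no longer verifies once the list adds a subject
# tag or footer, so it is recorded as a failed gmail.com signature.
BROKEN_AUTHOR_SIG = ("gmail.com", "fail")

SCENARIOS = {
    # What Gmail reported in the thread: SPF neutral, DKIM fail for gmail.com.
    "munged From, SPF neutral":
        Delivery(LIST_ADDR, LIST_DOMAIN, "neutral", [BROKEN_AUTHOR_SIG]),
    # After the SPF TXT record was published for the list domain.
    "munged From, SPF pass":
        Delivery(LIST_ADDR, LIST_DOMAIN, "pass", [BROKEN_AUTHOR_SIG]),
    # Same SPF pass, but From left as the author: pass is not aligned.
    "original From, SPF pass":
        Delivery(POSTER, LIST_DOMAIN, "pass", [BROKEN_AUTHOR_SIG]),
    # The host DKIM-signs list mail with the list's domain.
    "munged From, list DKIM signature":
        Delivery(LIST_ADDR, LIST_DOMAIN, "neutral",
                 [BROKEN_AUTHOR_SIG, (LIST_DOMAIN, "pass")]),
}

def run_scenarios():
    """Evaluate every constructed scenario with relaxed alignment."""
    return {name: dmarc_evaluate(msg)["dmarc"] for name, msg in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:35s} -> DMARC {verdict}")
    # A signature for the parent domain aligns in relaxed mode only.
    parent = Delivery(LIST_ADDR, LIST_DOMAIN, "neutral",
                      [("clinicians-exchange.org", "pass")])
    print("parent-domain DKIM, relaxed:", dmarc_evaluate(parent)["dmarc"])
    print("parent-domain DKIM, strict: ",
          dmarc_evaluate(parent, strict_dkim=True)["dmarc"])
```

The verdict is the identifier-alignment outcome only; what a receiver does with a failure depends on the DMARC policy the From: domain publishes.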
Steve,
The list already uses the General "Munge_From" feature and I like having reply to list be the default. Will keep ARC in mind.
I don't think I am getting DMARC bounces...
FYI -- This is the DNS entry that seems to have done the job fixing the problem I think:
NAME: @
TYPE: TXT
VALUE: v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net -all
-- Michael
Michael Reeder, LCPC
Hygeia Counseling Services : Baltimore / Mt. Washington Village location
410-871-TALK / michael(at)hygeiacounseling.com
http://www.hygeiacounseling.com - main website.
Mark,
This is the DNS record entry that seems to have fixed the problem:
NAME: @
TYPE: TXT
VALUE: v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net -all
Dream Host runs GNU Mailman version 2.1.39 (but I SWEAR it was 2.1.23 earlier this morning!).
I already had General Options set to "Munge From" all along (including when I was getting Gmail yellow box).
Under Privacy options... -> Sender filters, I have:
dmarc_moderation_action = Accept
dmarc_quarantine_moderation_action = Yes
Possibly stupid question -- Does it make any sense to also change dmarc_moderation_action to Munge From under Privacy options --> Sender Filters?
Thanks, Michael
Michael Reeder, LCPC
Hygeia Counseling Services : Baltimore / Mt. Washington Village location
410-871-TALK / michael(at)hygeiacounseling.com
On August 3, 2022 10:26:57 AM PDT, Michael Reeder -- Hygeia MS <michael@securemail.hygeiacounseling.com> wrote:
General Options from_is_list = Munge From trumps dmarc_moderation_action and applies to all senders.
-- Mark Sapiro <mark@msapiro.net> Sent from my Not_an_iThing with standards compliant, open source software.
In the unlikely event that there is anyone else on the list with a GNU Mailman list on Dream Host servers, here is the DNS Record entry that you apparently have to enter yourself for your domain unless you seek out Dream Host staff assistance (and they are happy to help).
NAME: lists
TYPE: TXT
VALUE: v=spf1 mx include:netblocks.dreamhost.com include:relay.mailchannels.net -all
Dream Host also recommends enabling Munge From in the administrative interface of the list.
Michael Reeder, LCPC
Hygeia Counseling Services : Baltimore / Mt. Washington Village location
410-871-TALK / michael(at)hygeiacounseling.com
http://www.hygeiacounseling.com - main website.
I've noticed this issue popping up recently on a few domains I host, not mailman necessarily. Gmail has changed something on their end. I've told those affected to have the gmail users complain about these notices.
On 08/05/22 10:26, Paul Moore wrote:
FWIW, I have 1624 list members on gmail.com, with absolutely no problems. I use spf AND dkim, but not Munge From or dmarc. I think dkim (which Google has recommended for a while) may be helpful.
I'm on Linode, but they did not need to do any of this. (They did need to help with ipv6. Long story.)
To see the spf, enter sjdm.org here: https://www.kitterman.com/spf/validate.html
To set up dkim, I installed opendkim and followed the instructions.
Jon
Jonathan Baron, Professor of Psychology, University of Pennsylvania Home page: https://www.sas.upenn.edu/~baron Founding Editor: Judgment and Decision Making (http://journal.sjdm.org)
participants (8)
- dmitri maziuk
- Jon Baron
- Mark Sapiro
- Michael Reeder -- Hygeia MS
- Michael Reeder LCPC -- Hygeia Regular
- Paul Moore
- Software Info
- Stephen J. Turnbull