AOL rejecting connections from mailman servers for DMARC Munging.

Hey all,
Recently my mailman server was flagged by AOL and my messages were rejected with this error.
SMTP DATA-2 protocol error: 521 5.2.1 : AOL will not accept delivery of this message.
When I queried the AOL Postmaster about this issue this was my response.
Few mails from IP xxx.xxx.xxx.xx were getting rejected from one of filters as Reply-to address is same as the TO address. This is caused as one of our filters triggered these emails as spam. I have added protection for your IP. As a good mailing practice, please use a different email address for your reply-to address.
It seems to me that since dmarc munging adds the sender's address to the reply-to header, if a user receives a copy of their own postings this is the result.
Can anyone else confirm that this has happened to them and if so what else can someone do except to wrap the message from senders that implement dmarc rejection as in dmarc_moderation_action?
Is there a recommended policy regarding this issue?
Ted Hatfield

On 08/23/2016 03:55 PM, Ted Hatfield wrote:
> Few mails from IP xxx.xxx.xxx.xx were getting rejected from one of filters as Reply-to address is same as the TO address. This is caused as one of our filters triggered these emails as spam. I have added protection for your IP. As a good mailing practice, please use a different email address for your reply-to address.
Don't munge Reply-To: ;)
> It seems to me that since dmarc munging adds the sender's address to the reply-to header, if a user receives a copy of their own postings this is the result.
No. Based on AOL's reply above, this has nothing to do with DMARC. If you set reply_goes_to_list to This list (note that Poster is the /strongly/ recommended setting) both the To: and Reply-To: headers of outgoing messages will contain the list address.
However, it seems that this means AOL will not accept mail from any list with reply_goes_to_list = This list, and since this is a common, although not recommended, configuration, if this is the case, it seems there should be many more reports of this issue, and I haven't seen that.
> Can anyone else confirm that this has happened to them and if so what else can someone do except to wrap the message from senders that implement dmarc rejection as in dmarc_moderation_action?
Even if this is a DMARC issue, Wrap message won't change it because the headers in the wrapper will be the same as those in a Munge from message.
> Is there a recommended policy regarding this issue?
Set reply_goes_to_list to Poster
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

At Wed, 24 Aug 2016 10:32:06 -0700 Mark Sapiro <mark@msapiro.net> wrote:
> On 08/23/2016 03:55 PM, Ted Hatfield wrote:
> > Few mails from IP xxx.xxx.xxx.xx were getting rejected from one of filters as Reply-to address is same as the TO address. This is caused as one of our filters triggered these emails as spam. I have added protection for your IP. As a good mailing practice, please use a different email address for your reply-to address.
> Don't munge Reply-To: ;)
> > It seems to me that since dmarc munging adds the sender's address to the reply-to header, if a user receives a copy of their own postings this is the result.
> No. Based on AOL's reply above, this has nothing to do with DMARC. If you set reply_goes_to_list to This list (note that Poster is the /strongly/ recommended setting) both the To: and Reply-To: headers of outgoing messages will contain the list address.
And if reply_goes_to_list is set to Poster and the poster sent to himself and CC's to the list, the To: and Reply-To: headers of the outgoing message will contain the poster's address :-(. (This is legal, but generally is going to require interesting finagling by the E-Mail client.) Note that this assumes that AOL really means the To: header. It *could* mean the union of the To: and Cc: headers. Eg if the address in the From: is also in the To: OR Cc: headers, AOL might reject the E-Mail. (This would be seriously dumb and effectively make AOL an impossible E-Mail destination to deliver any E-Mail to.)
It does relate to DMARC, in that in order for a Mailman list to allow Yahoo, et al. users to post, you have to have Mailman munge the From: field and then to allow "reply to sender", Mailman needs to be configured to put the poster's address in a Reply-To: header.
> However, it seems that this means AOL will not accept mail from any list with reply_goes_to_list = This list, and since this is a common, although not recommended, configuration, if this is the case, it seems there should be many more reports of this issue, and I haven't seen that.
> > Can anyone else confirm that this has happened to them and if so what else can someone do except to wrap the message from senders that implement dmarc rejection as in dmarc_moderation_action?
> Even if this is a DMARC issue, Wrap message won't change it because the headers in the wrapper will be the same as those in a Munge from message.
> > Is there a recommended policy regarding this issue?
> Set reply_goes_to_list to Poster
+1
--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller@deepsoft.com       -- Webhosting Services

Robert Heller writes:
> Cc: headers. Eg if the address in the From: is also in the To: OR Cc: headers, AOL might reject the E-Mail. (This would be seriously dumb and effectively make AOL an impossible E-Mail destination to deliver any E-Mail to.)
Bcc....
But yes, I agree. The solution is to be a friend, and friends don't let friends use AOL. ;-) Yes, I know, you have to pry their AOL from their cold dead fingers and all that. The thing is, that with AOL it's just one thing after another. While it's definitely possible to deliver some email to AOL, any given email might be refused for reasons that you can't predict. We can't protect our users from their own service providers. :-(
BTW, the OP already said that his setting for reply-to is Poster, so something we haven't figured out yet seems to be happening here. :-(
Steve

On Wed, 24 Aug 2016, Mark Sapiro wrote:
> On 08/23/2016 03:55 PM, Ted Hatfield wrote:
> > Few mails from IP xxx.xxx.xxx.xx were getting rejected from one of filters as Reply-to address is same as the TO address. This is caused as one of our filters triggered these emails as spam. I have added protection for your IP. As a good mailing practice, please use a different email address for your reply-to address.
> Don't munge Reply-To: ;)
> > It seems to me that since dmarc munging adds the sender's address to the reply-to header, if a user receives a copy of their own postings this is the result.
> No. Based on AOL's reply above, this has nothing to do with DMARC. If you set reply_goes_to_list to This list (note that Poster is the /strongly/ recommended setting) both the To: and Reply-To: headers of outgoing messages will contain the list address.
> However, it seems that this means AOL will not accept mail from any list with reply_goes_to_list = This list, and since this is a common, although not recommended, configuration, if this is the case, it seems there should be many more reports of this issue, and I haven't seen that.
> > Can anyone else confirm that this has happened to them and if so what else can someone do except to wrap the message from senders that implement dmarc rejection as in dmarc_moderation_action?
> Even if this is a DMARC issue, Wrap message won't change it because the headers in the wrapper will be the same as those in a Munge from message.
> > Is there a recommended policy regarding this issue?
> Set reply_goes_to_list to Poster
> --
I'm running mailman version 2.1.22.
reply_goes_to_list is set to poster
from_is_list is set to "Munge From".
Documentation describes "Munge From" to be
"This action replaces the poster's address in the From: header with the list's posting address and adds the poster's address to the addresses in the original Reply-To: header."
This means that messages with a munged From: header should pass dmarc checks but the sender's address will be added to the reply-to header. Does this not mean that the Reply-To: and the To: address will be the same for some users?
Ted Hatfield

On 08/24/2016 12:24 PM, Ted Hatfield wrote:
> I'm running mailman version 2.1.22.
> reply_goes_to_list is set to poster
> from_is_list is set to "Munge From".
> Documentation describes "Munge From" to be
> "This action replaces the poster's address in the From: header with the list's posting address and adds the poster's address to the addresses in the original Reply-To: header."
> This means that messages with a munged From: header should pass dmarc checks but the sender's address will be added to the reply-to header. Does this not mean that the Reply-To: and the To: address will be the same for some users?
Well, depending on how the user crafts the post, many things are possible, but with from_is_list = Munge from[1] and the usual situation, the post is
    From: Joe Sender <sender@example.net>
    To: A list <list@example.com>
and after munging the delivered post is
    From: Joe Sender on behalf of a A list <list@example.com>
    Reply-To: Joe Sender <sender@example.net>
    To: A list <list@example.com>
Reply-To: is the sender's address <sender@example.net> and To: is the list address <list@example.com>. These are not the same.
[1] It is recommended to set from_is_list to No and dmarc_moderation_action to Munge from. The resultant munging will be the same but will only be applied to messages From: a domain publishing a DMARC policy of reject (or quarantine if dmarc_quarantine_moderation_action is Yes).
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

At Wed, 24 Aug 2016 14:24:32 -0500 (CDT) Ted Hatfield <ted@io-tx.com> wrote:
> On Wed, 24 Aug 2016, Mark Sapiro wrote:
> > On 08/23/2016 03:55 PM, Ted Hatfield wrote:
> > > Few mails from IP xxx.xxx.xxx.xx were getting rejected from one of filters as Reply-to address is same as the TO address. This is caused as one of our filters triggered these emails as spam. I have added protection for your IP. As a good mailing practice, please use a different email address for your reply-to address.
> > Don't munge Reply-To: ;)
> > > It seems to me that since dmarc munging adds the sender's address to the reply-to header, if a user receives a copy of their own postings this is the result.
> > No. Based on AOL's reply above, this has nothing to do with DMARC. If you set reply_goes_to_list to This list (note that Poster is the /strongly/ recommended setting) both the To: and Reply-To: headers of outgoing messages will contain the list address.
> > However, it seems that this means AOL will not accept mail from any list with reply_goes_to_list = This list, and since this is a common, although not recommended, configuration, if this is the case, it seems there should be many more reports of this issue, and I haven't seen that.
> > > Can anyone else confirm that this has happened to them and if so what else can someone do except to wrap the message from senders that implement dmarc rejection as in dmarc_moderation_action?
> > Even if this is a DMARC issue, Wrap message won't change it because the headers in the wrapper will be the same as those in a Munge from message.
> > > Is there a recommended policy regarding this issue?
> > Set reply_goes_to_list to Poster
> > --
> I'm running mailman version 2.1.22.
> reply_goes_to_list is set to poster
> from_is_list is set to "Munge From".
> Documentation describes "Munge From" to be
> "This action replaces the poster's address in the From: header with the list's posting address and adds the poster's address to the addresses in the original Reply-To: header."
> This means that messages with a munged From: header should pass dmarc checks but the sender's address will be added to the reply-to header. Does this not mean that the Reply-To: and the To: address will be the same for some users?
The Reply-To: and To: would be the same if those users send the post to themselves and CC it to the list. This is *probably* unlikely, but possible I guess. *Normally* a user posts *To* the list (To: list address), and CC's to themselves (Cc: the poster). Mailman sets the Reply-To: field to the poster's address and replaces the From: header to be from the list:
    To: list
    Reply-To: poster
    Cc: poster
    From: list
> Ted Hatfield
> Mailman-Users mailing list Mailman-Users@python.org
> https://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://wiki.list.org/x/AgA3
> Security Policy: http://wiki.list.org/x/QIA9
> Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
> Unsubscribe: https://mail.python.org/mailman/options/mailman-users/heller%40deepsoft.com
--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller@deepsoft.com       -- Webhosting Services
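
A small model of the header rewriting discussed in the messages above, showing which posting patterns leave the same address in both Reply-To: and To: (the condition AOL's postmaster cited). This is an added example, not Mailman's code and not something posted by the participants; the functions `munge_from` and `reply_to_overlap` are hypothetical names, the rewriting is a simplification of what the thread describes, and the sample posts are constructed.

```python
from email.message import EmailMessage
from email.utils import formataddr, getaddresses, parseaddr

LIST = ("A list", "list@example.com")  # list address from the thread's example


def make_post(sender, to, cc=None):
    """Build a constructed sample post as the poster's mail client would."""
    post = EmailMessage()
    post["From"], post["To"] = sender, to
    if cc:
        post["Cc"] = cc
    return post


def munge_from(post, reply_goes_to_list="poster"):
    """Simplified model of the rewriting described in the thread:
    From: becomes the list address; Reply-To: gets the poster's address
    (reply_goes_to_list = Poster) or the list address (This list)."""
    name, addr = parseaddr(post["From"])
    out = EmailMessage()
    for header in ("To", "Cc"):
        if post[header]:
            out[header] = post[header]
    out["From"] = formataddr((f"{name} on behalf of {LIST[0]}", LIST[1]))
    reply_to = getaddresses(post.get_all("Reply-To", []))
    if reply_goes_to_list == "list":
        reply_to = [LIST]
    elif addr.lower() not in {a.lower() for _, a in reply_to}:
        reply_to.append((name, addr))
    out["Reply-To"] = ", ".join(formataddr(pair) for pair in reply_to)
    return out


def addresses(msg, *headers):
    """Lower-cased addr-specs found in the named headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values)}


def reply_to_overlap(msg, include_cc=False):
    """Addresses in Reply-To: that also appear in To: (optionally To: or Cc:)."""
    recipients = addresses(msg, "To", "Cc") if include_cc else addresses(msg, "To")
    return addresses(msg, "Reply-To") & recipients


if __name__ == "__main__":
    joe = "Joe Sender <sender@example.net>"
    lst = formataddr(LIST)
    cases = {
        "To list": (make_post(joe, lst), "poster"),
        "To list, Cc self": (make_post(joe, lst, cc=joe), "poster"),
        "To self, Cc list": (make_post(joe, joe, cc=lst), "poster"),
        "To list, This list": (make_post(joe, lst), "list"),
    }
    for label, (post, mode) in cases.items():
        out = munge_from(post, mode)
        print(f"{label:20} To-only={sorted(reply_to_overlap(out))} "
              f"To+Cc={sorted(reply_to_overlap(out, include_cc=True))}")
```

The `include_cc=True` variant corresponds to the speculation that the filter might compare against the union of To: and Cc: rather than To: alone.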

I recently have been fighting AOL over this exact same thing. To solve it I contacted AOL via their postmaster page and opened a ticket. They got back to me and said they "made some changes to their handling of mail from my IP address."
I had been using mailman to send to AOL users for over a decade, so I didn't change anything in mailman. After about 2-3 weeks AOL has now stopped rejecting mailman emails.
In the interim, I used Mark Sapiro's script to reset the moderation bits on all AOL users, encased in a little shell script I wrote:
#!/bin/bash
# This script resets the bounce bits for certain users in ALL lists.
#
# Run this script as ROOT
for listname in $(ls /var/lib/mailman/lists/);
do
    echo Resetting bounce bits in list $listname
    # Reset bounce bits for only AOL.COM members.
    /usr/lib/mailman/bin/withlist -r reset_bounce $listname -d aol.com
done;
Hope this is helpful.
Steve Wehr Tunedin Web Design 845-246-9643
-----Original Message-----
From: Mailman-Users [mailto:mailman-users-bounces+steve=tunedinweb.com@python.org] On Behalf Of Ted Hatfield
Sent: Tuesday, August 23, 2016 6:56 PM
To: mailman-users@python.org
Subject: [Mailman-Users] AOL rejecting connections from mailman servers for DMARC Munging.
Hey all,
Recently my mailman server was flagged by AOL and my messages were rejected with this error.
SMTP DATA-2 protocol error: 521 5.2.1 : AOL will not accept delivery of this message.
When I queried the AOL Postmaster about this issue this was my response.
Few mails from IP xxx.xxx.xxx.xx were getting rejected from one of filters as Reply-to address is same as the TO address. This is caused as one of our filters triggered these emails as spam. I have added protection for your IP. As a good mailing practice, please use a different email address for your reply-to address.
It seems to me that since dmarc munging adds the sender's address to the reply-to header, if a user receives a copy of their own postings this is the result.
Can anyone else confirm that this has happened to them and if so what else can someone do except to wrap the message from senders that implement dmarc rejection as in dmarc_moderation_action?
Is there a recommended policy regarding this issue?
Ted Hatfield

On 08/25/2016 06:01 AM, Steve Wehr wrote:
> In the interim, I used Mark Sapiro's script to reset the moderation bits on all AOL users, encased in a little shell script I wrote:
> #!/bin/bash
> # This script resets the bounce bits for certain users in ALL lists.
> #
> # Run this script as ROOT
> for listname in $(ls /var/lib/mailman/lists/);
A more robust way to do this is
for listname in $(/usr/lib/mailman/bin/list_lists -b);
because there may be files or non-list directories in /var/lib/mailman/lists/
> do
>     echo Resetting bounce bits in list $listname
>     # Reset bounce bits for only AOL.COM members.
>     /usr/lib/mailman/bin/withlist -r reset_bounce $listname -d aol.com
> done;
> Hope this is helpful.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

On Thu, 25 Aug 2016, Steve Wehr wrote:
> -----Original Message-----
> From: Mailman-Users [mailto:mailman-users-bounces+steve=tunedinweb.com@python.org] On Behalf Of Ted Hatfield
> Sent: Tuesday, August 23, 2016 6:56 PM
> To: mailman-users@python.org
> Subject: [Mailman-Users] AOL rejecting connections from mailman servers for DMARC Munging.
> Hey all,
> Recently my mailman server was flagged by AOL and my messages were rejected with this error.
> SMTP DATA-2 protocol error: 521 5.2.1 : AOL will not accept delivery of this message.
> When I queried the AOL Postmaster about this issue this was my response.
> Few mails from IP xxx.xxx.xxx.xx were getting rejected from one of filters as Reply-to address is same as the TO address. This is caused as one of our filters triggered these emails as spam. I have added protection for your IP. As a good mailing practice, please use a different email address for your reply-to address.
> It seems to me that since dmarc munging adds the sender's address to the reply-to header, if a user receives a copy of their own postings this is the result.
> Can anyone else confirm that this has happened to them and if so what else can someone do except to wrap the message from senders that implement dmarc rejection as in dmarc_moderation_action?
> Is there a recommended policy regarding this issue?
> Ted Hatfield
> I recently have been fighting AOL over this exact same thing. To solve it I contacted AOL via their postmaster page and opened a ticket. They got back to me and said they "made some changes to their handling of mail from my IP address."
> I had been using mailman to send to AOL users for over a decade, so I didn't change anything in mailman. After about 2-3 weeks AOL has now stopped rejecting mailman emails.
> In the interim, I used Mark Sapiro's script to reset the moderation bits on all AOL users, encased in a little shell script I wrote:
> #!/bin/bash
> # This script resets the bounce bits for certain users in ALL lists.
> #
> # Run this script as ROOT
> for listname in $(ls /var/lib/mailman/lists/);
> do
>     echo Resetting bounce bits in list $listname
>     # Reset bounce bits for only AOL.COM members.
>     /usr/lib/mailman/bin/withlist -r reset_bounce $listname -d aol.com
> done;
> Hope this is helpful.
> Steve Wehr Tunedin Web Design 845-246-9643
Steve,
Glad to see I'm not the only one. This was also my solution. I just wanted to see if there was a better way to handle the issue but I don't see any recommended advice that would solve the issue in a technical way.
I'm considering setting dmarc_moderation_action to "Wrap Message" and setting from_is_list back to "No"
This will at least only affect the users who use email that enforces DMARC p=quarantine and p=reject.
Ted Hatfield
participants (5)
- Mark Sapiro
- Robert Heller
- Stephen J. Turnbull
- Steve Wehr
- Ted Hatfield