[Mailman-Users] Mailman and Mimecast

Hirayama, Pat phirayam at fredhutch.org
Fri Nov 18 12:42:41 EST 2016


Greetings,

I am having issues with some addresses on a couple of the few thousand lists that I am hosting in mailman.  The addresses in question are using Mimecast for their email protection.  So, I'm asking all of you for your opinion/advice.  

Problem 1:  One list gets their email rejected with a 550 Rejected by header based Anti-Spoofing policy: ... https://community.mimecast.com/docs/DOC-1369#550

If I am reading the referenced (https://community.mimecast.com/docs/DOC-1419-anti-spoofing-policies) page correctly, the problem is that the sender of the list is at domain A, the recipients of the lists are at domain A, but the listserv itself is in domain B, and from Mimecast's POV, there shouldn't be mail from A to A being relayed by B.  And then it goes on to say that you should reconfigure your Mimecast to put in a bypass policy for this server. 

What the mail folks at domain A would prefer is that I (domain B) fix this.  I'm thinking that I could fix this by using either anonymous_list or changing the setting of from_is_list.  But, what isn't clear to me is if this is really the correct step to take (my initial inclination is that they should follow Mimecast's direction of putting in a bypass policy).  

Problem 2:  Another list I have -- they actually accept the mail, and then send it back.  So, I see status=sent in my postfix logs, but the members don't get it.  Apparently, it is running into a problem because the HELO greeting from my mail gateways (MX) doesn't match the FQDN of the mailman server.  

So, the mailman server is smarthosted to my MX servers, which do some scanning of the message before sending it out.  Apparently, what these Mimecast users want me to do is to rewrite the envelope so that instead of the mailman server's FQDN, I replace it with either the FQDN of the MX server, or just my domain.  

In the /etc/aliases file on my MX servers, I have the 'post' address listed, so mail sent to listname at domain gets routed to the mailman server.  I haven't listed any of the other 9 mailman addresses (i.e. -admin, -bounces, -confirm, -join, -leave, -owner, -request, -subscribe, -unsubscribe).  So, my thinking is that if I do the rewrite, so the message comes from listname-bounces at domain, instead of listname-bounces at lists.domain, I will need to add this and the other addresses on my MX server so that mail routing will work. Since I have 3000+ lists, that's like 27k more lines in /etc/aliases to add/manage.  

Again, I'm thinking that they should put in some exception in their Mimecast configuration. 

Am I just being obstinate here for no reason?  Should I just assume the pain and change the behavior of my mailman server?  Thoughts?

Thanks!

				-p
--
Pat Hirayama
Systems Engineer / 206.667.4856 / phirayam at fredhutch.org / Fred Hutch / Cures Start Here 
CIT | Advancing IT and Data Services to Accelerate the Elimination of Disease
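
Added example, not part of the original post: a simplified Python model of the header-based check as Problem 1 describes it (From: domain equals the recipient's domain, but the relay is external), and of what Mailman 2.1's from_is_list "Munge From" setting does to the From: header. The check logic is an assumption drawn from the post's reading, not Mimecast's implementation; the domains, list name and function names are constructed.

```python
import copy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

def domain_of(header_value):
    """Lower-cased domain part of an address header."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def header_spoof_check(msg, rcpt, relay_is_internal):
    """Assumed model of the policy described in the post, not Mimecast's code:
    reject mail whose From: header claims the recipient's own domain when it
    arrives from a relay outside that domain."""
    if not relay_is_internal and domain_of(msg["From"]) == domain_of(rcpt):
        return "550 Rejected by header based Anti-Spoofing policy"
    return "250 OK"

def munge_from(msg, list_name, list_addr):
    """Approximates Mailman 2.1 from_is_list = Munge From: the list address
    becomes From:, the original author moves to Reply-To:."""
    name, addr = parseaddr(str(msg["From"]))
    out = copy.deepcopy(msg)
    del out["From"]
    del out["Reply-To"]
    out["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    out["Reply-To"] = formataddr((name, addr))
    return out

def sample_post():
    """Constructed message: author at domain A posting to a list at domain B."""
    msg = EmailMessage()
    msg["From"] = "Alice Example <alice@a.example>"
    msg["To"] = "demo-list@lists.b.example"
    msg["Subject"] = "[demo-list] status update"
    msg.set_content("Hello list.\n")
    return msg

if __name__ == "__main__":
    rcpt = "bob@a.example"  # constructed list member at domain A
    post = sample_post()
    munged = munge_from(post, "demo-list", "demo-list@lists.b.example")
    for label, m in (("unmodified", post), ("munged", munged)):
        print(f"{label:10} From: {m['From']} -> "
              f"{header_spoof_check(m, rcpt, relay_is_internal=False)}")
```
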



