[Mailman-Users] Message.UserNotification vs Message.OwnerNotification in Handlers/Hold.py

Jim Popovitch jimpop at gmail.com
Thu Oct 20 05:10:22 EDT 2016

On Wed, Oct 19, 2016 at 8:59 PM, Mark Sapiro <mark at msapiro.net> wrote:
> On 10/11/2016 09:11 AM, Mark Sapiro wrote:
>> On 10/11/2016 08:37 AM, Jim Popovitch wrote:
>>> The emails fail DMARC because the From: is the virtual list domain,
>>> but the Sender is set to the site-list (often a neutral domain used
>>> for the MTA that hosts the virtual lists).   OpenDKIM signs based on
>>> the Sender (see: "MAILING LISTS" at
>>> http://www.opendkim.org/opendkim-README), so the sig is NOT aligned
>>> with From, thus failing DMARC...and getting notification emails
>>> de-prioritized or worse.
>> I haven't yet looked at your suggested changes, and I will.
> I haven't forgotten. I still have only briefly looked at your changes,
> but I'm concerned about your rev 1381 in light of the two comment lines
> that precede the change.

Hi Mark, I'll be the first to say that a lot of these changes still
aren't clearly vetted and/or necessary.   That said, my process has
been simple.   I set a DMARC quarantine on a virtual mailinglist, and
then started to look at the mod/owner/password/bounce messages that
failed DMARC.  One by one I dug into the code to try and figure out
where/how the sitelist hostname was being used.   Rev 1380 and 1381
deal with "Bounce action notification" messages... and to be honest
I'm not 100% sure those changes are all that complete.  :-)

Note: this also assumes that one is following the point #3 under
"MAILING LISTS" advice on http://www.opendkim.org/opendkim-README
which says:

             In opendkim.conf(5), configure the option SenderHeaders
to "Sender,From".

The above statement makes sense for mailinglist traffic, BUT no so
much for mailinglist notifications.... but if DKIM is configure as
stated, then Mailman list notifications (owner/bounces/passwords/etc)
need to set Sender: headers that align with the virtual domain not the
sitelist domain.  That looked be the default intention of using

> The issue is if owner notifications come from the list-bounces rather
> than the site email bounces. Then if an owner notice bounces, the owner
> is sent a notice of the bounce and it bounces again and so on in a
> bounce loop.

But that would be a general MTA/config issue, whereas clearly mixing
From:list-owner at virtual with Sender:mailman-bounces at site is going to
break DMARC.

> I don't understand why you are making this change as the sender
> originally is Utils.get_site_email(mlist.host_name, 'bounces'), so it
> already has the list's domain.

The change baffled me too.  It wasn't visually necessary by looking at
the code, but in practice it needed to be changed.   I verified list
settings to make sure mlist.host_name was the virtual, I dug into
Utils.get_site_email(), and everything seemed to be coded correctly.
But it was only after I removed the call to Utils.get_site_email(...)
and replaced it with mlist.getListAddress('bounces') that the "Bounce
action notification" emails started to be delivered as
From:list-bounces at virtal, Sender:list-bounces at virtual,
To:list-owner at virtual.

I'm not in over my head on this, I'm literally floating on the bottom :-)

-Jim P.

More information about the Mailman-Users mailing list