[asterisk-users] OT: Explain where mailing list bouncing comes from ?
dplatt at radagast.org
Fri Jun 16 12:34:05 CDT 2017
I'm not sure of the precise specifics of how Digium runs the
list, but this sort of problem has been a "known issue" with
mailing list distributions ever since SPF and similar technologies
showed up, almost a decade ago. DomainKeys and DMARC makes it more of
an issue, but the overall problem is not new.
I had to switch mailing-list packages (from Majordomo to GNU Mailman)
for the lists I run, and configure Mailman properly to avoid the
worst of the problem.
In my experience, the problems affect mailing lists where:
- The mailing list software retransmits an incoming message to
subscribers, using the same sender address (in the SMTP
transaction and/or message headers) that the original sender used.
- The sending domain has some sort of anti-forgery technology in
place - either SPF or DomainKeys can trigger the problem.
When such a message is retransmitted, one of several things can happen
when it hits a mail server that does anti-spoofing enforcement:
(1) "Hmmm. This message says it comes from joe at example.com, but the
example.com domain has an SPF record which says that only the
following five IP addresses are authorized mailers for this domain,
and suggests a policy of 'reject' for other IP addresses. This
message is coming from an IP address which isn't on that list.
(2) "Hmmm. This message says it comes from joe at example.com. It has
a DomainKeys signature from that domain, which covers the sender ID,
subject, and message body. The signature doesn't match" [sotto
voce, the Subject header was modified by the mailing list software
to include the group name] "and example.com suggests rejecting
messages which say they're from example.com but have bad signature.
There are almost certainly other, similar scenarios.
As a result, messages of this sort will tend to "bounce" from hosts
that implement forgery protection, and the mailing-list software will
often react to a flurry of such bounces by unsubscribing the intended
recipient from the list.
None of the workarounds for this are perfect - they all have side
[A] Recipients who are being unsubscribed because gmail (e.g.) is
bouncing such messages, can change their subscription to the
mailing list to "daily digest". Mailman (and I believe most other
mailing list packages) send out digests as new messages, with their
own domain as the return address, thus avoiding the problems.
[B] For SPF, the mailing list software can be configured to "take
ownership" of the message... rewriting the sender address into a new
form which doesn't break SPF rules. Examples for a message from
joe at example.com might be
Joe at example.com via Foobar mailing list <foobar at mailer.com>
Joe <joe-at-example-dot-com at rewritten.mailer.com>
and so forth.
GNU Mailman has the ability to do something along the lines of the
first example. It's the configuration I use on the small mailing
list I run. I believe it also adds a Reply-To: header to the
message to "point back to" the original sender.
It's possible to rewrite/substitute the message used in the SMTP
session, but leave the original sender's address intact in the
message headers. This will be acceptable to many (but not all)
systems that check SPF.
[C] For DomainKeys... well, if the mailing list software is going to
make any changes at all to the headers on messages it's relaying,
or change the message body at all, it should strip out any
DomainKeys signature that might exist on the message.
Or, it can send the whole inbound message (unmodified) as a MIME
attachment within a new message it originates. This leaves the
signature intact, but can be hard for many mail programs to handle
It would be up to Digium to do [B] and [C] for the mailing lists, if
they so choose.
Individual subscribers can do [A] to reduce the risk that they'll be
unsubscribed from the list whenever an SPF-protected message is sent
through the list.
More information about the asterisk-users