[OT] Re: configuration error in lists.isc.org

Heiko Richter email at heikorichter.name
Fri Aug 7 00:54:15 UTC 2015


On 07.08.2015 at 02:03, Charles Swiger wrote:
> On Aug 6, 2015, at 4:25 PM, Heiko Richter <email at heikorichter.name> wrote:
>> Whenever I post something to the list (I'm not using SMTP, I'm
>> using a usenet server to post to comp.protocols.dns.bind), my
>> postmaster address receives DMARC notifications from list members
>> that have employed this wonderful protocol on their servers,
>> telling me my message had been rejected for violating my SPF
>> policy.
>> 
>> My SPF record doesn't include lists.isc.org, of course, and it never
>> will. Furthermore it ends with "-all", so all my messages to the list
>> are being rejected by list members who have SPF-aware servers.
> 
> DMARC makes assumptions which do not play nicely with mailing
> lists -- in particular, a mailing list is always going to want to
> use a bounce address within its own domain to notice failing
> delivery -- so SPF usually isn't going to match.
> 
> The choices I see are to either list the mailservers of the mailing
> lists you participate on in your SPF records, convince the folks
> receiving your mail to whitelist the ISC mailing servers from SPF /
> DMARC checks, and/or change your SPF policy from -all to something
> less strict.

Changing to ~all will indeed solve the problem at the MTA level. But
it will make filters like SpamAssassin create false positives and
probably dump the mails into users' spam folders. This will poison the
Bayes filter and - depending on what the users do with their spam -
you run the risk of getting reported to RBLs, so not a good idea.

> 
> Otherwise, accept that the choices you've made mean the messages
> you send will frequently bounce.
> 
>> So ISC: please fix your list servers, let them rewrite the From
>> headers!
> 
> How would this help?  Changing the From header breaks your domain's
> DKIM signing; are you asking them to take ownership of your
> messages and then DKIM sign them on behalf of isc.org?  That breaks
> normal email replies.

OK, didn't think about DKIM, changing the From header won't work either.

> 
> Even the DMARC FAQ is honest enough to note that every alternative
> has major cons:
> 
> 
> https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F
>
>  Regards, -- -Chuck
> 

Just found another solution that will help with any DMARC-aware
server that knows Sender-ID. I just published:
heikorichter.name.      60      IN      TXT     "spf2.0/pra ?all"

This will force DMARC to check only the envelope sender, which is
changed by lists.isc.org as /dev/rob0 pointed out earlier.

Heiko
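The alignment problem Chuck describes, as an added worked example that is not part of this thread: a minimal DMARC identifier-alignment check (Python, with assumed helper names; the organizational-domain lookup is simplified to the last two labels instead of the Public Suffix List) run over constructed scenarios of a message sent directly versus relayed through a list that rewrites the envelope sender to its own domain.

```python
# Added example, not from the thread: why a mailing list that rewrites
# MAIL FROM to its own bounce domain makes SPF pass but fail to align
# with the author's From: domain, so DMARC then depends on DKIM surviving.
# Assumption: organizational domain approximated as the last two labels
# (the real rule uses the Public Suffix List).

def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(a: str, b: str, mode: str = "r") -> bool:
    """DMARC alignment: strict ('s') = exact match, relaxed ('r') = same org domain."""
    if mode == "s":
        return a.lower().rstrip(".") == b.lower().rstrip(".")
    return org_domain(a) == org_domain(b)

def dmarc_result(from_domain, mail_from_domain, spf_result,
                 dkim_domain, dkim_result, spf_mode="r", dkim_mode="r"):
    """Return (spf_aligned_pass, dkim_aligned_pass, dmarc_pass)."""
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, spf_mode)
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, dkim_mode))
    return spf_ok, dkim_ok, (spf_ok or dkim_ok)

# Constructed scenarios: (From: domain, MAIL FROM domain, SPF result,
# DKIM d= domain, DKIM result). The list domain is the one from the thread.
SCENARIOS = {
    # direct delivery: SPF passes for the author's domain and aligns
    "direct": ("heikorichter.name", "heikorichter.name", "pass", "heikorichter.name", "pass"),
    # via list: SPF passes for the list's bounce domain but is unaligned;
    # an untouched DKIM signature still aligns, so DMARC passes via DKIM
    "list_dkim_intact": ("heikorichter.name", "lists.isc.org", "pass", "heikorichter.name", "pass"),
    # via list that alters subject/body and breaks the signature: DMARC fails
    "list_dkim_broken": ("heikorichter.name", "lists.isc.org", "pass", "heikorichter.name", "fail"),
    # via list with no DKIM signature at all: only unaligned SPF remains
    "list_no_dkim": ("heikorichter.name", "lists.isc.org", "pass", None, "none"),
}

def evaluate_all():
    """Evaluate every constructed scenario; returns name -> result tuple."""
    return {name: dmarc_result(*args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (spf_ok, dkim_ok, ok) in evaluate_all().items():
        print(f"{name:18s} spf_aligned={spf_ok!s:5s} dkim_aligned={dkim_ok!s:5s} dmarc_pass={ok}")
```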

