On Fri, November 7, 2014 12:10, Bob Marcan wrote:
Hi. Your mails to centos mailing list are constantly marked as spam by gmail.com. Marking it nospam is annoying and had no effect on gmail filtering. I can filter it into the proper folder, but this will only fix my problem. Can you do anything in that matter?
Best regards, Bob
I do not think that I have any influence over this issue, other than to change email providers and that, for various security reasons, is not going to happen. Nor, for similar reasons, is it feasible for me to have a second email address just for the Centos mailing list since I would be unable to use it from my workplace. I do understand your frustration and I am appreciative of the effort that you took to contact me about it. I wish I had some solution for you that was available to me.
The reason that my emails from the CentOS list are marked as spam by Google is that our domain employs DKIM and SPF for outgoing SMTP traffic. The CentOS mailing list manager is the stock Mailman package provided with CentOS. That version mangles the originator's mail headers and body, thus invalidating the DKIM signature. It then sends the message out as originating under the original sender's domain but from an unauthorised SMTP server address, thus triggering the SPF failure.
The reasons that this has become an issue is that Google, Yahoo, AOL and I believe Microsoft, began enforcing DMARC to varying degrees beginning last April. Google at least forwards my messages on with a warning. I believe that Yahoo simply blocks all my CentOS list traffic.
We have set SPF to a policy of ~all, which is a soft failure. That permits delivery, providing the recipient MX agrees as is the case with Google. It is not permissible for us to authorise an alien IP address as a legitimate source of our SMTP traffic so we cannot eliminate the SPF failure. We can do nothing about the DKIM invalidation since it is Mailman that is changing the headers and appending text to the body after it is signed by our servers.
There is a patch for Mailman to resolve the SPF issue and the DKIM issue with respect to headers, but it has not made it into the RedHat distribution. The body mangling issue is in the hands of the mailing list owner.
I have raised an issue on this:
https://bugzilla.redhat.com/show_bug.cgi?id=1095359
I also tried building the new Mailman package for CentOS-6. The problem is that the Mailman project does not follow the FHS. Restructuring the source files to properly package on CentOS is simply beyond my limited skills and time. I suspect that the effort involved is why the issue has not made much progress inside RH either.
I am replying to the list as well so that anyone else having the same problem with my traffic is apprised of the cause.
With regrets,
On Fri, 2014-11-07 at 13:01 -0500, James B. Byrne wrote:
The reason that my emails from the CentOS list are marked as spam by Google is that our domain employs DKIM and SPF for outgoing SMTP traffic. The CentOS mailing list manager is the stock Mailman package provided with CentOS. That version mangles the originator's mail headers and body, thus invalidating the DKIM signature. It then sends the message out as originating under the original sender's domain but from an unauthorised SMTP server address, thus triggering the SPF failure.
If I understand the problem correctly your emails sent out by the Centos mailing list (using Mailman) are considered by Google et al to be spam. The fundamental reason you believe is be your site's usage of DKIM.
Why can't your site get a cheap VPS anywhere in the world and route outgoing emails, without DKIM, through the VPS ? Cost in EU is less than GBP 80 per annum (circa EUR 96 p.a.) It is easy to achieve using Exim.
On Sat, November 8, 2014 4:02 pm, Always Learning wrote:
On Fri, 2014-11-07 at 13:01 -0500, James B. Byrne wrote:
The reason that my emails from the CentOS list are marked as spam by Google is that our domain employs DKIM and SPF for outgoing SMTP traffic. The CentOS mailing list manager is the stock Mailman package provided with CentOS. That version mangles the originator's mail headers and body, thus invalidating the DKIM signature. It then sends the message out as originating under the original sender's domain but from an unauthorised SMTP server address, thus triggering the SPF failure.
If I understand the problem correctly your emails sent out by the Centos mailing list (using Mailman) are considered by Google et al to be spam. The fundamental reason you believe is be your site's usage of DKIM.
Why can't your site get a cheap VPS anywhere in the world and route outgoing emails, without DKIM, through the VPS ? Cost in EU is less than GBP 80 per annum (circa EUR 96 p.a.) It is easy to achieve using Exim.
But logically that will defeat the whole reason of using DKIM, won't it?
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On Sat, Nov 8, 2014 at 5:42 PM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
Why can't your site get a cheap VPS anywhere in the world and route outgoing emails, without DKIM, through the VPS ? Cost in EU is less than GBP 80 per annum (circa EUR 96 p.a.) It is easy to achieve using Exim.
But logically that will defeat the whole reason of using DKIM, won't it?
Yes, but when the purpose of DKIM is to break lists that forward on your behalf, that is a good thing. But an even easier solution is to use a free email service like gmail/yahoo/hotmail for your mail list activity.
On Sat, 2014-11-08 at 17:42 -0600, Valeri Galtsev wrote:
On Sat, November 8, 2014 4:02 pm, Always Learning wrote:
On Fri, 2014-11-07 at 13:01 -0500, James B. Byrne wrote:
The reason that my emails from the CentOS list are marked as spam by Google is that our domain employs DKIM and SPF for outgoing SMTP traffic. The CentOS mailing list manager is the stock Mailman package provided with CentOS. That version mangles the originator's mail headers and body, thus invalidating the DKIM signature. It then sends the message out as originating under the original sender's domain but from an unauthorised SMTP server address, thus triggering the SPF failure.
If I understand the problem correctly your emails sent out by the Centos mailing list (using Mailman) are considered by Google et al to be spam. The fundamental reason you believe is be your site's usage of DKIM.
Why can't your site get a cheap VPS anywhere in the world and route outgoing emails, without DKIM, through the VPS ? Cost in EU is less than GBP 80 per annum (circa EUR 96 p.a.) It is easy to achieve using Exim.
But logically that will defeat the whole reason of using DKIM, won't it?
But .... is not his problem that when he sends an email to this mailing list, Google - when it gets its metaphorical hands on the output from this mailing list, whilst delivering it to some recipients - declares his email as spam ?
Everyone knows that when dealing with large organisations (especially North American ones and their global imitators), one can waste enormous amounts to time pleading with them to do simple and reasonable things properly.
He needs a solution. I proposed what I thought was a relatively quick and cheap solution.
Another solution is for the mailing list to delete all previous headers on receipt of incoming emails - perhaps that might work ?
On 2014-11-08, Always Learning centos@u62.u22.net wrote:
If I understand the problem correctly your emails sent out by the Centos mailing list (using Mailman) are considered by Google et al to be spam. The fundamental reason you believe is be your site's usage of DKIM.
The fundamental reason is because Mailman is rewriting the headers in an incompatible way. It is not his site's usage of DKIM. This is a known issue with Mailman. (I used to have a good link explaining the issue, but can't find it now; if I find it later I'll post it.)
Why can't your site get a cheap VPS anywhere in the world and route outgoing emails, without DKIM, through the VPS ?
It'd be a lot easier just to drop DKIM, but that's a bit pointless.
--keith
On Sat, Nov 08, 2014 at 05:58:53PM -0800, Keith Keller wrote:
The fundamental reason is because Mailman is rewriting the headers in an incompatible way. It is not his site's usage of DKIM. This is a known issue with Mailman. (I used to have a good link explaining the issue, but can't find it now; if I find it later I'll post it.)
So we have a 20-year old piece of technology ("mailman") and a modern proposal ("DKIM")... and somehow it's mailman's fault. Uh huh.
Note; it's not just mailman that has problems, it's _any_ mail forwarder. Going back 27 years to my first Unix account, I could create a file called ".forward" that would forward my mail to another address. This is BROKEN by DKIM.
Basically DKIM is incompatible with how internet email works.
But here's the thing... I think DKIM has a potential future; we need to _change_ how the internet works. So mailman will need to be rewritten; mail forwarders will need to change. And so on.
I use DKIM on my domain but I specifically set it to "fail safe" (deliver it anyway) because I _know_ the internet, today, isn't compatible. I get email reports so I can see if spammers _are_ sending as me.
The problem is with domains like yahoo.com who have a "fail deny" policy. Any yahoo.com sender gets so much mail rejected that many mail lists auto-block yahoo senders these days.
The problem, ultimately, is with senders with a "reject" policy published. DKIM is not compatible with internet email today, and so mail from those senders _will_ be rejected.
On Sat, November 8, 2014 8:35 pm, Stephen Harris wrote:
On Sat, Nov 08, 2014 at 05:58:53PM -0800, Keith Keller wrote:
The fundamental reason is because Mailman is rewriting the headers in an incompatible way. It is not his site's usage of DKIM. This is a known issue with Mailman. (I used to have a good link explaining the issue, but can't find it now; if I find it later I'll post it.)
So we have a 20-year old piece of technology ("mailman") and a modern proposal ("DKIM")... and somehow it's mailman's fault. Uh huh.
Note; it's not just mailman that has problems, it's _any_ mail forwarder. Going back 27 years to my first Unix account, I could create a file called ".forward" that would forward my mail to another address. This is BROKEN by DKIM.
Any constructive suggestion how to deal with e-mail of people who moved on? Forwarding is a a solution. What is suggested instead (in the realm of DKIM)?
Valeri
Basically DKIM is incompatible with how internet email works.
But here's the thing... I think DKIM has a potential future; we need to _change_ how the internet works. So mailman will need to be rewritten; mail forwarders will need to change. And so on.
I use DKIM on my domain but I specifically set it to "fail safe" (deliver it anyway) because I _know_ the internet, today, isn't compatible. I get email reports so I can see if spammers _are_ sending as me.
The problem is with domains like yahoo.com who have a "fail deny" policy. Any yahoo.com sender gets so much mail rejected that many mail lists auto-block yahoo senders these days.
The problem, ultimately, is with senders with a "reject" policy published. DKIM is not compatible with internet email today, and so mail from those senders _will_ be rejected.
--
rgds Stephen _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On 2014-11-09, Stephen Harris lists@spuddy.org wrote:
On Sat, Nov 08, 2014 at 05:58:53PM -0800, Keith Keller wrote:
The fundamental reason is because Mailman is rewriting the headers in an incompatible way. It is not his site's usage of DKIM. This is a known issue with Mailman. (I used to have a good link explaining the issue, but can't find it now; if I find it later I'll post it.)
So we have a 20-year old piece of technology ("mailman") and a modern proposal ("DKIM")... and somehow it's mailman's fault. Uh huh.
Mailman is by my reckoning only about 15 years old, and DKIM has been around for about a decade. So I'm not really convinced by your argument here.
Plus, it's not like the Mailman folks themselves are blaming DKIM. Here's a page they wrote up.
http://wiki.list.org/display/DEV/DKIM
"Make no mistake though, DKIM cannot be ignored"
I haven't looked very hard, but I haven't found anything authoritative on Mailman vs. DKIM more recent than 2012 (which itself means they've been thinking about it for a long time; the wiki doc talks about another document written in 2009).
The problem, ultimately, is with senders with a "reject" policy published. DKIM is not compatible with internet email today, and so mail from those senders _will_ be rejected.
Well, someone's gotta be first, because there's no way we'll get everyone agree to switch over on a given date. If Yahoo and Google are doing it they're forcing the issue sooner rather than later. I'm not sure that's a bad thing.
--keith
On Sat, Nov 8, 2014 at 11:59 PM, Keith Keller kkeller@wombat.san-francisco.ca.us wrote:
On 2014-11-09, Stephen Harris lists@spuddy.org wrote:
On Sat, Nov 08, 2014 at 05:58:53PM -0800, Keith Keller wrote:
The fundamental reason is because Mailman is rewriting the headers in an incompatible way. It is not his site's usage of DKIM. This is a known issue with Mailman. (I used to have a good link explaining the issue, but can't find it now; if I find it later I'll post it.)
So we have a 20-year old piece of technology ("mailman") and a modern proposal ("DKIM")... and somehow it's mailman's fault. Uh huh.
Mailman is by my reckoning only about 15 years old, and DKIM has been around for about a decade. So I'm not really convinced by your argument here.
Isn't this a philosophical question about who the author really is? That is, does it belong to the original sender or is is something made up by the list that deserves to be signed as though they made it up?
On Fri, Nov 7, 2014 at 1:01 PM, James B. Byrne byrnejb@harte-lyne.ca wrote:
On Fri, November 7, 2014 12:10, Bob Marcan wrote:
Hi. Your mails to centos mailing list are constantly marked as spam by gmail.com. Marking it nospam is annoying and had no effect on gmail filtering. I can filter it into the proper folder, but this will only fix my
problem.
Can you do anything in that matter?
Best regards, Bob
If Bob already has a Gmail filter set up to tag CentOS list mail, it's simple to modify that filter to "do not mark as spam".
That's a workaround that Bob can control and use to alleviate the situation until the "fixed" Mailman packages reach maturity.
On Mon, Nov 10, 2014 at 12:39 PM, SilverTip257 silvertip257@gmail.com wrote:
On Fri, Nov 7, 2014 at 1:01 PM, James B. Byrne byrnejb@harte-lyne.ca wrote:
On Fri, November 7, 2014 12:10, Bob Marcan wrote:
Hi. Your mails to centos mailing list are constantly marked as spam by gmail.com. Marking it nospam is annoying and had no effect on gmail filtering. I can filter it into the proper folder, but this will only fix my
problem.
Can you do anything in that matter?
Best regards, Bob
If Bob already has a Gmail filter set up to tag CentOS list mail, it's simple to modify that filter to "do not mark as spam".
That's a workaround that Bob can control and use to alleviate the situation until the "fixed" Mailman packages reach maturity.
At least in theory, if you add a sender to your gmail contacts list it is supposed to try to avoid marking subsequent messages from that sender as spam.
-
Always Learning -
James B. Byrne -
Keith Keller -
Les Mikesell -
SilverTip257 -
Stephen Harris -
Valeri Galtsev