Uploaded image for project: 'Infrastructure'
  1. Infrastructure
  2. INFRA-14192

Senders with DMARC p=reject are being quarantined on the SA mailing list

    Details

    • Type: Project
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Fix Version/s: Jun 2017
    • Component/s: Mailing Lists
    • Labels:
      None
    • Project:
      SpamAssassin

      Description

      Found this: https://blogs.apache.org/infra/entry/dmarc_filtering_on_lists_that

      Do we need to get that setting done on the SA list to allow senders with DMARC p=reject?

      Thanks,
      Dave

        Activity

        Hide
        cml Chris Lambertus added a comment -
        Quarantined how? Where? Anti-virus quarantining doesn't really match the pattern related to the issues with DMARC, so I'm not sure it relates. If you can point to specific quarantined messages and/or include the specifics of the quarantine notice, we can look into this further.
        Show
        cml Chris Lambertus added a comment - Quarantined how? Where? Anti-virus quarantining doesn't really match the pattern related to the issues with DMARC, so I'm not sure it relates. If you can point to specific quarantined messages and/or include the specifics of the quarantine notice, we can look into this further.
        Hide
        davej Dave Jones added a comment - Reporter
        To: [~cml]

        This was posted on the SpamAssassin mailling list:

        From: "Dianne Skoll" <dfs@roaringpenguin.com>
        To: users@spamassassin.apache.org
        Date: Friday 5/19/2017 1:30 PM US CDT

        Hi,

        Tons of list traffic keeps getting quarantined because of DMARC. For
        example, a recent message from David Jones <djones@ena.com>:

        DMARC policy for domain ena.com suggests Rejection as
        DMARC_POLICY_REJECT, but quarantined due to rule settings

        $ host -t txt _dmarc.ena.com
        _dmarc.ena.com descriptive text "v=DMARC1\; p=reject\; sp=reject\; rua=mailto:dmarc@ena.net\;"

        (In this instance, we've overridden the DMARC policy and converted it
        to quarantine instead of reject, so I was able to retrieve the email, but...)

        I'm pretty sure Mailman can do DMARC-munging. Can ezmlm do the equivalent
        of Mailman's "ALLOW_FROM_IS_LIST" feature?

        Regards,

        Dianne.

        I Googled a few things and found the article link in the original ticket description at the top that mentions DMARC filtering lists and a ezmlm patch that may need to be applied. Does the spamassassin.apache.org mailing list have that patch applied to it?

        https://blogs.apache.org/infra/entry/dmarc_filtering_on_lists_that

        Thanks,
        Dave
        Show
        davej Dave Jones added a comment - Reporter To: [~cml] This was posted on the SpamAssassin mailling list: From: "Dianne Skoll" < dfs@roaringpenguin.com > To: users@spamassassin.apache.org Date: Friday 5/19/2017 1:30 PM US CDT Hi, Tons of list traffic keeps getting quarantined because of DMARC. For example, a recent message from David Jones < djones@ena.com >: DMARC policy for domain ena.com suggests Rejection as DMARC_POLICY_REJECT, but quarantined due to rule settings $ host -t txt _dmarc.ena.com _dmarc.ena.com descriptive text "v=DMARC1\; p=reject\; sp=reject\; rua=mailto: dmarc@ena.net \;" (In this instance, we've overridden the DMARC policy and converted it to quarantine instead of reject, so I was able to retrieve the email, but...) I'm pretty sure Mailman can do DMARC-munging. Can ezmlm do the equivalent of Mailman's "ALLOW_FROM_IS_LIST" feature? Regards, Dianne. I Googled a few things and found the article link in the original ticket description at the top that mentions DMARC filtering lists and a ezmlm patch that may need to be applied. Does the spamassassin.apache.org mailing list have that patch applied to it? https://blogs.apache.org/infra/entry/dmarc_filtering_on_lists_that Thanks, Dave
        Hide
        cml Chris Lambertus added a comment -
        Some of the SA lists have the referenced dmarc munging enabled, and others do not. I am not sure why the project chose to do some and not others. We can try enabling it for users@ but I'm not sure it will solve this specific problem.
        Show
        cml Chris Lambertus added a comment - Some of the SA lists have the referenced dmarc munging enabled, and others do not. I am not sure why the project chose to do some and not others. We can try enabling it for users@ but I'm not sure it will solve this specific problem.
        Hide
        davej Dave Jones added a comment - Reporter
        What problem is the DMARC munging supposed to solve exactly? Sorry it's been so long since I open this ticket and have slept a few times. I think the issue was my work email address of djones@ena.com now has DMARC set to p=reject so the ezmlm list needed to be able to accept emails from my address even if DMARC failed. I have since figured out my issue with DKIM signing outbound (darn problem with Office 365) so DMARC is passing but this is a larger issue for many other senders that may have p=reject and they don't have DKIM signing with alignment.

        Honestly, we may be able to just close this ticket since so much time has passed.

        Thanks,
        Dave
        Show
        davej Dave Jones added a comment - Reporter What problem is the DMARC munging supposed to solve exactly? Sorry it's been so long since I open this ticket and have slept a few times. I think the issue was my work email address of djones@ena.com now has DMARC set to p=reject so the ezmlm list needed to be able to accept emails from my address even if DMARC failed. I have since figured out my issue with DKIM signing outbound (darn problem with Office 365) so DMARC is passing but this is a larger issue for many other senders that may have p=reject and they don't have DKIM signing with alignment. Honestly, we may be able to just close this ticket since so much time has passed. Thanks, Dave
        Hide
        cml Chris Lambertus added a comment -
        It's not really a larger issue, because invalid DMARC was rightfully invalid in this case. DMARC is not great, and it's broken in many circumstances, but this doesn't appear to be one of them. Glad you got your issue sorted. If it crops up as a problem again, please let us know.
        Show
        cml Chris Lambertus added a comment - It's not really a larger issue, because invalid DMARC was rightfully invalid in this case. DMARC is not great, and it's broken in many circumstances, but this doesn't appear to be one of them. Glad you got your issue sorted. If it crops up as a problem again, please let us know.

          People

          • Assignee:
            Unassigned
            Reporter:
            davej Dave Jones
            Request participants:
            None
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: