Opened 6 weeks ago

Last modified 7 days ago

#14184 assigned Bug/Something is broken

Improve email deliverability and control for listserv (lists.portside.org)

Reported by: https://id.mayfirst.org/wolcen Owned by: https://id.mayfirst.org/jamie
Priority: Medium Component: Tech
Keywords: Cc:
Sensitive: no

Description (last modified by https://id.mayfirst.org/wolcen)

Hi,

I'm hoping to just get confirmation here before committing to any action, so as to not break any of the things :D Part of the issue is that I'm not quite sure how to determine the exact sources of email, i.e., how can I be certain that all outbound mail goes through the mayfirst MTAs? See the report at the end from SenderScore.org. Certainly some of these are anticipated to be spoofed.

There are actually a number of tasks to complete in regards to this.

  1. SPF
  2. DKIM
  3. DMARC
  4. Reverse routing of email back to ListServ from Postfix (for automatic cleaning of mail lists via return route). Moved to #14277

#1 SPF: ListServ itself is using localhost to deliver mail. My understanding is that postfix is then forwarding all email (by destination) to the various outbound MFPL email servers. In this case, I presume that I want the typical SPF record, only applied at the subdomain level rather than at the top level, per https://support.mayfirst.org/wiki/faq/email/add-spf-record, e.g.:

lists.portside.org TXT v=spf1 a:spf.mayfirst.org ~all

Now, there is one hesitation I have here, and perhaps just adding mumia.mayfirst.org is all that is needed. I'm not sure how these particular messages are being sourced, but according to a domain report from https://www.senderscore.org, mumia is a source of email from the domain. For portside.org itself, only the mayfirst outbound email servers are referenced, so perhaps a wildcard SPF would be suitable instead?

#2 DKIM: The best documentation I have found here is from ListServ. Being an email dunce, however, I am not sure whether DKIM should be applied at the level of ListServ or postfix. My gut would be that if the only originator for outbound email is the listserv itself, then it makes sense to put it there. This instance has mailman as well, however, so...? http://www.lsoft.com/manuals/dkim/LISTSERV-DKIM-config.html#configuration

#3 DMARC: So far so good here, in that we've set up two emails for receiving reports and can adjust once SPF/DKIM are working properly. Let us know if DMARC reports will be useful to complete this task.

GitLab tickets: https://gitlab.com/agaric/sites/portside/issues/69 (gmail) https://gitlab.com/agaric/sites/portside/issues/70 (gmail) https://gitlab.com/agaric/sites/portside/issues/26 (yahoo deliverability)

SenderScore.org "sending IPs" for lists.portside.org:

IP Address    	Hostname 	Volume    	Sender Score   
108.166.43.128 	gate.forward.smtp.ord1c.emailsrvr.com 	Very High 	81
108.60.195.213 	cx-a.mxthunder.net 	Very High 	99
128.103.109.33 	postmail-s01.cadm.harvard.edu 	Very High 	98
128.103.229.181 	postmail-s03.cadm.harvard.edu 	Very High 	97
146.20.112.67 	nat.iad.rs.oxcs.net 	Very High 	99
146.20.86.8 	gate.forward.smtp.iad3b.emailsrvr.com 	Very High 	83
161.47.34.7 	gate.forward.smtp.ord1d.emailsrvr.com 	Very High 	82
162.247.75.110 	cleveland.smtp.mayfirst.org 	Very High 	96
162.247.75.111 	cleveland.smtp.mayfirst.org 	Very High 	97
162.247.75.112 	cleveland.smtp.mayfirst.org 	Very High 	89
162.247.75.113 	cleveland.smtp.mayfirst.org 	Very High 	96
162.247.75.185 	cleveland.smtp.mayfirst.org 	Very High 	97
162.247.75.186 	cleveland.smtp.mayfirst.org 	Very High 	97
162.247.75.187 	cleveland.smtp.mayfirst.org 	Very High 	96
162.247.75.208 	cleveland.smtp.mayfirst.org 	Very High 	97
192.252.151.19 	server343.com 	High 	99
204.232.172.40 	gate.forward.smtp.iad3a.emailsrvr.com 	Very High 	82
207.69.195.101 	smarth-marmette.atl.sa.earthlink.net 	Very High 	82
207.69.195.102 	smarth-petite.atl.sa.earthlink.net 	Very High 	95
207.69.195.67 	smarth-minnow.atl.sa.earthlink.net 	Very High 	85
207.69.195.97 	smarth-shelduck.atl.sa.earthlink.net 	Very High 	97
208.53.48.218 	c7-b.mxthunder.net 	Very High 	99
209.51.163.12 	mumia.mayfirst.org 	Moderate 	99
209.51.163.203 	rustin.smtp.mayfirst.org 	Very High 	97
209.85.160.197 	mail-qt1-f197.google.com 	Very High 	44
209.85.160.198 	mail-qt1-f198.google.com 	Very High 	43
209.85.160.199 	mail-qt1-f199.google.com 	Very High 	20
209.85.160.200 	mail-qt1-f200.google.com 	Very High 	20
209.85.222.197 	mail-qk1-f197.google.com 	Very High 	54
209.85.222.198 	mail-qk1-f198.google.com 	Very High 	55
209.85.222.199 	mail-qk1-f199.google.com 	Very High 	51
209.85.222.200 	mail-qk1-f200.google.com 	Very High 	46
69.252.207.33 	resqmta-ch2-01v.sys.comcast.net 	Very High 	86
69.252.207.34 	resqmta-ch2-02v.sys.comcast.net 	Very High 	83
69.252.207.36 	resqmta-ch2-04v.sys.comcast.net 	Very High 	91
69.252.207.37 	resqmta-ch2-05v.sys.comcast.net 	Very High 	81
69.252.207.38 	resqmta-ch2-06v.sys.comcast.net 	Very High 	86
69.252.207.41 	resqmta-ch2-09v.sys.comcast.net 	Very High 	94
69.252.207.42 	resqmta-ch2-10v.sys.comcast.net 	Very High 	94
69.252.207.43 	resqmta-ch2-11v.sys.comcast.net 	Very High 	86
96.114.154.160 	resqmta-po-01v.sys.comcast.net 	Very High 	85
96.114.154.162 	resqmta-po-03v.sys.comcast.net 	Very High 	84
96.114.154.163 	resqmta-po-04v.sys.comcast.net 	Very High 	85
96.114.154.164 	resqmta-po-05v.sys.comcast.net 	Very High 	88
96.114.154.165 	resqmta-po-06v.sys.comcast.net 	Very High 	82
96.114.154.166 	resqmta-po-07v.sys.comcast.net 	Very High 	82
96.114.154.168 	resqmta-po-09v.sys.comcast.net 	Very High 	81
96.114.154.170 	resqmta-po-11v.sys.comcast.net 	Very High 	81

Change History (15)

comment:1 Changed 6 weeks ago by https://id.mayfirst.org/jaimev

  • Owner set to https://id.mayfirst.org/jamie
  • Status changed from new to assigned

I have questions about this as well. Copying jamie here but adding just a few details I think I can confirm.

As far as the spf record if you want to use a more limited range you could try using just:

cleveland.smtp.mayfirst.org rustin.smtp.mayfirst.org

I think you probably want to avoid using mumia.mayfirst.org directly. We can check the logs and try to identify which software is still delivering mail from there. If you do need to send mail from mumia for any reason then you should also add it to the spf record.

Last edited 6 weeks ago by https://id.mayfirst.org/jaimev

comment:2 Changed 6 weeks ago by https://id.mayfirst.org/wolcen

Excellent, ty. For the record, I'd checked Senderscore for portside.org, and it is significantly cleaner - and in fact, exactly matches your limited recommendation. Personally, I'm more concerned with cutting off legitimate senders than excluding potentially offending sources - at least for the first go at this. I'm just not sure how to go about it, but thankfully it sounds like you have an idea on where to look for that :)

Sending IPs
IP Address    	Hostname 	Volume    	Sender Score   
162.247.75.110 	cleveland.smtp.mayfirst.org 	Very High 	96
162.247.75.111 	cleveland.smtp.mayfirst.org 	Very High 	97
162.247.75.112 	cleveland.smtp.mayfirst.org 	Very High 	89
162.247.75.113 	cleveland.smtp.mayfirst.org 	Very High 	96
162.247.75.185 	cleveland.smtp.mayfirst.org 	Very High 	97
162.247.75.186 	cleveland.smtp.mayfirst.org 	Very High 	97
162.247.75.187 	cleveland.smtp.mayfirst.org 	Very High 	96
162.247.75.208 	cleveland.smtp.mayfirst.org 	Very High 	97
209.51.163.203 	rustin.smtp.mayfirst.org 	Very High 	97
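Before publishing any of the records discussed in the description and in comments 1 and 2, it is worth dry-running the candidate against every IP that has been seen sending as the domain. The following is an added example, not code from the ticket or from May First: DNS is replaced by in-memory stubs built from the SenderScore hostnames above, which is an assumption (those are reverse-DNS names, not forward A records), and the stub content for spf.mayfirst.org is hypothetical. Note also that `a:name` matches the A record of `name`, while `include:name` evaluates `name`'s own SPF record; the two mechanisms are not interchangeable, and the evaluator treats them differently.

```python
"""Offline SPF dry run against the IPs observed sending as this domain.
Added example (not from the ticket): DNS is replaced by in-memory stubs built
from the SenderScore hostnames in the ticket, which is an assumption, since
those are reverse-DNS names rather than forward A records. Check with real
lookups before publishing."""
import ipaddress

# Stub A records. Assumption: the mayfirst hostnames resolve to the addresses
# SenderScore attributes to them in the ticket's tables.
STUB_A = {
    "cleveland.smtp.mayfirst.org": [
        "162.247.75.110", "162.247.75.111", "162.247.75.112", "162.247.75.113",
        "162.247.75.185", "162.247.75.186", "162.247.75.187", "162.247.75.208",
    ],
    "rustin.smtp.mayfirst.org": ["209.51.163.203"],
    "mumia.mayfirst.org": ["209.51.163.12"],
}
# Stub TXT record for include:. Hypothetical content; the real spf.mayfirst.org
# record is whatever May First publishes.
STUB_TXT = {
    "spf.mayfirst.org": "v=spf1 a:cleveland.smtp.mayfirst.org a:rustin.smtp.mayfirst.org -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, ip, depth=0):
    """Evaluate ip against an SPF record (ip4:, a:, include:, all supported).
    Returns (result, matching_mechanism); result names follow RFC 7208."""
    if depth > 10 or not record.lower().startswith("v=spf1"):
        return "none", None
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "pass"
        if term[0] in QUALIFIERS:
            qual, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return qual, "all"
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return qual, term
        if name == "a" and ip in STUB_A.get(arg.lower(), []):
            return qual, term
        if name == "include":
            # include: matches only when the referenced record itself yields pass
            inner, _ = evaluate_spf(STUB_TXT.get(arg.lower(), ""), ip, depth + 1)
            if inner == "pass":
                return qual, term
    return "neutral", None  # no mechanism matched and no 'all' present


def dry_run(record, ips):
    """Result per observed IP; anything not 'pass' would be hurt by publishing."""
    return {ip: evaluate_spf(record, ip)[0] for ip in ips}


# Constructed from the mayfirst rows of the first SenderScore table in the ticket.
OBSERVED = STUB_A["cleveland.smtp.mayfirst.org"] + ["209.51.163.203", "209.51.163.12"]

CANDIDATES = {
    "description (a: mechanism)": "v=spf1 a:spf.mayfirst.org ~all",
    "comment 3 (include:)": "v=spf1 include:spf.mayfirst.org ~all",
    "comment 1 (restricted)": "v=spf1 a:cleveland.smtp.mayfirst.org a:rustin.smtp.mayfirst.org ~all",
}

if __name__ == "__main__":
    for label, record in CANDIDATES.items():
        results = dry_run(record, OBSERVED)
        not_passing = sorted(ip for ip, r in results.items() if r != "pass")
        print(f"{label}: {record}")
        print(f"  not passing: {not_passing or 'none'}")
```

Under the restricted record from comment 1, every cleveland and rustin address passes and only mumia (209.51.163.12) softfails, which is exactly the question comment 1 raises about mail still leaving from mumia. Replace the stubs with real `dig` answers before trusting the result.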

comment:3 Changed 6 weeks ago by https://id.mayfirst.org/wolcen

Just to note: perhaps my biggest lack of understanding here is "where" (when?) SPF/DKIM, etc. should apply. For example, does it all happen at/apply to the "border" where some MTA finally talks to the target servers (per the MX of the recipient domain's records)? Or, does, e.g. SPF, look "backwards" from that, such that where the message originated might have any bearing? Judging from the recommendations of MayFirst re using the include for spf.mayfirst.org, I'm guessing that the border is the appropriate place - at least for SPF. If DKIM applies earlier, would that mean that there might be multiple keys on record, one for each sending program (i.e. mailman + listserv). No need to respond to this directly - just trying to explain my own perspective so you know what I do/don't understand as we proceed here - I'll continue to read up, there's no shortage of info on the huge topic, I just have yet to have dug into a good overarching guide :)

comment:4 Changed 6 weeks ago by https://id.mayfirst.org/jamie

Yeah, it is a mess of concepts to learn.

It's further complicated by the fact that not all mail servers properly follow the spec :).

Typically, receiving servers will evaluate messages when they are received.

When one server sends email to a second server, the sending server supplies "envelope" information - including a "MAIL FROM" and a "RCPT TO" value. These values can be totally different from the To: and From: values in the message header. (The envelope RCPT TO will determine what mailbox it lands in, and the MAIL FROM is often reflected in the Return-Path header that is usually hidden in most email clients.)

SPF is supposed to apply to the MAIL FROM envelope information. However, in my experience I've found that servers apply SPF rules to the From: address in the headers as well.

DKIM, on the other hand, is strictly about the From: header. The sending server is supposed to sign the entire message using the private key associated with the domain in the From: header. Then the receiving server should retrieve the public key via DNS and validate the signature.

jamie

comment:5 Changed 3 weeks ago by https://id.mayfirst.org/wolcen

OK - so, I think we are ready to start rolling out some changes. Things to keep in mind with these suggestions:

  • We are not positive where all email originates.
  • The largest concern is reducing deliverability (obviously), but given this is for a very important asset to Portside, I'm just trying to be extra cautious.
  • The email we are working on at this time is from the lists.portside.org subdomain that listserv originates messages from.
  • We are relying heavily on your verification/recommendations here - I'm not an expert on these records by any means.

We are thinking of taking the following next step: Enable DKIM for lists.portside.org, and adjust DMARC accordingly:

  • Add domain key: listserv._domainkeys.lists.portside.org (create with test flag - t=y)
  • Configure L-Soft software to use this key.
  • Update DMARC to the following (we'd like it to ignore SPF failure IF it is otherwise valid with DKIM). Note: the DMARC record is currently @ _dmarc.portside.org, which I understand is inherited by lists.portside.org.

Proposed DMARC record for: portside.org (published at _dmarc.portside.org)

v=DMARC1; p=none; rua=mailto:dmarcreports@portside.org; ruf=mailto:dmarcfailreports@portside.org; fo=0; adkim=r; aspf=r; pct=1; ri=86400; sp=none

A few things about the above: the "percent" flag is 1%. Also, using https://www.kitterman.com/dmarc/assistant.html the following message was also returned, but it may be a tool error?

Organization domain and reporting address domains are different. The report receiving domain must also publish a verification record.

Verification record(s) for: portside.org
Record location: portside.org._report._dmarc.portside.org
Record: v=DMARC1;

Once we have DMARC reports returned after these have rolled out, we plan to move on to adding an SPF record.
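A small parser makes the proposed record above easier to reason about before it is published. This is an added example, not code from the ticket; tag defaults and meanings follow RFC 7489, and the `org_domain()` helper is a two-label approximation (real verifiers use the Public Suffix List). The `external_report_domains()` check is the rule behind the assistant's message quoted above: a `rua=`/`ruf=` destination outside the policy domain's organization must publish `<policy-domain>._report._dmarc.<destination>` before receivers will send it reports (RFC 7489 section 7.1).

```python
"""Parse and sanity-check a DMARC record before publishing. Added example, not
the ticket's own code. Defaults and meanings follow RFC 7489."""

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "ri": "86400"}


def parse_dmarc(record):
    """'tag=value; ...' into a dict with RFC 7489 defaults filled in."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("record must begin with v=DMARC1 and carry p=")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy p={tags['p']}")
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p= when absent
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels. Assumption
    for this example; real verifiers consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def report_domains(tags, key):
    """Domains named by the mailto: URIs in rua= or ruf=."""
    found = set()
    for uri in tags.get(key, "").split(","):
        uri = uri.strip()
        if uri.startswith("mailto:") and "@" in uri:
            found.add(uri.split("@", 1)[1].split("!", 1)[0].lower())  # drop size limit
    return sorted(found)


def external_report_domains(policy_domain, tags):
    """Report destinations outside the policy domain's organization (RFC 7489
    section 7.1); each must publish an authorization record or reports are dropped."""
    org = org_domain(policy_domain)
    dests = set(report_domains(tags, "rua")) | set(report_domains(tags, "ruf"))
    return sorted(d for d in dests if org_domain(d) != org)


def describe(policy_domain, tags):
    """Human-readable summary of what the record asks receivers to do."""
    mode = {"r": "relaxed", "s": "strict"}
    fo = {"0": "only when every mechanism fails", "1": "when any mechanism fails"}
    lines = [
        f"{policy_domain}: p={tags['p']}, subdomains sp={tags['sp']}",
        f"pct={tags['pct']}: policy applied to {tags['pct']}% of failing mail, "
        "the rest gets the next weaker policy (moot while p=none)",
        f"alignment: DKIM {mode[tags['adkim']]}, SPF {mode[tags['aspf']]}",
        f"aggregate reports to {report_domains(tags, 'rua') or 'nobody'} every {tags['ri']} s",
        f"failure reports {fo.get(tags['fo'], 'per fo=' + tags['fo'])}",
    ]
    for dest in external_report_domains(policy_domain, tags):
        lines.append(f"needs {policy_domain}._report._dmarc.{dest} TXT 'v=DMARC1' to receive reports")
    return lines


# The record proposed in comment 5, copied from the ticket.
PROPOSED = ("v=DMARC1; p=none; rua=mailto:dmarcreports@portside.org; "
            "ruf=mailto:dmarcfailreports@portside.org; fo=0; adkim=r; aspf=r; "
            "pct=1; ri=86400; sp=none")

if __name__ == "__main__":
    print("\n".join(describe("portside.org", parse_dmarc(PROPOSED))))
```

For the proposed record both report addresses are inside portside.org, so `external_report_domains()` is empty and no `_report._dmarc` record is required; the check only triggers when reports are routed to a third-party domain.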

comment:6 Changed 3 weeks ago by https://id.mayfirst.org/jamie

This seems reasonable, especially given that your action is to not take action (I find DMARC overly sensitive and easy to mess up, resulting in less deliverability).

One point of clarification: are you adding this to the lists.portside.org domain name (recommended) or the portside.org domain name?

Also, I haven't looked... but do you know how to configure listserv to use dkim? If not we could probably configure postfix on morales to do it, but if you can get listserv to do it that would be ideal.

comment:7 Changed 2 weeks ago by https://id.mayfirst.org/wolcen

Per domains - I've confirmed it as written above, yes: the DKIM record goes on lists.portside.org. The DMARC record is currently at portside.org and seems to be inherited OK... should we move this to lists.portside.org?

ListServ has great instructions for adding the key to itself, so yes, I'll go with putting it in there.

http://www.lsoft.com/manuals/dkim/LISTSERV-DKIM-config.html#configuration

comment:8 Changed 2 weeks ago by https://id.mayfirst.org/jamie

I recommend initially restricting everything to lists.portside.org if possible. In my experience:

  • DKIM: these only affect the messages being signed. As long as the public key is properly published, you can't go wrong, and in the worst-case scenario you will mess up just the emails that are being signed. Remember: DKIM is about the From: address in the email headers.
  • SPF: An incorrect record is worse than no record at all. If you publish an SPF record and you are sending from an IP that is not included, you will be punished. Not so great.
  • DMARC: as long as you are not enforcing and just getting reports, you should be safe. But in my limited experience, I have found this one to be quite tricky to get right and once you switch from reporting to enforcement, it can be very painful to get it wrong.

The only possible problem is if the from address on the messages going out is a @portside.org address instead of a @lists.portside.org address. If so, your dkim record will need to be on portside.org instead of lists.portside.org. And your SPF record, if you follow the spec, should not matter but in fact I find a lot of email providers seem to check the From: address against SPF anyway, so it might need to as well.

comment:9 Changed 2 weeks ago by https://id.mayfirst.org/wolcen

So, in summary: what I have now appears incorrect. Fortunately, I set up the DKIM key under test configuration and also told ListServ to sign for lists.portside.org, so it should in fact be signing nothing if I'm understanding correctly (should be for portside.org given "moderator@…", yes?).

Here's the snapshot headers, for reference:

Return-Path: <owner-portside-snapshot*chris**AGARIC*-COM@LISTS.PORTSIDE.ORG>
Delivered-To: wolcen@sojourner.mayfirst.org
Received: from sojourner.mayfirst.org
	by sojourner.mayfirst.org (Dovecot) with LMTP id rFuFKt3I/1tJcQAA+yvYHA
	for <wolcen@sojourner.mayfirst.org>; Thu, 29 Nov 2018 06:09:17 -0500
Received: from sojourner.mayfirst.org (localhost [127.0.0.1])
	by sojourner.mayfirst.org (Postfix) with ESMTP id 0EB58139C4
	for <chris@AGARIC.COM>; Thu, 29 Nov 2018 06:09:17 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	sojourner.mayfirst.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,SHORTCIRCUIT
	autolearn=disabled version=3.4.2
X-Spam-Language: en
Received: from rustin.smtp.mayfirst.org (cleveland.smtp.mayfirst.org [162.247.75.112])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sojourner.mayfirst.org (Postfix) with ESMTPS id DA09546B67
	for <chris@AGARIC.COM>; Thu, 29 Nov 2018 06:09:16 -0500 (EST)
Received: from lists.portside.org (morales.mayfirst.org [209.51.180.25])
	by rustin.smtp.mayfirst.org (Postfix) with ESMTP id 4A664BDB0
	for <chris@AGARIC.COM>; Thu, 29 Nov 2018 06:09:15 -0500 (EST)
Received: from morales (localhost [127.0.0.1])
	by lists.portside.org (Postfix) with ESMTP id A5DAA254CB
	for <chris@AGARIC.COM>; Thu, 29 Nov 2018 01:09:14 -1000 (HST)
Received: by LISTS.PORTSIDE.ORG (LISTSERV-TCP/IP release 16.5) with spool id
          28199941 for PORTSIDE-SNAPSHOT@LISTS.PORTSIDE.ORG; Thu, 29 Nov 2018
          01:00:16 -1000
X-Original-To: PORTSIDE-SNAPSHOT@LISTS.PORTSIDE.ORG
Delivered-To: portside-snapshot@morales.mayfirst.org
Received: from mumia.mayfirst.org (mumia.mayfirst.org [209.51.163.12]) by
          lists.portside.org (Postfix) with ESMTP id 0B587254A9 for
          <PORTSIDE-SNAPSHOT@LISTS.PORTSIDE.ORG>; Thu, 29 Nov 2018 01:00:16
          -1000 (HST)
Received: from mumia.mayfirst.org (localhost [127.0.0.1]) by mumia.mayfirst.org
          (Postfix) with ESMTP id BABC5BE2F; Thu, 29 Nov 2018 06:00:09 -0500
          (EST)
Received: by mumia.mayfirst.org (Postfix, from userid 27371) id 5D82BBE32; Thu,
          29 Nov 2018 06:00:09 -0500 (EST)
X-PHP-Originating-Script: 27371:SimpleMailInvoker.php
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_=_swift_v4_1543489209_3743147083f54b1c56415ce5eb9b5d4e_=_"
X-Mailer: Drupal
X-Virus-Scanned: ClamAV using ClamSMTP
X-Envelope-From: <moderator@portside.org>
Message-ID:  <6df789c12ea4b113315af5771f15584a@swift.generated>
Date:         Thu, 29 Nov 2018 06:00:09 -0500
Reply-To:     moderator@PORTSIDE.ORG
From:         Portside Snapshot <moderator@PORTSIDE.ORG>
Subject: Portside Snapshot -  November 29, 2018
To:           PORTSIDE-SNAPSHOT@LISTS.PORTSIDE.ORG
Precedence: list
List-Help: <http://lists.portside.org/cgi-bin/listserv/wa?LIST=PORTSIDE-SNAPSHOT>,
           <mailto:LISTSERV@LISTS.PORTSIDE.ORG?body=INFO%20PORTSIDE-SNAPSHOT>
List-Unsubscribe: <mailto:PORTSIDE-SNAPSHOT-unsubscribe-request@LISTS.PORTSIDE.ORG>
List-Subscribe: <mailto:PORTSIDE-SNAPSHOT-subscribe-request@LISTS.PORTSIDE.ORG>
List-Owner: <mailto:PORTSIDE-SNAPSHOT-request@LISTS.PORTSIDE.ORG>
List-Archive: <http://lists.portside.org/cgi-bin/listserv/wa?LIST=PORTSIDE-SNAPSHOT>
X-Virus-Scanned: ClamAV using ClamSMTP

comment:10 Changed 2 weeks ago by https://id.mayfirst.org/wolcen

ListServ now signs for @portside.org:

active 	2018-11-29 11:58:04 	text 	listserv._domainkey.portside.org 		600 		t=y; g=; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/M96fb2xxDSOEwhLBtTD+RAvxqwl7HcDYkIrIQxyXSPtruyFK0vyODR2LLgS1BcJ8QNdWmaGsjQ20U9KF84aa5WWT3VqUUx7xEdx10zPvgmXm7X+UMpyo2SNv/prdIiYrorm78zcDT2xhHg0EEQwNkc7oDDMn5YVcUgkt5tYSxQIDAQAB 	0 	0 	0 	
active 	2018-11-29 10:17:19 	text 	_dmarc.portside.org 		3600 		v=DMARC1; p=none; rua=mailto:dmarcreports@portside.org; ruf=mailto:dmarcfailreports@portside.org; fo=1; adkim=r; aspf=r; pct=1; ri=86400; sp=none

comment:11 Changed 2 weeks ago by https://id.mayfirst.org/wolcen

OK then, perhaps BOTH portside.org and lists.portside.org are needed?

Return-Path: <SRS0++xcd=OI=LISTS.PORTSIDE.ORG=owner-PORTSIDE@eforward3b.registrar-servers.com>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on spoonbill.riseup.net
X-Spam-Level: 
X-Spam-Pyzor: Reported 0 times.
X-Spam-Status: No, score=0.2 required=6.0 tests=AM_TRUNCATED,CK_419SIZE,
	DEAR_FRIEND,DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,
	ENV_FROM_DIFF0,FORWARD_RELAY,HEADER_FROM_DIFFERENT_DOMAINS,
	MATCH_NICK_TO,NICK_TO,PHISH_ACC6,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,
	SPF_PASS,T_FILL_THIS_FORM_SHORT shortcircuit=no autolearn=disabled
	version=3.4.2
Delivered-To: food4all@riseup.net
Received: from mx1.riseup.net (mx1-pn.riseup.net [10.0.1.33])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "*.riseup.net", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
	by spoonbill.riseup.net (Postfix) with ESMTPS id 724DD133
	for <food4all@riseup.net>; Thu, 29 Nov 2018 09:50:10 -0800 (PST)
Received: from eforward3b.registrar-servers.com (eforward3b.registrar-servers.com [38.101.213.205])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	by mx1.riseup.net (Postfix) with ESMTPS id 259F11A23EF
	for <wolcen@riseup.net>; Thu, 29 Nov 2018 09:50:10 -0800 (PST)
Authentication-Results: mx1.riseup.net; dkim=pass
	reason="1024-bit key; unprotected key"
	header.d=registrar-servers.com header.i=@registrar-servers.com
	header.b=TUgigysj; dkim-adsp=none (unprotected policy);
	dkim-atps=neutral
Received: from se15.registrar-servers.com (se15.registrar-servers.com [198.54.122.195])
	by eforward3b.registrar-servers.com (Postfix) with ESMTP id 547AB140670
	for <chris@WOLCEN.COM>; Thu, 29 Nov 2018 12:50:06 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 eforward3b.registrar-servers.com 547AB140670
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=registrar-servers.com; s=default; t=1543513809;
	bh=gpiIgLGEGjQPSDHve8JyXzOPC0vBW6OgV4lOz6NnfHc=;
	h=Date:From:Subject:To:cc:List-Help:List-Unsubscribe:List-Subscribe:
	 List-Owner:List-Archive;
	b=TUgigysjCo+Et6Jz4/+4OoSDcDUBmr23YRRmwXta0nt/rAPuK4S0DHj34MSkyq1pj
	 /oh9e542b09HrP0e/4BwXmCGqNZQI7i2PNcDjGpN7dyzNPk0V2YO5awlYNtdBCTc1g
	 N7KF49zv5pquHJOI6BM7RgC7KHx3B8LD4+oHsFHk=
Received: from cleveland.smtp.mayfirst.org ([162.247.75.111])
	by se15.registrar-servers.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.89)
	(envelope-from <owner-PORTSIDE@LISTS.PORTSIDE.ORG>)
	id 1gSQRr-0003Vg-II
	for chris@WOLCEN.COM; Thu, 29 Nov 2018 09:50:05 -0800
Received: from lists.portside.org (morales.mayfirst.org [209.51.180.25])
	by cleveland.smtp.mayfirst.org (Postfix) with ESMTP id 1B7EF61A3;
	Thu, 29 Nov 2018 12:49:58 -0500 (EST)
Received: from morales (localhost [127.0.0.1])
	by lists.portside.org (Postfix) with ESMTP id C5359254AC;
	Thu, 29 Nov 2018 07:49:57 -1000 (HST)
Date:         Thu, 29 Nov 2018 07:49:57 -1000
From:         "LISTS.PORTSIDE.ORG LISTSERV Server (16.5)" <LISTSERV@LISTS.PORTSIDE.ORG>
Subject: Welcome to PORTSIDE
To:           Chris Thompson <chris@WOLCEN.COM>
cc:           portside-owner@PORTSIDE.ORG
Message-ID:   <LISTSERV%201811290749577650.A92C@LISTS.PORTSIDE.ORG>
X-LSV-ListID: PORTSIDE
List-Help:    <http://lists.portside.org/cgi-bin/listserv/wa?LIST=PORTSIDE>,
              <mailto:LISTSERV@LISTS.PORTSIDE.ORG?body=INFO%20PORTSIDE>
List-Unsubscribe: <mailto:PORTSIDE-unsubscribe-request@LISTS.PORTSIDE.ORG>
List-Subscribe: <mailto:PORTSIDE-subscribe-request@LISTS.PORTSIDE.ORG>
List-Owner:   <mailto:PORTSIDE-request@LISTS.PORTSIDE.ORG>
List-Archive: <http://lists.portside.org/cgi-bin/listserv/wa?LIST=PORTSIDE>
X-Filter-Label: newsletter
X-SpamExperts-Class: ham
X-SpamExperts-Evidence: SB/registrar-servers_com (0.000257335705314)
X-Recommended-Action: accept
X-Filter-ID: PqwsvolAWURa0gwxuN3S5aX1D1WTqZz4ZUVZsEKIAZljyiqQxAAa/b4G9zgWT+BUVVs5XW3jz1DS
 5m3HwfCxjfzXkL/YrsuqF3Z0b062jwE5FupozJ+VTwbFVMHVh1gM0z6bhalFEM/pjPCQA+BAlg/E
 aziedsHG1NyNXemQquVEu+95k0FWBCR2BGo8dpAAwjc6U2vPBGNLlRKriRJJyCi63P7W5EARZWX3
 XXhYJIgeQfBRZpPvgRSRrl6kXMEY5GKGCX4svWexb26S5bwptBqpcywWOWUHzFzUSnNxnjeNGW1h
 H986SI/FHbeZp4zlX6AsUNkuOkmDD2MhS9uve5l/9eOeEpxu2WRpDn3i6SLxl/jm32lOsIS/Mav8
 R/mrezIUzJGJuHfl9QbP0DTBDdaTBJZYSEth7yLkxfSbPVV4FjctpFCe7sYB5/usQEK//jUxn5vU
 lgUsiqOA7n55SjYw3iC84z9Yxn66tdeoVqDilbHtbFYVmmyNP/jzd7CCDTvfo6HKWQCZtJaaddx8
 f2FwBdquaVA8bled12SHlW+gTLqIfbUolt38/hcsH1vT4wfFFxnmibFUQYj0o6gsZgk4pAzkKRqm
 kYn3fUyqt83vz9W/uCBLuIcHSaUk1JrQZqd/NCWX19D+AI56qmsyRaOAxtULCH1AA4+QG01k7RqN
 xaL0m5SyjL3dZsMb23TF6WlYBSniDc6pqiShUb555mvSyu5gZv883zqlc13aYgDXfkNEtYAp7yg5
 9sb8cXYHaIfVaCHpEB6cFH6WJxE4ZnXUTINaK9uS1iU/J6yBQ6RCa8WGLHdVLKMuAVnM+HuxT+As
 +2sDAVG6TwLyizjuzZmlmCIuvP0MEIMX2PL/1Q7RF3oRpqpkdj1XCPtcv21hdbYb9IXfYGRpVS/0
 hA4Mwr+R6mCHmdMyeRws8H/OQtblYoMFrwP72L++Mlbk4cboOMMSVib42Izo2iOkAJ3jTNBqLkXG
 aznuCfaQ1w/JpOE=
X-Report-Abuse-To: spam@se5.registrar-servers.com
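The two header dumps in comments 9 and 11 are a good illustration of the distinction jamie draws in comment 4: SPF is evaluated on the envelope sender (visible here as Return-Path), DKIM on the `d=` of each signature, and DMARC asks whether either of those identifiers aligns with the RFC5322.From domain. The following is an added example, not code from the ticket: it runs that alignment step over trimmed copies of both messages. Signatures are not verified offline; which signers passed is an input (the Authentication-Results header in comment 11 is where a receiver records that), and `org_domain()` is a two-label approximation of the Public Suffix List.

```python
"""Which domain does each mechanism check? Added example, not code from the
ticket. SPF is evaluated on the envelope sender (Return-Path here), DKIM on the
d= of each signature, and DMARC asks whether either aligns with the From: domain.
Signatures are not verified offline; which signers passed is an input."""
import email
import re
from email.utils import parseaddr

# Trimmed copies of the headers pasted in comments 9 and 11 (bodies constructed,
# DKIM b= value truncated since it is not verified here).
SNAPSHOT = """\
Return-Path: <owner-portside-snapshot*chris**AGARIC*-COM@LISTS.PORTSIDE.ORG>
From:         Portside Snapshot <moderator@PORTSIDE.ORG>
To:           PORTSIDE-SNAPSHOT@LISTS.PORTSIDE.ORG
Subject: Portside Snapshot -  November 29, 2018

(body omitted)
"""

WELCOME = """\
Return-Path: <SRS0++xcd=OI=LISTS.PORTSIDE.ORG=owner-PORTSIDE@eforward3b.registrar-servers.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
\td=registrar-servers.com; s=default; t=1543513809;
\tbh=gpiIgLGEGjQPSDHve8JyXzOPC0vBW6OgV4lOz6NnfHc=;
\th=Date:From:Subject:To:cc;
\tb=TUgigysj
From:         "LISTS.PORTSIDE.ORG LISTSERV Server (16.5)" <LISTSERV@LISTS.PORTSIDE.ORG>
Subject: Welcome to PORTSIDE
To:           Chris Thompson <chris@WOLCEN.COM>

(body omitted)
"""


def domain_of(header_value):
    """Domain of the first address in a header, lower-cased (None if absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def org_domain(domain):
    """Organizational domain approximated as the last two labels. Assumption for
    this example; real verifiers use the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def aligned(domain, from_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if domain is None or from_domain is None:
        return False
    return domain == from_domain if mode == "s" else org_domain(domain) == org_domain(from_domain)


def dkim_signing_domains(msg):
    """d= tag of every DKIM-Signature header, in order."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(t.split("=", 1) for t in re.sub(r"\s+", "", sig).split(";") if "=" in t)
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains


def dmarc_alignment(raw, spf_result="pass", dkim_pass_domains=None, adkim="r", aspf="r"):
    """Evaluate DMARC's alignment step for one message.
    spf_result is the SPF verdict on the envelope sender; dkim_pass_domains lists
    the signers whose signatures verified (None = assume all of them did)."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    spf_domain = domain_of(msg.get("Return-Path"))
    signers = dkim_signing_domains(msg)
    verified = signers if dkim_pass_domains is None else [d for d in signers if d in dkim_pass_domains]
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = any(aligned(d, from_domain, adkim) for d in verified)
    return {
        "from_domain": from_domain,   # the identifier DKIM and DMARC are about
        "spf_domain": spf_domain,     # the identifier SPF is evaluated on
        "dkim_domains": signers,
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if spf_ok or dkim_ok else "fail",
    }


if __name__ == "__main__":
    for name, raw in (("snapshot", SNAPSHOT), ("welcome (after forwarding)", WELCOME)):
        print(name, dmarc_alignment(raw))
```

For the snapshot message the From: domain is portside.org while the envelope is LISTS.PORTSIDE.ORG, so with relaxed `aspf` a passing SPF still aligns and DMARC passes even though nothing is DKIM-signed; under strict alignment it would not. The welcome message, seen after forwarding through registrar-servers.com, carries an SRS-rewritten envelope and a DKIM signature from the forwarder, neither of which aligns with lists.portside.org, so at the final destination only a signature with `d=` on lists.portside.org (or portside.org in relaxed mode) would let DMARC pass. That is the case for signing both domains that comment 12 arrives at.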

comment:12 Changed 2 weeks ago by https://id.mayfirst.org/jamie

Ah yes - it does look like listserv is going to send some email messages from lists.portside.org and some are going to come from portside.org, and to be complete, both should be DKIM signed.

comment:13 Changed 2 weeks ago by https://id.mayfirst.org/wolcen

  • Description modified

comment:14 Changed 9 days ago by https://id.mayfirst.org/wolcen

Re No. 1 (SPF): Mention was made of checking logs to see where other messages may be originating. Has this been looked into, or is there something I should do? (journalctl -u postfix on mumia?) Not sure what to look for here. SPF passing (as per below) is for the messages that have been seen coming out of mayfirst.org/validating against MFPL SPF, not portside's own records, which don't exist yet.

Re No. 2 (DKIM): Current status: DKIM appears to be functioning properly for email deliveries from ListServ. Google is reporting DMARC and DKIM passing, and varies on SPF (sometimes NEUTRAL, other times PASS).

The DKIM record I first used was incorrect, but it has been correct as of later Sunday. (The g= was changed to g=*, and the DKIM version header had been missing... not caught originally because some services apparently treated it improperly.)

At present, the DKIM record still indicates t=y (test mode) and thus should not invalidate any improperly signed or unsigned messages. We'd like to move to removing test mode, however:

What needs to be done for, e.g. roundcube or postfix outside of the listserv in order to turn this on? If I understand correctly, messages NOT sent by listserv will have no signature, so, for instance, deliverability (depending on other potential DMARC changes) of messages without a signature presumably may decline.
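The two defects described above (no `v=DKIM1`, and an empty `g=` tag) are exactly the kind of thing a record lint catches before test mode is switched off. The following is an added example, not code from the ticket or from L-Soft: it parses the record published in comment 10, flags those two issues plus `t=y`, and reads the RSA modulus size directly from the DER in `p=` with a minimal ASN.1 walk so it needs no crypto library. The empty-`g=` finding is based on RFC 4871 (an empty `g=` matches no address; RFC 6376 dropped the tag), and the key-size thresholds on RFC 8301.

```python
"""Lint a DKIM key record before turning test mode off. Added example, not the
ticket's own code. Flags a missing v=DKIM1, an empty g= tag (RFC 4871 verifiers
read it as matching no address), t=y, and reports the RSA key size by walking
the DER in p= (SubjectPublicKeyInfo) without any crypto library."""
import base64

# Record from comment 10, copied from the ticket (p= is the published key).
KEY = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/M96fb2xxDSOEwhLBtTD+RAvxqwl7HcDYkIrIQxyX"
       "SPtruyFK0vyODR2LLgS1BcJ8QNdWmaGsjQ20U9KF84aa5WWT3VqUUx7xEdx10zPvgmXm7X+UMpyo2SNv"
       "/prdIiYrorm78zcDT2xhHg0EEQwNkc7oDDMn5YVcUgkt5tYSxQIDAQAB")
TICKET_RECORD = "t=y; g=; k=rsa; p=" + KEY


def parse_tags(txt):
    """'tag=value; ...' into a dict; whitespace inside values (DNS folding) is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def _tlv(der, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_modulus_bits(spki_b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in a DKIM p= tag."""
    der = base64.b64decode(spki_b64, validate=True)
    tag, pos, _ = _tlv(der, 0)                   # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _, alg_end = _tlv(der, pos)               # AlgorithmIdentifier, skipped
    tag, bits_start, _ = _tlv(der, alg_end)      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_start, _ = _tlv(der, bits_start + 1)  # +1 skips the unused-bits byte
    tag, n_start, n_end = _tlv(der, rsa_start)   # INTEGER modulus
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    modulus = der[n_start:n_end].lstrip(b"\x00")  # drop the sign padding byte
    return (len(modulus) - 1) * 8 + modulus[0].bit_length()


def lint_dkim_record(txt):
    """Return key size, test-mode flag and a list of findings for a DKIM TXT record."""
    tags = parse_tags(txt)
    findings = []
    if tags.get("v") != "DKIM1":
        findings.append("no v=DKIM1 tag: optional per RFC 6376, but some verifiers reject the record without it")
    if "g" in tags and tags["g"] == "":
        findings.append("empty g= tag: RFC 4871 verifiers treat it as matching no sender; remove it or use g=*")
    if tags.get("k", "rsa") != "rsa":
        findings.append(f"key type k={tags['k']} not handled by this linter")
    bits = 0
    if not tags.get("p"):
        findings.append("empty p=: this revokes the selector, nothing signed with it will verify")
    else:
        bits = rsa_modulus_bits(tags["p"])
        if bits < 1024:
            findings.append(f"{bits}-bit key: below the RFC 8301 minimum of 1024, verifiers will ignore it")
        elif bits < 2048:
            findings.append(f"{bits}-bit key: allowed, but RFC 8301 recommends 2048 bits for signers")
    test_mode = "y" in tags.get("t", "").split(":")
    if test_mode:
        findings.append("t=y: test mode, failures are treated as if the message were unsigned")
    return {"bits": bits, "test_mode": test_mode, "findings": findings}


if __name__ == "__main__":
    for label, rec in (("ticket", TICKET_RECORD), ("corrected", "v=DKIM1; k=rsa; t=y; p=" + KEY)):
        print(label, lint_dkim_record(rec))
```

Run against the comment 10 record this reports a 1024-bit key in test mode with the two findings comment 14 describes fixing; the corrected form clears both and leaves only the test-mode and key-size notes. Feed it the output of `dig +short TXT listserv._domainkey.portside.org` (concatenating any split strings) rather than a pasted copy when checking the live record.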

comment:15 Changed 7 days ago by https://id.mayfirst.org/jamie

Congrats on all the progress!

Unfortunately, we have no facility right now to DKIM-sign messages via roundcube or our other outgoing email servers, so at this point, enabling DMARC on portside.org is not going to be a good idea (just DKIM-signing should give you a significant boost though).

If there is a way to send listserv email using a from address that uses the @lists.portside.org domain (instead of @portside.org), then you could add a DMARC record to just the lists.portside.org domain and it should work out, since listserv would presumably be the only source of email with that domain.

I'm not sure we have any logs that would be helpful in finding other sources that are sending portside email.

I suspect there aren't any. But a classic example would be: someone with a portside email address has a home Verizon email account. Their email program is configured to relay their Verizon email through the Verizon email servers. Then, they add their portside account and it also is configured to relay through Verizon.

This could cause a SPF failure.

This kind of setup seems rare these days and would only affect a single user, who could then change to relay their email via May First.
