Search squid archive

Re: problem with squid-users maillist

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2014-08-21 at 15:02 +0400, Oleg Motienko wrote:
> Hello,
> 
> Due to DMARC policy of several domains some mail is blocked (see an
> example below).
> 
> I suppose maillist software ( ezmlm ) needs some tuning, it must
> forward email to list with own sender address ( @squid-cache.org ).
> 

I don't see a response so I'll have a go. I run DKIM on several sites.

A lot of DKIM implementations are thoroughly screwed up. 

1) Many sites have bad DNS DKIM/DMARC content (CostCo was one).

2) Many sites use small, 512-bit keys even though the RFCs 
   and NIST explicitly have words written on this subject. 
   Implementations like OpenDKIM, by default, reject messages 
   signed with keys less than 1024 bits.

3) From a DMARC perspective, which is why people are moving 
   to SPF and DKIM, the reporting email address in DNS either 
   does not exist or is encoded improperly.

4) Some email is not properly signed.

But the problem here is email lists. Squid is not alone. The FreeBSD
lists have the same problem. Section 3 of RFC-6377 has a few words on
mail lists. This probably applies:

   In general, absent a general movement by MLM developers and operators
   toward more DKIM-friendly practices, an MLM subscriber cannot expect
   signatures applied before the message was processed by the MLM to be
   valid on delivery to a Receiver.  Such an evolution is not expected
   in the short term due to general development and deployment inertia.
   Moreover, even if an MLM currently passes messages unmodified such
   that Author signatures validate, it is possible that a configuration
   change or software upgrade to that MLM will cause that no longer to
   be true.

Patches exist for resenders to strip existing DKIM signatures and add a
new, valid signature. The argument against doing this is load. In my
case, I use a 2048 bit key and process 60k outgoing messages a day. My
mailers do a lot of other work including anti-spam/anti-virus processing
with  two-to-three MILTERs. Based on my load graphs for the last 4-6
weeks of running DKIM/DMARC against the prior months, there is NO
significant load increase. In fact, the additional load is little more
than additional noise. 

Currently, as a receiver you are forced to insert exceptions, if you
can. The problem is these exception lists can get fairly lengthy and
quickly become unmanageable. It is better if resenders simply patch
their implementations.





> An example:
> 
> ------------------------------------------------------------------------------------------------------
> 
> Return-Path: <>
> Received: (qmail 8574 invoked for bounce); 9 Aug 2014 15:48:22 -0000
> Date: 9 Aug 2014 15:48:22 -0000
> From: MAILER-DAEMON@xxxxxxxxxxxxxxx
> To: squid-users-return-123504-@xxxxxxxxxxxxxxx
> Subject: failure notice
> 
> Hi. This is the qmail-send program at squid-cache.org.
> I'm afraid I wasn't able to deliver your message to the following addresses.
> This is a permanent error; I've given up. Sorry it didn't work out.
> 
> <motienko@xxxxxxxxx>:
> 74.125.142.27 failed after I sent the message.
> Remote host said: 550-5.7.1 Unauthenticated email from yahoo.com is
> not accepted due to domain's
> 550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if
> 550-5.7.1 this was a legitimate mail. Please visit
> 550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC
> 550 5.7.1 initiative. o17si27260806icl.100 - gsmtp
> 
> ------------------------------------------------------------------------------------------------------
> 






[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux