
comanage-users - Re: [comanage-users] Comanage, Mailman, DMARC, DKIM, and SPF


Re: [comanage-users] Comanage, Mailman, DMARC, DKIM, and SPF


  • From: warren anderson <>
  • To: Scott Koranda <>, Duncan Brown <>
  • Cc: Duncan Brown <>
  • Subject: Re: [comanage-users] Comanage, Mailman, DMARC, DKIM, and SPF
  • Date: Thu, 10 Feb 2022 09:22:30 -0700
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none

Hi Scott,

I agree entirely with what you say. Unfortunately, Google Workspace is very expensive and direct offers like mail-list.com do not appear to allow integration with SAML or OIDC SSO or LDAP integration, the two main reasons we selected sympa back in the day. In the case of LIGO, with the recent announcement that certain legacy free licenses for Google Workspace are being revoked (although fortunately not the legacy education licenses) and the heavy use we now make of the Workspace, we are trying to solve the "Google Workspace is very expensive" issue.

Cheers,
Warren

On 2/10/2022 6:43 AM, Scott Koranda wrote:
Hi Duncan (and Warren),

I think the practical way forward for organizations, including research
VOs, is to outsource mailing list functionality to one of the cloud
providers that either directly offer this service (mail-list.com)
or include it as part of their service offerings (Google groups).

Their infrastructure, size, and partner agreements help. A VO like
Cosmic Explorer (or LIGO) just does not have the resources to engage the
ISPs and the mail administration community.

It costs money, yes, but it is the cost of collaboration today I think.

The MailmanProvisioner was the first email provisioner for COmanage
Registry because it had a specific funder, but I expect eventually to
see mail list provisioners that integrate with the cloud providers.

Cheers,

Scott

Hi Warren,

Thanks, that makes sense. Some Outlook servers in particular seem to be
adding ARC records, but there's no transparency into any decisions being made
by the ARC headers, as far as I can see. At least the Authentication-Results
header gives me some insight into DMARC.

But, yes, this whole issue seems like a huge PITA. Cosmic Explorer is
starting to face a LIGO.org scale solution with the number of institutions
and addressing every edge case seems impossible.

Cheers,
Duncan.

On Feb 9, 2022, at 6:40 PM, Warren G Anderson <> wrote:

I feel your pain. Spammers and the countermeasures to combat them have made
email one of the least reliable communication methods these days.

We do not use mailman, but I have gone through much of the same pain with the
LIGO.ORG sympa mailing lists. We do not use ARC, DMARC has been sufficient.
My understanding is that ARC is a protocol that allows SMTP endpoints to
evaluate email that passes through intermediate SMTP services that resend and
ruin the SPF and/or DKIM checks.

But the real issue, from my perspective, is that each SMTP service can
implement any of SPF, DKIM, DMARC and/or ARC, and can set whatever policy
they want (reject, quarantine, flag, etc) based on each of them. Also, as you
have seen, when comparing domains, there is leeway in from where the SMTP
service grabs the domain in the headers. As a resender, like our mailing
lists, or LIGO's vanity email service which forwards email sent to personal
ligo.org addresses, you have to care about what every SMTP endpoint to which
you send does and set a policy that tries to satisfy all of them. I do not
think there is guaranteed to be such a policy.

It's a mess.

Warren

Warren G Anderson, Ph.D.
Leonard E Parker Center for Gravitation, Cosmology and Astrophysics
From: <>
on behalf of Duncan Brown <>
Sent: Wednesday, February 9, 2022 17:18
To: Duncan Brown <>
Cc: Duncan Brown <>
Subject: Re: [comanage-users] Comanage, Mailman, DMARC, DKIM, and SPF
One other thing I tried that didn't work: I tried setting up ARC signing in mailman following the docs:

<https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/docs/arc_sign.html>

No matter what I did in the configuration, mailman wouldn't ARC sign the
messages. One thing I did *not* try was to strip any incoming ARC headers
before mailman and see if that allowed ARC signing. The DMARC/SPF/DKIM
solution seemed to work, so I just left ARC off and ignored it. It's also not
completely clear to me how ARC fits into the DMARC ecosystem anyway...

Cheers,
Duncan.

On Feb 9, 2022, at 6:13 PM, Duncan Brown <> wrote:

Hi Scott, Jim, Warren,

I've been having issues with spam filters junking mail from my
comanage+mailman instances on cosmicexplorer.org and np3m.org. I spent some
time digging into this and I thought that I'd share what I discovered, incase
it is useful to others or if you spot something that I've done that seems
bad. I'll use np3m.org as the example here, but Cosmic Explorer sees the same
thing.

NP3M runs a comanage instance on roster.np3m.org (really the docker container
np3m-roster.phy.syr.edu running on the host np3m-services.phy.syr.edu) and a
mailman instance on mail.np3m.org (really the docker comanage-registry-docker
containers running on np3m-services). The MX record for np3m.org points to
smtp-ext.syr.edu and Rich routes mail to port 25 on np3m-mail.phy.syr.edu,
which routes to the container running postfix. Outgoing mail from mailman is
routed via the postfix container to port 25 on smtp-host.syr.edu, which routes
to the outside world. comanage itself also sends mail to port 25 on
smtp-host.syr.edu.

The two main problems are:

1. One class of users has problems completing enrollment flows as the
confirmation emails (and other emails) from and sent by
np3m-roster.phy.syr.edu get junked. There are some universities
(e.g. msu.edu) that will junk and reject the email even if the user tries to
whitelist np3m.org in Outlook.

2. Mailman. There's a world of pain with mailman and DMARC, with lots of tales
of woe on the internets of mail servers junking mail from mailman,
but not a lot of good recipes on how to solve it.

Digging into how DMARC works, I discovered the following: to pass the DMARC
spam test, a mail must

(EITHER: pass the SPF check, which checks that the message comes from an IP
address that the domain claims it sends from in a DNS record; OR: pass
the DKIM check, which signs the message with a private key whose public key is
published in the domain's DNS record) AND (have a From field in the mail header
whose domain is the same as the MAIL FROM sender domain in the SMTP envelope).

The clause after the AND is critical and will cause a DMARC rejection, even
if SPF and/or DKIM pass.

I solved problem 1 by setting up a DMARC record and an SPF record in the DNS
for np3m.org. I created a txt record in the DNS with the name _dmarc that
contains the string

v=DMARC1; p=reject; sp=reject; rua=; ruf=; fo=1; rf=afrf; pct=100; ri=86400

This is basically the Syracuse DMARC record and I'm using the SU URIs for XML
feedback (rua) and forensic reports (ruf). Then I created a txt record for the
top-level domain (@ in GoDaddy) that contains the string:

v=spf1 ip4:128.230.21.177 ip4:128.230.21.178 ip4:128.230.21.179 ip6:fe80::250:56ff:fead:e75b ip6:fe80::250:56ff:fead:805a ip6:fe80::250:56ff:fead:b06f include:syr.edu -all

This includes the ip4 and ip6 addresses of the machines that can send email
from np3m.org and includes the syr.edu SPF record, as we relay through
smtp-host.syr.edu.

That seemed to fix the problem where e.g. MSU would bounce enrollment flow
emails from comanage.

Next I tried to fix mailman. Oh boy, as Sam Beckett might say.

SPF is supposed to compare the domain in the email's Envelope From with the record in
the DNS. I configured my mailman lists to turn on the DMARC mitigation option
"Replace From: with list address" and mitigate unconditionally so that all
mails come from the mailing list e.g. .

However, this did not fix mailman delivery for everything. For reasons I
don't understand, SPF validation sometimes seems to be done on the hostname
of the first IP address found in the Received: from headers. To get around
this, I configured postfix to strip all the Received: from headers from the
incoming mailing list mail before delivering it to mailman. This ensures that
the first Received: from header in the outgoing mail, as well as the
X-Originating-IP header:

<https://github.com/cosmic-explorer/comanage-registry-docker/blob/master/comanage-registry-mailman/postfix/main.cf#L81>

<https://github.com/cosmic-explorer/comanage-registry-docker/blob/master/comanage-registry-mailman/postfix/header_checks>

This was sufficient to get SPF to pass on a bunch of different hosts.
However, some hosts also seemed to want DKIM to keep the mail out of spam,
even though SPF is supposed to be enough...

To get around this, I created a public/private key pair for DKIM

<https://github.com/np3m/ce-it-infrastructure/blob/master/mail/build-mailman.sh#L80>

I used the selector mailman022022 to name the key (this is an arbitrary
string, it just has to be valid in a domain name) and published it into
GoDaddy as a txt record for the host mailman022022._domainkey

v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArZ7zl5yRwK3pBuXxxWunkwd8dX+EqA310shWZ49qLbr5FmzELUD/edaqmKuvY4lmPPE2eysWN9imWMByM0d6LeWwxpOt9G/5NJViZUKeRMc13hfvlB2c6L0b7q774p9BGGAGIailAFb0alk+3hyRaxRJAJ/+bGrCdiz6U+DHUqJBrmxrWOMFDylnO8e49H/8G56erpz1P2Zj5wXubKWnXQTE73Ns51yM6ZfyeEesPMZ0LlpNpJirUouusUlPh5SMIzIn+UrxZMs/z9+UgWzq+g1UHnefU3vyYMY6xxrp3aCE/H/XUSOq595mY8i/IiA1mO8/2dtBxmZLBXiWbd5lwQIDAQAB

I had to configure mailman to strip the DKIM headers from inbound messages,
as apparently some servers don't like it if there is more than one DKIM
signature in the headers of a message:

<https://github.com/cosmic-explorer/comanage-registry-docker/blob/master/comanage-registry-mailman/core/docker-entrypoint.sh#L163>

I then installed and configured OpenDKIM in the postfix docker container.
Take a look at

<https://github.com/cosmic-explorer/comanage-registry-docker/tree/master/comanage-registry-mailman/postfix>

for changes to the Dockerfile, supervisord.conf and OpenDKIM config files.
The file TrustedHosts has to contain the IP of the internal address of the
mailman container (for me, this is 172.30.100.7)

<https://github.com/cosmic-explorer/comanage-registry-docker/blob/master/comanage-registry-mailman/postfix/TrustedHosts>

and the SigningTable configures OpenDKIM to sign all messages sent by this
host that match From: *@np3m.org with the key I created:

<https://github.com/cosmic-explorer/comanage-registry-docker/blob/master/comanage-registry-mailman/postfix/SigningTable>
<https://github.com/cosmic-explorer/comanage-registry-docker/blob/master/comanage-registry-mailman/postfix/KeyTable>

Finally, postfix is configured to use OpenDKIM as a milter to sign mail that
passes through it:

<https://github.com/cosmic-explorer/comanage-registry-docker/blob/master/comanage-registry-mailman/postfix/main.cf#L84>

Since I used mailman's "Replace From: with list address," all mail coming
from mailman comes from , so OpenDKIM signs all list emails on their
way out to smtp-host.syr.edu. This happens after mailman munges the message and
headers, so

That seems to be the magic needed to minimize DMARC rejections. There might
be an easier way of doing this, but this works...

Caveats:

1. You have to use mailman's "Replace From: with list address" feature for
all messages. If you don't then envelope from doesn't match the header from and DMARC
will fail even if SPF and DKIM pass.

2. Some users who forward their institutional mail to gmail are screwed whatever you
do. gmail won't let users specify trusted domains, so if your institution changes the
envelope from when it forwards to gmail, DMARC will fail. This is a widely known
problem with the solution "don't forward your mail to gmail."

3. Apple Mail has a nasty feature where it caches the From: and Reply-To:
fields of mailman mailing lists in its previous-recipients tab-complete. This
means that if you start typing

Duncan....

it might complete to

Duncan Brown via PIs <>

and go to the list rather than

Duncan Brown <>

which would just go to me. Because Apple Mail hides the real email in the blue box, you
need to watch for the "via." There's no way to disable this caching in Apple
Mail, unfortunately. This could result in embarrassment.

Hope this is useful to others. Happy to be corrected if I did something crazy.

Cheers,
Duncan.

p.s. hello to me when I find this email googling some related problem six
months from now...

--

Duncan Brown Room 263-1, Physics Department
Charles Brightman Professor of Physics Syracuse University, NY 13244
http://dabrown.expressions.syr.edu/
(+1) 315 443 5993



--
Warren G Anderson
Adjunct Professor
Leonard E Parker Center for Gravitation, Cosmology and Astrophysics
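The alignment rule Duncan summarises ("SPF or DKIM, AND the From: domain must line up") is the part of DMARC that bites mailing lists, so here is an offline model of it as an added example. This is editor-written code, not code from the thread, from the cosmic-explorer/comanage-registry-docker repository, or from mailman/OpenDKIM. It implements RFC 7489 identifier alignment: DMARC passes only when SPF passes and the MAIL FROM domain aligns with the header From: domain, or a DKIM signature verifies and its d= domain aligns; otherwise the receiver applies the p= action from the From: domain's own _dmarc record. The np3m.org DMARC and SPF records are the ones posted above (with the elided rua/ruf URIs dropped). Everything else is assumed or constructed: the subscriber alice@example.edu and her domain's strict p=reject policy, the pis-bounces@np3m.org envelope sender, the sample message, and the organizational-domain shortcut (last two labels instead of the Public Suffix List). The helper `link_local_mechanisms` is the check a practitioner would want on the posted SPF record: an `ip6:` mechanism inside fe80::/10 can never match, because a remote MTA never sees a link-local source address.

```python
# Added example: offline model of DMARC alignment for a mailing-list relay.
# Not code from the thread or from mailman/OpenDKIM. Names marked
# "constructed"/"assumed" are not from the original post.
import email
import email.policy
import ipaddress
import re

# Records published for np3m.org as posted in the thread (rua/ruf omitted).
NP3M_DMARC = "v=DMARC1; p=reject; sp=reject; fo=1; rf=afrf; pct=100; ri=86400"
NP3M_SPF = ("v=spf1 ip4:128.230.21.177 ip4:128.230.21.178 ip4:128.230.21.179 "
            "ip6:fe80::250:56ff:fead:e75b ip6:fe80::250:56ff:fead:805a "
            "ip6:fe80::250:56ff:fead:b06f include:syr.edu -all")
# Constructed: the subscriber's home domain publishes strict p=reject.
SENDER_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s"


def parse_tags(record):
    """Parse a 'k=v; k=v' TXT record (DMARC or DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    real implementations consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires an exact match between the From: domain and the authenticated one."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(dmarc_record, header_from, mail_from, spf_pass, dkim_domains):
    """Return 'pass', or the p= action ('none'/'quarantine'/'reject') the
    receiver applies when no authenticated identifier aligns with From:.
    dmarc_record is the _dmarc TXT of the *header From:* domain."""
    tags = parse_tags(dmarc_record)
    from_domain = header_from.rsplit("@", 1)[-1]
    spf_ok = spf_pass and aligned(from_domain, mail_from.rsplit("@", 1)[-1],
                                  tags.get("aspf", "r"))
    dkim_ok = any(aligned(from_domain, d, tags.get("adkim", "r"))
                  for d in dkim_domains)
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


def spf_ip_match(spf_record, source_ip):
    """True if source_ip matches an ip4:/ip6: mechanism of the record.
    include: terms are not resolved because this runs offline."""
    addr = ipaddress.ip_address(source_ip)
    for term in spf_record.split():
        m = re.fullmatch(r"\+?ip[46]:(.+)", term)
        if m and addr in ipaddress.ip_network(m.group(1), strict=False):
            return True
    return False


def link_local_mechanisms(spf_record):
    """ip6: mechanisms inside fe80::/10. These never match real inbound
    connections, so they add nothing to the record."""
    ll = ipaddress.ip_network("fe80::/10")
    return [t for t in spf_record.split()
            if t.startswith("ip6:")
            and ipaddress.ip_network(t[4:], strict=False).subnet_of(ll)]


STRIP_HEADERS = ("received", "dkim-signature", "arc-seal",
                 "arc-message-signature", "arc-authentication-results")


def strip_inbound_auth_headers(raw_message):
    """Drop upstream Received:, DKIM-Signature: and ARC-* headers before the
    list re-signs the message (the same effect as the header_checks and
    mailman stripping described in the thread). Returns the message text."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    for name in STRIP_HEADERS:
        del msg[name]          # removes every occurrence, case-insensitively
    return msg.as_string()


def list_relay_verdicts():
    """The same post relayed by the list with and without From: munging.
    The list alters the body (footer, subject tag), so the subscriber's own
    DKIM signature no longer verifies; only the list's np3m.org signature does.
    Assumed envelope sender: mailman's LISTNAME-bounces@ address."""
    mail_from = "pis-bounces@np3m.org"
    unmunged = dmarc_verdict(SENDER_DMARC, "alice@example.edu", mail_from,
                             spf_pass=True, dkim_domains=["np3m.org"])
    munged = dmarc_verdict(NP3M_DMARC, "pis@np3m.org", mail_from,
                           spf_pass=True, dkim_domains=["np3m.org"])
    return unmunged, munged


if __name__ == "__main__":
    print("unmunged / munged:", list_relay_verdicts())
    print("dead SPF mechanisms:", link_local_mechanisms(NP3M_SPF))
```

Run stand-alone it prints `('reject', 'pass')` for the two relay cases, which is exactly caveat 1 above: with the subscriber's address left in From:, neither the list's SPF-authenticated MAIL FROM nor its DKIM d= aligns, and the subscriber's own p=reject is applied to the list's copy; rewriting From: to the list address makes both identifiers align with np3m.org. The SPF helper only evaluates literal ip4:/ip6: mechanisms; resolving include:syr.edu needs DNS.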



