[arch-general] Yahoo mail problems (was [aur-general] No notification for out-of-date package)
On 14.01.2016 14:41, Florian Pritz wrote:
On 13.01.2016 18:53, Giovanni 'ItachiSan' Santini wrote:
My package "telegram-desktop-bin-dev" was flagged as out of date on the 10th of January but I received no mail notification about that.
It appears that yahoo has decided to "temporarily" reject all mails from that system (bbs, wiki, aur, mailing lists). I've sent an email to their postmaster and hope this will clear up soon.
Until then, I'm afraid yahoo users will not receive emails from our services. Sorry for the inconvenience.
We are still unable to deliver mails to yahoo and so far my email to postmaster@yahoo.com has not received a reply. Can anyone put me in touch with someone from yahoo or tell me if the postmaster address is read (I kind of expect it to go to /dev/null)? Florian
On 01/15/2016 12:34 PM, Florian Pritz wrote:
On 14.01.2016 14:41, Florian Pritz wrote:
On 13.01.2016 18:53, Giovanni 'ItachiSan' Santini wrote:
My package "telegram-desktop-bin-dev" was flagged as out of date on the 10th of January but I received no mail notification about that.
It appears that yahoo has decided to "temporarily" reject all mails from that system (bbs, wiki, aur, mailing lists). I've sent an email to their postmaster and hope this will clear up soon.
Until then, I'm afraid yahoo users will not receive emails from our services. Sorry for the inconvenience.
We are still unable to deliver mails to yahoo and so far my email to postmaster@yahoo.com has not received a reply. Can anyone put me in touch with someone from yahoo or tell me if the postmaster address is read (I kind of expect it to go to /dev/null)?
Florian
You don't say what yahoo's reject message is, but I suspect you may be having issues with DMARC/DKIM and mailman's forwarding of DKIM signed messages. Unfortunately there is no great solution to this problem but there are options in recent versions of mailman which can be configured to do ugly header munging and workaround the problem for now. To the best of my knowledge yahoo does not make exceptions to checking DKIM signatures on incoming messages. Their DMARC record is also set to p=reject (dig _dmarc.yahoo.com. txt) and this is the cause of bounces by other providers (of list messages sent from yahoo) which causes users to be unsubscribed from the mailman list when they exceed the bounce limits set for the mailman list. Since yahoo and aol have been unwilling to budge on these issues, it forces the administrators of mailing lists to deal with the issue. Google has announced that they will be also be setting their DMARC policy to p=reject later this year (I forgot the exact date), so the choices at this point are to use the mailman options that are provided thus far to deal with this or implement your own solution, which some people have done. See the URL's below. There is also much discussion of these issues in back archive of the mailman list as well as the DMARC lists. http://wiki.list.org/DOC/What%20can%20I%20do%20about%20members%20being%20unsubscribed%20by%20bounces%20of%20Yahoo%20user's%20posts%20for%20DMARC%20policy%20reasons%3F?highlight=%28dmarc%29 http://wiki.list.org/DOC/What%20can%20I%20do%20about%20members%20being%20uns... http://wiki.list.org/DEV/DMARC Natu
On 16.01.2016 05:38, Natu wrote:
You don't say what yahoo's reject message is, ...
I guess it's possible that some users simply marked mailing list mails as spam and we got blacklisted because of that. The reject message is this: 421 4.7.1 [TS03] All messages from 5.9.250.164 will be permanently deferred; Retrying will NOT succeed. See https://help.yahoo.com/kb/postmaster/SLN3436.html
but I suspect you may be having issues with DMARC/DKIM and mailman's forwarding of DKIM signed messages.
I've finally gotten around to setting up and testing DMARC for my domain and I've set up mailman to munge From for DMARC messages. Sadly, I still haven't heard back from yahoo, but I guess their postmaster@ address really just goes to /dev/null. Too bad. I don't know when yahoo will start accepting mail again though and from a quick look at the log it seems that they always reject the mail directly at MAIL FROM time or don't even accept the connection/let it time out. That also means they will probably not notice that we've changed the configuration for DMARC mails. Thanks for your input I guess, but this will probably not be resolved any time soon.
This may be part of the problem. The arch mail server is passing thru contributers DKIM signatures leading to list mail being DKIM invalid. You domain has DKIM signed mail and therefore suffers this problem For example, looking at your last message. The message from you to the list is DKIM signed and appears to check out - but the outgoing message from the arch mail server fails DKIM. So anyone rejecting invalid DKIM will reject list mail - yahoo may be doing that now I don't know. Florian, in the last message you sent the headers as received by me from the list server contain: gene ----- details below ----- Authentication-Results: serv4.intern.sapience.com; dkim=fail reason="signature verification failed" (4096-bit key) header.d=xinu.at header.i=@xinu.at header.b=y7t4Lr2Z ... (I note that spamassasin running on the arch server sees the incoming mail to the list as having DKIM being valid) X-Spam-Status: No, score=-2.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_MED autolearn=ham autolearn_force=no version=3.4.1 (the DKIM sig is clearly not from the list server) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=xinu.at; s=main; t=1453641870; bh=rZxwblrwgsmPgwr3+Dlau+WI4w5pu6ne3PyhTRSKtc8=; h=Subject:To:References:From:Date:In-Reply-To; b= ...
On 24.01.2016 16:14, Genes Lists wrote:
The message from you to the list is DKIM signed and appears to check out - but the outgoing message from the arch mail server fails DKIM. So anyone rejecting invalid DKIM will reject list mail - yahoo may be doing that now I don't know.
That's possible, but we can only speculate. While these are certainly issues to be addressed, yahoo might be blocking us for some completely different reason that may very well be outside of our control (like someone marking our mail as spam). The goal here is to get yahoo to accept our mails again. Everything else is nice, but not too important right now. Also as for rejecting invalid DKIM mails: People should really not do that unless DMARC tells them to. Large providers might still use the information to generate internal blacklists though. I wish they were more transparent or, better yet, they'd respond to postmaster mail. Sadly, large providers seem to not care about postmaster which kind of puts me off because delivering email is really a team effort. The way to go is probably to register as a bulk sender on their website, but I'm not a fan of giving them my birthday and phone number, which seems to be required because they send a confirmation SMS, and creating an email account with their service just because they think they do not have to read postmaster mail. I'll probably still do it at some point, but I really really dislike the idea. I guess I'm somewhat of an idealist in that regard. On the other hand, I do also dislike taking this out on our users because it's really not their fault. *sigh* Anyway, back to the quote. What is interesting is that the mail was still signed. Since I've enabled From munging mailman correctly changes the sender, but it doesn't strip the existing (now invalid) signature. Should be simple enough to remove it in postfix. I'll set that up tomorrow. As for real solutions: I guess we can either stop changing mails or drop DKIM signatures and sign the mails ourselves. If we want to keep the signatures valid that would require us to remove the subject prefix (list name in brackets). I find this rather unnecessary to begin with, but there are probably lots of people who disagree with me. If we want to sign the mails ourselves, we'd have to munge the From header which is also somewhat ugly. Especially when DKIM/DMARC usage, and thus the amount of mail affected, is growing. I'll think about what to do here at some later date. Florian
Hey,
Also as for rejecting invalid DKIM mails: People should really not do that unless DMARC tells them to.
That _is_ a problem already and will get worse this year. Yahoo has already published a "reject invalid" policy nearly two years ago[1]. See: [0 mosu@sweet-chili ~] host -t txt _dmarc.yahoo.com _dmarc.yahoo.com descriptive text "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua@yahoo.com;" It's known that Google will switch from "report" to "reject" this year, too[2]. At the moment they're only at "quarantine" which is bad enough already: [0 mosu@sweet-chili ~] host -t txt _dmarc.googlemail.com _dmarc.googlemail.com descriptive text "v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:mailauth-reports@google.com" Mailing list administrators have to act _now_ and make their lists DKIM compliant; otherwise more and more list mails will not reach their intended destinations. I already had to change my own DMARC policy from "reject" to "report" because I'm subscribed to too many mailing lists that break DKIM. Yes, this may not be the reason Yahoo currently rejects our mails, but it _is_ a problem on our side that the Arch lists haven't addressed yet. As long as there's such a known problem on our side speculating about _other_ potential reasons why Yahoo is rejecting mails is moot. Please, dear Arch list maintainers, change the mailman settings accordingly. Please. See [3] for how mailman can deal with DMARC. Kind regards, mosu [1] http://sendgrid.com/blog/update-yahoos-dmarc-policy/ [2] https://dmarc.org/2015/10/global-mailbox-providers-deploying-dmarc-to-protec... [3] http://wiki.list.org/DEV/DMARC
Hi, FWIW most mailing lists (if not all) that still work with Yahoo/Rocketmail can't send mails from the subscriber to the subscriber and mailman confirmation mails are not a good replacement to receiving the own mails sent to the list. Step by step I switch from Rocketmail to Zoho. Arch Audio and AUR will follow within the next days. I didn't receive mails from any Arch related mailing list since around end of December. Several subscribers perhaps aren't aware that something is fishy. I noticed it randomly after sending a mail to the list a few days ago. Rocketmail even didn't deliver the mailman information mail, that list delivery was disabled regarding a high bounce score. Regards, Ralf PS: My apologies assumed the thread should be broken, I needed to reply using the gmane reply option, since I didn't receive mails from the list with my "old" address.
participants (5)
-
Florian Pritz
-
Genes Lists
-
Moritz Bunkus
-
Natu
-
Ralf Mardorf