[openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Aug 5 21:23:41 UTC 2015


On Wed 2015-08-05 17:04:30 -0400, Jonas Maebe wrote:
> On 05/08/15 23:00, mancha wrote:
>> OpenSSL is certainly not alone in its practice of mangling headers
>> and adding body footers so I'd be curious to hear how other lists
>> handle domains such as yahoo.com.
>
> We warn people that DKIM-using domains may experience bounces, and
> that they should subscribe using a different email address to our
> lists. Yahoo/AOL switching it on before the probably most used mailing
> list manager could handle it certainly did not help in creating
> goodwill. Even now the mailman version included in our distribution
> still can't handle it, and manually installing and maintaining a
> different one is not something we care to do.

fwiw, the intersection between dkim/dmarc and mailman policy affects
even people who don't have dkim/dmarc enabled for their domains.

mailman effectively puts subscribers on hold if some threshold number of
mails sent to them bounce.

if a subscriber's mail exchanger respects dkim/dmarc reject policy, even
if they do not set it for their own domain, then all messages sent
through mailman from a "dmarc reject" domain will bounce for that
subscriber.

So if Alice from yahoo.com (which has "dmarc reject") sends mail through
mailman, which sends it to Bob from example.com (which doesn't have
"dmarc reject" set, but respects it from other domains), Bob's mail
exchanger will bounce the message.  If Alice sends enough mail through
mailman, mailman will rack up one bounce from Bob per message, and
mailman will eventually unsubscribe Bob as a result.

afaict, mailman 2.1.9 or rejecting all mail from domains with "dmarc
reject" are the only sane paths through this thicket.

bleah.

        --dkg
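The Alice/Bob scenario in the message above, as a small simulation. This is an added example, not part of the original post and not Mailman's code; the bounce threshold of 5, the one-point-per-bounce scoring, the list domain `lists.example.net`, Carol, Dave and the policy table are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: published DMARC policies (no real DNS lookups).
DMARC_POLICY = {"yahoo.com": "reject", "example.com": "none", "example.org": "none"}
BOUNCE_THRESHOLD = 5  # assumed; the post only says "some threshold number"

@dataclass
class Message:
    from_domain: str   # domain in the From: header
    dkim_domain: str   # d= of the author's DKIM signature
    dkim_valid: bool   # does the signature still verify?
    spf_domain: str    # envelope-sender domain that SPF passes for

def dmarc_passes(msg):
    """Pass if DKIM or SPF passes and aligns with From: (strict alignment only)."""
    dkim_ok = msg.dkim_valid and msg.dkim_domain == msg.from_domain
    spf_ok = msg.spf_domain == msg.from_domain
    return dkim_ok or spf_ok

def relay_through_list(msg, list_domain="lists.example.net"):
    """List keeps From:, adds a footer (breaks DKIM), uses its own envelope sender."""
    return Message(msg.from_domain, msg.dkim_domain, False, list_domain)

def mx_accepts(msg, enforces_dmarc):
    """An MX bounces only if it enforces DMARC and the From: domain says reject."""
    if not enforces_dmarc or dmarc_passes(msg):
        return True
    return DMARC_POLICY.get(msg.from_domain, "none") != "reject"

def run_list(posts, subscribers, refuse_reject_domains=False):
    """Deliver every post; return each subscriber's state afterwards."""
    score = {s: 0 for s in subscribers}
    for post in posts:
        if refuse_reject_domains and DMARC_POLICY.get(post.from_domain) == "reject":
            continue  # list refuses the post up front, so nothing is relayed
        relayed = relay_through_list(post)
        for sub, enforces in subscribers.items():
            if not mx_accepts(relayed, enforces):
                score[sub] += 1  # simplified: one point per bounced message
    return {s: "disabled" if n >= BOUNCE_THRESHOLD else "active"
            for s, n in score.items()}

# Alice posts six times from yahoo.com, Carol six times from example.org.
alice = [Message("yahoo.com", "yahoo.com", True, "yahoo.com")] * 6
carol = [Message("example.org", "example.org", True, "example.org")] * 6
# Bob's MX enforces DMARC on inbound mail; Dave's does not.
subs = {"bob@example.com": True, "dave@example.com": False}
```

Calling `run_list(alice + carol, subs)` disables Bob even though example.com publishes no reject policy of its own, while `refuse_reject_domains=True` keeps every subscriber active at the cost of dropping Alice's posts.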

