[mlmmj] Problem with mail sent by @orange.fr to @protonmail.com

[mlmmj] Problem with mail sent by @orange.fr to @protonmail.com

[Pierre Cros]

[-- Attachment #1: Type: text/plain, Size: 800 bytes --]

Hello there,

I installed mlmmj (via iRedMail) on Debian Bookworm.

It works well even for the pretty bad admin I am. But I don't know where to look to understand the following problem :

- My list works well for all users most of the time
- When a sender uses orange.fr SMTP to send a mail on this list, the subscribers with @protonmail.com adresses won't get the mail at all (not even in the spams), the other subscribers will receive it.
- if some @orange.fr sender, sends a mail directly (without the list) to some @protonmail.com receiver, it works

It looks like mlmmj adds something that will make mails sent by orange.fr unacceptable for @protonmail.com mail serveur.

Any idea where I should look ? Thank you

Pierre

Envoyé avec la messagerie sécurisée [Proton Mail.](https://proton.me/)

[-- Attachment #2: Type: text/html, Size: 2028 bytes --]

Re: [mlmmj] Problem with mail sent by @orange.fr to @protonmail.com

[Uffe Jakobsen]

Pierre Cros writes:
>
> It works well even for the pretty bad admin I am. But I don't know where to  
> look to understand the following problem :
>
> • My list works well for all users most of the time
>
> • When a sender uses orange.fr SMTP to send a mail on this list, the  
> subscribers with @protonmail.com adresses won't get the mail at all (not even  
> in the spams), the other subscribers will receive it.
>
> • if some @orange.fr sender, sends a mail directly (without the list) to some  
> @protonmail.com receiver, it works
>
> It looks like mlmmj adds something that will make mails sent by orange.fr  
> unacceptable for @protonmail.com mail serveur.
>

The most common problem is if a list member is sending from a domain that  
exposes SPF/DMARC information.

Relaying such message through mlmmj (and any other mailing list) will retain the sender information - but with a new origin (the mlmmj server)

If the receiving part (protonmail) inspects the SPF/DMARC (supplied by the originating domain) it will propably drop the email or put it in quarantine.

Mlmmj still nedds a proper sender rewriting feature that will rewrite the sender information into something ala "Original sender name via mlmmj-liste-name <mlmmj-list-name@mlmmj-domain-name.xxx>"

PS: I'm just guessing about the reasons for your described problem...


/UFfe

Re: [mlmmj] Problem with mail sent by @orange.fr to @protonmail.com

[Baptiste Daroussin]

Le 27 novembre 2023 16:09:47 GMT+01:00, Uffe Jakobsen <uffe@uffe.org> a écrit :
>Pierre Cros writes:
>> 
>> It works well even for the pretty bad admin I am. But I don't know where to look to understand the following problem :
>> 
>> • My list works well for all users most of the time
>> 
>> • When a sender uses orange.fr SMTP to send a mail on this list, the subscribers with @protonmail.com adresses won't get the mail at all (not even in the spams), the other subscribers will receive it.
>> 
>> • if some @orange.fr sender, sends a mail directly (without the list) to some @protonmail.com receiver, it works
>> 
>> It looks like mlmmj adds something that will make mails sent by orange.fr unacceptable for @protonmail.com mail serveur.
>> 
>
>The most common problem is if a list member is sending from a domain that exposes SPF/DMARC information.
>
>Relaying such message through mlmmj (and any other mailing list) will retain the sender information - but with a new origin (the mlmmj server)
>
>If the receiving part (protonmail) inspects the SPF/DMARC (supplied by the originating domain) it will propably drop the email or put it in quarantine.
>
>Mlmmj still nedds a proper sender rewriting feature that will rewrite the sender information into something ala "Original sender name via mlmmj-liste-name <mlmmj-list-name@mlmmj-domain-name.xxx>"
>
>PS: I'm just guessing about the reasons for your described problem...
>
>
>/UFfe
>

Well if you don t alter the email (no subject modifications for example) and the email is signed with dkim the from munging is not required, all the freebsd mailing lists are setup with mlmmj and have no problems with protonmail and orange or any other mail provider with "strong" verification policy.

I first went down the "munging from" path using rspamd in front of mlmmj (hence the new feature of suporting X_ORIGINAL_FROM in mlmmj 1.4.0). But then realised that if I stop altering the emails (just play with custom headers) then the dkim signatures remains valid and all mail providers do accept the emails as only being relayed.

Best regards,
Bapt

Re: [mlmmj] Problem with mail sent by @orange.fr to @protonmail.com

[Konstantin Ryabitsev]

On Mon, Nov 27, 2023 at 10:55:22PM +0100, Baptiste Daroussin wrote:
> Well if you don t alter the email (no subject modifications for example)

So, can we stop the mlmmj list from doing this? :)

> I first went down the "munging from" path using rspamd in front of mlmmj
> (hence the new feature of suporting X_ORIGINAL_FROM in mlmmj 1.4.0). But
> then realised that if I stop altering the emails (just play with custom
> headers) then the dkim signatures remains valid and all mail providers do
> accept the emails as only being relayed.

This should continue to work for a while, but soon we'll need to work on being
conformant with DARA [1], which will require adding Forwarded-To: headers and
ARC-signing every outgoing message. Yes, this means that if your mailing list
has 5,000 subscribers, you'll need to cryptographically sign 5,000 individual
messages.

We probably have a couple of years before that starts being relevant, though.

-K

[1] https://datatracker.ietf.org/doc/draft-chuang-replay-resistant-arc/

Re: [mlmmj] Problem with mail sent by @orange.fr to @protonmail.com

[Baptiste Daroussin]

On Tue, Nov 28, 2023 at 10:58:13AM -0500, Konstantin Ryabitsev wrote:
> On Mon, Nov 27, 2023 at 10:55:22PM +0100, Baptiste Daroussin wrote:
> > Well if you don t alter the email (no subject modifications for example)
> 
> So, can we stop the mlmmj list from doing this? :)

I would love to and this will simplify a lot some part of the code ;)
> 
> > I first went down the "munging from" path using rspamd in front of mlmmj
> > (hence the new feature of suporting X_ORIGINAL_FROM in mlmmj 1.4.0). But
> > then realised that if I stop altering the emails (just play with custom
> > headers) then the dkim signatures remains valid and all mail providers do
> > accept the emails as only being relayed.
> 
> This should continue to work for a while, but soon we'll need to work on being
> conformant with DARA [1], which will require adding Forwarded-To: headers and
> ARC-signing every outgoing message. Yes, this means that if your mailing list
> has 5,000 subscribers, you'll need to cryptographically sign 5,000 individual
> messages.
> 
> We probably have a couple of years before that starts being relevant, though.

Forwarded to is something that can be easily implemented in mlmmj, I will add it
to the todo list for 1.5

As for the signature, it will be up to the smtp setup to to it, meaning mlmmj
should be easily compliant to this rule.
> 
> -K
> 
> [1] https://datatracker.ietf.org/doc/draft-chuang-replay-resistant-arc/

Re: [mlmmj] Problem with mail sent by @orange.fr to @protonmail.com

[Konstantin Ryabitsev]

On Tue, Nov 28, 2023 at 05:06:12PM +0100, Baptiste Daroussin wrote:
> Forwarded to is something that can be easily implemented in mlmmj, I will add it
> to the todo list for 1.5

I would wait a bit -- I think the milter that will do the ARC signing will
also be able to inject Forwarded-To: headers. 

That said, it would be generally nice if control/customheaders supported
using variables.

Regards,
-K

Re: [mlmmj] Problem with mail sent by @orange.fr to @protonmail.com

[Baptiste Daroussin]

On Tue, Nov 28, 2023 at 11:32:57AM -0500, Konstantin Ryabitsev wrote:
> On Tue, Nov 28, 2023 at 05:06:12PM +0100, Baptiste Daroussin wrote:
> > Forwarded to is something that can be easily implemented in mlmmj, I will add it
> > to the todo list for 1.5
> 
> I would wait a bit -- I think the milter that will do the ARC signing will
> also be able to inject Forwarded-To: headers. 
> 
> That said, it would be generally nice if control/customheaders supported
> using variables.

This is what I had in mind adding variable to support Forwarded-To

Best regards,
Bapt

Re: [mlmmj] Problem with mail sent by @orange.fr to @protonmail.com

[webmaster]

[-- Attachment #1: Type: text/plain, Size: 1406 bytes --]

I must admit I've seen this behavior also; it is a troubling issue to 
track down, and it reduces the trust list-members have (approx 150) that 
everyone is receiving all the email posts.

I have been using mlmmj for many years, and I'm grateful for all the 
recent work being done!

Having said that, I haven't yet updated my installations as I've been 
waiting for a stable release - I'm optimistic that will be soon, and I 
hope it will address this issue for my participants.

Thank you all!

Philip

On 11/27/2023 5:25 AM, Pierre Cros wrote:
> Hello there,
>
> I installed mlmmj (via iRedMail) on Debian Bookworm.
>
> It works well even for the pretty bad admin I am. But I don't know 
> where to look to understand the following problem :
>
>   * My list works well for all users most of the time
>   * When a sender uses orange.fr SMTP to send a mail on this list, the
>     subscribers with @protonmail.com adresses won't get the mail at
>     all (not even in the spams), the other subscribers will receive it.
>   * if some @orange.fr sender, sends a mail directly (without the
>     list) to some @protonmail.com receiver, it works
>
> It looks like mlmmj adds something that will make mails sent by 
> orange.fr unacceptable for @protonmail.com mail serveur.
>
> Any idea where I should look ? Thank you
>
> Pierre
>
>
> Envoyé avec la messagerie sécurisée Proton Mail. <https://proton.me/>

[-- Attachment #2: Type: text/html, Size: 3624 bytes --]

Re : Re: Re : Re: [mlmmj] Problem with mail sent by @orange.fr to @protonmail.com

[Pierre Cros]

Le mercredi 29 novembre 2023 à 17:59, Baptiste Daroussin <bapt@nours.eu> a écrit :

> Nothing is needed in headers, just stop altering subject and body of the email.
> 
> Why I said adding custom headers, it means for people willing to filer the
> emails they should use List-Id instead of a prefix on the subject for example.

For those who might be interested : my lists used some custom headers.

I created a new list without fiddling with anything and... it just works out of the box between orange.fr and protonmail.com.

Thank you Baptiste and others, and congrats for the 1.4.0 release !

Pierre