[tor-bugs] #29770 [Internal Services/Service - lists]: mails relayed to gmail.com bounce back

Thu Mar 21 18:37:25 UTC 2019

#29770: mails relayed to gmail.com bounce back
-----------------------------------------------+--------------------------
 Reporter:  anarcat                            |          Owner:  tpa
     Type:  defect                             |         Status:  assigned
 Priority:  Medium                             |      Milestone:
Component:  Internal Services/Service - lists  |        Version:
 Severity:  Normal                             |     Resolution:
 Keywords:                                     |  Actual Points:
Parent ID:                                     |         Points:
 Reviewer:                                     |        Sponsor:
-----------------------------------------------+--------------------------

Comment (by anarcat):

 so we had another report of a problem occurring with gmail.com recipients
 today on the tor-internal at lists.torproject.org mailing list.

 the problem was with the email `Message-ID:
 <20190321172741.GB78672 at vpn209009.nrl.navy.mil>` which gmail refused with
 the following error:

 {{{
 Mar 21 17:27:53 eugeni/eugeni postfix/smtp[4376]: 6C5ECE0ED2:
 to=<[REDACTED]@gmail.com>, relay=gmail-smtp-
 in.l.google.com[2a00:1450:400c:c00::1a]:25, delay=0.9,
 delays=0.03/0.22/0.15/0.5, dsn=5.7.1, status=bounced (host gmail-smtp-
 in.l.google.com[2a00:1450:400c:c00::1a] said: 550-5.7.1 Unauthenticated
 email from nrl.navy.mil is not accepted due to 550-5.7.1 domain's DMARC
 policy. Please contact the administrator of 550-5.7.1 nrl.navy.mil domain
 if this was a legitimate mail. Please visit 550-5.7.1
 https://support.google.com/mail/answer/2451690 to learn about the 550
 5.7.1 DMARC initiative. j5si3735441wmh.102 - gsmtp (in reply to end of
 DATA command))
 }}}

 The email indeed comes from a domain with the following DMARC policy:

 {{{
 _dmarc.nrl.navy.mil.    1031    IN      TXT     "v=DMARC1; p=reject;
 rua=mailto:dmarc-reporting at dren.mil; ri=86400"
 }}}

 ... an aggressive, but not unusual or invalid DMARC policy.

 I'm not sure what the way forward is here, but I believe that a simple fix
 would be to enable the `general/from_is_list` setting to "munge" the
 `From` header to be the mailing list itself instead of the original
 sender. this is a controversial change, so a "lesser-evil" alternative
 might be the `privacy/sender/dmarc_moderation_action` setting which does
 that only for messages with a DMARC policy. But then we get inconsistent
 headers for the mailing list which might confuse filters and/or users.

 since this is a little controversial, i'd like to consult with fellow TPAs
 before going ahead with any change.

 for those who want to experiment with those changes, those are direct URLs
 for the tor-project@ mailing list:

 https://lists.torproject.org/cgi-bin/mailman/admin/tor-
 project/?VARHELP=general/from_is_list
 https://lists.torproject.org/cgi-bin/mailman/admin/tor-
 project/?VARHELP=privacy/sender/dmarc_moderation_action

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29770#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online