Bug 1095359

Summary: Yahoo.com and AOL DMARC reject policies cripple Mailman-2.1.12 - update to newer release
Product: Red Hat Enterprise Linux 6
Reporter: James B. Byrne <byrnejb>
Component: mailman
Assignee: Jan Kaluža <jkaluza>
Status: CLOSED ERRATA
QA Contact: Alois Mahdal <amahdal>
Severity: high
Docs Contact: Lenka Špačková <lkuprova>
Priority: high
Version: 6.5
CC: amahdal, cww, emsearcy, eric.eisenhart, jherrman, jorton, jscotka, psklenar, rdieter, tony, wby+redhat
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: mailman-2.1.12-23.el6
Doc Type: Release Note
Doc Text:
Mailman now includes enhanced DMARC mitigation features

With this update, Mailman introduces several enhanced Domain-based Message Authentication, Reporting & Conformance (DMARC) mitigation features. For example, Mailman can be configured to recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures and it is now able to correctly handle forwarded messages from domains with a 'reject' DMARC policy.
Story Points: ---
Clone Of:
: 1107652 1192124
Environment:
Last Closed: 2015-07-22 07:41:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1075802, 1107652, 1192124

Description James B. Byrne 2014-05-07 14:21:33 UTC
Description of problem:
Domain-based Message Authentication, Reporting & Conformance (DMARC) does not recognize a Sender alignment for Domain Key Identified Mail (DKIM).  The version of Mailman (2.1.12) shipped with RHEL6 cannot be configured to meet DMARC enforcement requirements for subscribers whose domains use DKIM.  Notably, as of April 2014 two such domains are yahoo.com and AOL.com.

In consequence, Mailman list subscribers that belong to either yahoo.com or AOL.com cannot receive any Mailman forwarded messages whose sender resides in any domain that provides DKIM signatures.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Subscribe two aol.com accounts to a Mailman mailing list.
2. Send a message from one account to the mailing list.

Actual results:
Neither account receives the mailing list forwarded message.

Expected results:
Both accounts should receive the message

Additional info:
The DMARC configuration issue is addressed in mailman-2.1.18 released 2014-May-03.  However, this project is not FHS aligned and requires a great deal of reconfiguration to meet FHS requirements.  Without the FHS modifications it is all but impossible to run mailman-2.1.18 with SELinux enabled.  

The new version also introduces a new dependency, dnspython, for both build and installation.  However, this dependency is already available in RHEL6 and is therefore readily satisfied.

This is a case where the environment Mailman-2.1.12 expects is no longer available and while the software works as specified it no longer functions in practice for a very large number of users.  As DKIM signatures and DMARC enforcement are reasonably anticipated to increase rather than diminish, Mailman is in urgent need of an upgrade.
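
As an added example (not part of the report or of Mailman's code), the following sketch shows how a receiving server reaches a DMARC result for a list-forwarded message whose From domain publishes a 'reject' policy, the case named in the Doc Text. The domain `lists.example.org`, the sample records and the two-label organizational-domain shortcut are assumptions; From rewriting is shown as one common list-side mitigation, not necessarily what this update implements.

```python
# Added example: simplified DMARC check (RFC 7489). All domains, records and
# authentication results below are constructed sample data.

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject' into a tag dict."""
    pairs = (part.partition("=") for part in txt.split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs}
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real code must use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(msg, records):
    """Return 'pass', 'no-policy', or the published action when the check fails."""
    # Simplification: policy is looked up by organizational domain only.
    record = records.get(org_domain(msg["from_domain"]))
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    dkim_ok = msg["dkim_pass"] and aligned(msg["from_domain"], msg["dkim_d"], tags.get("adkim", "r"))
    spf_ok = msg["spf_pass"] and aligned(msg["from_domain"], msg["mailfrom_domain"], tags.get("aspf", "r"))
    return "pass" if (dkim_ok or spf_ok) else tags.get("p", "none")

RECORDS = {"aol.com": "v=DMARC1; p=reject", "example.org": "v=DMARC1; p=none"}

# Sent directly: DKIM and SPF both pass and align with the From domain.
DIRECT = dict(from_domain="aol.com", dkim_pass=True, dkim_d="aol.com",
              spf_pass=True, mailfrom_domain="aol.com")
# Relayed by a list: the added footer breaks the author's DKIM signature, and
# SPF passes only for the list's own envelope domain, which does not align.
VIA_LIST = dict(from_domain="aol.com", dkim_pass=False, dkim_d="aol.com",
                spf_pass=True, mailfrom_domain="lists.example.org")
# Same relay with From rewritten to the list address (assumed mitigation).
REWRITTEN = dict(from_domain="lists.example.org", dkim_pass=False, dkim_d="aol.com",
                 spf_pass=True, mailfrom_domain="lists.example.org")

if __name__ == "__main__":
    for name, msg in (("direct", DIRECT), ("via list", VIA_LIST), ("rewritten", REWRITTEN)):
        print(f"{name:10s} -> {dmarc_disposition(msg, RECORDS)}")
```

The relayed message is the only one that ends in `reject`: neither authentication result is both passing and aligned with the From domain, so the receiver applies the author domain's published policy.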

Comment 2 Joe Orton 2014-05-12 11:39:46 UTC
Thanks for reporting this issue to us.  If this issue is critical or in any way
time sensitive, please raise a ticket through your regular Red Hat support
channels to make certain it receives the proper attention and prioritization to
assure a timely resolution.

For information on how to contact the Red Hat production support team, please
visit: https://www.redhat.com/support/process/production/#howto

Comment 3 Jan Kaluža 2014-06-10 06:32:15 UTC
*** Bug 1107397 has been marked as a duplicate of this bug. ***

Comment 4 Marc Perkel 2014-06-10 14:51:56 UTC
I thought this was the regular channel for reporting problems.

Comment 5 William Yardley 2014-08-09 17:14:59 UTC
Following this ticket.

I think it's important that the DMARC patches for Mailman be included for RHEL6.

In addition, I would love to see it backported to RHEL5. We do have a support contract, and I will try to make requests via the support channels.

Comment 7 William Yardley 2014-08-26 20:45:05 UTC
For those folks who have Red Hat support accounts, you may wish to create a support ticket (with "business justification" for requesting expedited handling) and have them attach it to this ticket. So far, my request is the only one tied to this ticket, apparently.

Comment 10 Joe Orton 2014-10-27 11:43:36 UTC
To comments above: Bugzilla is NOT a good place for reporting production issues which affect Red Hat customers.  Please contact Red Hat Support in the first instance.

For bugs like this that's doubly true: we really need to understand the customer impact and demand for potentially disruptive changes like this, which is hard to do if we can't identify bugs with customers.

Comment 14 Alois Mahdal 2015-06-04 10:26:18 UTC
Verified on all architectures.

Comment 15 errata-xmlrpc 2015-07-22 07:41:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.