Bug 1095359 - Yahoo.com and AOL DMARC reject policies cripples Mailman-2.1.12 - update to newer release
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: mailman
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jan Kaluža
QA Contact: Alois Mahdal
Lenka Špačková
: 1107397 (view as bug list)
Depends On:
Blocks: 1075802 1107652 1192124
Reported: 2014-05-07 14:21 UTC by James B. Byrne
Modified: 2019-07-11 07:57 UTC (History)

Fixed In Version: mailman-2.1.12-23.el6
Doc Type: Release Note
Doc Text:
Mailman now includes enhanced DMARC mitigation features
With this update, Mailman introduces several enhanced Domain-based Message Authentication, Reporting & Conformance (DMARC) mitigation features. For example, Mailman can be configured to recognize Sender alignment for DomainKeys Identified Mail (DKIM) signatures, and it is now able to correctly handle forwarded messages from domains with a 'reject' DMARC policy.
Clone Of:
: 1107652 1192124 (view as bug list)
Last Closed: 2015-07-22 07:41:53 UTC


System: Red Hat Product Errata
ID: RHSA-2015:1417
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: mailman security and bug fix update
Last Updated: 2015-07-20 18:06:40 UTC

Description James B. Byrne 2014-05-07 14:21:33 UTC
Description of problem:
Domain-based Message Authentication, Reporting & Conformance (DMARC) does not recognize a Sender alignment for DomainKeys Identified Mail (DKIM). The version of Mailman (2.1.12) shipped with RHEL6 cannot be configured to meet DMARC enforcement requirements for subscribers whose domains use DKIM. Notably, as of April 2014 two such domains are yahoo.com and AOL.com.

In consequence, Mailman list subscribers that belong to either yahoo.com or AOL.com cannot receive any Mailman forwarded messages whose sender resides in any domain that provides DKIM signatures.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Subscribe two aol.com accounts to a Mailman mailing list.
2. Send a message from one account to the mailing list.

Actual results:
Neither account receives the mailing list forwarded message.

Expected results:
Both accounts should receive the message.

Additional info:
The DMARC configuration issue is addressed in mailman-2.1.18 released 2014-May-03.  However, this project is not FHS aligned and requires a great deal of reconfiguration to meet FHS requirements.  Without the FHS modifications it is all but impossible to run mailman-2.1.18 with SELinux enabled.  

The new version also introduces a new dependency, dnspython, for both build and installation.  However, this dependency is already available in RHEL6 and is therefore readily satisfied.

This is a case where the environment Mailman-2.1.12 expects is no longer available, and while the software works as specified, it no longer functions in practice for a very large number of users. As DKIM signatures and DMARC enforcement are reasonably anticipated to increase rather than diminish, Mailman is in urgent need of an upgrade.
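
Added example (not part of the original report and not Mailman code): a minimal DMARC evaluation showing why the forwarded message in the reproduction steps above is refused, and why rewriting From to the list address changes the result. DMARC checks alignment against the From header domain only, so a Sender header or a list-domain signature does not help. The lists.example.org domain, the message texts and the in-memory policy table are constructed, and alignment is simplified to a suffix match instead of a Public Suffix List lookup.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the _dmarc.<domain> TXT lookups (no DNS is queried).
DMARC_TXT = {"aol.com": "v=DMARC1; p=reject", "lists.example.org": "v=DMARC1; p=none"}

# Constructed messages: direct, relayed by a list unchanged, relayed with From rewritten.
DIRECT = "From: alice@aol.com\nSubject: hello\n\nhi\n"
FORWARDED = ("From: alice@aol.com\nSender: list-bounces@lists.example.org\n"
             "Subject: [list] hello\n\nhi\n")
MUNGED = ("From: alice via list <list@lists.example.org>\nReply-To: alice@aol.com\n"
          "Subject: [list] hello\n\nhi\n")

def parse_policy(txt):
    """Return the p= tag of a DMARC record, or None if it is not a DMARC record."""
    pairs = (t.split("=", 1) for t in txt.split(";") if "=" in t)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    return tags.get("p") if tags.get("v") == "DMARC1" else None

def aligned(auth_domain, from_domain):
    """Relaxed alignment, simplified to a suffix match (assumption: no PSL lookup)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_disposition(raw, spf_pass_domain, dkim_pass_domains):
    """spf_pass_domain: MAIL FROM domain that passed SPF, or None.
    dkim_pass_domains: d= domains of the signatures that still verify."""
    msg = message_from_string(raw)
    # DMARC aligns against the From header only; Sender is never consulted.
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    policy = parse_policy(DMARC_TXT.get(from_domain, ""))
    if policy is None:
        return "no-record"
    authenticated = ([spf_pass_domain] if spf_pass_domain else []) + list(dkim_pass_domains)
    if any(aligned(d, from_domain) for d in authenticated):
        return "pass"
    return policy  # failing message gets the domain owner's requested policy

def demo():
    list_auth = ("lists.example.org", ["lists.example.org"])  # list's SPF + own DKIM
    return {
        "direct": dmarc_disposition(DIRECT, "aol.com", ["aol.com"]),
        # Subject prefix broke the aol.com signature; only list-domain results remain.
        "forwarded": dmarc_disposition(FORWARDED, *list_auth),
        "munged": dmarc_disposition(MUNGED, *list_auth),
    }

if __name__ == "__main__":
    print(demo())
```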

Comment 2 Joe Orton 2014-05-12 11:39:46 UTC
Thanks for reporting this issue to us.  If this issue is critical or in any way
time sensitive, please raise a ticket through your regular Red Hat support
channels to make certain it receives the proper attention and prioritization to
assure a timely resolution.

For information on how to contact the Red Hat production support team, please
visit: https://www.redhat.com/support/process/production/#howto

Comment 3 Jan Kaluža 2014-06-10 06:32:15 UTC
*** Bug 1107397 has been marked as a duplicate of this bug. ***

Comment 4 Marc Perkel 2014-06-10 14:51:56 UTC
I thought this was the regular channel for reporting problems.

Comment 5 William Yardley 2014-08-09 17:14:59 UTC
Following this ticket.

I think it's important that the DMARC patches for Mailman be included for RHEL6.

In addition, I would love to see it backported to RHEL5. We do have a support contract, and I will try to make requests via the support channels.

Comment 7 William Yardley 2014-08-26 20:45:05 UTC
For those folks who have Red Hat support accounts, you may wish to create a support ticket (with "business justification" for requesting expedited handling) and have them attach it to this ticket. So far, my request is the only one tied to this ticket, apparently.

Comment 10 Joe Orton 2014-10-27 11:43:36 UTC
To comments above: Bugzilla is NOT a good place for reporting production issues which affect Red Hat customers.  Please contact Red Hat Support in the first instance.

For bugs like this that's doubly true: we really need to understand the customer impact and demand for potentially disruptive changes like this, which is hard to do if we can't identify bugs with customers.

Comment 14 Alois Mahdal 2015-06-04 10:26:18 UTC
Verified on all architectures.

Comment 15 errata-xmlrpc 2015-07-22 07:41:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

