1095359 – Yahoo.com and AOL DMARC reject policies cripples Mailman-2.1.12 - update to newer release

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1095359 - Yahoo.com and AOL DMARC reject policies cripples Mailman-2.1.12 - update to newer release

Summary: Yahoo.com and AOL DMARC reject policies cripples Mailman-2.1.12 - update to n...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	mailman
Sub Component:
Version:	6.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Kaluža
QA Contact:	Alois Mahdal
Docs Contact:	Lenka Špačková
URL:
Whiteboard:
Duplicates (1):	1107397 (view as bug list)
Depends On:
Blocks:	1075802 1107652 1192124
TreeView+	depends on / blocked

Reported:	2014-05-07 14:21 UTC by James B. Byrne
Modified:	2019-07-11 07:57 UTC (History)
CC List:	11 users (show)
Fixed In Version:	mailman-2.1.12-23.el6
Doc Type:	Release Note
Doc Text:	Mailman now includes enhanced DMARC mitigation features With this update, Mailman introduces several enhanced Domain-based Message Authentication, Reporting & Conformance (DMARC) mitigation features. For example, Mailman can be configured to recognize Sender alignment for Domain Key Identified Mail (DKIM) signatures and it is now able to correctly handle forwarded messages from domains with a 'reject' DMARC policy.
Clone Of:
Clones:	1107652 1192124 (view as bug list)
Environment:
Last Closed:	2015-07-22 07:41:53 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1417	0	normal	SHIPPED_LIVE	Moderate: mailman security and bug fix update	2015-07-20 18:06:40 UTC

Description James B. Byrne 2014-05-07 14:21:33 UTC

Description of problem:
Domain-based Message Authentication, Reporting & Conformance (DMARC) does not recognize a Sender alignment for Domain Key Identified Mail (DKIM). The version of Mailman (2.1.12) shipped with RHEL6 cannot be configured to meet DMARC enforcement requirements for subscribers whose domains use DKIM. Notably, as of April 2014 two such domains are yahoo.com and AOL.com.

In consequence, Mailman list subscribers that belong to either yahoo.com or AOL.com cannot receive any Mailman forwarded messsages whose sender resides in any domain that provides DKIM signatures.

Version-Release number of selected component (if applicable):
Mailman-2.1.12

How reproducible:
Always

Steps to Reproduce:
1. Subscribe two aol.com accounts to a Mailman mailing list.
2. Send a message from one account to the mailing list.
3.

Actual results:
Neither account receives the mailing list forwarded message.

Expected results:
Both accounts should receive the message

Additional info:
The DMARC configuration issue is addressed in mailman-2.1.18 released 2014-May-03. However, this project is not FHS aligned and requires a great deal of reconfiguration to meet FHS requirements. Without the FHS modifications it is all but impossible to run mailman-2.1.18 with SELinux enabled.

The new version also introduces a new dependency, dnspython, for both build and installation. However, this dependency is already available in RHEL6 and is therefore readily satisfied.

This is a case where the environment Mailman-2.1.12 expects is no longer available and while the software works as specified it no longer functions in practice for a very large number of users. As DKIM signatures and DMARC enforcement is reasonably anticipated to increase rather than diminish Mailman is in urgent need of an upgrade.

Comment 2 Joe Orton 2014-05-12 11:39:46 UTC

Thanks for reporting this issue to us.  If this issue is critical or in any way
time sensitive, please raise a ticket through your regular Red Hat support
channels to make certain it receives the proper attention and prioritization to
assure a timely resolution.

For information on how to contact the Red Hat production support team, please
visit: https://www.redhat.com/support/process/production/#howto

Comment 3 Jan Kaluža 2014-06-10 06:32:15 UTC

*** Bug 1107397 has been marked as a duplicate of this bug. ***

Comment 4 Marc Perkel 2014-06-10 14:51:56 UTC

I thought this was the regular channel for reporting problems.

Comment 5 William Yardley 2014-08-09 17:14:59 UTC

Following this ticket.

I think it's important that the DMARC patches for Mailman be included for RHEL6.

In addition, I would love to see it backported to RHEL5. We do have a support contract, and I will try to make requests via the support channels.

Comment 7 William Yardley 2014-08-26 20:45:05 UTC

For those folks who have Red Hat support accounts, you may wish to create a support ticket (with "business justification" for requesting expedited handling) and have them attach it to this ticket. So far, my request is the only one tied to this ticket, apparently.

Comment 10 Joe Orton 2014-10-27 11:43:36 UTC

To comments above: Bugzilla is NOT a good place for reporting production issues which affect Red Hat customers.  Please contact Red Hat Support in the first instance.

For bugs like this that's doubly true: we really need to understand the customer impact and demand for potentially disruptive changes like this, which is hard to do if we can't identify bugs with customers.

Comment 14 Alois Mahdal 2015-06-04 10:26:18 UTC

Verified on all architectures.

Comment 15 errata-xmlrpc 2015-07-22 07:41:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1417.html

Note You need to log in before you can comment on or make changes to this bug.