Bug 891635 - can't stay subscribed to opensource mailing lists due to excessive bounces
Summary: can't stay subscribed to opensource mailing lists due to excessive bounces
Status: CONFIRMED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Developer account issues
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
Reported: 2023-01-21 21:47 UTC by SpanKY
Modified: 2023-02-13 13:49 UTC
Description SpanKY gentoo-dev 2023-01-21 21:47:40 UTC
i'm subscribed to sourceware.org & gnu.org mailing lists (they all use mailman).  sometime in the last year or so, my subscriptions have been automatically canceled due to bouncing messages.  they send a notice with a link to click to reenable, but messages are paused until i do that.  this seems to happen maybe once per week or so.  it makes it pretty difficult to participate in these projects when posts/responses get dropped & truncated.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2023-01-25 14:22:57 UTC
Do the notifications include a list of bounced messages, so we can trace them?
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2023-01-25 15:10:40 UTC
I trawled the logs and I didn't find any obvious bounces on mail to you from sourceware.org/gnu.org and the point where it's inbound to Gentoo.

I *did* find cases where your forwarding to gmail was rejected at the google level, because of the SPF & DKIM checks. 

Examples:
Jan 21 09:21:26 woodpecker postfix/smtp[22317]: E8562340DBB: to=<vapierfilter@gmail.com>, orig_to=<vapier@gentoo.org>, relay=gmail-smtp-in.l.google.com[108.177.98.26]:25, delay=0.66, delays=0/0/0.23/0.43, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[108.177.98.26] said: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both 550-5.7.26 do not pass). SPF check for [gnu.org] does not pass with ip: 550-5.7.26 [140.211.166.183].To best protect our users from spam, the message 550-5.7.26 has been blocked. Please visit 550-5.7.26  https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. g11-20020a65580b000000b0047701022c7dsi43872309pgr.729 - gsmtp (in reply to end of DATA command))

Jan 21 21:20:01 woodpecker postfix/smtp[20331]: 99EFF340E2D: host gmail-smtp-in.l.google.com[2607:f8b0:400e:c06::1a] said: 421-4.7.0 This message does not pass authentication checks (SPF and DKIM both do 421-4.7.0 not pass). SPF check for [sourceware.org] does not pass with ip: 421-4.7.0 [2001:470:ea4a:1:5054:ff:fec7:86e4].To best protect our users from 421-4.7.0 spam, the message has been blocked. Please visit 421-4.7.0  https://support.google.com/mail/answer/81126#authentication for more 421 4.7.0 information. q10-20020a63e20a000000b00477e5baa6fcsi44437958pgh.747 - gsmtp (in reply to end of DATA command)
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2023-01-25 15:16:07 UTC
here's what I'd like you to try to figure out:

right now you have a procmail rule that forwards.
That rule does NOT rewrite the sender.

Can you apply SRS rewriting, from inside procmail, to rewrite the sender in a SPF compatible way?

We can look at DKIM signing outbound mail, but I'm not sure it will solve the issue for you.

Full example of the forwarding being rejected:

Jan  9 08:35:50 woodpecker postfix/cleanup[3393]: EC1D434027D: message-id=<20230109083526.74448-1-mengqinggang@loongson.cn>
Jan  9 08:35:50 woodpecker postfix/local[657]: EA54633D3C2: to=<vapier@gentoo.org>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (forwarded as EC1D434027D)
Jan  9 08:35:50 woodpecker postfix/qmgr[361]: EC1D434027D: from=<binutils-bounces+vapier=gentoo.org@sourceware.org>, size=6339, nrcpt=1 (queue active)
Jan  9 08:35:51 woodpecker postfix/smtp[3447]: send attr queue_id = EC1D434027D
Jan  9 08:35:51 woodpecker postfix/smtp[3447]: EC1D434027D: to=<vapierfilter@gmail.com>, orig_to=<vapier@gentoo.org>, relay=gmail-smtp-in.l.google.com[74.125.197.26]:25, delay=0.75, delays=0/0/0.26/0.48, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[74.125.197.26] said: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both 550-5.7.26 do not pass). SPF check for [sourceware.org] does not pass with ip: 550-5.7.26 [140.211.166.183].To best protect our users from spam, the message 550-5.7.26 has been blocked. Please visit 550-5.7.26  https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. kk15-20020a17090b4a0f00b00225dacb5818si10096200pjb.86 - gsmtp (in reply to end of DATA command))
Jan  9 08:35:51 woodpecker postfix/bounce[4097]: EC1D434027D: sender non-delivery notification: B2E5833C1EB
Jan  9 08:35:51 woodpecker postfix/qmgr[361]: EC1D434027D: removed
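
Added example, not part of the bug thread or of Gentoo's mail configuration: a sketch of what SRS rewriting does to the envelope sender seen in the log above, so that the receiving server evaluates SPF against the forwarder's domain. It follows the SRS0 address layout (hash, timestamp, original domain, original local part); the secret, hash length, validity window and function names are assumptions, and it is not claimed to interoperate with any particular SRS library.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: key known only to the forwarder
MAX_AGE_DAYS = 21                     # assumption: how long a bounce path stays valid
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _stamp(day: int) -> str:
    """Day number mod 1024 as two base32 characters."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]


def _tag(stamp: str, domain: str, local: str) -> str:
    """Short keyed hash binding timestamp, original domain and local part."""
    msg = "=".join((stamp, domain.lower(), local)).encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest())[:4].decode()


def srs_forward(sender: str, forwarder: str, day: int) -> str:
    """Rewrite an envelope sender so SPF is evaluated against `forwarder`."""
    if "@" not in sender:  # the null sender <> used by bounces is left alone
        return sender
    local, _, domain = sender.rpartition("@")
    stamp = _stamp(day)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{forwarder}"


def srs_reverse(address: str, forwarder: str, day: int) -> str:
    """Recover the original sender from a returning bounce, or raise ValueError."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != forwarder or not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address for this forwarder")
    # maxsplit=3: a VERP local part such as 'list-bounces+user=example.org'
    # contains '=' itself and must come back intact.
    tag, stamp, orig_domain, orig_local = local[5:].split("=", 3)
    if not hmac.compare_digest(tag.encode(), _tag(stamp, orig_domain, orig_local).encode()):
        raise ValueError("bad SRS hash")
    age = (day - (B32.index(stamp[0]) << 5 | B32.index(stamp[1]))) % 1024
    if age > MAX_AGE_DAYS:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{orig_domain}"
```

The `day` argument is the number of days since the Unix epoch; a forwarder would pass the current day when rewriting and again when a bounce comes back.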
Comment 4 SpanKY gentoo-dev 2023-01-26 00:03:00 UTC
(In reply to Robin Johnson from comment #1)
> Do the notifications include a list of bounced messages, so we can trace
> them?

unfortunately, i don't think so.  the most recent one i received was:

> Created at:	Sat, Jan 21, 2023 at 7:43 AM (Delivered after 4 seconds)
> From:	libc-alpha-request@sourceware.org
> To:	vapier@gentoo.org
> Subject:	confirm 07359aec5960e89ad1d82c0563a4914a6e3cae63
> 
> Your membership in the mailing list Libc-alpha has been disabled due
> to excessive bounces The last bounce received from you was dated
> 21-Jan-2023.  You will not get any more messages from this list until
> you re-enable your membership.  You will receive 3 more reminders like
> this before your membership in the list is deleted.

this was what led me to filing this bug :)

> right now you have a procmail rule that forwards.

to be clear, this is something i just enabled a few days ago after that most recent failure.  before that, i only had my forward e-mail address listed in ~/.forward.

i'm by no means a procmailrc expert ... i copied it from someone else just so i could filter a few things based on headers that gmail doesn't support.  feel free to edit it and insert anything you would find helpful for debugging.

i've also been keeping my head in the sand with DKIM/etc... because of the dumpster fire they've all been.

> I *did* find cases where your forwarding to gmail was rejected at the google
> level, because of the SPF & DKIM checks.

who sees that rejection ?  does mail.gentoo.org accept it so sourceware.org doesn't see the failure, and only mail.gentoo.org sees the failure when forwarding to gmail ?  or does mail.gentoo.org try forwarding right away, and when the gmail forward fails, it relays it back to sourceware.org ?
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2023-01-26 04:37:56 UTC
(In reply to SpanKY from comment #4)
> This was what led me to filing this bug :)
> 
> > right now you have a procmail rule that forwards.
> 
> to be clear, this is something i just enabled a few days ago after that most
> recent failure.  before that, i only had my forward e-mail address listed in
> ~/.forward.
.forward or procmailrc:!address work out to the same forwarding issue.

> i'm by no means a procmailrc expert ... i copied it from someone else just
> so i could filter a few things based on headers that gmail doesn't support. 
> feel free to edit it and insert anything you would find helpful for
> debugging.
> 
> i've also been keeping my head in the sand with DKIM/etc... because of the
> dumpster fire they've all been.
DKIM is a dumpster fire, which is why infra has tried to avoid it as well.

> > I *did* find cases where your forwarding to gmail was rejected at the google
> > level, because of the SPF & DKIM checks.
> 
> who sees that rejection ?  does mail.gentoo.org accept it so sourceware.org
> doesn't see the failure, and only mail.gentoo.org sees the failure when
> forwarding to gmail ?  or does mail.gentoo.org try forwarding right away,
> and when the gmail forward fails, it relays it back to sourceware.org ?

it bounces all the way back to sourceware/gnu.

In that prior paste:
Jan  9 08:35:51 woodpecker postfix/bounce[4097]: EC1D434027D: sender non-delivery notification: B2E5833C1EB

and if we pull the thread of B2E5833C1EB:
$ grep B2E5833C1EB smtp.log.16 
Jan  9 08:35:51 woodpecker postfix/cleanup[3392]: B2E5833C1EB: message-id=<20230109083551.B2E5833C1EB@smtp.gentoo.org>
Jan  9 08:35:51 woodpecker postfix/bounce[4097]: EC1D434027D: sender non-delivery notification: B2E5833C1EB
Jan  9 08:35:51 woodpecker postfix/qmgr[361]: B2E5833C1EB: from=<>, size=9375, nrcpt=1 (queue active)
Jan  9 08:35:54 woodpecker postfix/smtp[3439]: B2E5833C1EB: to=<binutils-bounces+vapier=gentoo.org@sourceware.org>, relay=sourceware.org[2620:52:3:1:0:246e:9693:128c]:25, delay=2.4, delays=0/0/0.75/1.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 81F6D3858C20)
Jan  9 08:35:54 woodpecker postfix/qmgr[361]: B2E5833C1EB: removed
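
Added example, not part of the thread: a Python trace over the Postfix log lines quoted in comments 3 and 5 (abridged), which follows a rejected forward to its non-delivery notification and checks whether that notification was delivered to the list's bounce address. The function and field names are hypothetical.

```python
import re

# Abridged from the log lines in comments 3 and 5 (delay fields and most of
# Gmail's reply text dropped); not a complete log.
LOG = """\
Jan  9 08:35:50 woodpecker postfix/local[657]: EA54633D3C2: to=<vapier@gentoo.org>, relay=local, dsn=2.0.0, status=sent (forwarded as EC1D434027D)
Jan  9 08:35:50 woodpecker postfix/qmgr[361]: EC1D434027D: from=<binutils-bounces+vapier=gentoo.org@sourceware.org>, size=6339, nrcpt=1 (queue active)
Jan  9 08:35:51 woodpecker postfix/smtp[3447]: EC1D434027D: to=<vapierfilter@gmail.com>, orig_to=<vapier@gentoo.org>, relay=gmail-smtp-in.l.google.com[74.125.197.26]:25, dsn=5.7.26, status=bounced (SPF check for [sourceware.org] does not pass)
Jan  9 08:35:51 woodpecker postfix/bounce[4097]: EC1D434027D: sender non-delivery notification: B2E5833C1EB
Jan  9 08:35:51 woodpecker postfix/qmgr[361]: B2E5833C1EB: from=<>, size=9375, nrcpt=1 (queue active)
Jan  9 08:35:54 woodpecker postfix/smtp[3439]: B2E5833C1EB: to=<binutils-bounces+vapier=gentoo.org@sourceware.org>, relay=sourceware.org[2620:52:3:1:0:246e:9693:128c]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 81F6D3858C20)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
DELIVERY = re.compile(r"to=<([^>]*)>.*?relay=([^\[,]+).*?dsn=([\d.]+), status=(\w+)")


def trace_bounces(log: str) -> list[dict]:
    """Link each bounced forward to its NDR and report who received the NDR."""
    msgs: dict[str, dict] = {}
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = msgs.setdefault(qid, {})
        if daemon == "qmgr" and (f := re.match(r"from=<([^>]*)>", rest)):
            rec["sender"] = f.group(1)          # envelope sender (MAIL FROM)
        elif daemon == "smtp" and (d := DELIVERY.match(rest)):
            rec["rcpt"], rec["relay"], rec["dsn"], rec["status"] = d.groups()
        elif daemon == "bounce" and (n := re.search(r"notification: (\w+)", rest)):
            rec["ndr"] = n.group(1)             # queue id of the generated NDR
    findings = []
    for qid, rec in msgs.items():
        if rec.get("status") != "bounced" or "ndr" not in rec:
            continue
        ndr = msgs.get(rec["ndr"], {})
        findings.append({
            "forward_qid": qid,
            "rejected_by": rec["relay"],
            "dsn": rec["dsn"],
            "ndr_qid": rec["ndr"],
            "ndr_to": ndr.get("rcpt"),
            # The list registers a bounce when the NDR is delivered to the
            # unrewritten envelope sender of the forwarded message.
            "list_saw_bounce": ndr.get("status") == "sent"
                               and ndr.get("rcpt") == rec.get("sender"),
        })
    return findings
```

Calling `trace_bounces(LOG)` returns one finding for queue id EC1D434027D with `list_saw_bounce` set, matching the chain walked through by hand in the comment above.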
Comment 6 SpanKY gentoo-dev 2023-01-26 07:02:11 UTC
ok, feel free to throw whatever rules/rewrite logic into the procmailrc you think makes sense.  i didn't see anything to copy & paste in the wiki [1].

also loop in Tim since he forwards to gmail.

[1] https://wiki.gentoo.org/wiki/Project:Infrastructure/Developer_E-Mail
Comment 7 Tim Harder gentoo-dev 2023-02-13 13:46:58 UTC
(In reply to SpanKY from comment #6)
> also loop in Tim since he forwards to gmail.

Having set that up over 10 years ago, I think my situation and usage have been different so I haven't seen these types of effects. I have always used the @gentoo.org address as its own alias, never used it to communicate outside of Gentoo channels, haven't advertised the address, and strongly prefer people don't use it for personal correspondence (while I still even have it).

Beyond that, whenever sending emails to Gentoo lists, I've always either tunneled or directly connected to Gentoo's SMTP server, never using third party domains, when using a @gentoo.org sender address.