Found a new issue possibly related to #7861. All the emails in this thread were moved to spam. First message in the thread is attached.
N/A
<img alt="Is_my_SELinux_configuration_wrong_and_dangerous.txt" src="/fedora-infrastructure/issue/raw/files/573d4a9cb42bc4e3c547c3fc7518fbb84996e475649179a0fa1fd7f2492f55cc-Is_my_SELinux_configuration_wrong_and_dangerous.txt" />
I don't know why gmail is doing that for this, but I have a hypothesis. It seems that yahoo.com has a standard DKIM that mail that doesn't come directly from them is to be quarantined. Because this email is going to a list.. it is going to be resent by us.. and when the DKIM lookup of the original email is done .. it gets marked as quarantined.
The 'fix' seems to be one of two things:
1) have us add to the DKIM header that says ANY email sent from yahoo.com is legit, which seems to allow us to also say any spam spoofed as from a list and sent from yahoo is ok. [The advise adds in gmail, microsoft, proton so pretty much all email.] 2) change the list mechanics to completely rewrite the headers so that the from is no longer there and the mail can only be replied to the list.
Neither of these are appealing and make the 'cure' worse than the disease.
ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of selinux-bounces@lists.fedoraproject.org designates 38.145.60.11 as permitted sender) smtp.mailfrom=selinux-bounces@lists.fedoraproject.org; dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=yahoo.com ... Received-SPF: pass (google.com: domain of selinux-bounces@lists.fedoraproject.org designates 38.145.60.11 as permitted sender) client-ip=38.145.60.11; Authentication-Results: mx.google.com; spf=pass (google.com: domain of selinux-bounces@lists.fedoraproject.org designates 38.145.60.11 as permitted sender) smtp.mailfrom=selinux-bounces@lists.fedoraproject.org; dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=yahoo.com
The headers are showing that all the things we can affect are passing are ok. but that yahoo's rules say quarantine it.
So, mailman has some DMARC mitigations that can be enabled to handle this case.
It can optionally send emails from people with DMARC headers like this as from the list instead of the user address.
We have left this as something each list should decide if they want to enable or not. So, if you would like the selinux list to enable this, you should contact the list owners and ask them to.
Personally, I think we should just reject these emails and force people to get a real provider. yahoo has consistently been horrible for decades.
Metadata Update from @kevin: - Issue close_status updated to: Will Not/Can Not fix - Issue status updated to: Closed (was: Open)
I agree. Although it would be best if their subscription is rejected on this basis. No doubt it's a silent failure - they have no idea many people aren't seeing their emails.
Most of these people have been subscribed for years and I have a hard time even getting email to them from gmail.com as yahoo to tell them we have problems.
Here's my predecessor infra leed, 10 years ago:
https://mmcgrath.livejournal.com/37248.html
yeah, I'd be fine rejecting their subscriptions, but I don't think we have any easy way to do that. ;(
Login to comment on this ticket.