Re: postfix for 2 domains on 1 vps 1 ip

[Bob Proulx <bob%proulx.com@localhost>]

Mayuresh wrote:
> My main requirement from one of the domains is a mailing list. As long as
> it merely relays the mails without touching the mail headers / body, can I
> get away without implementing all these measures? I have done so once, but
> not sure whether it survived based on reputation score or because I didn't
> tinker with the mail header and body.

Mailing lists have one very important need and that is to look for
DMARC.  A number of sites set "v=DMARC1; p=quarantine;" but notably
for me the sites that set "v=DMARC1; p=reject; sp=reject;" are the
problems.

    $ host -t txt _dmarc.yahoo.com
    _dmarc.yahoo.com descriptive text "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua%yahoo.com@localhost;";

    $ host -t txt _dmarc.zoho.eu
    _dmarc.zoho.eu descriptive text "v=DMARC1; p=reject; sp=reject; fo=0; rua=mailto:dmarc.reports.eu%zoho.eu@localhost; ruf=mailto:dmarc.reports.eu%zoho.eu@localhost";

This means that mail with a From: header of @yahoo.com will be
rejected by servers unless it is either sent by Yahoo's servers or the
DKIM signature is verified.  A signed DKIM signature means the headers
and body have not been modified.

If the sending address site has set a strict DMARC configuration then
you basically have two options.  One is to modify the headers and
forward it through the mailing list.  Or two it can be discarded or
rejected.  Forwarding a message from a sender site with strict DMARC
set will be seen as a forgery by the recipient site receiving the
mailing list and many sites, Google for one, will reject those
messages.

This has a perhaps surprising effect.  Let's talk about Mailman to
keep it concrete but the different mailing list managers have
different rules and are all slightly different.  Mailman tracks
bounces and rejects per recipient.  Upon receiving a bounce it will
increment the bounce count for that recipient.  It will do so at most
once per day.  After the bounce count exceeds the default threshold
value of 7 then it will unsubscribe the recipient.  Which means that
if there are seven days of bounces Gmail recipients will be
unsubscribed from a mailing list that forwards through messages from
senders that set a strict DMARC setting.

Basically this makes it a data dependent behavior.  It depends upon
the traffic of the mailing list.  Every day that there is no message
from a strict DMARC site will decrement the count.  But if it is an
active list with lots of posts then almost certainly one of them will
be from a strict site and will cause the bounce count to increment.
But over the course of months there is bound to be seven consecutive
days where this happens.  Therefore one must either modify the headers
or discard mail from sites with strict DMARC set.  Otherwise properly
configured sites will validly reject those messages causing innocent
victims to be unsubscribed.  Repeatedly.

These days when you see that the From: address has been modified to
say something like the sender's name "via the mailing list" that is
usually the reason behind it.  Almost certainly when you see that only
some of the messages are that way and some are normal.  However I am
on at least one list that has decided to /always/ munge the header so
that every message is the same.  I don't prefer that but it is at
least uniform.

    https://wiki.list.org/DEV/DMARC
    https://dmarc.org/wiki/FAQ#senders
    https://dmarc.org/overview/

The next problem are subject tags and mailing list footers.  They will
break DKIM signatures.  Therefore footers are problematic.  They were
always problematic before though so this is nothing new.

    https://lists.debian.org/debian-devel-announce/2015/08/msg00003.html

None of the above has anything to do with sharing domains on a single
server however and are just part of the environment for running
mailing lists these days.

> There is an occasional requirement to send system generated mail, and if
> it comes to that can I use gmail smtp with from field set to my own domain
> (I guess they still allow) so that I need not implement all these
> measures?

System generated mail makes me think of two types of messages.  One is
root mail to me as the admin.  Those are definitely no problem because
I will always allow those messages through.  Either by making sure
everything is happy with them from the sender side or allowing them
with an allow-list on my receiving side.

The others is mail such as password recovery mail and other such small
but necessary infrastructure messages that originate on the server but
are then sent to random addresses out on the net.  Those are no
problem if the server has SPF and DKIM set appropriately.

For SPF that is simply setting up the DNS records to allow the
address.  Most likely something like this:

    @ IN  TXT  "v=spf1 a mx example.com -all"

I am a hardliner here so I will say -all but ~all is also okay and
probably what you should use when setting this up.  That's a soft-fail
flag.  Tools like SpamAssassin and others would score it if it fails
but it shouldn't be hard failed if it fails.

    @ IN  TXT  "v=spf1 a mx example.com ~all"

That's all that you need for SPF to be happy.

For DKIM things are a little more involved.  I am using the OpenDKIM
daemon as a "milter" in Postfix.  It took me a bit to understand how
it works but not too hard.  There is help to get it understood.
Therefore I will just recommend OpenDKIM as a milter and then there
can be more later if needed.

Bob