nasauber.de

Blog

Mail servers nowadays and vsmlist

Running an own mail server is a hard task

Back in the days I started playing around with mail servers, it was an easy and peaceful life. Either, you had a static IP address, or you used a relay host – and you were done and could send emails. This was also the time I started writing vsmlist, as I didn't want to mess around with Mailman to setup a mailing list for a handful of people.

Well, things have changed quite a bit since then. I learned that the hard way, because I set up my own "real" mail server some months ago. Mostly, because I didn't want some big company read my mails anymore, and also because I wanted to have Sieve. And that's something even the paid mail hosters don't provide – for whatever reason.

So here we go. Nowadays, you need a static IP address, a PTR record pointing to the mail domain you're sending from, the SPF policy set, DKIM signing and a DMARC policy. And despite everything being setup correctly, your IPs being not listed in any blacklist, even being listed in some whitelists, and not a single spam mail ever having been sent through your server, you're still blocked by some mail servers. Perhaps, because they never saw your server before, and thus simply claim you're a spammer. A spammer following all best practices in existance, but a spammer. Or for whatever reason. Who knows.

It has become a hard job to run an own mail server. But anyway, one should not leave the field to the monopolists and data krakens. But here, we are back at vsmlist.

vsmlist matures

The last release of vsmlist dates back to 2015. So it really needed some love concerning what a mail server needs or does nowadays. Some updates have been made, and this is what we have now:

SPF

SPF, the "Sender Policy Framework", is an email authentication method designed to detect forging sender addresses during the delivery of the email. SPF is not a problem with vsmlist. It now sets the Return-Path header to a bounce address (which is forwarded to the mailing list's admin). This makes SPF pass on a forwarded email, presumed the SPF record for the domain used for list is setup correctly.

DKIM

DKIM, "DomainKeys Identified Mail", is an email authentication method designed to detect forged sender addresses in email. DKIM is also not a problem. Classical mailing lists invalidated DKIM signatures by changing the subject (e. g. prepending "[Some List]" or such) and/or appending some information about the list (archives etc.) to the text. Vsmlist never did this. By leaving the original mail untouched, DKIM signatures stay intact. If the mail server running vsmlist does DKIM signing, another signature is added to the mail when distributing it. Both are valid.

DMARC

DMARC, "Domain-based Message Authentication, Reporting and Conformance", is an email authentication protocol to protect domains being used unauthorizedly (e. g. for spoofing). It's a disputed standard. It breaks RFC 5322 and causes a lot of problems with mailing lists.

DMARC checks if either SPF is okay, or DKIM, or both – and if all components use the same domain.

The problem is that a mail is typically sent to the mailing list, which then distributes it. So, according to the standard, the list becomes the Sender whereas the original sender stays the author, represented in From. This is an intended use-case for emails.

Example: An email from an @gmx.de account is sent through vsmlist. From is the @gmx.de address. Return-Path is set to the domain where vsmlist runs, e. g. an @some-domain.org address. The same address is used for the Sender address. SPF will pass, and also, GMX's DKIM signature will be evaluated to be correct. But still, DMARC will fail, because From differs from Return-Path. According to RFC 5322, DMARC should check the Sender header, not the From header. But it doesn't.

There's no solution to this. There are workarounds to migitate deliverability problems, but all with drawbacks (e. g. the original sender is lost, replying to the list creates a private answer and not a list answer and so on – all that sucks).

The workaround I chose for vsmlist is to wrap the original mail into a completely new one along with some notice if the DMARC policy of the original sender will cause troubles. This sucks as much as all the other workarounds, but at least, it leads to an "aligned" mail passing SPF, DKIM and also DMARC – and it preserves the original mail.

One should really think about boycotting stuff like DMARC, designed to break things and to cause trouble. But after all, most end-user have never even heard about that stuff. Anyway, vsmlist will be ready for an up-to-date use beginning with the next release :-)