Hi Adam,

On Sun, May 28, 2023 at 05:53:11PM +0100, Adam Spiers via BitFolk Users wrote:
> But we're experiencing issues with SPF failures causing bounces and
> eventual unsubscribes, which I'm not even sure mailman 3.x handles any
> better than 2.x.

It's worth looking into this as SPF normally isn't a problem for
mailing lists, neither in Mailman 2.x nor 3.x or most other
implementations.

The reason why it's not a problem is that SPF works on the envelope
sender, not the From: address, and all versions of Mailman normally
replace the envelope sender with themselves (which may or may not
include VERP encoding to catch individual bounces).

For example, your post (for me) has the envelope sender
<users-bounces+andy=bitfolk.com(a)mailman.bitfolk.com> so when my
infrastructure does an SPF check it will be against the SPF record
at mailman.bitfolk.com. In the case of this mailing list we've ALSO
replaced the From: address with the list's address but even if we
hadn't, the SPF check is still against the envelope sender so at no
point will it check the SPF of gmail.com.

Us changing the From: address was a defence against DKIM, which you
may be confusing with SPF here. DKIM does work on the From: address.
If you keep the poster's From: address and the poster has included a
DKIM signature, AND your Mailman has modified the mail in any way,
the DKIM signature will be invalidated. Most users of mailing lists
appreciate the posts being modified, perhaps to include an
explanatory footer, and/or a prefix on the subject line. That
changes the content which in turn breaks the DKIM signature.

The RFC for DKIM says that invalid signatures should be treated like
no signature at all, i.e. should not be penalised, but plenty of
receiving sites do penalise a failing DKIM signature.

Both Mailman 2 and Mailman 3 have options to replace the From:
address with the list's address. Despairing at how remote sites
treat DKIM, that's what we did, and it's what a lot of other mailing
lists I know of have done too. It makes it harder to see the
original real email address, but it prevents DKIM failures and means
you can also DKIM sign the mails yourself.

I didn't find the DKIM thing to be the main reason to move away from
Mailman 2. The main reason was that MM2 is a Python 2-only app that
is now EOL upstream and is therefore not shipped by any Linux
distribution that has also stopped shipping Python 2, which is most
of them.

It's a shame because MM3 is a behemoth. I feel it's overly complex.
A straight port of MM2 to Python 3 would have been much more
welcome. Failing that I wish I could have just put email mailing
lists into the dumpster of time.

> https://www.mailmanhost.com/
> https://www.mailmanlists.net/
> There's also https://mailman3.com/ which can host in the EU, but I'm not
> sure if they offer migration.
> Does anyone have any experience with any of these, or have recommendations
> of good alternatives to mailman (preferably with options to migrate
> existing mailman lists)?

I don't have any experience with those, but they all seem okay.

I would not expect your issues with getting email into Gmail and
Yahoo! to go away. Replacing your From: address with that of the
list might help you a bit.

Personally I'd be tempted to switch to Discourse, which has an email
participation mode if desired, and has SaaS options if you didn't
want to self-host. It's what I'd have replaced BitFolk's mailing
lists with if there weren't so much pushback from people who are
wedded to the 20th century mailing list experience.

(Not to be confused with Discord, which is a closed source chat
application that does have some announcement features.)

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
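
An added example, not part of the original message: it shows which domain an SPF check is made against for a VERP envelope sender, and how an appended list footer changes the DKIM body hash (the bh= value). It assumes relaxed body canonicalization and SHA-256 as defined in RFC 6376; all addresses, the message body and the footer are constructed.

```python
import base64, hashlib, re
from email.utils import parseaddr

# Constructed sample data (not taken from any real message).
ENVELOPE = "<users-bounces+alice=example.net@lists.example.org>"
POSTED = b"Hello list,\r\n\r\nDoes anyone host Mailman 3?   \r\n\r\n"
FOOTER = b"_______________\r\nusers mailing list\r\n"

def spf_domain(envelope_sender: str) -> str:
    """Domain whose SPF record is looked up: the envelope sender's domain.
    The From: header is never an input to this check."""
    return parseaddr(envelope_sender)[1].rpartition("@")[2].lower()

def verp_recipient(envelope_sender: str) -> str:
    """Decode a Mailman-style VERP local part: list-bounces+user=domain."""
    local = parseaddr(envelope_sender)[1].rpartition("@")[0]
    user, _, domain = local.partition("+")[2].rpartition("=")
    return f"{user}@{domain}"

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of spaces/tabs, then drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at the end
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The value a signer puts in bh= and a verifier recomputes."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()

def body_intact(signed_bh: str, delivered_body: bytes) -> bool:
    """True if the delivered body still matches the poster's bh=."""
    return body_hash(delivered_body) == signed_bh

if __name__ == "__main__":
    signed_bh = body_hash(POSTED)          # computed by the poster's provider
    print("SPF checked against:", spf_domain(ENVELOPE))
    print("bounce maps to     :", verp_recipient(ENVELOPE))
    print("whitespace-only change ok:",
          body_intact(signed_bh, b"Hello list,\n\nDoes anyone host Mailman 3?"))
    print("with list footer ok      :", body_intact(signed_bh, POSTED + FOOTER))
```

Relaxed canonicalization tolerates whitespace changes only; any added line, such as a footer, produces a different hash, so verification of the poster's signature fails.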