TMDA & Mailing Lists HOWTO

Introduction

This document describes how to interact with mailing lists when you are using TMDA (Tagged Message Delivery Agent) anti-spam software. TMDA makes use of blacklists and whitelists to restrict access to a mail user’s inbox and optionally tags outgoing email addresses to limit who can use those addresses or to set for how long those addresses are valid. Such lists and tagged email addresses can thoroughly confuse mailing list management software and so care must be taken when interacting with mailing lists.

This document assumes that the reader is familiar with TMDA’s features and how to use them. Prior knowledge of configuration variables, incoming and outgoing filter syntax, and the use of blacklists and whitelists will be very helpful.

In the examples that follow, I’ll subscribe to the fictitious list ‘howto-users@some.domain.com’ for the user ‘andrew’.

Using Lists with TMDA

What follows are instructions on how to use TMDA with three types of mailing lists. In each case, the objective is to allow other subscribers to the list in question to email you directly without TMDA forcing them to confirm their email while, at the same time, minimizing the amount of spam that appears in your inbox.

ezmlm

Identifying an ezmlm mailing list

You can identify an ezmlm mailing list by the method of subscription. To subscribe, you send an email to the list in the form <list name>-subscribe@<domain name>. So, to subscribe to the ezmlm mailing list howto-users@some.domain.com, you would use howto-users-subscribe@some.domain.com.

In the above example, ezmlm will use whatever envelope sender address it finds in the message as the address you wish to subscribe with. You can also explicitly state the address you would like to subscribe with.

So, to subscribe with the address andrew@andrews.domain, you would use howto-users-subscribe-andrew=andrews.domain@some.domain.com.

Talking to ezmlm

Because ezmlm mailing lists send each message with a different envelope sender address, you need to tell TMDA to let mail from the list through. You can do this by adding a line to either your whitelist file or incoming filter file.

In your whitelist file add:

    howto-users-return-*@some.domain.com

or in your incoming filter file add:

    from howto-users-return-*@some.domain.com ok

Doing this will also ease communication with the ezmlm autoresponder during the subscription process.

Subscribing

Because ezmlm does its own tagging of the envelope sender address, there is no point in subscribing with a sender or keyword address; you need to let messages through with your whitelist or incoming filter anyway. So, you can subscribe with either a bare address or an extension address. An extension address is normally the better choice as this provides an easy way to manipulate incoming mail (dropping mail from lists into alternate mailboxes for example).

1. Using the extension ‘ezmlm-howto-users’, subscribe by sending an empty message to the following address:

       howto-users-subscribe-andrew-ezmlm-howto-users=andrews.domain@some.domain.com

2. Get yourself a drink while you wait to receive ezmlm’s confirmation request. You will need to send ezmlm an email confirming that you really want to subscribe to the list.

Posting

In order to post to your newly subscribed mailing list, put this into your outgoing filter file:

    to howto-users@some.domain.com tag
       from     dated
       envelope extension=ezmlm-howto-users

Using the ‘dated’ tag for the From header will allow other list subscribers to send you mail without needing to send a confirmation. If this isn’t what you want, set the From header to a bare address or explicitly set it to what you want it to be:

    from bare

or

    from explicit=andrew@andrews.domain

Getting Help

You can receive instructions on how to use an ezmlm mailing list by sending an empty mail message to the mailing list with ‘-request’ or ‘-help’ appended to the name. For example:

    howto-users-request@some.domain.com

or

    howto-users-help@some.domain.com

Mailman

Identifying a Mailman mailing list

Mailman uses a web interface for subscribing and unsubscribing to mailing lists. When subscribing to a Mailman list, you’ll be asked to submit a password. Mailman warns you that the password you use shouldn’t be a particularly valuable one since Mailman emails it to you from time to time in plain text as a reminder. Mailman will also give you the option of receiving messages from the list in the form of a batched digest.

Subscribing

1. The first thing to do is generate a sender address. Mailman lists use an envelope sender in the format <list name>-admin@<domain name> so use this command:

       tmda-address -s howto-users-admin@some.domain.com

   which produces something like

       andrew-sender-cf1736@andrews.domain

   Remember you can use the -c option if you need to use a TMDA configuration file other than the default and the -a option to specify the base email address to use. With these two options, the above command would look like this:

       tmda-address -a andrew@andrews.domain -c ~/andrew/mail/config -s howto-users-admin@some.domain.com

2. Then enter the sender address as the email address you wish to subscribe with in the appropriate box on Mailman’s web interface.

3. Get yourself a drink while you wait to receive Mailman’s confirmation request. You will need to send Mailman an email confirming that you really want to subscribe to the list.
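The following added example (not TMDA's code and not part of the original HOWTO) is a simplified model of why a sender address has to be generated from the list's exact envelope sender, and why it suits Mailman's fixed `-admin` address but not ezmlm's per-message return addresses. The HMAC-SHA1 construction, the key, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: stands in for the user's private key
TAG_LEN = 6                       # hex digits, same length as 'cf1736' above

def sender_tag(envelope_sender):
    """Short keyed hash of the one envelope sender allowed to use the address."""
    mac = hmac.new(SECRET, envelope_sender.lower().encode(), hashlib.sha1)
    return mac.hexdigest()[:TAG_LEN]

def sender_address(user, domain, envelope_sender):
    """Build <user>-sender-<tag>@<domain> for a given list envelope sender."""
    return f"{user}-sender-{sender_tag(envelope_sender)}@{domain}"

def accepts(recipient, envelope_sender):
    """True only if the tag in `recipient` was derived from `envelope_sender`."""
    local = recipient.rpartition("@")[0]
    _, marker, tag = local.rpartition("-sender-")
    if not marker:
        return False  # bare or otherwise untagged address: no sender tag to check
    expected = sender_tag(envelope_sender)
    return hmac.compare_digest(tag.encode(), expected.encode())

# Constructed envelope senders for the fictitious list used in this HOWTO.
MAILMAN = "howto-users-admin@some.domain.com"
EZMLM = [f"howto-users-return-{n}-andrew=andrews.domain@some.domain.com"
         for n in (101, 102)]

def demo():
    addr = sender_address("andrew", "andrews.domain", MAILMAN)
    return {
        "address": addr,
        "mailman": accepts(addr, MAILMAN),            # fixed sender: tag matches
        "ezmlm": [accepts(addr, s) for s in EZMLM],   # sender changes per message
        "stranger": accepts(addr, "someone@spam.example"),
    }

if __name__ == "__main__":
    print(demo())
```

In this model, mail to the tagged address is accepted only from the exact envelope sender used to generate it, so a mistyped list address at subscription time would leave the list's own mail failing the check.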

Posting

Different Mailman setups will use different methods to screen incoming email. What you put in your outgoing filter file will depend on how the particular list you’re subscribing to filters its incoming mail.

1. If the list screens email on the From header, you will need to set the From header to the sender address you used to subscribe to the list. It also means that you need to set the Reply-To header so that list subscribers can email you. Put this into your outgoing filter file:

       to howto-users@some.domain.com tag
          from     sender=howto-users-admin@some.domain.com
          reply-to dated

   Again, using the ‘dated’ tag for the Reply-To header will allow other list subscribers to circumvent TMDA’s confirmation process. If this isn’t what you want, set the Reply-To header to a bare address or explicitly set it to what you want it to be, like so:

       reply-to bare

   or

       reply-to explicit=andrew@andrews.domain

2. If the list screens email on the envelope sender, put this into your outgoing filter file:

       to howto-users@some.domain.com tag
          from     dated
          envelope sender=howto-users-admin@some.domain.com

   You can change the ‘dated’ tag as described in the previous example if you want list subscribers to confirm their email to you.

There is no way to tell beforehand which of the above methods the list of interest is using to screen mail. You just need to try the different options until one works.


Majordomo

Identifying a Majordomo mailing list

Majordomo lists can be identified by the method you use to subscribe to one; you send an email to majordomo@some.domain with the word ‘subscribe’ in the body of the email.

Talking to Majordomo

To ease administrative communication with a majordomo list (anything other than actually posting a message to the list is considered administrative), there are a few things you can do.

1. Add majordomo to your whitelist or to your incoming filter like so:

   in your whitelist

       majordomo@*

   or in your incoming filter file

       from majordomo@* ok

   There is always the possibility that spammers will send you mail from majordomo@spam.R.us.com so you can tighten up your whitelist or filter by removing the wildcards and having separate entries for each majordomo mailing list you want to interact with.

2. Add this line to your outgoing filter file:

       to majordomo@* bare

   This will ensure all mail sent to majordomo lists is free of tags. If you want TMDA to treat specific majordomo lists differently, you can add extra entries that replace the wildcard character with the appropriate domain name.
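The added example below (not part of the original HOWTO or of TMDA) audits a whitelist for the problem described in step 1: entries whose domain part is a wildcard and therefore admit senders from domains you never subscribed to. It assumes shell-style wildcard matching, approximated with Python's `fnmatch`, and `#` comments in the whitelist file; the sample whitelist, the sender addresses and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

def load_patterns(text):
    """Return whitelist patterns, skipping blank lines and '#' comments."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            patterns.append(line.lower())
    return patterns

def domain_is_wildcarded(pattern):
    """True when the part after the last '@' contains a wildcard character."""
    domain = pattern.rpartition("@")[2]
    return any(ch in domain for ch in "*?[")

def audit(whitelist_text, senders, trusted_domains):
    """For each pattern, list matching senders whose domain is not trusted."""
    report = {}
    for pattern in load_patterns(whitelist_text):
        leaks = [s for s in senders
                 if fnmatchcase(s.lower(), pattern)
                 and s.rpartition("@")[2].lower() not in trusted_domains]
        report[pattern] = {
            "wildcard_domain": domain_is_wildcarded(pattern),
            "leaks": leaks,
        }
    return report

# Constructed whitelist: the ezmlm entry, the loose and the tightened majordomo entry.
WHITELIST = """\
# mailing list traffic
howto-users-return-*@some.domain.com
majordomo@*
majordomo@some.domain.com
"""

# Constructed envelope senders, including the spammer address from step 1.
SENDERS = [
    "howto-users-return-42-andrew=andrews.domain@some.domain.com",
    "majordomo@some.domain.com",
    "majordomo@spam.R.us.com",
]

if __name__ == "__main__":
    for pattern, result in audit(WHITELIST, SENDERS, {"some.domain.com"}).items():
        print(pattern, result)
```

A wildcard in the local part, as in the ezmlm entry, stays confined to one domain; only the wildcarded domain in `majordomo@*` lets the untrusted sender through.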

As an alternative to using bare email addresses and adding lines to your whitelist or incoming filter, you can use a keyword tagged address to communicate with majordomo. Add this line to your outgoing filter file:

    to majordomo@* keyword=mdadmin

If you begin receiving spam on this address, change the keyword.

Subscribing

Now that you can talk to majordomo hassle-free, you’ll want to actually subscribe to a list.

1. The first thing to do is generate a sender address. Majordomo lists use an envelope sender in the format owner-<list name>@<domain name> so use this command:

       tmda-address -s owner-howto-users@some.domain.com

   which produces something like

       andrew-sender-cf1736@andrews.domain

   Remember you can use the -c option if you need to use a TMDA configuration file other than the default and the -a option to specify the base email address to use. With these two options, the above command would look like this:

       tmda-address -a andrew@andrews.domain -c ~/andrew/mail/config -s owner-howto-users@some.domain.com

2. Then send a message to majordomo@some.domain.com with this line in the body of the message:

       subscribe howto-users andrew-sender-cf1736@andrews.domain

   Anything you put in the subject line will be ignored.

3. Get yourself a drink while you wait to receive majordomo’s confirmation that you have been subscribed to howto-users@some.domain.com.

Posting

In order to post messages to howto-users@some.domain.com, your email will have to pass majordomo’s screening method. The tricky part is that different majordomo lists use slightly different methods to ensure incoming posts are from subscribed users.

1. If you don’t know how your majordomo list of interest validates incoming mail or if you do know it uses the From header for validation, use this formula in your outgoing filter file:

       to howto-users@some.domain.com tag
          from     sender=owner-howto-users@some.domain.com
          reply-to dated

   This will set both the From and envelope sender fields of your mail to the same sender address you used to subscribe to the list. It will also set the Reply-To header to a dated address. This allows list members to contact you directly without having to confirm their first message while ensuring that spammers won’t get their hands on your untagged email address.

2. If you know that a certain majordomo list validates incoming mail using the envelope sender field, you can use this formula instead:

       to howto-users@some.domain.com tag
          from     dated
          envelope sender=owner-howto-users@some.domain.com

   Functionally, this will produce the same results as the first example.

Since the first of the above two formulas is the more general, you should try it for any majordomo list you want to subscribe to. There is no advantage to using the second formula if the first one works.

Getting Help

You can receive instructions on how to use majordomo by sending a message to majordomo@<domain name> with the word ‘help’ in the body of the message. The message you receive will have detailed instructions on how to do such things as subscribe or unsubscribe to a list, and how to contact the majordomo manager (a real person!). Remember to put only the word ‘help’ (without the quotes) in the body of the message and nothing else.


Using Lists Around TMDA

If you use TMDA to protect your email address and don’t want to go through all the hassle of setting up a mailing list as described above, then this is the section for you. These instructions describe a way to use a TMDA protected email address with a mailing list without the list ever seeing a tagged address.

1. First, tell TMDA to accept mail from the list by adding an entry to one of your whitelist files like so:

       <list-name>@some.domain.com

   Or if you want to set up many lists this way, consider creating a whitelist file dedicated to mailing lists. Then put a line in your incoming filter file like so:

       from-file ~/path/to/whitelist-file-for-mailing-lists ok

2. Put a line in your outgoing filter file telling TMDA to use a bare address when sending mail to the list:

   for a single list use

       to <list-name>@some.domain.com bare

   or for multiple lists you could use

       to-file ~/path/to/whitelist-file-for-mailing-lists bare

   This point assumes that you’re using tmda-ofmipd to tag outgoing mail.

3. Subscribe to the list with your bare, untagged email address.

The exact pattern you use in step one will vary depending on the type of list you want to talk to. This is because the administrative mailings from a list can come from different places. For a mailman list, the pattern can be quite restrictive as administrative emails come from list-name-<something>@some.domain.com. Majordomo lists, on the other hand, will require a more permissive pattern or perhaps even two entries because source addresses for administrative emails generally do not contain the list name at all.

Setting up your TMDA this way will force other users of a list who mail you directly to confirm their email the first time. On the other hand, this method should work with any type of mailing list. This behaviour can be set up as the default, which can be overridden for particular lists when there is a need to do so.

One potential problem with the method outlined above is bounced mail. If you don’t have a line like

    from <> ok

in your incoming filter file, then mail bounced from a list may get caught by TMDA depending on the address the bounce comes from. The TMDA FAQ explains the reasons for this problem in more detail. If anyone has any ideas on how to get around this, drop me a note.

Mailing Lists Behaving Badly

In some cases, a list may change the Reply-To header in some way; to point back to the mailing list itself for example. If such a list also screens mail on the From header, then using TMDA with the list becomes much more complicated. It is likely better to subscribe to the list with an email address that is filtered using a tool other than TMDA (see Mailing Lists & SPAM below). If you really want to use TMDA with such a mailing list, one way to do it is to subscribe using a keyword tagged address. You generate a keyword address like so:

    tmda-address -k badlist

which produces something like

    andrew-keyword-badlist.cf1736@andrews.domain

Add an entry to your outgoing filter file so that any mail you send the list will use this keyword address.

    to howto-users@some.domain.com keyword=badlist

This allows both the list and list subscribers to email you without replying to confirmation requests. It also means that spammers can use this address to send you mail as well. When this happens, you will need to unsubscribe from the list, generate a new keyword address, and re-subscribe. You may also want to put an entry into your incoming filter file to drop mail sent to the old keyword address.

Alternatively, you could set up the list as described in the previous section.

Mailing Lists & SPAM

Because of the way TMDA operates, it cannot filter spam that is being distributed through a mailing list. If you wish to subscribe to a list that is regularly spammed, using TMDA may not be the best choice for you.

In such a case, a viable alternative would be to subscribe using an email address that is not subject to filtering by TMDA but instead is filtered using a program such as SpamAssassin or procmail.

Credits

Much of the information contained within this document was scoured from the tmda-users mailing list archive. The major contributors to the relevant thread were Tim Legant, Jason Mastaler, and Scott Schappell.

Additional information was gleaned from the TMDA FAQ and the TMDA filter specification.