Mailman 3 ARC Signing_

Support the Entertainment Community Fund.
🇺🇦 Resources to help support the people of Ukraine. 🇺🇦
Original: July 04, 2022 @20:45 Edited: September 06, 2022 @17:50

I have had several complaints about Mailman 3 being the result of an unfortunate set of decisions that lead to the replacement of Mailman 2.

The mailman 3 web frontend sucks so much compared to pipermail (the mailman 2 web frontend). Apparently using static files on disk is gauche these days so of course it has to use a database and an ORM and all this other crap. Anyway, I needed to migrate from SQLite to MariaDB and Django's tools kept triggering the Linux OOM killer so I had to find a way to do it at the database layer. SQLite and MySQL/MariaDB produce slightly incompatible dump formats so after trying to fight with translating a 5GB dump file I found sqlite3-to-mysql which Just Worked. If you end up needing to coax some performance out of the trash pile that is Hyperkitty, it Worked For Me.

I've been trying to setup ARC (RFC 8617) to improve deliverability of several mailing lists that I run and as might be expected the Mailman 3 documentation is utter garbage so here is some information that might help others figure this out in the future.

For reference I'm running Postfix with rspamd as a milter. Rspamd will DKIM sign and DMARC validate mail passing through it. This is all running on Debian Linux so your milage may vary with configuration file paths.

# Defaults to no, this turns ARC as a whole on/off
enabled: yes

# These cause mailman to process DMARC and DKIM validations itself but
# the authserv info below will tell it what to trust if an
# Authentication-Results header is already present.
dmarc: yes
dkim: yes

# The FQDN of your mailserver so mailman will trust it.  In my case this
# header is injected by rspamd running on

# If you have any other names that may end up in an Authentication-Results
# header, list them here.

# Path to the RSA private key.  Again, this MUST be RSA not EC.
privkey: /etc/mailman3/arc_key.pem

# The selector you chose.
selector: 2022

# The domain that selector lives in.

# This is the default list of headers to sign, I just copied it to be explicit.
sig_headers: From, Sender, Reply-To, Subject, Date, Message-ID, To, Cc, MIME-Version, Content-Type, Content-Transfer-Encoding, Content-ID, Content-Description, Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Message-ID, In-Reply-To, References, List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive

Restart mailman and you should get an ARC seal on messages sent from the list, an example of which are below.

Received: from (localhost [])
    by (Postfix) with ESMTP id 67BF7104B09;
    Mon,  4 Jul 2022 20:33:03 -0400 (EDT)
ARC-Seal: i=2; cv=fail; a=rsa-sha256;; s=2022;
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed;; s=2022; t=1656981181; h=from : sender : reply-to
 : subject : date : message-id : to : cc : mime-version : content-type
 : content-transfer-encoding : content-id : content-description :
 resent-date : resent-from : resent-sender : resent-to : resent-cc :
 resent-message-id : in-reply-to : references : list-id : list-help :
 list-unsubscribe : list-subscribe : list-post : list-owner :
 list-archive; bh=iSR9LIxiC7oHBn3E8MCUiSet5myvrdXB8H7LOEpDY4I=;
ARC-Authentication-Results: i=2;; dkim=pass header.s=selector1 header.b=aOESSguC;
  dmarc=pass (Used From Domain Record)
Authentication-Results-Original:; dkim=pass header.s=selector1 header.b=aOESSguC; arc=pass;
 dmarc=pass; spf=pass;
 arc=pass; dmarc=pass (Used From Domain Record)
Received: by (Postfix)
    id A00B5104B12; Mon,  4 Jul 2022 20:32:59 -0400 (EDT)
Received: from ( [])
    (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by (Postfix) with ESMTPS id 220FF104B09
    for <>; Mon,  4 Jul 2022 20:32:57 -0400 (EDT)

I hope this helps someone avoid the headache I had of setting this up with EC keys and trying to parse the cryptic logged exceptions that mailman threw up while eating messages.

Update, 9-6-2022

The astute out there will notice that the ARC seal generated by Mailman is broken. This is at least in part due to bugs in Mailman prior to 3.3.5. At the time of this update Debian still has not updated their package so it seems that unless you are building Mailman yourself turning on ARC is more harm than good. I am hopeful they will pick it up soon, but given bug 998223 I am not holding my breath.

Anyone know a good replacement for Mailman?

Comment via e-mail. Subscribe via RSS.