Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
Trojitá, a fast Qt IMAP e-mail client http://www.trojita.flaska.net/ I also use http://opendkim.org/ http://www.trusteddomain.org/opendmarc/ as milters on Postfix Active development, I'm sure they could all use some help, or forks for alternatives, I don't know, I'm not involved in development per se, just a user, and I have to get off the property of any of these places with my code before anything happens. All that Finnish osalliyhdistys and by the time a Swede gets online all hell breaks loose./ On Friday, October 21, 2022 1:50:43 PM AKDT, hi@zakaria.website wrote: On 2022-10-11 14:05, Benny Pedersen wrote: hi@zakaria.website skrev den 2022-10-11 13:42: ... Indeed, it's because you set the following headers in dkim signing headers:- from : subject : date : to : message-id Although not sure why you've added some space, as per standards I think only colon separated list its the compliant format like the following:- from:subject:date:to:message-id Anyhow this is my final update, the previous headers set which I included wasnt perfect as cc header was causing a trouble, given it can fail at some point e.g. when replying more than one time to the same recipient through a mailing list, and mind me OX and iRedMail, I had to check your signing headers set, hopefully you are ok for me to present it here as the optimal one to avoid DKIM failures:- OX:- Date:From:To:In-Reply-To:References:Subject:From IRM:- x-mailer:message-id:in-reply-to:to:references:date:subject :mime-version:content-transfer-encoding:content-type:from iRedMail seems to be the best headers set given it includes X-Mailer header, which enhances signature validity, when client uses specific mail client app, although it can be faked yet one must know which client app the sender would use and if was able to have information to this length I guess signature validity would be an easy task to break it further. Also, I was advised by a friend to duplicate the signing headers in order to disallow spoofing signature further, while I couldnt see how nor populate a proof of concept, I removed it but if someone understand it, I would appreciate their elaboration, surely with thanks :) Good luck. Zakaria.
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-10-11 14:05, Benny Pedersen wrote: hi@zakaria.website skrev den 2022-10-11 13:42: On 2022-09-13 13:10, Benny Pedersen wrote: hi@zakaria.website skrev den 2022-09-13 14:03: from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references Thanks to my friend who didnt need a credit, and helped me out in reaching this solution. i have no frinds, but it might be related https://gitlab.com/fumail/fuglu/-/issues/262 with my conservative list of signed headers it pass Indeed, it's because you set the following headers in dkim signing headers:- from : subject : date : to : message-id Although not sure why you've added some space, as per standards I think only colon separated list its the compliant format like the following:- from:subject:date:to:message-id Anyhow this is my final update, the previous headers set which I included wasnt perfect as cc header was causing a trouble, given it can fail at some point e.g. when replying more than one time to the same recipient through a mailing list, and mind me OX and iRedMail, I had to check your signing headers set, hopefully you are ok for me to present it here as the optimal one to avoid DKIM failures:- OX:- Date:From:To:In-Reply-To:References:Subject:From IRM:- x-mailer:message-id:in-reply-to:to:references:date:subject :mime-version:content-transfer-encoding:content-type:from iRedMail seems to be the best headers set given it includes X-Mailer header, which enhances signature validity, when client uses specific mail client app, although it can be faked yet one must know which client app the sender would use and if was able to have information to this length I guess signature validity would be an easy task to break it further. Also, I was advised by a friend to duplicate the signing headers in order to disallow spoofing signature further, while I couldnt see how nor populate a proof of concept, I removed it but if someone understand it, I would appreciate their elaboration, surely with thanks :) Good luck. Zakaria.
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 10/11/22 07:42, hi@zakaria.website wrote: Another update yet with a solution. I found the causing issue with DKIM and DMARC failure when a signed email pass through mailing list such as dovecot as I expected, it has nothing to do with the mailing list but it's to do with DKIM signing headers set. It's due to one of or several headers in the DKIM signing set, getting added or modified after signing at dovecot end. Anyhow, here is the DKIM signing headers set in this mailing list, that it should work and it will prevent the batch of DMARC emails and bad signature from happening again. from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references Please forgive me for jumping in, but I just noticed this. I (like many others) have issues with mailing lists and the flurry of DMARC emails after posting. I'm using OpenDKIM. There's a lot of material out there about proper configuration of DKIM, but nothing really definitive, with lots of "it depends on your requirements" type of noncommittal crap. Email use cases don't differ THAT much. So does what you said above mean that you've come up with a working configuration to address the issue of mailing lists causing DKIM to barf due to header modifications? If so, can you tell me more about specifically what you're doing, like which headers you're signing and how? I've been at my wits' end with this for some time; DKIM (and SPF etc etc) seem to be really quite awful overall. Thanks, -Dave -- Dave McGuire, AK4HZ New Kensington, PA
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
hi@zakaria.website skrev den 2022-10-11 13:42: On 2022-09-13 13:10, Benny Pedersen wrote: hi@zakaria.website skrev den 2022-09-13 14:03: from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references Thanks to my friend who didnt need a credit, and helped me out in reaching this solution. i have no frinds, but it might be related https://gitlab.com/fumail/fuglu/-/issues/262 with my conservative list of signed headers it pass
dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-09-13 13:10, Benny Pedersen wrote: hi@zakaria.website skrev den 2022-09-13 14:03: least to must pass Signature Verification. Have anyone managed to configure EXIM to verify more than one DKIM Signature header? postfix smtpd_milter_maps with a list of ips that is known maillists ips is best for software that are brokken, use DISABLE as results pr ip that is maillist ips, that will disabled opendmarc and other milters when client ip is a maillist, postfix be happy until trusted domain have updated and stable milters use rspamd if possible, with is imho the only stable milters with solve it all, i hate to write that but it might be right for time being, while spamassassin v4 is on the way Another update yet with a solution. I found the causing issue with DKIM and DMARC failure when a signed email pass through mailing list such as dovecot as I expected, it has nothing to do with the mailing list but it's to do with DKIM signing headers set. It's due to one of or several headers in the DKIM signing set, getting added or modified after signing at dovecot end. Anyhow, here is the DKIM signing headers set in this mailing list, that it should work and it will prevent the batch of DMARC emails and bad signature from happening again. from:from:reply-to:date:date:message-id:message-id:to:to:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references Thanks to my friend who didnt need a credit, and helped me out in reaching this solution. Zakaria.
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
hi@zakaria.website skrev den 2022-09-13 14:03: least to must pass Signature Verification. Have anyone managed to configure EXIM to verify more than one DKIM Signature header? postfix smtpd_milter_maps with a list of ips that is known maillists ips is best for software that are brokken, use DISABLE as results pr ip that is maillist ips, that will disabled opendmarc and other milters when client ip is a maillist, postfix be happy until trusted domain have updated and stable milters use rspamd if possible, with is imho the only stable milters with solve it all, i hate to write that but it might be right for time being, while spamassassin v4 is on the way
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022 Feb 16, at 10:22, Chris Bennett wrote: > On Sat, Feb 12, 2022 at 12:58:03PM +0100, Sebastian Nielsen wrote: >> Thats a TLD ban. Meaning *.ru is banned. >> >> same applies for my domain for example, I ban *.xyz, *.date and a few others. > I don't understand at all why banning tld is reasonable. For the same reason that banning roadrunner was reasonable, the vast majority of mail from these new TLDs is nothing but spam, and I mean at levels far higher than the 97% of general email spam percentage. When I blacklisted .top I has getting hundreds of thousands of spam emails a day on a quite small mail server, so much mail that it was overwhelming my server. I have seen very few new olds that are not major spam magnets, and when I do, I unblock them. But my default position is that ever TLD is locked except for the ones I specifically allow. > I'm not rich. The vast majority of olds are quite cheap. > I can't afford to buy domain names that cost $200 a year to purchase. > .com .net .info , etc. have run out of the names I wish to use. If you are paying $200/yr for a domain name you are doing something very wrong. I am saying about $12/year. Maybe as high as $15/yr? I'd have to check, it is such a low number I don't really know. > I have never ever sent a single spam email, but you would block my emails? Yep. > Bluntly said, but without malice, that attitude favors the rich > over the poor. No, it's not an economic issue at all. You are confusing your DESIRE for a cheap domain 'you want' with having to get a domain in a skeezy TLD. > I refuse to trust the BIG guys. That is your choice. My choice is to not accept mail from .xyz or .rocks or .top or many hundreds of others. Email, having been designed a long time ago, has no mechanism for stopping bad behavior, so it is up to each admin to do what they can to stop unwanted mail. The vast majority of email that is sent is dangerous, malicious, illegal, or unwanted. Not like 505, but in the high 90s. The mail that a system accepts is based on a variety of trust characteristcis that are pretty much unique to every server. My mail server checks the IP address for every connection against several RBLs, checked the connection for certain behaviors before it even allows the connection to start talking to the mail server. Once communication occurs, it checks a lot more things before accepting the message. Nearly every connection attempt is refused and nearly every message that is attempted to be sent is rejected. Even so, of the mail that is accepted, 80% is spam and ends up in the user's junk mail box. > My dad uses yahoo and > gets emails yanked away while he is reading it. This has nothing to do with TLDs. > There are many other methods to block spam. > IMHO, blocking by tld is a bit harsh. That is your opinion and that is fine. But your opinion has zero effect on admins who block TLDs. You have no idea how big an issue spam really is and how much time mail mins spend trying to control it to simply a deluge. This also is probably not the best group for this discussion. -- I loved you when our love was blessed I love you now there's nothing left But sorrow and a sense of overtime
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On Sat, Feb 12, 2022 at 12:58:03PM +0100, Sebastian Nielsen wrote: > Thats a TLD ban. Meaning *.ru is banned. > > same applies for my domain for example, I ban *.xyz, *.date and a few others. > I don't understand at all why banning tld is reasonable. I'm not rich. I buy .rocks and .xyz .rocks really works well with the domain name. .xyz is short, memorable and easy to type. I can't afford to buy domain names that cost $200 a year to purchase. .com .net .info , etc. have run out of the names I wish to use. I have never ever sent a single spam email, but you would block my emails? Bluntly said, but without malice, that attitude favors the rich over the poor. I refuse to trust the BIG guys. My dad uses yahoo and gets emails yanked away while he is reading it. Also, I can't find a server company that has IP blocks that are clean enough. I truly wish I could. There are many other methods to block spam. IMHO, blocking by tld is a bit harsh. But you have the right to do whatever method you wish. I will only point out my thoughts. SPAM sucks! :-) -- Chris Bennett
RE: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
> > Google's corporate web page, Alphabet, Inc., is on the ".xyz" top level > domain. > > * https://abc.xyz/ > Google is probably to most fined company of all mentioned on this list, breaking countless laws over decades. That is the company you have as reference?
Re: Sv: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
If this isn't too far off topic, is it useful to register with https://www.dnswl.org/?p=209The only servers that reject my email do so because I use DigitalOcean. Spectrum for example. Oddly enough Linode which has a fair number of hackers doesn't get the same treatment. The only odd TLDs that have become popular are "aero" and "info." I will probably add some on your list though lately all my spam comes is Google related. I met one person who used a "life" TLD. He was starting a consulting business for fire resistant home designs (hence life) and thought he would be clever with the TLD. I stopped a woman from using "design." From: sebast...@sebbe.euSent: February 12, 2022 5:25 AMTo: dovecot@dovecot.orgSubject: Sv: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC Yep. Its a lot of TLDs that is banned at me, but I haven’t had any problems with .ru so .ru isn’t yet banned. Here is my TLD banlist: deny message = 5.7.1 Banned TLD where sending IP is not listed on DNSWL ( https://www.dnswl.org/selfservice/?action=""> ) condition = ${if eq {$acl_m4}{dnswl_whitelisted}{no}{yes}} sender_domains = ^(?i).*\\.(accountant|accountants|asia|auto|berlin|bid|buzz|camera|car|cam|cars|christmas|click|club|college|computer|country|cricket|date|design|download|exposed|email|fail|faith|fit|fun|gdn|global|guru|help|host|jetzt|kim|icu|life|live|link|loan|london|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|rest|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|surf|tech|technology|theatre|today|top|trade|university|uno|us|viajes|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip|xn--.*)\$ This crap that ICANN started with “custom” TLDs is of more harm than useful. So much spam TLDs in the registry. Från: dovecot-boun...@dovecot.org <dovecot-boun...@dovecot.org>För justina colmena ~bizSkickat: den 12 februari 2022 14:06Till: dovecot@dovecot.orgÄmne: Re: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC The ".top" TLD is popular among Russian spammers, ".ru" is a little too obvious and honest for what it is, unless that's part of Biden's sanctions, the others you mention look like vice domains, but looking at GitHub:* https://github.com/dovecotThere's an "Oy" which is a Finnish "osalliyhdistys" and a ".fi" -- I have not heard of recent hostility between Finland and Russia, notwithstanding the Ukraine situation. Your mail client is all configured in Swedish, but Sweden & Finland are not officially part of NATO, AFAIK, and Sweden has its own currency whereas Finland did give up the markka in exchange for the Euro some 20-odd years ago I don't recall.On February 12, 2022 2:58:03 AM AKST, Sebastian Nielsen <sebast...@sebbe.eu> wrote:Thats a TLD ban. Meaning *.ru is banned.same applies for my domain for example, I ban *.xyz, *.date and a few others.-Ursprungligt meddelande-Från: dovecot-boun...@dovecot.org <dovecot-boun...@dovecot.org> För Lev SerebryakovSkickat: den 12 februari 2022 12:08Till: dovecot@dovecot.orgÄmne: Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARCOn 11.02.2022 16:31, Marc wrote: (sorry for posting to list this, but I don't have any ways to contact Marc off-list now) Problem is, I need to unpack each of them to be sure, that these are false positives and I'm afraid, that it could lower reputation of my mail server IP address with major providers (like Google Mail).How can you get a lower reputation? Afaik dmarc is just signing your outgoing messages. Marc, my domain already has problems sending mail to you, for example:<m...@f1-outsourcing.eu>: host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0 550We have blocked this toplevel because of spam. Use another toplevel until the maintainer has resolved these issues (in reply to MAIL FROM command)--// Black Lion AKA Lev Serebryakov-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
RE: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
Google's corporate web page, Alphabet, Inc., is on the ".xyz" top level domain. * https://abc.xyz/ I suppose Sergey Brin is Russian as well, so what have you there? Perhaps you have inadvertently confused ".xyz" with the ".xxx" TLD. The popular grade school acronym for "eXamine Your Zipper" is obviously not commercially desirable for the same purposes, although I cannot vouch for particular instances. On February 12, 2022 5:51:12 AM AKST, Marc wrote: > > >> >> (sorry for posting to list this, but I don't have any ways to contact >> Marc off-list now) >> >> >> >> >>Problem is, I need to unpack each of them to be sure, that these are >> >> false positives and I'm afraid, that it could lower reputation of my >> mail >> >> server IP address with major providers (like Google Mail). >> >> >> > >> > How can you get a lower reputation? Afaik dmarc is just signing your >> outgoing messages. >> Marc, my domain already has problems sending mail to you, for example: >> >> : host spam1.roosit.eu[212.26.193.45] said: 553 >> 5.3.0 >> 550We have blocked this toplevel because of spam. Use another >> toplevel >> until the maintainer has resolved these issues (in reply to MAIL FROM >> command) >> >> -- > >.ru is not blocked. The connect is originating from a .xyz host. > > > -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-02-12 12:58, Sebastian Nielsen wrote: Thats a TLD ban. Meaning *.ru is banned. ru tld is not this time same applies for my domain for example, I ban *.xyz, *.date and a few others. why ban tld ? : host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0 lets see
RE: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
> > (sorry for posting to list this, but I don't have any ways to contact > Marc off-list now) > > >> > >>Problem is, I need to unpack each of them to be sure, that these are > >> false positives and I'm afraid, that it could lower reputation of my > mail > >> server IP address with major providers (like Google Mail). > >> > > > > How can you get a lower reputation? Afaik dmarc is just signing your > outgoing messages. > Marc, my domain already has problems sending mail to you, for example: > > : host spam1.roosit.eu[212.26.193.45] said: 553 > 5.3.0 > 550We have blocked this toplevel because of spam. Use another > toplevel > until the maintainer has resolved these issues (in reply to MAIL FROM > command) > > -- .ru is not blocked. The connect is originating from a .xyz host.
Sv: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
Yep. Its a lot of TLDs that is banned at me, but I haven’t had any problems
with .ru so .ru isn’t yet banned.
Here is my TLD banlist:
deny
message = 5.7.1 Banned TLD where sending IP is not listed on DNSWL (
https://www.dnswl.org/selfservice/?action=register )
condition = ${if eq {$acl_m4}{dnswl_whitelisted}{no}{yes}}
sender_domains =
^(?i).*\\.(accountant|accountants|asia|auto|berlin|bid|buzz|camera|car|cam|cars|christmas|click|club|college|computer|country|cricket|date|design|download|exposed|email|fail|faith|fit|fun|gdn|global
|guru|help|host|jetzt|kim|icu|life|live|link|loan|london|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|rest|review|rocks|science|security
|shop|site|solutions|space|storage|store|stream|study|surf|tech|technology|theatre|today|top|trade|university|uno|us|viajes|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip|xn--.*)\$
This crap that ICANN started with “custom” TLDs is of more harm than useful. So
much spam TLDs in the registry.
Från: dovecot-boun...@dovecot.org För justina
colmena ~biz
Skickat: den 12 februari 2022 14:06
Till: dovecot@dovecot.org
Ämne: Re: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
The ".top" TLD is popular among Russian spammers, ".ru" is a little too obvious
and honest for what it is, unless that's part of Biden's sanctions, the others
you mention look like vice domains, but looking at GitHub:
* https://github.com/dovecot
There's an "Oy" which is a Finnish "osalliyhdistys" and a ".fi" -- I have not
heard of recent hostility between Finland and Russia, notwithstanding the
Ukraine situation. Your mail client is all configured in Swedish, but Sweden &
Finland are not officially part of NATO, AFAIK, and Sweden has its own currency
whereas Finland did give up the markka in exchange for the Euro some 20-odd
years ago I don't recall.
On February 12, 2022 2:58:03 AM AKST, Sebastian Nielsen mailto:sebast...@sebbe.eu> > wrote:
Thats a TLD ban. Meaning *.ru is banned.
same applies for my domain for example, I ban *.xyz, *.date and a few others.
-Ursprungligt meddelande-
Från: dovecot-boun...@dovecot.org <mailto:dovecot-boun...@dovecot.org>
mailto:dovecot-boun...@dovecot.org> > För Lev
Serebryakov
Skickat: den 12 februari 2022 12:08
Till: dovecot@dovecot.org <mailto:dovecot@dovecot.org>
Ämne: Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 11.02.2022 16:31, Marc wrote:
(sorry for posting to list this, but I don't have any ways to contact Marc
off-list now)
Problem is, I need to unpack each of them to be sure, that these
are false positives and I'm afraid, that it could lower reputation of
my mail server IP address with major providers (like Google Mail).
How can you get a lower reputation? Afaik dmarc is just signing your outgoing
messages.
Marc, my domain already has problems sending mail to you, for example:
mailto:m...@f1-outsourcing.eu> >: host
spam1.roosit.eu[212.26.193.45] said: 553 5.3.0
550We have blocked this toplevel because of spam. Use another toplevel
until the maintainer has resolved these issues (in reply to MAIL FROM
command)
--
// Black Lion AKA Lev Serebryakov
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
The ".top" TLD is popular among Russian spammers, ".ru" is a little too obvious and honest for what it is, unless that's part of Biden's sanctions, the others you mention look like vice domains, but looking at GitHub: * https://github.com/dovecot There's an "Oy" which is a Finnish "osalliyhdistys" and a ".fi" -- I have not heard of recent hostility between Finland and Russia, notwithstanding the Ukraine situation. Your mail client is all configured in Swedish, but Sweden & Finland are not officially part of NATO, AFAIK, and Sweden has its own currency whereas Finland did give up the markka in exchange for the Euro some 20-odd years ago I don't recall. On February 12, 2022 2:58:03 AM AKST, Sebastian Nielsen wrote: >Thats a TLD ban. Meaning *.ru is banned. > >same applies for my domain for example, I ban *.xyz, *.date and a few others. > >-Ursprungligt meddelande- >Från: dovecot-boun...@dovecot.org För Lev >Serebryakov >Skickat: den 12 februari 2022 12:08 >Till: dovecot@dovecot.org >Ämne: Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC > >On 11.02.2022 16:31, Marc wrote: > > (sorry for posting to list this, but I don't have any ways to contact Marc > off-list now) > >>> >>>Problem is, I need to unpack each of them to be sure, that these >>> are false positives and I'm afraid, that it could lower reputation of >>> my mail server IP address with major providers (like Google Mail). >>> >> >> How can you get a lower reputation? Afaik dmarc is just signing your >> outgoing messages. > Marc, my domain already has problems sending mail to you, for example: > >: host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0 > 550We have blocked this toplevel because of spam. Use another toplevel > until the maintainer has resolved these issues (in reply to MAIL FROM > command) > >-- >// Black Lion AKA Lev Serebryakov > -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Sv: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
Thats a TLD ban. Meaning *.ru is banned. same applies for my domain for example, I ban *.xyz, *.date and a few others. -Ursprungligt meddelande- Från: dovecot-boun...@dovecot.org För Lev Serebryakov Skickat: den 12 februari 2022 12:08 Till: dovecot@dovecot.org Ämne: Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC On 11.02.2022 16:31, Marc wrote: (sorry for posting to list this, but I don't have any ways to contact Marc off-list now) >> >>Problem is, I need to unpack each of them to be sure, that these >> are false positives and I'm afraid, that it could lower reputation of >> my mail server IP address with major providers (like Google Mail). >> > > How can you get a lower reputation? Afaik dmarc is just signing your outgoing > messages. Marc, my domain already has problems sending mail to you, for example: : host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0 550We have blocked this toplevel because of spam. Use another toplevel until the maintainer has resolved these issues (in reply to MAIL FROM command) -- // Black Lion AKA Lev Serebryakov
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 11.02.2022 16:31, Marc wrote: (sorry for posting to list this, but I don't have any ways to contact Marc off-list now) Problem is, I need to unpack each of them to be sure, that these are false positives and I'm afraid, that it could lower reputation of my mail server IP address with major providers (like Google Mail). How can you get a lower reputation? Afaik dmarc is just signing your outgoing messages. Marc, my domain already has problems sending mail to you, for example: : host spam1.roosit.eu[212.26.193.45] said: 553 5.3.0 550We have blocked this toplevel because of spam. Use another toplevel until the maintainer has resolved these issues (in reply to MAIL FROM command) -- // Black Lion AKA Lev Serebryakov
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 11.02.2022 16:31, Marc wrote:
Problem is, I need to unpack each of them to be sure, that these are
false positives and I'm afraid, that it could lower reputation of my mail
server IP address with major providers (like Google Mail).
How can you get a lower reputation? Afaik dmarc is just signing your outgoing
messages.
DKIM is signing of headers. DMARC is policy (like "This domain must sign all messages with
DKIM, no exceptions, and has strict SFP") and reporting mechanism for other hosts ("We
get mail from you and this message violates declared policy of your domain").
As I get these reports, it means that messages from "my domain" (really,
forwarded by mailing list software) violate policies set by my domain. It means, my
domain is compromised somehow.
--
// Black Lion AKA Lev Serebryakov
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-02-11 16:27, Marc wrote: wait for spamassassin 4, gmail does not let users change there missing problems with no dnssec domains, how can google be serius there ? google is only to be taken serious with acquiring new clients, if they would take email serious they would eg spend money on filtering their out going spam and use -all in their spf. ARC-Authentication-Results: i=1; talvi.dovecot.org; dkim=none; dmarc=none; spf=pass (talvi.dovecot.org: domain of m...@f1-outsourcing.eu designates 212.26.193.44 as permitted sender) smtp.mailfrom=m...@f1-outsourcing.eu +1
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-02-11 14:31, Marc wrote: How can you get a lower reputation? Afaik dmarc is just signing your outgoing messages. there is no repution in dmarc, it either pass or fail, if all fails, it proves nothing, if all pass it proves just a litte that is not forged content maillist should always be trusted, in the AR header, but not from untrusted AR header domains, dmarc check must not be used from untrusted AR signers, so make maillists ARC domains trusted, noice will then be lover on reports i say still opendkim/openarc/openspf/opendmarc is still unstable, and no one should relly trust it in current state
RE: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
> wait for spamassassin 4, gmail does not let users change there missing > problems with no dnssec domains, how can google be serius there ? google is only to be taken serious with acquiring new clients, if they would take email serious they would eg spend money on filtering their out going spam and use -all in their spf.
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-02-11 12:29, Lev Serebryakov wrote: On 09.02.2022 16:33, Aki Tuomi wrote: I'm participating in ~20 mailing lists and only this one gives a storm of DMARC reports on each my posting. +1 Problem is, I need to unpack each of them to be sure, that these are false positives and I'm afraid, that it could lower reputation of my mail server IP address with major providers (like Google Mail). your problem is that ARC seal, ARC sign, is not used or even trusted at the dmarc reporting host this will make noice and false reporting :/ until this is solved turn off reporting in dmarc policy We did that replacement for a while, but people complained. We have ARC signing there, unfortunately it only works if you trust it. i can make that strong, people should learn on ARC, and use rspamd or wait for spamassassin 4, gmail does not let users change there missing problems with no dnssec domains, how can google be serius there ?
RE: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
> > Problem is, I need to unpack each of them to be sure, that these are > false positives and I'm afraid, that it could lower reputation of my mail > server IP address with major providers (like Google Mail). > How can you get a lower reputation? Afaik dmarc is just signing your outgoing messages.
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 09.02.2022 16:33, Aki Tuomi wrote: I'm participating in ~20 mailing lists and only this one gives a storm of DMARC reports on each my posting. Problem is, I need to unpack each of them to be sure, that these are false positives and I'm afraid, that it could lower reputation of my mail server IP address with major providers (like Google Mail). We did that replacement for a while, but people complained. We have ARC signing there, unfortunately it only works if you trust it. Aki On 04/02/2022 23:10 Sebastian Nielsen wrote: I get it too. These appear because they don't replace either MAIL FROM: or Mime From: with the list address. This causes validations to fail since the mailing list is trying to spoof mail in your name, and of course, anti-spoofing security is going to react. DKIM can be troublesome since mailing lists sometimes change or reencode content so DKIM signature fails. -Ursprungligt meddelande- Från: dovecot-boun...@dovecot.org För Lev Serebryakov Skickat: den 4 februari 2022 21:58 Till: dovecot@dovecot.org Ämne: dovecot mailing list (this mailing list), DKIM, SPF and DMARC My domain (serebrtyajov.spb.ru) has all these "new" e-mail technologies configured. It works fine till I write to this mailing list. After that I've got several DMARC reports about "spam" from my domain. All these reports are about my mailing list post. I don't have such problems with other mailing lists (FreeBSD ones, OpenJDK ones, and others). Looks like mailing list software for this mailing list is misconfigured. I'm sure, I'll get new after this message. -- // Black Lion AKA Lev Serebryakov -- // Black Lion AKA Lev Serebryakov
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-02-10, dove...@ptld.com wrote: > It is possible for a mailing list to pass DMARC verification, but > there doesn't seem to be a lot of motivation to put in the extra effort > to make it work. It is possible, but it breaks how many people expect mailing lists to work.
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
> when dkim pass there is no breakage, but dkim fail can lead to in some setups > to make reject, even for maillists > that is a design fail on dkim I disagree. DKIM is doing its job. It is a design fail on the part of most mailing list and/or lack of user's DKIM signatures. Look at it logically, DKIM is reporting that the email has been manipulated and isn't being delivered by the authorized server. Isn't that what you want out of DKIM? Detecting forged, phishing and spam email? If you want to get emails that have been captured by a man in the middle, manipulated, then sent to you from a hackers server then why bother setting up DKIM at all? To us humans, we don't conceptually view a mailing list as doing that, but on the technical level that is what is happening when DMARC breaks. It is possible for a mailing list to pass DMARC verification, but there doesn't seem to be a lot of motivation to put in the extra effort to make it work. Regarding ARC; I don't get it, i don't see it as useful. The only thing ARC does is tell you that the server sending you email promises the email is legit. How does that prevent spam/phishing when the attack server can ARC something saying trust me its legit? And the big 3 using ARC, so what, what does it even mean? Gmail is telling you yep they got that email from someone else and are relaying it to you. What does that solve? Spammers send through gmail accounts and use private domains relayed through gmail servers for delivery. Great, ARC confirms it really was someone who sent that spam through gmail and gmail really did deliver it. How is that useful in fighting spam? If im way off on that, feel free to set me straight.
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-02-09 17:25, Julien Salort wrote: Le 09/02/2022 à 16:55, Benny Pedersen a écrit : hope maillist users turn there dkim signers into sign only, not verify aswell, verify must only happen in dmarc I am a little bit confused. - why not verify dkim ? It seems fine for your message. I get: when dkim pass there is no breakage, but dkim fail can lead to in some setups to make reject, even for maillists :/ that is a design fail on dkim hence why i say sign only in dkim Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=94.237.105.223; helo=talvi.dovecot.org; envelope-from=dovecot-boun...@dovecot.org; receiver= Authentication-Results: OpenDMARC; dmarc=pass (p=none dis=none) header.from=junc.eu Authentication-Results: vps2.salort.eu; dkim=pass (2048-bit key; secure) header.d=junc.eu header.i=@junc.eu header.a=rsa-sha256 header.s=default header.b=CC9G/2tV; dkim-atps=neutral perfectly good no problem - Is it useful to install something besides OpenDMARC (OpenARC ?), or some dedicated OpenDMARC configurations, for the ARC-Seal to be useful ? we are all waiting for spamassassin 4, and maybe ietf stable rfc on openspf, opendkim, openarc, opendmarc, currently none of it is production stable I suppose SPF works because the Envelope is correctly set to dovecot.org address, so I don't understand the problem the OP was mentionning. postfix maillist have no spf helo pass, no spf pass, i think its to force pass only on dkim in dmarc :=) i dont control dovecot.org spf, so if it recieved in arc test pass i am happy, note arc miss spf helo fail/pass its not production stable
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
Le 09/02/2022 à 16:55, Benny Pedersen a écrit : hope maillist users turn there dkim signers into sign only, not verify aswell, verify must only happen in dmarc I am a little bit confused. - why not verify dkim ? It seems fine for your message. I get: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=94.237.105.223; helo=talvi.dovecot.org; envelope-from=dovecot-boun...@dovecot.org; receiver= Authentication-Results: OpenDMARC; dmarc=pass (p=none dis=none) header.from=junc.eu Authentication-Results: vps2.salort.eu; dkim=pass (2048-bit key; secure) header.d=junc.eu header.i=@junc.eu header.a=rsa-sha256 header.s=default header.b=CC9G/2tV; dkim-atps=neutral - Is it useful to install something besides OpenDMARC (OpenARC ?), or some dedicated OpenDMARC configurations, for the ARC-Seal to be useful ? I suppose SPF works because the Envelope is correctly set to dovecot.org address, so I don't understand the problem the OP was mentionning. Cheers, Julien
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
Google, Yahoo and Microsoft, the big providers all use ARC, and have used it for years. But Wikipedia doesn't have much nice to say about it. --> allows a receiving service to validate an email when the email's SPF and DKIM records are rendered invalid by an intermediate server's processing. ARC is defined in RFC 8617, published in July 2019, as "Experimental". It sounds like a Microsoft/Google/corporate standard, not IETF. I do seem to have trouble communicating with insurance companies' email systems in particular when I'm not using ARC on my email system, but outside the insurance industry -- and I'm making an educated guess that they are the main sticklers -- it doesn't seem to be a problem if SPF, DKIM, and DMARC are all working. On February 9, 2022 6:16:19 AM AKST, Benny Pedersen wrote: >On 2022-02-09 14:33, Aki Tuomi wrote: >> We did that replacement for a while, but people complained. We have >> ARC signing there, unfortunately it only works if you trust it. > >ARC-Authentication-Results: i=1; talvi.dovecot.org; > dkim=pass header.d=open-xchange.com header.s=201705 header.b=kWkbHwXq; > dmarc=pass (policy=reject) header.from=open-xchange.com; > spf=pass (talvi.dovecot.org: domain of aki.tu...@open-xchange.com >designates > 87.191.57.183 as permitted sender) >smtp.mailfrom=aki.tu...@open-xchange.com > >X-Spam-Status: No, score=-6.4 required=5.0 >tests=AWL,DKIM_INVALID,DKIM_SIGNED, > HEADER_FROM_DIFFERENT_DOMAINS,KAM_DMARC_STATUS,LOCAL_HASHWL_ALL, > MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_HOSTKARMA_W, > RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS, > T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no > >seems it breaks :/ -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-02-09 16:16, Benny Pedersen wrote: On 2022-02-09 14:33, Aki Tuomi wrote: We did that replacement for a while, but people complained. We have ARC signing there, unfortunately it only works if you trust it. ARC-Authentication-Results: i=1; talvi.dovecot.org; dkim=pass header.d=open-xchange.com header.s=201705 header.b=kWkbHwXq; dmarc=pass (policy=reject) header.from=open-xchange.com; spf=pass (talvi.dovecot.org: domain of aki.tu...@open-xchange.com designates 87.191.57.183 as permitted sender) smtp.mailfrom=aki.tu...@open-xchange.com X-Spam-Status: No, score=-6.4 required=5.0 tests=AWL,DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,KAM_DMARC_STATUS,LOCAL_HASHWL_ALL, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_HOSTKARMA_W, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no seems it breaks :/ my own in return X-Spam-Status: No, score=-6.2 required=5.0 tests=AWL,DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,LOCAL_HASHWL_ALL, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_HOSTKARMA_W, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no so it seems fuglu works hope maillist users turn there dkim signers into sign only, not verify aswell, verify must only happen in dmarc
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-02-09 14:33, Aki Tuomi wrote: We did that replacement for a while, but people complained. We have ARC signing there, unfortunately it only works if you trust it. ARC-Authentication-Results: i=1; talvi.dovecot.org; dkim=pass header.d=open-xchange.com header.s=201705 header.b=kWkbHwXq; dmarc=pass (policy=reject) header.from=open-xchange.com; spf=pass (talvi.dovecot.org: domain of aki.tu...@open-xchange.com designates 87.191.57.183 as permitted sender) smtp.mailfrom=aki.tu...@open-xchange.com X-Spam-Status: No, score=-6.4 required=5.0 tests=AWL,DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,KAM_DMARC_STATUS,LOCAL_HASHWL_ALL, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_HOSTKARMA_W, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no seems it breaks :/
Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On February 4, 2022 11:56:53 AM AKST, Lev Serebryakov wrote: > After that I've got several DMARC reports about "spam" from my domain. All > these reports are about my mailing list post. > Interesting. That's exactly how DMARC is supposed to work with reporting enabled. So you've got that set up correctly at any rate! -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
We did that replacement for a while, but people complained. We have ARC signing there, unfortunately it only works if you trust it. Aki > On 04/02/2022 23:10 Sebastian Nielsen wrote: > > > I get it too. These appear because they don't replace either MAIL FROM: or > Mime From: with the list address. This causes validations to fail since the > mailing list is trying to spoof mail in your name, and of course, > anti-spoofing security is going to react. DKIM can be troublesome since > mailing lists sometimes change or reencode content so DKIM signature fails. > > -Ursprungligt meddelande- > Från: dovecot-boun...@dovecot.org För Lev > Serebryakov > Skickat: den 4 februari 2022 21:58 > Till: dovecot@dovecot.org > Ämne: dovecot mailing list (this mailing list), DKIM, SPF and DMARC > > > My domain (serebrtyajov.spb.ru) has all these "new" e-mail technologies > configured. It works fine till I write to this mailing list. > > After that I've got several DMARC reports about "spam" from my domain. All > these reports are about my mailing list post. > > I don't have such problems with other mailing lists (FreeBSD ones, OpenJDK > ones, and others). > > Looks like mailing list software for this mailing list is misconfigured. > > I'm sure, I'll get new after this message. > > -- > // Black Lion AKA Lev Serebryakov
Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
I get it too. These appear because they don't replace either MAIL FROM: or Mime From: with the list address. This causes validations to fail since the mailing list is trying to spoof mail in your name, and of course, anti-spoofing security is going to react. DKIM can be troublesome since mailing lists sometimes change or reencode content so DKIM signature fails. -Ursprungligt meddelande- Från: dovecot-boun...@dovecot.org För Lev Serebryakov Skickat: den 4 februari 2022 21:58 Till: dovecot@dovecot.org Ämne: dovecot mailing list (this mailing list), DKIM, SPF and DMARC My domain (serebrtyajov.spb.ru) has all these "new" e-mail technologies configured. It works fine till I write to this mailing list. After that I've got several DMARC reports about "spam" from my domain. All these reports are about my mailing list post. I don't have such problems with other mailing lists (FreeBSD ones, OpenJDK ones, and others). Looks like mailing list software for this mailing list is misconfigured. I'm sure, I'll get new after this message. -- // Black Lion AKA Lev Serebryakov
dovecot mailing list (this mailing list), DKIM, SPF and DMARC
My domain (serebrtyajov.spb.ru) has all these "new" e-mail technologies configured. It works fine till I write to this mailing list. After that I've got several DMARC reports about "spam" from my domain. All these reports are about my mailing list post. I don't have such problems with other mailing lists (FreeBSD ones, OpenJDK ones, and others). Looks like mailing list software for this mailing list is misconfigured. I'm sure, I'll get new after this message. -- // Black Lion AKA Lev Serebryakov
