Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-07 Thread Bjørn Mork
"LeJacq, Jean Pierre"  writes:

> There are standard best practices for forwarding support in SPF.
>
> http://www.open-spf.org/Best_Practices/Forwarding/

Well, if it only was that simple.

There is NO working SRS software/example config for sendmail in Debian
or anywhere else AFAICS.

The only thing we have is the python3-srs packages, which are still full
of python2 specific code. None of the included tools even run on
bullseye.  For example:

bjorn@canardo:~$ /usr/bin/srs2envtol
Traceback (most recent call last):
  File "/usr/bin/srs2envtol", line 14, in <module>
    from ConfigParser import ConfigParser, DuplicateSectionError
ModuleNotFoundError: No module named 'ConfigParser'
bjorn@canardo:~$ dpkg -S /usr/bin/srs2envtol
pysrs-bin: /usr/bin/srs2envtol
bjorn@canardo:~$ apt-cache policy pysrs-bin
pysrs-bin:
  Installed: 1.0.3-2
  Candidate: 1.0.3-2
  Version table:
 *** 1.0.3-2 700
        700 http://deb.debian.org/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status

(yes, I could fix that and the remaining issues - but that's not the
point)

IMHO, modifying postsrsd looks like a much better alternative if I were
to write something. Should be pretty easy to make it optionally use the
sendmail socketmap protocol instead of the postfix tcp_table protocol.
Or alternatively just write a simple proxy protocol translator.  Then it
could be plugged right into the example sendmail config from pysrs.

But as has been the result each time I've considered SRS:  I got bored
with it long before I got it running.  Why do I care whether google can
send a bounce back?  So I've just added owner-aliases for all my
forwarded accounts (only a handful), pointing to a /dev/null address.

That does it for me.  SRS and SPF can continue to burn in the hell where
it was invented.


Stay tuned for the next episode of Mail Server Frustrations, where we'll
look at Exim and mixed TLS (port 465) and STARTTLS (port 587) submission.



Bjørn
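
The protocol translation suggested above, as an added example that is not part of the original message and not code from postsrsd or pysrs: a sendmail socketmap request (a netstring carrying "<mapname> <key>") becomes a Postfix tcp_table "get" line, and the reply is mapped back. The map name srs_forward, the fake_postsrsd stand-in and its placeholder HHHH/TT fields are assumptions for illustration.

```python
import re
import string
from urllib.parse import quote, unquote_to_bytes

# tcp_table wants %XX for '%', whitespace and non-printing bytes; other
# printable punctuation (such as '@' and '=') is left readable.
SAFE = string.punctuation.replace("%", "")
MAX_REQUEST = 1024  # assumed cap on one request, far above any SMTP address


def netstring(payload: bytes) -> bytes:
    """Frame a payload as <length>:<payload>,"""
    return b"%d:%s," % (len(payload), payload)


def read_netstring(buf: bytes):
    """Split one netstring off the front of buf and return (payload, rest)."""
    m = re.match(rb"(0|[1-9][0-9]{0,3}):", buf)
    if not m or int(m.group(1)) > MAX_REQUEST:
        raise ValueError("bad or oversized netstring length")
    start, end = m.end(), m.end() + int(m.group(1))
    if buf[end:end + 1] != b",":
        raise ValueError("truncated or unterminated netstring")
    return buf[start:end], buf[end + 1:]


def socketmap_to_tcp(request: bytes) -> bytes:
    """Socketmap payload '<mapname> <key>' -> tcp_table line 'get <key>'."""
    _, sep, key = request.partition(b" ")
    if not sep or not key:
        raise ValueError("socketmap request needs '<mapname> <key>'")
    # Encoding CR/LF and spaces keeps a crafted address from smuggling a
    # second command into the line-based tcp_table stream.
    return b"get " + quote(key, safe=SAFE).encode("ascii") + b"\n"


def tcp_to_socketmap(line: bytes) -> bytes:
    """tcp_table reply '<code> <text>' -> socketmap reply netstring."""
    code, _, text = line.rstrip(b"\r\n").partition(b" ")
    text = unquote_to_bytes(text)
    if code == b"200":
        return netstring(b"OK " + text)
    if code == b"500":
        return netstring(b"NOTFOUND ")
    if code == b"400":
        return netstring(b"TEMP " + text)
    return netstring(b"PERM unexpected tcp_table reply")


def translate(buf: bytes, upstream) -> bytes:
    """Answer every socketmap request in buf via upstream(line) -> reply line."""
    out = b""
    while buf:
        request, buf = read_netstring(buf)  # framing errors abort the session
        try:
            out += tcp_to_socketmap(upstream(socketmap_to_tcp(request)))
        except ValueError as exc:
            out += netstring(b"PERM " + str(exc).encode())
    return out


def fake_postsrsd(line: bytes) -> bytes:
    """Constructed stand-in for an SRS daemon; HHHH and TT are placeholders
    for the hash and timestamp fields of a rewritten address."""
    key = unquote_to_bytes(line[4:].rstrip(b"\n"))
    local, _, domain = key.rpartition(b"@")
    if domain == b"forwarder.example":      # local domain: nothing to rewrite
        return b"500 not%20rewritten\n"
    return b"200 SRS0=HHHH=TT=" + domain + b"=" + local + b"@forwarder.example\n"
```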



Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-05 Thread Craig Small
On Fri, 4 Mar 2022 at 23:34, Ansgar  wrote:

> On Fri, 2022-03-04 at 13:27 +0100, Stephan Lachnit wrote:
> > On Fri, Mar 4, 2022 at 12:47 PM Baptiste Beauplat 
> > wrote:
> > > As a reminder debian.org addresses does support DKIM. After
> > > configuration on your mail server, you can publish your DKIM public
> > > key
> > > to db.debian.org [1][2].
> >
> > Can you point to some quick guide on how to do this for gmail? The
> > support page seems kinda confusing to me.
>
> This usually requires you running your own mail server (for outgoing
> mail).
>
> I don't think mail providers like GMail allow you to set up DKIM for
> individual IP addresses.

This is basically how I do it. My setup is I have G-Suite or whatever its
name is this week and a separate outbound server. I'm not sure what the "to
do this for gmail" means here, so there are three parts to this:
* What Gmail does with DKIM
* How I send emails from @debian.org using mutt etc
* How I send emails from @debian.org using Gmail

First, Gmail likes DKIM signed mails; some of these bounces are caused by
DKIM problems. DKIM is basically a signature to say the sender's server is
allowed to send those emails. You have to set it up (sign) on the outbound
servers and check it on the inbound servers.

For any of my servers/laptops I send outbound email to my own outbound
server. This server signs emails using opendkim with the dropbear.xyz key
or the debian key depending on the from address. It's no good sending email
from j...@cow.com with a key good for j...@sheep.net

Last of all, to send emails within Gmail using csm...@debian.org as my from
address, you go into Settings->Accounts->Send mail as. The outbound
mailserver is my server (that signs my debian emails).  Of course my
outbound server requires a username and password to send emails so that is
recorded in the settings too (and is unique for each sending system/server).

The result is this goodness I can see with an email from my laptop into
Gsuite using my debian email address:
Authentication-Results: mx.google.com;
   dkim=pass header.i=@debian.org header.s=debian1.csmall.user
   header.b=uVHcNrjO;

header.i is identity, e.g. what domain are you trying to prove you can use.
header.s is selector, which is what method/key am I using to prove this.
header.b is the hash/signature.

I'm a network engineer, not a mail server admin so this might not be 100%,
but it does give me the happy mailserver headers I want.

 - Craig
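
Reading that header programmatically, as an added example that is not part of the original message: the parser below splits an Authentication-Results value into its method results and properties, then reports which passing DKIM signatures match the From domain. The exact-match alignment rule, the trusted_authserv_id parameter and the MISMATCH sample are assumptions made for this example; header.b carries only the leading characters of the signature's b= value, which is why it is short.

```python
import re

# Header value quoted in the message above, with its folding kept.
CRAIG = ("mx.google.com;\r\n"
         "   dkim=pass header.i=@debian.org header.s=debian1.csmall.user\r\n"
         "   header.b=uVHcNrjO;")

# Constructed sample: a valid signature, but for a different domain.
MISMATCH = ("mx.google.com; dkim=pass (constructed sample) "
            "header.i=@sheep.example header.s=sel1 header.b=AAAAAAAA")


def parse_authres(value: str):
    """Return (authserv_id, [{'method', 'result', 'props'}, ...])."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"\([^()]*\)", " ", value)    # drop (comments), non-nested
    fields = [f.strip() for f in value.split(";")]
    authserv_id = fields[0].split()[0].lower() if fields[0] else ""
    results = []
    for field in fields[1:]:
        tokens = field.split()
        if not tokens or "=" not in tokens[0]:
            continue                               # empty field or bare "none"
        method, _, result = tokens[0].partition("=")
        props = {}
        for token in tokens[1:]:
            key, sep, val = token.partition("=")
            if sep:
                props[key.lower()] = val
        results.append({"method": method.lower(),
                        "result": result.lower(),
                        "props": props})
    return authserv_id, results


def aligned_dkim_selectors(value, from_domain, trusted_authserv_id):
    """Selectors of passing DKIM signatures whose domain equals from_domain.

    Results are used only when the header was written by our own border MTA
    (trusted_authserv_id); anyone can put this header into a message.
    """
    authserv_id, results = parse_authres(value)
    if authserv_id != trusted_authserv_id.lower():
        return []
    selectors = []
    for res in results:
        if res["method"] != "dkim" or res["result"] != "pass":
            continue
        props = res["props"]
        signer = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
        if signer.lower() == from_domain.lower():
            selectors.append(props.get("header.s", ""))
    return selectors
```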


Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-05 Thread Steve McIntyre
Baptiste Beauplat wrote:

>We recently discovered that Gmail started to bounce email from
>mentors.debian.net with the following message:
>
>550-5.7.26 This message does not have authentication information or
>fails to 550-5.7.26 pass authentication
> checks. To best protect our users from spam, the 550-5.7.26 message has
>been blocked. Please visit 550-5.7.26
>https://support.google.com/mail/answer/81126#authentication for more 5
>50 5.7.26 information.

Yup. I've seen this too. Thanks for starting the thread here, which
has prompted useful clues on how to deal with this.

It's maddening to see Google continue to f*ck up mail requirements for
everybody else. Of course, they continue to be (one of?) the biggest
sources of spam on the net and show no interest in doing anything
about it. "Don't be evil" indeed... :-(

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"We're the technical experts.  We were hired so that management could
 ignore our recommendations and tell us how to do our jobs."  -- Mike Andrews



Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-05 Thread Baptiste BEAUPLAT

On 3/4/22 18:29, Marco d'Itri wrote:
> On Mar 04, Baptiste Beauplat wrote:
>
>> Looking at your email headers, I would guess that gmail is already doing it.
>>
>> X-Google-DKIM-Signature: v=1; a=rsa-sha256...
>>
>> There is somewhat some irony in Gmail blocking email without a DKIM
>> signature while they are using a non-standard header that other
>> provider/tools might miss. Just a thought.
>
> No irony, you are just missing the point.
> gmail uses this X header for internal purposes, and there is no DKIM
> signature because the message has a @debian.org 822.from address hence
> gmail obviously lacks a valid key for it.

Thanks for pointing this out Marco. I did check a mail coming from 
@gmail.com and indeed the correct header was used.


Stephan, sorry then. I don't use gmail and I won't be able to point you 
to the correct how-to :/

--
Baptiste BEAUPLAT - lyknode



Setting DKIM locally (Was: Re: Gmail bounce unauthenticated @debian.org addresses)

2022-03-04 Thread Nilesh Patra
On Fri, 2022-03-04 at 13:27 +0100, Stephan Lachnit wrote:
>> Can you point to some quick guide on how to do this for gmail? The
>> support page seems kinda confusing to me.

> This usually requires you running your own mail server (for outgoing
> mail).
> I don't think mail providers like GMail allow you to set up DKIM for
> individual IP addresses.

I wonder if this is a good opportunity to share what I am doing for this.
I do not use gmail anymore, stopped using months back but that does not matter.

Also, do not have the b/w to setup own mailserver, so what I do is that I sign
my mails "locally" as MUAs can also support DKIM signing, and I send that via
SMTP.

I use mutt primarily, and months back I found this smart trick to do so, see
this link[1] -- created dkim keys locally, modified that script a little and
the .msmtprc and .muttrc a little, and voila!

Saw something similar for emacs as well[2]
I actually found very helpful advice in the 'comments' section (by Ucko) of
Anarcat's blog[3] that helped.

Happy to share more details if someone needs.

[1]: https://bbs.archlinux.org/viewtopic.php?id=210976
[2]: https://github.com/BramvdKroef/dotemacs/blob/master/dkim.el
[3]: https://anarc.at/blog/2020-04-14-opendkim-debian/

Regards,
Nilesh




Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread LeJacq, Jean Pierre
On Friday, March 4, 2022 12:37:38 PM EST Ansgar wrote:
> On Fri, 2022-03-04 at 10:21 -0500, LeJacq, Jean Pierre wrote:
> > There are standard best practices for forwarding support in SPF.
> > 
> > http://www.open-spf.org/Best_Practices/Forwarding/
> 
> Having each individual user have to configure forwarders (i.e., per-
> user whitelists), including services like mailing lists, our bug
> tracker and so on, seems impractical. I also doubt many mail providers
> allow user to do so.

I agree. What does make sense is any forwards that the Debian infrastructure
uses.

> And SRS also relies on whitelists again (otherwise it just allows
> bypassing any SPF policy).

Again agree, so it's a scaling issue. Again, it makes sense to do for the 
Debian infrastructure, not necessarily every user.

-- 
JP





Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread Ansgar
On Fri, 2022-03-04 at 10:21 -0500, LeJacq, Jean Pierre wrote:
> There are standard best practices for forwarding support in SPF.
> 
> http://www.open-spf.org/Best_Practices/Forwarding/

Having each individual user have to configure forwarders (i.e., per-
user whitelists), including services like mailing lists, our bug
tracker and so on, seems impractical. I also doubt many mail providers
allow user to do so.

And SRS also relies on whitelists again (otherwise it just allows
bypassing any SPF policy).

Ansgar



Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread Marco d'Itri
On Mar 04, Baptiste Beauplat  wrote:

> Looking at your email headers, I would guess that gmail is already doing it.
> 
> X-Google-DKIM-Signature: v=1; a=rsa-sha256...
> 
> There is somewhat some irony in Gmail blocking email without a DKIM
> signature while they are using a non-standard header that other
> provider/tools might miss. Just a thought.
No irony, you are just missing the point.
gmail uses this X header for internal purposes, and there is no DKIM 
signature because the message has a @debian.org 822.from address hence 
gmail obviously lacks a valid key for it.

-- 
ciao,
Marco




Re: DKIM and Exim (was Re: Gmail bounce unauthenticated @debian.org addresses)

2022-03-04 Thread Colin Watson
On Fri, Mar 04, 2022 at 03:59:09PM +0100, Guillem Jover wrote:
> On Fri, 2022-03-04 at 14:36:01 +, Colin Watson wrote:
> > I reproduced a similar problem, then set up DKIM for myself and
> > everything then worked, so I think you're correct.
> > 
> > The links in the original d-d-a email were mostly stale, but I found
> > https://bynicolas.com/server/exim-multi-domain-dkim-custom-selector/
> > helpful in getting this going with my local Exim setup.
> 
> You might want to also fix the DKIM_SIGN_HEADERS macro in the Exim
> config, as its default is currently broken (see #939808). The patch
> attached there is not helpful for local usage, so you might want
> something like what I've got in my config:
[...]

Useful to know - thanks!

-- 
Colin Watson (he/him)  [cjwat...@debian.org]



Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread LeJacq, Jean Pierre
On Friday, March 4, 2022 10:14:09 AM EST Ansgar wrote:
> On Fri, 2022-03-04 at 15:45 +0100, Baptiste Beauplat wrote:
> > However for SPF, if I'm not mistaken, this is not possible for
> > @debian.org addresses since Debian does not offers an MSA and
> > therefor not a single (or enumerable list of) exit point.
> 
> Using SPF would be possible. Gentoo does that:
> 
>   gentoo.org. IN TXT "v=spf1 [...] include:%{l}.%{o}.spf.gentoo.org ?all"
> 
> and their users can then add SPF entries for individual localparts.
> 
> But either way is quite complicated for "just" using a mail address for
> outgoing mail.
> 
> Also some infrastructure in Debian will break DKIM signatures. For
> example, bugs.debian.org (always) and lists.debian.org (sometimes, for
> example when List-* header fields are part of the DKIM signature). So
> one can't rely on valid SPF/DKIM anyway and, as far as I understand,
> rely on debian.org infrastructure being on providers' whitelists
> instead (as it "impersonates" other domains in mail sender addresses).

There are standard best practices for forwarding support in SPF.

http://www.open-spf.org/Best_Practices/Forwarding/

-- 
JP





Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread LeJacq, Jean Pierre
On Friday, March 4, 2022 9:45:21 AM EST Baptiste Beauplat wrote:
> On 3/4/22 15:41, LeJacq, Jean Pierre wrote:
> > Google uses a number of criteria when blocking. A missing DKIM is just
> > one.
> > See the referenced document:
> > 
> > https://support.google.com/mail/answer/81126
> > 
> > One of the problems here is that mentors.debian.net does not have the
> > standard email security DNS records  - SPF, DKIM, DMARC, MTA-TLS, DANE.
> > This doesn't automatically cause Google to classify as spam but we really
> > should have these in place to protect email.
> > 
> > As an example, we may be spoofing mentors.debian.net with wv-debian-
> > mentors1.wavecloud.de (not 100% clear with the headers provided). SPF
> > could
> > handle this.
> 
> Indeed we are looking into it for mentors.
> 
> However for SPF, if I'm not mistaken, this is not possible for
> @debian.org addresses since Debian does not offers an MSA and therefor
> not a single (or enumerable list of) exit point.

SPF can handle delegation like this without too much trouble.

-- 
JP





Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread Ansgar
On Fri, 2022-03-04 at 15:45 +0100, Baptiste Beauplat wrote:
> However for SPF, if I'm not mistaken, this is not possible for
> @debian.org addresses since Debian does not offers an MSA and
> therefor not a single (or enumerable list of) exit point.

Using SPF would be possible. Gentoo does that:

  gentoo.org. IN TXT "v=spf1 [...] include:%{l}.%{o}.spf.gentoo.org ?all"

and their users can then add SPF entries for individual localparts.

But either way is quite complicated for "just" using a mail address for
outgoing mail.

Also some infrastructure in Debian will break DKIM signatures. For
example, bugs.debian.org (always) and lists.debian.org (sometimes, for
example when List-* header fields are part of the DKIM signature). So
one can't rely on valid SPF/DKIM anyway and, as far as I understand,
rely on debian.org infrastructure being on providers' whitelists
instead (as it "impersonates" other domains in mail sender addresses).

Ansgar
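
How a receiver turns that include: term into a DNS name, as an added example that is not part of the original message: a macro expander following RFC 7208 section 7 for the letters s, l, o, d, i, v and h, including the transformers and the 253-character truncation. The sender addresses, IP and HELO name used with it are constructed; unqueryable_labels is a hypothetical helper showing that the local part, which the sender chooses, can produce labels DNS cannot carry.

```python
import ipaddress
import re
from urllib.parse import quote

MACRO = re.compile(r"%(?:([%_-])|\{([A-Za-z])(\d*)([rR]?)([.\-+,/_=]*)\})")


def expand_spf_macros(spec, sender, ip, helo, domain=None):
    """Expand an SPF domain-spec for one SMTP transaction."""
    local, _, sender_domain = sender.rpartition("@")
    local = local or "postmaster"            # RFC 7208: empty local-part
    addr = ipaddress.ip_address(ip)
    values = {
        "s": local + "@" + sender_domain,
        "l": local,
        "o": sender_domain,
        "d": domain or sender_domain,        # changes under include/redirect
        "h": helo,
        "v": "in-addr" if addr.version == 4 else "ip6",
        "i": str(addr) if addr.version == 4
             else ".".join(addr.exploded.replace(":", "")),
    }

    def substitute(m):
        if m.group(1):                       # %%, %_ and %- literals
            return {"%": "%", "_": " ", "-": "%20"}[m.group(1)]
        letter, digits, reverse, delims = m.group(2, 3, 4, 5)
        if letter.lower() not in values:
            raise ValueError("unsupported macro letter: " + letter)
        parts = re.split("[" + re.escape(delims or ".") + "]",
                         values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("digit transformer must be at least 1")
            parts = parts[-int(digits):]     # keep the right-hand parts
        text = ".".join(parts)
        return quote(text, safe="") if letter.isupper() else text

    if "%" in MACRO.sub("", spec):
        raise ValueError("stray '%' in domain-spec")
    name = MACRO.sub(substitute, spec)
    while len(name) > 253 and "." in name:   # drop leftmost labels to fit
        name = name.split(".", 1)[1]
    return name


def unqueryable_labels(name):
    """Labels that are empty or longer than the 63-octet DNS limit."""
    return [label for label in name.split(".") if not 1 <= len(label) <= 63]
```

A dotted local part expands to several labels, so a per-user zone has to account for names such as first.last.gentoo.org.spf.gentoo.org as well.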




DKIM and Exim (was Re: Gmail bounce unauthenticated @debian.org addresses)

2022-03-04 Thread Guillem Jover
Hi!

On Fri, 2022-03-04 at 14:36:01 +, Colin Watson wrote:
> I reproduced a similar problem, then set up DKIM for myself and
> everything then worked, so I think you're correct.
> 
> The links in the original d-d-a email were mostly stale, but I found
> https://bynicolas.com/server/exim-multi-domain-dkim-custom-selector/
> helpful in getting this going with my local Exim setup.

You might want to also fix the DKIM_SIGN_HEADERS macro in the Exim
config, as its default is currently broken (see #939808). The patch
attached there is not helpful for local usage, so you might want
something like what I've got in my config:

,--- exim4.conf ---
[…]

# The default headers to sign is broken, and includes things that should
# not be signed by default if they are missing, or they will break mailing
# lists.
DKIM_SIGN_HEADERS = \
  From:From:Reply-To:Subject:Subject:Date:Message-ID:To:Cc:MIME-Version:\
  Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:\
  In-Reply-To:References:X-Debbugs-Cc:\
  =Sender:\
  =Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:\
  =Resent-Message-ID:\
  =List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:\
  =List-Owner:=List-Archive

[…]
`---

Thanks,
Guillem
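
What the "=" prefixes in this macro change, as an added example that is neither Guillem's code nor Exim's: it models the prefix rules documented for Exim's dkim_sign_headers option, where an unprefixed name is signed whether or not the header exists, "=" signs only the instances present, and "+" signs the instances present plus one absent slot. The header set PRESENT and the comparison list NAIVE are constructed.

```python
from collections import Counter

# DKIM_SIGN_HEADERS value from the message above, continuation lines joined.
GUILLEM = (
    "From:From:Reply-To:Subject:Subject:Date:Message-ID:To:Cc:MIME-Version:"
    "Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:"
    "In-Reply-To:References:X-Debbugs-Cc:"
    "=Sender:"
    "=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:"
    "=Resent-Message-ID:"
    "=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:"
    "=List-Owner:=List-Archive"
)

# Constructed comparison: list headers named without a prefix.
NAIVE = "From:Subject:Date:Sender:List-Id"

# Constructed header set of a message at signing time.
PRESENT = ["From", "To", "Subject", "Date", "Message-ID",
           "MIME-Version", "Content-Type"]


def h_tag(spec, present):
    """Header names that end up in the signature's h= tag, in spec order."""
    have = Counter(name.lower() for name in present)
    out = []
    for item in (part.strip() for part in spec.split(":")):
        if not item:
            continue
        prefix = item[0] if item[0] in "=+" else ""
        name = item[len(prefix):].lower()
        if prefix:
            out += [name] * have[name]        # every instance that exists
            if prefix == "+":
                out.append(name)              # plus one slot for "absent"
        else:
            out.append(name)                  # signed even when absent
    return out


def locked_headers(spec, present):
    """Names listed more often than they occur: the signature covers their
    absence, so adding such a header later invalidates it (RFC 6376)."""
    have = Counter(name.lower() for name in present)
    want = Counter(h_tag(spec, present))
    return sorted(name for name in want if want[name] > have[name])


def survives_added(spec, present, added):
    """True if a relay can add the given headers without breaking the
    signature. Changes to signed headers or to the body are not modelled."""
    locked = set(locked_headers(spec, present))
    return not any(name.lower() in locked for name in added)
```

With the value from the message, a list adding List-Id, List-Post or Sender leaves the signature intact, while From and Subject stay protected against a second copy being added.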



Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread Baptiste Beauplat
On 3/4/22 15:41, LeJacq, Jean Pierre wrote:
> Google uses a number of criteria when blocking. A missing DKIM is just one. 
> See the referenced document:
> 
> https://support.google.com/mail/answer/81126
> 
> One of the problems here is that mentors.debian.net does not have the 
> standard 
> email security DNS records  - SPF, DKIM, DMARC, MTA-TLS, DANE. This doesn't 
> automatically cause Google to classify as spam but we really should have 
> these 
> in place to protect email.
> 
> As an example, we may be spoofing mentors.debian.net with wv-debian-
> mentors1.wavecloud.de (not 100% clear with the headers provided). SPF could 
> handle this.

Indeed we are looking into it for mentors.

However for SPF, if I'm not mistaken, this is not possible for
@debian.org addresses since Debian does not offer an MSA and therefore
not a single (or enumerable list of) exit point.

-- 
Baptiste Beauplat - lyknode



Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread Bastian Blank
Hi

On Fri, Mar 04, 2022 at 03:15:59PM +0100, Baptiste Beauplat wrote:
> Am I mistaken in thinking that's only a case of simply rejecting
> unsigned DKIM email?

This might be, but…

> Return-Path: 
> Received: from mentors.debian.net (localhost [127.0.0.1])
>   by wv-debian-mentors1.wavecloud.de (Postfix) with ESMTP id 55D16823EC
>   for <**@gmail.com>; Fri,  4 Mar 2022 03:14:03 + (UTC)
> Content-Type: text/plain; charset="utf-8"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Subject: Next step: Confirm your email address
> From: mentors.debian.net 
> To: **@gmail.com
> Date: Fri, 04 Mar 2022 03:14:03 -
> Message-ID: <164636364329.4074035.11224505717463252...@mentors.debian.net>

I don't see anything about debian.org in those headers?  Do you?

- mentors.debian.net is not debian.org.
- gmail.com clearly isn't.

Bastian

-- 
"That unit is a woman."
"A mass of conflicting impulses."
-- Spock and Nomad, "The Changeling", stardate 3541.9



Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread LeJacq, Jean Pierre
On Friday, March 4, 2022 9:15:59 AM EST Baptiste Beauplat wrote:
> > 
> >> mentors.debian.net with the following message:
> > Can you please share the complete headers of the bounced message?  Aka
> > the thing in the message/rfc822 part of the DSN message.  Right now we
> > don't know what they see from your explanation.
> 
> I'm attached the bounce.
> 
> Am I mistaken in thinking that's only a case of simply rejecting
> unsigned DKIM email?

I've just gone through the process of securing email with Google so I might be 
able to help a bit.

Google uses a number of criteria when blocking. A missing DKIM is just one. 
See the referenced document:

https://support.google.com/mail/answer/81126

One of the problems here is that mentors.debian.net does not have the standard 
email security DNS records  - SPF, DKIM, DMARC, MTA-TLS, DANE. This doesn't 
automatically cause Google to classify as spam but we really should have these 
in place to protect email.

As an example, we may be spoofing mentors.debian.net with wv-debian-
mentors1.wavecloud.de (not 100% clear with the headers provided). SPF could 
handle this.

-- 
JP




Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread Baptiste Beauplat
On 3/4/22 15:27, Bastian Blank wrote:
> I don't see anything about debian.org in those headers?  Do you?

Ah, I see the confusion. Gmail rejects ALL unauthenticated email, this
isn't specific to @debian.org addresses but it does, at least, affect mine.

We detected the issue on mentors (the bounce I forwarded in my previous
email). Later on I tried with my @d.o address and I had the exact same
issue (now attaching the bounce for the @d.o address).

Just to be clear, I'm not asking for support. I'm merely relaying the info
because I think others might be affected and how to solve this :)

-- 
Baptiste Beauplat - lyknode

Return-Path: <>
Delivered-To: lykn...@cilg.org
Received: from lyra.cilg.org
by lyra.cilg.org with LMTP
id 5n80LizvIWKVYwAAVdkSaA
(envelope-from <>)
for ; Fri, 04 Mar 2022 10:51:24 +
Received: from mailly.debian.org ([2001:41b8:202:deb:6564:a62:52c3:4b72])
by lyra.cilg.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.92)
id 1nQ5Wt-0006d0-Ll
for lykn...@cilg.org; Fri, 04 Mar 2022 10:51:24 +
Received: from lyra.cilg.org ([2001:bc8:21a6:100::1]:55848)
by mailly.debian.org with esmtps 
(TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.92)
id 1nQ5Wt-Zm-BX
for lykn...@cilg.org; Fri, 04 Mar 2022 10:51:23 +
Received: from Debian-exim by lyra.cilg.org with local (Exim 4.92)
id 1nQ5Ws-0006ct-8a
for lykn...@debian.org; Fri, 04 Mar 2022 10:51:22 +
X-Failed-Recipients: ***@gmail.com
Auto-Submitted: auto-replied
From: Mail Delivery System 
To: lykn...@debian.org
Content-Type: multipart/report; report-type=delivery-status; 
boundary=1646391082-eximdsn-556502559
MIME-Version: 1.0
Subject: Mail delivery failed: returning message to sender
Message-Id: 
Date: Fri, 04 Mar 2022 10:51:22 +
Received-SPF: pass client-ip=2001:41b8:202:deb:6564:a62:52c3:4b72; 
helo=mailly.debian.org
X-Spam-Score: -5.0

--1646391082-eximdsn-556502559
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  ***@gmail.com
host gmail-smtp-in.l.google.com [2a00:1450:400c:c07::1b]
SMTP error from remote mail server after pipelined end of data:
550-5.7.26 This message does not have authentication information or fails to
550-5.7.26 pass authentication checks. To best protect our users from spam, 
the
550-5.7.26 message has been blocked. Please visit
550-5.7.26  https://support.google.com/mail/answer/81126#authentication for 
more
550 5.7.26 information. t9-20020a5d42c900b001e098215265si2648983wrr.24 
- gsmtp

--1646391082-eximdsn-556502559
Content-type: message/delivery-status

Reporting-MTA: dns; lyra.cilg.org

Action: failed
Final-Recipient: rfc822;***@gmail.com
Status: 5.0.0
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.26 This message does not have authentication 
information or fails to
 550-5.7.26 pass authentication checks. To best protect our users from spam, the
 550-5.7.26 message has been blocked. Please visit
 550-5.7.26  https://support.google.com/mail/answer/81126#authentication for 
more
 550 5.7.26 information. t9-20020a5d42c900b001e098215265si2648983wrr.24 - 
gsmtp

--1646391082-eximdsn-556502559
Content-type: message/rfc822

Return-path: 
Received: from 
by lyra.cilg.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128)
(Exim 4.92)
(envelope-from )
id 1nQ5Wr-0006cm-Oe
for ***@gmail.com; Fri, 04 Mar 2022 10:51:21 +
Message-ID: <098dc2a7-2602-2a06-3789-6baa285b4...@debian.org>
Date: Fri, 4 Mar 2022 11:51:21 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.6.0
Subject: Re: Mail stuff broken in mentors?
Content-Language: en-US-large
To: <***@gmail.com>
References: <20220304095426.sza7lbfnjgn7twqp@debian>
From: Baptiste Beauplat 
In-Reply-To: <20220304095426.sza7lbfnjgn7twqp@debian>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Hello,

Please activate your account by visiting the following address
in your web-browser:

https://mentors.debian.net/accounts/reset/[REDACTED]

If you didn't create an account on mentors.debian.net,
you can safely ignore this email.

Thanks,
-- 
Baptiste Beauplat - lyknode

--1646391082-eximdsn-556502559--


Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread Colin Watson
On Fri, Mar 04, 2022 at 03:15:59PM +0100, Baptiste Beauplat wrote:
> On 3/4/22 14:40, Bastian Blank wrote:
> > On Fri, Mar 04, 2022 at 12:38:02PM +0100, Baptiste Beauplat wrote:
> >> We recently discovered that Gmail started to bounce email from
> >> mentors.debian.net with the following message:
> > 
> > Can you please share the complete headers of the bounced message?  Aka
> > the thing in the message/rfc822 part of the DSN message.  Right now we
> > don't know what they see from your explanation.
> 
> I'm attached the bounce.
> 
> Am I mistaken in thinking that's only a case of simply rejecting
> unsigned DKIM email?

I reproduced a similar problem, then set up DKIM for myself and
everything then worked, so I think you're correct.

The links in the original d-d-a email were mostly stale, but I found
https://bynicolas.com/server/exim-multi-domain-dkim-custom-selector/
helpful in getting this going with my local Exim setup.

-- 
Colin Watson (he/him)  [cjwat...@debian.org]



Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread Baptiste Beauplat
Hi Bastian,

On 3/4/22 14:40, Bastian Blank wrote:
> On Fri, Mar 04, 2022 at 12:38:02PM +0100, Baptiste Beauplat wrote:
>> We recently discovered that Gmail started to bounce email from
>> mentors.debian.net with the following message:
> 
> Can you please share the complete headers of the bounced message?  Aka
> the thing in the message/rfc822 part of the DSN message.  Right now we
> don't know what they see from your explanation.

I've attached the bounce.

Am I mistaken in thinking that's only a case of simply rejecting
unsigned DKIM email?

-- 
Baptiste Beauplat - lyknode

From MAILER-DAEMON  Fri Mar  4 03:14:04 2022
Return-Path: <>
X-Original-To: expo+bou...@mentors.debian.net
Delivered-To: expo+bou...@mentors.debian.net
Received: by wv-debian-mentors1.wavecloud.de (Postfix)
id A6A758B5E2; Fri,  4 Mar 2022 03:14:04 + (UTC)
Date: Fri,  4 Mar 2022 03:14:04 + (UTC)
From: mailer-dae...@mentors.debian.net (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: expo+bou...@mentors.debian.net
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="55D16823EC.1646363644/wv-debian-mentors1.wavecloud.de"
Content-Transfer-Encoding: 8bit
Message-Id: <20220304031404.a6a758b...@wv-debian-mentors1.wavecloud.de>

This is a MIME-encapsulated message.

--55D16823EC.1646363644/wv-debian-mentors1.wavecloud.de
Content-Description: Notification
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

This is the mail system at host wv-debian-mentors1.wavecloud.de.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

<**@gmail.com>: host gmail-smtp-in.l.google.com[172.253.120.26] said:
550-5.7.26 This message does not have authentication information or fails
to 550-5.7.26 pass authentication checks. To best protect our users from
spam, the 550-5.7.26 message has been blocked. Please visit 550-5.7.26
https://support.google.com/mail/answer/81126#authentication for more 550
5.7.26 information. ay16-20020a5d6f1000b001efd7e8dbb9si2037544wrb.218 -
gsmtp (in reply to end of DATA command)

--55D16823EC.1646363644/wv-debian-mentors1.wavecloud.de
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; wv-debian-mentors1.wavecloud.de
X-Postfix-Queue-ID: 55D16823EC
X-Postfix-Sender: rfc822; expo+bou...@mentors.debian.net
Arrival-Date: Fri,  4 Mar 2022 03:14:03 + (UTC)

Final-Recipient: rfc822; **@gmail.com
Original-Recipient: rfc822;**@gmail.com
Action: failed
Status: 5.7.26
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.26 This message does not have authentication
information or fails to 550-5.7.26 pass authentication checks. To best
protect our users from spam, the 550-5.7.26 message has been blocked.
Please visit 550-5.7.26
https://support.google.com/mail/answer/81126#authentication for more 550
5.7.26 information. ay16-20020a5d6f1000b001efd7e8dbb9si2037544wrb.218 -
gsmtp

--55D16823EC.1646363644/wv-debian-mentors1.wavecloud.de
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: 
Received: from mentors.debian.net (localhost [127.0.0.1])
by wv-debian-mentors1.wavecloud.de (Postfix) with ESMTP id 55D16823EC
for <**@gmail.com>; Fri,  4 Mar 2022 03:14:03 + (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Next step: Confirm your email address
From: mentors.debian.net 
To: **@gmail.com
Date: Fri, 04 Mar 2022 03:14:03 -
Message-ID: <164636364329.4074035.11224505717463252...@mentors.debian.net>

Hello,

Please activate your account by visiting the following address
in your web-browser:

https://mentors.debian.net/accounts/reset/[REDACTED]

If you didn't create an account on mentors.debian.net,
you can safely ignore this email.

Thanks,

-- 
mentors.debian.net

--55D16823EC.1646363644/wv-debian-mentors1.wavecloud.de--


Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread Bastian Blank
On Fri, Mar 04, 2022 at 12:38:02PM +0100, Baptiste Beauplat wrote:
> We recently discovered that Gmail started to bounce email from
> mentors.debian.net with the following message:

Can you please share the complete headers of the bounced message?  Aka
the thing in the message/rfc822 part of the DSN message.  Right now we
don't know what they see from your explanation.

Bastian

-- 
A woman should have compassion.
-- Kirk, "Catspaw", stardate 3018.2



Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread Baptiste Beauplat
Hi Stephan,

On 3/4/22 13:27, Stephan Lachnit wrote:
> On Fri, Mar 4, 2022 at 12:47 PM Baptiste Beauplat  wrote:
>>
>> My debian address is also affected, and probably others that did not
>> setup DKIM for their @debian.org address.
>>
>> As a reminder debian.org addresses does support DKIM. After
>> configuration on your mail server, you can publish your DKIM public key
>> to db.debian.org [1][2].
> 
> Can you point to some quick guide on how to do this for gmail? The
> support page seems kinda confusing to me.

Looking at your email headers, I would guess that gmail is already doing it.

X-Google-DKIM-Signature: v=1; a=rsa-sha256...

There is somewhat some irony in Gmail blocking email without a DKIM
signature while they are using a non-standard header that other
provider/tools might miss. Just a thought.

-- 
Baptiste Beauplat - lyknode



Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread Ansgar
On Fri, 2022-03-04 at 13:27 +0100, Stephan Lachnit wrote:
> On Fri, Mar 4, 2022 at 12:47 PM Baptiste Beauplat 
> wrote:
> > As a reminder debian.org addresses does support DKIM. After
> > configuration on your mail server, you can publish your DKIM public
> > key
> > to db.debian.org [1][2].
> 
> Can you point to some quick guide on how to do this for gmail? The
> support page seems kinda confusing to me.

This usually requires you running your own mail server (for outgoing
mail).

I don't think mail providers like GMail allow you to set up DKIM for
individual IP addresses.

Ansgar



Re: Gmail bounce unauthenticated @debian.org addresses

2022-03-04 Thread Stephan Lachnit
On Fri, Mar 4, 2022 at 12:47 PM Baptiste Beauplat  wrote:
>
> My debian address is also affected, and probably others that did not
> setup DKIM for their @debian.org address.
>
> As a reminder debian.org addresses does support DKIM. After
> configuration on your mail server, you can publish your DKIM public key
> to db.debian.org [1][2].

Can you point to some quick guide on how to do this for gmail? The
support page seems kinda confusing to me.

Regards,
Stephan