Re: sending mail via a script

2019-07-18 Thread Andy Smith
Hi Mick,

On Wed, Jul 17, 2019 at 09:50:47PM +0100, mick crane wrote:
> I have wondered about this, the actual infrastructure. I've noticed that the
> fiber optic cable is in places strung along with the electricity pylons.
> Presumably if you could somehow attach to that then you could be anybody ?

Leaving aside the technicalities of splicing into an optical fiber
link, in the context of email sending and "being anybody" I
interpret your question as being alternatively phrased as: "if I
gained access to some sort of backbone connection then could I
pretend to be anyone, in email?"

The answer is probably, "not really." Most of this email reputation
stuff is operating on the source IP of the connection. With access
to someone's network, you could possibly send packets from their IP
address(es), and this is basically what happens when someone's
device gets compromised and used for a spam run. The resulting
fallout then affects their IP reputation.

But you do not get to send packets of an *arbitrary* source IP just
because you managed to tap into a fatter pipe¹. You get to use the
IPs that you are assigned by your provider, or the provider of
whatever network it is that you're connected to.

Your Internet service provider may assign you IP addresses if you
ask, though they may not offer this service or may charge a lot of
money for it. You can always become your own service provider and go
directly to a Regional Internet Registry for the IPs. For example,
membership of RIPE, which covers Europe and some of the Middle East and
Africa, costs €1,400+VAT per year with a setup fee of an extra
€2,000 in the first year.

For this you currently get a /22 of IPv4 (1,024 addresses) and a /32
of IPv6 (or up to /29 if you need it, or even more if you can
justify it). A /32 of IPv6 is 65,536 /48s, each of which you would
generally assign to a site or a business, and each /48 is 65,536
/64s, which would be an individual network within that.

As you can see that's a pretty big outlay, yet on a per address
basis it's probably cheaper than getting your existing provider to
assign you IPs, or rent servers or whatever.

Going back to "being anybody", email of course doesn't have any
security and you can put any From: address you like. That's why so
much of email reputation is still focused on the source IP address
and not the content. Parsing the content is expensive and comes
later.

Cheers,
Andy

¹ A lot of networks don't have protections against spoofing, in that
  they allow packets to go out into the Internet with source IP
  addresses that do not correspond to what has been assigned to that
  network.

  This will not work for email however because email (SMTP) is a TCP
  service which requires a three way handshake to set up a
  connection. If you tried to initiate an SMTP connection with a
  forged source address, the communication from the server would
  route back to the real IP address and the IP stack of that device
  should reject it because it would know it was not something that
  it initiated.

  Forged source addresses are more commonly used for UDP-based
  denial of service. For example, I send a small request to a UDP
  server and forge your IP address as the source. The server sends a
  massive reply back to you, not me. You are crushed by the traffic.
  Some poorly-designed UDP services can enable 1,000x or more
  amplification of traffic. This has been done with NTP, DNS,
  portmapper, and lots of others.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: sending mail via a script

2019-07-18 Thread Lee
On 7/18/19, David Wright  wrote:
> On Thu 18 Jul 2019 at 08:27:47 (-), Curt wrote:
>> On 2019-07-17, Dan Ritter  wrote:
>> >>
>> >> Fibre is point-to-point, and any interference with it will cause a
>> >> significant drop in received signal, which will be investigated.
>> >
>> > And it will be located swiftly, thanks to time-domain
>> > reflectometry:
>> >
>> > https://en.wikipedia.org/wiki/Optical_time-domain_reflectometer
>> >
>> I don't know, man.
>>
>> http://www.fods.com/optic_clip_on_coupler.html
>> https://www.linkedin.com/pulse/edward-snowden-cyber-espionage-fiber-optic-tapping-jabulani-dhliwayo

You might not be able to find a clip on coupler with tdm but I'm not
so sure about the rest.

>>  Once an attacker gains access to bare fiber on the victim’s network,

Which takes a lot of practice
  https://joshruppe.com/fiber-optic-tapping-mid-span-fiber-access/
or access to a fiber splice tray.

>> he can  clamp the tool and collect enough detectable optical power
>> without inducing enough loss in the network to alert the network 
>> administrators.

My guess is that if the network admins are monitoring rx power levels
on their fiber ports it'll be noticed.

>> The stolen light is detected, converted from optics to electrical pulses
>> using an E-O converter and then analyzed using suitable network analysis
>> software. Wireshark, free software typically used by network administrators
>> for troubleshooting, is used to view contents of transmitted packets.

There isn't a whole lot you're going to see with wireshark these days.
2013? sure.  Now?  not so much.

> As usual, quotations have been beheaded and context lost:
>
>   On Wed, 17 Jul 2019 21:50:47 +0100 mick crane  wrote:
>    "I have wondered about this, the actual infrastructure. I've
> noticed that the fiber optic cable is in places strung along with
> the electricity pylons. Presumably if you could somehow attach to
> that then you could be anybody?"

Not if the link is encrypted.  Otherwise it depends on if the network
is taking precautions against spoofed traffic (eg. unicast reverse
path forwarding check enabled).

But even if your "be anybody" traffic was allowed in, the chances are
really good that you wouldn't see the return traffic.

> Does viewing give you the means of a MITM attack?

Clearly not.  But if you could inject traffic then maybe you could win
the race and inject your spoofed traffic before the real stuff gets
there.

Regards,
Lee
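
The unicast reverse path forwarding check mentioned above, sketched as an added example (it is not part of the thread): a packet is accepted on an interface only if the router's best route back to its source address points out of that same interface. The routing table, interface names and the choice to ignore the default route in loose mode are assumptions made for the illustration.

```python
import ipaddress

# Constructed routing table for an edge router (documentation prefixes):
# (destination prefix, interface the router would use to reach it)
ROUTES = [
    ("0.0.0.0/0", "uplink0"),        # default route towards the Internet
    ("198.51.100.0/24", "cust1"),    # prefix assigned to customer 1
    ("203.0.113.0/25", "cust2"),     # prefix assigned to customer 2
]


def best_route(src, routes=ROUTES):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net, iface))
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_accepts(src, in_iface, routes=ROUTES, mode="strict"):
    """Decide whether a packet with source src arriving on in_iface passes.

    strict: the best route to src must leave via in_iface.
    loose:  some route to src must exist; here the default route does not
            count (an assumption, one common variant of loose mode).
    """
    route = best_route(src, routes)
    if route is None:
        return False
    net, out_iface = route
    if mode == "strict":
        return out_iface == in_iface
    return net.prefixlen > 0


if __name__ == "__main__":
    samples = [
        ("198.51.100.7", "cust1"),   # customer using its own prefix
        ("203.0.113.5", "cust1"),    # customer 1 claiming customer 2's address
        ("192.0.2.55", "cust1"),     # customer 1 claiming an address elsewhere
        ("192.0.2.55", "uplink0"),   # same address arriving from the uplink
    ]
    for src, iface in samples:
        print(src, iface,
              "strict:", urpf_accepts(src, iface),
              "loose:", urpf_accepts(src, iface, mode="loose"))
```
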



Re: sending mail via a script

2019-07-18 Thread David Wright
On Thu 18 Jul 2019 at 08:27:47 (-), Curt wrote:
> On 2019-07-17, Dan Ritter  wrote:
> >> 
> >> Fibre is point-to-point, and any interference with it will cause a
> >> significant drop in received signal, which will be investigated.
> >
> > And it will be located swiftly, thanks to time-domain
> > reflectometry:
> >
> > https://en.wikipedia.org/wiki/Optical_time-domain_reflectometer
> >
> I don't know, man.
> 
> http://www.fods.com/optic_clip_on_coupler.html
> https://www.linkedin.com/pulse/edward-snowden-cyber-espionage-fiber-optic-tapping-jabulani-dhliwayo
> 
>  Once an attacker gains access to bare fiber on the victim’s network, he can
>  clamp the tool and collect enough detectable optical power without inducing
>  enough loss in the network to alert the network administrators. The stolen
>  light is detected, converted from optics to electrical pulses using an E-O
>  converter and then analyzed using suitable network analysis software.
>  Wireshark, free software typically used by network administrators for
>  troubleshooting, is used to view contents of transmitted packets. 

As usual, quotations have been beheaded and context lost:

  On Wed, 17 Jul 2019 21:50:47 +0100 mick crane  wrote:
   "I have wondered about this, the actual infrastructure. I've
noticed that the fiber optic cable is in places strung along with
the electricity pylons. Presumably if you could somehow attach to
that then you could be anybody?"

Does viewing give you the means of a MITM attack?

Cheers,
David.



Re: sending mail via a script

2019-07-18 Thread Curt
On 2019-07-17, Dan Ritter  wrote:
>> 
>> Fibre is point-to-point, and any interference with it will cause a
>> significant drop in received signal, which will be investigated.
>
> And it will be located swiftly, thanks to time-domain
> reflectometry:
>
> https://en.wikipedia.org/wiki/Optical_time-domain_reflectometer
>

>
I don't know, man.

http://www.fods.com/optic_clip_on_coupler.html
https://www.linkedin.com/pulse/edward-snowden-cyber-espionage-fiber-optic-tapping-jabulani-dhliwayo

 Once an attacker gains access to bare fiber on the victim’s network, he can
 clamp the tool and collect enough detectable optical power without inducing
 enough loss in the network to alert the network administrators. The stolen
 light is detected, converted from optics to electrical pulses using an E-O
 converter and then analyzed using suitable network analysis software.
 Wireshark, free software typically used by network administrators for
 troubleshooting, is used to view contents of transmitted packets. 

-- 
“We are all in the gutter, but some of us are looking at the stars.” 
― Oscar Wilde, Lady Windermere's Fan



Re: sending mail via a script

2019-07-18 Thread Joe
On Wed, 17 Jul 2019 17:04:46 -0400
Dan Ritter  wrote:

> Joe wrote: 
> > On Wed, 17 Jul 2019 21:50:47 +0100
> > mick crane  wrote:
> > 
> >   
> > > 
> > > I have wondered about this, the actual infrastructure. I've
> > > noticed that the fiber optic cable is in places strung along with
> > > the electricity pylons.
> > > Presumably if you could somehow attach to that then you could be
> > > anybody ?
> > >   
> > 
> > Fibre is point-to-point, and any interference with it will cause a
> > significant drop in received signal, which will be investigated.  
> 
> And it will be located swiftly, thanks to time-domain
> reflectometry:
> 
> https://en.wikipedia.org/wiki/Optical_time-domain_reflectometer
> 
> 

Yes, the point is that it can't be done secretly.

-- 
Joe



Re: sending mail via a script

2019-07-17 Thread Dan Ritter
Joe wrote: 
> On Wed, 17 Jul 2019 21:50:47 +0100
> mick crane  wrote:
> 
> 
> > 
> > I have wondered about this, the actual infrastructure. I've noticed
> > that the fiber optic cable is in places strung along with the
> > electricity pylons.
> > Presumably if you could somehow attach to that then you could be
> > anybody ?
> > 
> 
> Fibre is point-to-point, and any interference with it will cause a
> significant drop in received signal, which will be investigated.

And it will be located swiftly, thanks to time-domain
reflectometry:

https://en.wikipedia.org/wiki/Optical_time-domain_reflectometer




Re: sending mail via a script

2019-07-17 Thread Joe
On Wed, 17 Jul 2019 21:50:47 +0100
mick crane  wrote:


> 
> I have wondered about this, the actual infrastructure. I've noticed
> that the fiber optic cable is in places strung along with the
> electricity pylons.
> Presumably if you could somehow attach to that then you could be
> anybody ?
> 

Fibre is point-to-point, and any interference with it will cause a
significant drop in received signal, which will be investigated.

-- 
Joe



Re: sending mail via a script

2019-07-17 Thread mick crane

On 2019-07-17 16:36, Andy Smith wrote:
> Hi Mick,
>
> On Tue, Jul 16, 2019 at 10:39:57PM +0100, mick crane wrote:
> >  well when I became aware of all this stuff, I thought this is great,
> > everybody can connect and do what they like, if of course following
> > protocols.
> > But you can't do that can you ? you have to connect through a service
> > provider.
>
> In theory any host in the Internet can talk to any other host on the
> Internet because that is what an internetwork is.
>
> In practice some hosts on the Internet do not want to be talked to
> by just anyone for any reason. So, firewalls, application
> firewalls, blocklists and other restrictions in the name of
> security. An unfortunate reality of the centralisation of email
> services into just a handful of very large providers is that those
> providers in practice dictate stricter rules for who can talk to
> them.
>
> IP netblocks that are known to be assigned to end users (as opposed
> to hosting providers) are generally outright blocked or distrusted
> to a degree which makes it difficult for them to be used to send
> email to everyone that one might want to correspond with.
>
> On the other hand, hosting services have got a lot cheaper over the
> years to the point where one can rent a virtual server at a decent
> provider for not a lot of money, and as long as one complies with
> modern email practices one should not generally have much of a
> problem.
>
> Very few people wish to go to this extent, but if you are someone
> who wanted to do it at home then doing it on a rented server instead
> is not much more effort. Running your own mail service is still
> within reach, just not from your own home in most cases.
>
> If intending to do this I would however caution against using the
> very cheapest of providers, some of which come in at just a few Euro
> per month. These providers do not have functioning abuse departments
> and as a result are widely blocked for the misdeeds of their
> customers. As someone who operates in this space I will not name any
> providers, but if it seems too cheap to be true then it probably is.
>
> Cheers,
> Andy


I have wondered about this, the actual infrastructure. I've noticed that 
the fiber optic cable is in places strung along with the electricity 
pylons.
Presumably if you could somehow attach to that then you could be anybody 
?


mick

--
Key ID4BFEBB31



Re: sending mail via a script

2019-07-17 Thread Andy Smith
Hi Mick,

On Tue, Jul 16, 2019 at 10:39:57PM +0100, mick crane wrote:
>  well when I became aware of all this stuff, I thought this is great,
> everybody can connect and do what they like, if of course following
> protocols.
> But you can't do that can you ? you have to connect through a service
> provider.

In theory any host in the Internet can talk to any other host on the
Internet because that is what an internetwork is.

In practice some hosts on the Internet do not want to be talked to
by just anyone for any reason. So, firewalls, application
firewalls, blocklists and other restrictions in the name of
security. An unfortunate reality of the centralisation of email
services into just a handful of very large providers is that those
providers in practice dictate stricter rules for who can talk to
them.

IP netblocks that are known to be assigned to end users (as opposed
to hosting providers) are generally outright blocked or distrusted
to a degree which makes it difficult for them to be used to send
email to everyone that one might want to correspond with.

On the other hand, hosting services have got a lot cheaper over the
years to the point where one can rent a virtual server at a decent
provider for not a lot of money, and as long as one complies with
modern email practices one should not generally have much of a
problem.

Very few people wish to go to this extent, but if you are someone
who wanted to do it at home then doing it on a rented server instead
is not much more effort. Running your own mail service is still
within reach, just not from your own home in most cases.

If intending to do this I would however caution against using the
very cheapest of providers, some of which come in at just a few Euro
per month. These providers do not have functioning abuse departments
and as a result are widely blocked for the misdeeds of their
customers. As someone who operates in this space I will not name any
providers, but if it seems too cheap to be true then it probably is.

Cheers,
Andy



Re: sending mail via a script

2019-07-17 Thread Jonathan Dowland

On Wed, Jul 17, 2019 at 11:54:41AM +0100, Joe wrote:
> It's my main firewall, as I have little control over the ISP-supplied
> router.

Ah I see: you need >1 NIC.

> The Microserver takes around 35 Watts with two hard drives and a small
> SSD aboard. The Pi consumption will be tiny, and by the time I need it,
> I will probably be able to afford terabyte SSDs, they're down to about
> £100 now.

I think 35 Watts is pretty low. My mainboard claims a TDP of 10W, but
that's without any drives, and I've got 2x 3.5" 1T HDDs attached, which 
(I imagine) are the lion's share of the draw.


I document my DIY NAS stuff here, for anyone interested
https://jmtd.net/hardware/phobos/


--

Jonathan Dowland
https://jmtd.net



Re: sending mail via a script

2019-07-17 Thread Joe
On Wed, 17 Jul 2019 10:26:04 +0100
Jonathan Dowland  wrote:

> On Wed, Jul 17, 2019 at 10:01:00AM +0100, Joe wrote:
> >I'm considering using something like a Raspberry Pi when the current
> >HP Microserver dies, but I'm not sure it will be a lot cheaper to
> >run, given that it will need external hard drives and an external
> >Ethernet port.  
> 
> Depending on why you feel you'd need an external Ethernet port, the
> Pi 4 might address that issue for you (it's no longer wired over the
> USB bus)

It's my main firewall, as I have little control over the ISP-supplied
router.
> 
> I'm reminded that I have never properly measured the power
> consumption of my always-on NAS: I built it to be low power and I've
> connected it via a watt-meter but I haven't ever read the manual for
> how to use the meter (or looked at its display).
> 
The Microserver takes around 35 Watts with two hard drives and a small
SSD aboard. The Pi consumption will be tiny, and by the time I need it,
I will probably be able to afford terabyte SSDs, they're down to about
£100 now.


-- 
Joe



Re: sending mail via a script

2019-07-17 Thread Jonathan Dowland

On Wed, Jul 17, 2019 at 10:01:00AM +0100, Joe wrote:
> I'm considering using something like a Raspberry Pi when the current HP
> Microserver dies, but I'm not sure it will be a lot cheaper to run,
> given that it will need external hard drives and an external Ethernet
> port.

Depending on why you feel you'd need an external Ethernet port, the Pi 4 
might address that issue for you (it's no longer wired over the USB bus)


I'm reminded that I have never properly measured the power consumption 
of my always-on NAS: I built it to be low power and I've connected it 
via a watt-meter but I haven't ever read the manual for how to use the 
meter (or looked at its display).


--

Jonathan Dowland
https://jmtd.net
Please do not CC me, I'm subscribed to the list.



Re: sending mail via a script

2019-07-17 Thread Joe
On Wed, 17 Jul 2019 10:51:43 +0200
 wrote:


> 
> I don't mail from my home machines. Instead I've got a virtual host
> "out there" (in my case it's a slice of a "real host" I share with
> a couple of friends).
> 
> But I do know of people who do it from home.
> 

Me for one. Once you have a server running 24/7, there are all sorts of
things you can find for it to do.

I'm considering using something like a Raspberry Pi when the current HP
Microserver dies, but I'm not sure it will be a lot cheaper to run,
given that it will need external hard drives and an external Ethernet
port.

-- 
Joe



Re: sending mail via a script

2019-07-17 Thread tomas
On Wed, Jul 17, 2019 at 03:38:45AM -0500, Dave Sherohman wrote:
> On Tue, Jul 16, 2019 at 10:39:57PM +0100, mick crane wrote:
> >  well when I became aware of all this stuff, I thought this is great,
> > everybody can connect and do what they like, if of course following
> > protocols.
> > But you can't do that can you ? you have to connect through a service
> > provider.
> 
> Certain ISPs (primarily those focusing on home customers, and especially
> those providing dynamic IP addresses) will block outbound connections to
> port 25 (smtp) by their clients.  If your connection comes from such a
> provider, then, yes, you do have to pass your mail through their mail
> server, because their firewalls will prevent you from directly
> connecting to any other mail servers.

I don't mail from my home machines. Instead I've got a virtual host
"out there" (in my case it's a slice of a "real host" I share with
a couple of friends).

But I do know of people who do it from home.

Cheers
-- t




Re: sending mail via a script

2019-07-17 Thread Dave Sherohman
On Tue, Jul 16, 2019 at 10:39:57PM +0100, mick crane wrote:
>  well when I became aware of all this stuff, I thought this is great,
> everybody can connect and do what they like, if of course following
> protocols.
> But you can't do that can you ? you have to connect through a service
> provider.

Certain ISPs (primarily those focusing on home customers, and especially
those providing dynamic IP addresses) will block outbound connections to
port 25 (smtp) by their clients.  If your connection comes from such a
provider, then, yes, you do have to pass your mail through their mail
server, because their firewalls will prevent you from directly
connecting to any other mail servers.

But if you're not in such a situation, then you absolutely can run your
own mail server, although there are hoops you need to jump through to
avoid being mistaken for a spammer.  Having a static IP in a
non-blacklisted subnet and properly-configured DNS pointing back to that
IP address are, in my experience, the primary factors.  I don't think
I've ever needed to do more than that for my own personal mail server,
which I've been running since the summer of 2000, and it's been
connected on at least 4-5 different ISPs over that time, including both
residential and commercial providers.

If you want to send mail claiming to originate from other servers, then
*that's* where it gets tricky and cumbersome, because you need to
properly handle SPF and DKIM restrictions, which you may not have any
direct control over.  I occasionally have to deal with this at work, and
it's never a pleasant experience.

-- 
Dave Sherohman



Re: sending mail via a script

2019-07-17 Thread Joe
On Tue, 16 Jul 2019 22:39:57 +0100
mick crane  wrote:

> On 2019-07-16 08:18, Andrei POPESCU wrote:
> > On Lu, 15 iul 19, 06:21:28, Dan Ritter wrote:  
> >> Reco wrote:
> >> 
> >> Why do you think they have that requirement?
> >> 
> >> It's entirely because IPs without PTR records are more likely to
> >> be spammers than those who do. Specifically, because it's an
> >> indication that the person running the machine didn't set it up
> >> as a server, or doesn't know what they are doing.  
> > 
> > Or is trying to run the server on an IP without a (useful) PTR
> > record, e.g. a "personal" ISP account.
> > 
> > This requirement mitigates somewhat the spam problem, at the
> > expense of making it much harder/costlier for individuals to run
> > their own mail server.
> > 
> > Kind regards,
> > Andrei  
> 
> 
> 
>   well when I became aware of all this stuff, I thought this is
> great, everybody can connect and do what they like, if of course
> following protocols.
> But you can't do that can you ? you have to connect through a service 
> provider.

You can in the UK. You need to use an ISP who will provide a fixed IP
address (most do, though BT will charge an extra tenner a month for the
privilege) and who takes care to stay off email blacklists. I stayed
with Demon long after it was a competent ISP because I had no trouble
sending email. I've been with Plusnet for nearly two years, and have
had no problems.

But yes, sooner or later, Internet regulation will reach the point
where governments will permit only licensed organisations to send
email, and a licence will not be cheap.

-- 
Joe



Re: sending mail via a script

2019-07-17 Thread tomas
On Tue, Jul 16, 2019 at 05:54:56PM -0400, Dan Ritter wrote:
> mick crane wrote: 
> > 
> >  well when I became aware of all this stuff, I thought this is great,
> > everybody can connect and do what they like, if of course following
> > protocols.
> > But you can't do that can you ? you have to connect through a service
> > provider.
> 
> You can and you can't.
> 
> In theory you can.
> 
> In practice, the email giants -- GMail, Outlook.com, and a few
> others -- demand certain things that make it very difficult to
> deliver mail to them if you've just got a home net connection.

I, for one, do. I run my own mail server. But yes, you gotta invest
some elbow grease.

Cheers
-- tomás




Re: sending mail via a script

2019-07-16 Thread Dan Ritter
mick crane wrote: 
> 
>  well when I became aware of all this stuff, I thought this is great,
> everybody can connect and do what they like, if of course following
> protocols.
> But you can't do that can you ? you have to connect through a service
> provider.

You can and you can't.

In theory you can.

In practice, the email giants -- GMail, Outlook.com, and a few
others -- demand certain things that make it very difficult to
deliver mail to them if you've just got a home net connection.

Meanwhile, traffic to other domains might go through easily.

-dsr-



Re: sending mail via a script

2019-07-16 Thread mick crane

On 2019-07-16 08:18, Andrei POPESCU wrote:
> On Lu, 15 iul 19, 06:21:28, Dan Ritter wrote:
> > Reco wrote:
> >
> > Why do you think they have that requirement?
> >
> > It's entirely because IPs without PTR records are more likely to
> > be spammers than those who do. Specifically, because it's an
> > indication that the person running the machine didn't set it up
> > as a server, or doesn't know what they are doing.
>
> Or is trying to run the server on an IP without a (useful) PTR record,
> e.g. a "personal" ISP account.
>
> This requirement mitigates somewhat the spam problem, at the expense of
> making it much harder/costlier for individuals to run their own mail
> server.
>
> Kind regards,
> Andrei




 well when I became aware of all this stuff, I thought this is great, 
everybody can connect and do what they like, if of course following 
protocols.
But you can't do that can you ? you have to connect through a service 
provider.


mick
--
Key ID4BFEBB31



Re: sending mail via a script

2019-07-16 Thread Andrei POPESCU
On Lu, 15 iul 19, 06:21:28, Dan Ritter wrote:
> Reco wrote: 
> 
> Why do you think they have that requirement?
> 
> It's entirely because IPs without PTR records are more likely to
> be spammers than those who do. Specifically, because it's an
> indication that the person running the machine didn't set it up
> as a server, or doesn't know what they are doing.

Or is trying to run the server on an IP without a (useful) PTR record, 
e.g. a "personal" ISP account.

This requirement mitigates somewhat the spam problem, at the expense of 
making it much harder/costlier for individuals to run their own mail 
server.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: sending mail via a script

2019-07-15 Thread Joe
On Mon, 15 Jul 2019 09:07:05 -0400
Dan Ritter  wrote:

> to...@tuxteam.de wrote: 
> > On Mon, Jul 15, 2019 at 06:21:28AM -0400, Dan Ritter wrote:  
> > > Reco wrote:   
> > > > Hi.
> > > > 
> > > > On Sun, Jul 14, 2019 at 02:05:04PM -0400, Dan Ritter wrote:  
> > > > > 
> > > > > That's not a problem sending mail via a script; that's a
> > > > > problem with Google's view of the reputation of the mail
> > > > > server that you are using. (Which may be the machine that you
> > > > > are typing on, or might not.)
> > > > > 
> > > > > In other words: you successfully sent mail, but Google
> > > > > rejected it because they think you are a spammer.  
> > > > 
> > > > No. Google rejected it because of the reason stated above.
> > > > I.e. MTA's IP does not have a valid PTR record. Not required by
> > > > RFC per se, but is considered mandatory by some (included
> > > > Google).  
> > > 
> > > Why do you think they have that requirement?  
> > 
> > Because their server says so. Quoting from this very thread [1]  
> 
> This is like answering "why do you think mother married father?"
> with "Because the marriage certificate is hanging on the wall."
> 
> Did you and Reco both translate the question as a request for 
> evidence? I would think that my next statement, which you both
> decided to drop from quoting, would correct that.
> 

A mail server admin's choice of anti-spam measures can be fairly
arbitrary. My mail server does what it does 'because I say so'. I think
that was the point being made.

PTR records are nowhere near as useful as they used to be. Many
domestic users are given PTR records now, even if they are just some
derivative of the IP address, and many companies using email simply
outsource it. Some email services are run by people who don't know what
they are doing, so some legitimate business email arrives from addresses
without a complementary PTR-A record pair.

-- 
Joe



Re: sending mail via a script

2019-07-15 Thread Dan Ritter
to...@tuxteam.de wrote: 
> On Mon, Jul 15, 2019 at 06:21:28AM -0400, Dan Ritter wrote:
> > Reco wrote: 
> > >   Hi.
> > > 
> > > On Sun, Jul 14, 2019 at 02:05:04PM -0400, Dan Ritter wrote:
> > > > 
> > > > That's not a problem sending mail via a script; that's a problem with
> > > > Google's view of the reputation of the mail server that you are using.
> > > > (Which may be the machine that you are typing on, or might not.)
> > > > 
> > > > In other words: you successfully sent mail, but Google rejected
> > > > it because they think you are a spammer.
> > > 
> > > No. Google rejected it because of the reason stated above.
> > > I.e. MTA's IP does not have a valid PTR record. Not required by RFC per
> > > se, but is considered mandatory by some (included Google).
> > 
> > Why do you think they have that requirement?
> 
> Because their server says so. Quoting from this very thread [1]

This is like answering "why do you think mother married father?"
with "Because the marriage certificate is hanging on the wall."

Did you and Reco both translate the question as a request for 
evidence? I would think that my next statement, which you both
decided to drop from quoting, would correct that.

-dsr-



Re: sending mail via a script

2019-07-15 Thread Joe
On Mon, 15 Jul 2019 10:34:44 +
Andy Smith  wrote:

> Hi Pierre,
> 
> On Sun, Jul 14, 2019 at 06:17:50PM +0200, Pierre Frenkiel wrote:
> >  I tried with mail.mailutils, and I get the following error:
> > 
> > << 550-5.7.1 [2a01:e35:8a7f:9c50:2e4d:54ff:fed0:5806] Our system has detected that
> > <<< 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR
> > <<< 550-5.7.1 records and authentication. Please review
> > <<< 550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information
> 
> If sending email to Gmail over IPv6 you absolutely require matching
> forward and reverse DNS and some email IP authentication mechanism
> such as SPF and/or DKIM. If you can't do this, disable IPv6 in your
> mail server either in general or when sending to Gmail (could be
> tricky because this affects Google Apps For Your Domain also, so you
> don't necessarily know all the domains).
> 
> You will have an easier time over IPv4 as Gmail relax their SPF/DKIM
> requirement, though can still avoid unwanted trashing of your email
> by implementing SPF and/or DKIM.
> 

They have a damn cheek, as they don't appear to do anything to stop
their own customers sending out spam, nor (last time I tried) did they
either accept email to 'abuse' or provide any other means to report
email abuse by their customers.

-- 
Joe



Re: sending mail via a script

2019-07-15 Thread Andy Smith
Hi Pierre,

On Sun, Jul 14, 2019 at 06:17:50PM +0200, Pierre Frenkiel wrote:
>  I tried with mail.mailutils, and I get the following error:
> 
> << 550-5.7.1 [2a01:e35:8a7f:9c50:2e4d:54ff:fed0:5806] Our system has detected that
> <<< 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR
> <<< 550-5.7.1 records and authentication. Please review
> <<< 550-5.7.1  https://support.google.com/mail/?p=IPv6AuthError for more information

If sending email to Gmail over IPv6 you absolutely require matching
forward and reverse DNS and some email IP authentication mechanism
such as SPF and/or DKIM. If you can't do this, disable IPv6 in your
mail server either in general or when sending to Gmail (could be
tricky because this affects Google Apps For Your Domain also, so you
don't necessarily know all the domains).

You will have an easier time over IPv4 as Gmail relax their SPF/DKIM
requirement, though you can still avoid unwanted trashing of your email
by implementing SPF and/or DKIM.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: sending mail via a script

2019-07-15 Thread tomas
On Mon, Jul 15, 2019 at 01:28:40PM +0300, Reco wrote:
> On Mon, Jul 15, 2019 at 06:21:28AM -0400, Dan Ritter wrote:

[...]

> > Why do you think they have that requirement?
> 
> An error message included a link to support.google.com. Along with the other
> things it says:

Heh. Great minds think alike :)

Cheers
-- t




Re: sending mail via a script

2019-07-15 Thread tomas
On Mon, Jul 15, 2019 at 06:21:28AM -0400, Dan Ritter wrote:
> Reco wrote: 
> > Hi.
> > 
> > On Sun, Jul 14, 2019 at 02:05:04PM -0400, Dan Ritter wrote:
> > > 
> > > That's not a problem sending mail via a script; that's a problem with
> > > Google's view of the reputation of the mail server that you are using.
> > > (Which may be the machine that you are typing on, or might not.)
> > > 
> > > In other words: you successfully sent mail, but Google rejected
> > > it because they think you are a spammer.
> > 
> > No. Google rejected it because of the reason stated above.
> > I.e. MTA's IP does not have a valid PTR record. Not required by RFC per
> > se, but is considered mandatory by some (including Google).
> 
> Why do you think they have that requirement?

Because their server says so. Quoting from this very thread [1]

  <<< 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR
  <<< 550-5.7.1 records and authentication. Please review
  <<< 550-5.7.1  https://support.google.com/mail/?p=IPv6AuthError for more infor

And quoting from that Google link (eek, I clicked a Google link and
feel now... dirty):

- The sending IP must have a PTR record (i.e. a reverse DNS
  of the sending IP) and match the IP obtained via the forward
  DNS resolution of the hostname specified in the PTR record.
- The sending domain should pass either a SPF check or DKIM
  check.

So you need a PTR (for reverse name resolution) AND (SPF OR DKIM)
(so yeah, PTR alone ain't enough).

Cheers

[1] Message-ID: 

-- t
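
Added example, not part of the original thread: a forward-confirmed reverse DNS check for a sending IP, combined with the "PTR AND (SPF OR DKIM)" rule summarised above. The function names, the sample zone data (documentation prefix 2001:db8::/32, example.net) and the spf_pass/dkim_pass inputs are assumptions; the SPF and DKIM results are taken as given, not evaluated here.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup through the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_forward(host):
    """A/AAAA lookup through the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except OSError:
        return []

def fcrdns(ip, reverse=system_reverse, forward=system_forward):
    """Return the PTR names whose forward lookup leads back to `ip`."""
    want = ipaddress.ip_address(ip)
    confirmed = []
    for host in reverse(ip):
        for addr in forward(host):
            try:
                # Compare parsed addresses, since IPv6 has many text forms.
                if ipaddress.ip_address(addr.split("%")[0]) == want:
                    confirmed.append(host.rstrip(".").lower())
                    break
            except ValueError:
                continue
    return confirmed

def meets_guidelines(ip, spf_pass, dkim_pass, **resolvers):
    """PTR with matching forward DNS AND (SPF OR DKIM)."""
    return bool(fcrdns(ip, **resolvers)) and bool(spf_pass or dkim_pass)

# Constructed sample data (documentation prefix and names, not real hosts).
SAMPLE_PTR = {"2001:db8::25": ["mail.example.net."],
              "2001:db8::99": ["mail.example.net."]}
SAMPLE_AAAA = {"mail.example.net.": ["2001:0db8:0000:0000:0000:0000:0000:0025"]}

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_forward(host):
    return SAMPLE_AAAA.get(host, [])

if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(ip, fcrdns(ip, sample_reverse, sample_forward))
```

Called without the sample resolvers, fcrdns() uses the system resolver, so it can be run on the mail host against its own outbound IPv6 address before sending to Gmail.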




Re: sending mail via a script

2019-07-15 Thread Reco
On Mon, Jul 15, 2019 at 06:21:28AM -0400, Dan Ritter wrote:
> Reco wrote: 
> > Hi.
> > 
> > On Sun, Jul 14, 2019 at 02:05:04PM -0400, Dan Ritter wrote:
> > > 
> > > That's not a problem sending mail via a script; that's a problem with
> > > Google's view of the reputation of the mail server that you are using.
> > > (Which may be the machine that you are typing on, or might not.)
> > > 
> > > In other words: you successfully sent mail, but Google rejected
> > > it because they think you are a spammer.
> > 
> > No. Google rejected it because of the reason stated above.
> > I.e. MTA's IP does not have a valid PTR record. Not required by RFC per
> > se, but is considered mandatory by some (including Google).
> 
> Why do you think they have that requirement?

An error message included a link to support.google.com. Along with the other
things it says:

The sending IP must have a PTR record (i.e. a reverse DNS of the sending IP)
and match the IP obtained via the forward DNS resolution of the hostname
specified in the PTR record.


OP's MTA does not have IPv6 PTR at all.

> > > Another is to build the reputation of the server you are using,
> > 
> > Won't do any good. Another option is to get that PTR record for
> > starters.
> 
> That would be part of building the reputation.

I must've misinterpreted your phrase then.

Reco



Re: sending mail via a script

2019-07-15 Thread Dan Ritter
Reco wrote: 
>   Hi.
> 
> On Sun, Jul 14, 2019 at 02:05:04PM -0400, Dan Ritter wrote:
> > 
> > That's not a problem sending mail via a script; that's a problem with
> > Google's view of the reputation of the mail server that you are using.
> > (Which may be the machine that you are typing on, or might not.)
> > 
> > In other words: you successfully sent mail, but Google rejected
> > it because they think you are a spammer.
> 
> No. Google rejected it because of the reason stated above.
> I.e. MTA's IP does not have a valid PTR record. Not required by RFC per
> se, but is considered mandatory by some (including Google).

Why do you think they have that requirement?

It's entirely because IPs without PTR records are more likely to
be spammers than those who do. Specifically, because it's an
indication that the person running the machine didn't set it up
as a server, or doesn't know what they are doing.

> > Another is to build the reputation of the server you are using,
> 
> Won't do any good. Another option is to get that PTR record for
> starters.

That would be part of building the reputation.

-dsr-



Re: sending mail via a script

2019-07-15 Thread Reco
Hi.

On Sun, Jul 14, 2019 at 02:05:04PM -0400, Dan Ritter wrote:
> Pierre Frenkiel wrote: 
> > On Sun, 14 Jul 2019, Pierre Frenkiel wrote:
> > 
> > > hi,
> > > I'm looking for a way to send a mail via a script. What are the available
> > > solutions?
> > 
> >  I tried with mail.mailutils, and I get the following error:
> > 
> >  << 550-5.7.1 [2a01:e35:8a7f:9c50:2e4d:54ff:fed0:5806] Our system has detected that
> >  <<< 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR
> >  <<< 550-5.7.1 records and authentication. Please review
> >  <<< 550-5.7.1  https://support.google.com/mail/?p=IPv6AuthError for more information
> >  <<< 550 5.7.1 . z19si9492793wml.107 - gsmtp
> >  554 5.0.0 Service unavailable
> > 
> >  I didn't find any useful information on the given link.
> > 
> 
> That's not a problem sending mail via a script; that's a problem with
> Google's view of the reputation of the mail server that you are using.
> (Which may be the machine that you are typing on, or might not.)
> 
> In other words: you successfully sent mail, but Google rejected
> it because they think you are a spammer.

No. Google rejected it because of the reason stated above.
I.e. MTA's IP does not have a valid PTR record. Not required by RFC per
se, but is considered mandatory by some (including Google).


> One option is to relay mail through an email server that is
> generally considered trustworthy.

That'll work.


> Another is to build the reputation of the server you are using,

Won't do any good. Another option is to get that PTR record for
starters.

> Mail is tricky these days.

True. And Google is trying to make it even more tricky.

Reco



Re: sending mail via a script

2019-07-14 Thread Dan Ritter
Pierre Frenkiel wrote: 
> On Sun, 14 Jul 2019, Pierre Frenkiel wrote:
> 
> > hi,
> > I'm looking for a way to send a mail via a script. What are the available
> > solutions?
> 
>  I tried with mail.mailutils, and I get the following error:
> 
>  << 550-5.7.1 [2a01:e35:8a7f:9c50:2e4d:54ff:fed0:5806] Our system has detected that
>  <<< 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR
>  <<< 550-5.7.1 records and authentication. Please review
>  <<< 550-5.7.1  https://support.google.com/mail/?p=IPv6AuthError for more information
>  <<< 550 5.7.1 . z19si9492793wml.107 - gsmtp
>  554 5.0.0 Service unavailable
> 
>  I didn't find any useful information on the given link.
> 

That's not a problem sending mail via a script; that's a problem with
Google's view of the reputation of the mail server that you are using.
(Which may be the machine that you are typing on, or might not.)

In other words: you successfully sent mail, but Google rejected
it because they think you are a spammer.

One option is to relay mail through an email server that is
generally considered trustworthy.

Another is to build the reputation of the server you are using,
but it seems likely that you have an IP connection from free.fr,
and they are specifically advertising that you are a user and
should not get a positive reputation.

Mail is tricky these days.

-dsr-



Re: sending mail via a script

2019-07-14 Thread Pierre Frenkiel

On Sun, 14 Jul 2019, Pierre Frenkiel wrote:


hi,
I'm looking for a way to send a mail via a script. What are the available
solutions?


 I tried with mail.mailutils, and I get the following error:

   << 550-5.7.1 [2a01:e35:8a7f:9c50:2e4d:54ff:fed0:5806] Our system has detected that
   <<< 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR
   <<< 550-5.7.1 records and authentication. Please review
   <<< 550-5.7.1  https://support.google.com/mail/?p=IPv6AuthError for more information
   <<< 550 5.7.1 . z19si9492793wml.107 - gsmtp
   554 5.0.0 Service unavailable

   I didn't find any useful information on the given link.

best regards,
--
Pierre Frenkiel