Re: [mailop] DANE validation

2019-07-11 Thread Brandon Long via mailop
At this point, for mail sending, Gmail does not support DANE, though we do
support STS and TLSRPT.  I imagine DANE is somewhere on their TODO list,
but couldn't give any time frame for that.

It is supported by a bunch of European ISPs, as well as Comcast.

Brandon

On Thu, Jul 11, 2019 at 2:45 PM Heiko Schlittermann via mailop <
mailop@mailop.org> wrote:

> Ross Tajvar via mailop (Thu 11 Jul 2019 17:58:36 CEST):
> > However, the mail server I'm using (Mailcow) suggests I add TLSA records
> > for ports that serve SMTP, POP3, and IMAP (as well as HTTPS). I'm curious,
> > do any major mail services actually validate these records when receiving
> > mail? Do any major mail clients?
>
> As Jeremy already pointed out, DANE is about receiving, giving the sender
> a chance to check the recipient's server. If Mailcow suggests you use
> TLSA records, your question is probably about services that would use
> these records to avoid sending mails destined for your domain to the
> wrong server.
>
> I'm not sure if Gmail does, but it *seems* that GMX (a German mail service)
> does checking of my TLSA records. (I can tell, because once I messed up
> these records and messages from @gmx.de to my domains bounced back to
> their GMX senders.)
>
> I'm not sure if GMX can be counted as a major service.
>
> For mail clients this question isn't relevant, if this is meant as
> "MUA", since MUAs normally talk to their submission hosts, and often do
> certificate checking similar to what HTTPS clients do: compare the
> certificate's CN and SAN with the hostname they connect to and verify
> the certificate against locally stored trusted CAs.
>
> Best regards from Dresden/Germany
> Many greetings from Dresden
> Heiko Schlittermann
> --
>  SCHLITTERMANN.de  internet & unix support -
>  Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
>  gnupg encrypted messages are welcome --- key ID: F69376CE -
>  ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] DANE validation

2019-07-11 Thread John Levine via mailop
In article  
you write:
>However, the mail server I'm using (Mailcow) suggests I add TLSA records
>for ports that serve SMTP, POP3, and IMAP (as well as HTTPS). I'm curious,
>do any major mail services actually validate these records when receiving
>mail? Do any major mail clients?

Comcast does on inbound SMTP.  I know that because I screwed up my
TLSA records and my wife couldn't write to her mother who has a
Comcast account.

Dunno any MUAs who check on POP or IMAP but it would be an interesting
idea to deter MITM attacks.




Re: [mailop] DANE validation

2019-07-11 Thread Tom Ivar Helbekkmo via mailop
Jeremy Harris via mailop  writes:

> On 11/07/2019 16:58, Ross Tajvar via mailop wrote:
>> do any major mail services actually validate these records when receiving
>> mail? Do any major mail clients?
>
> DANE is relevant to sending mail, not receiving.
> That doesn't answer your question, though.

Postfix supports DANE.

See http://www.postfix.org/TLS_README.html#client_tls_dane for details.

Shumon Huque has some tools for DANE setup and testing:

https://www.huque.com/bin/danecheck-smtp

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay

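The failure reported in this thread (TLSA records that no longer match the receiving server, so DANE-validating senders stop delivering) can be caught before a key change. This is an added example, not part of any post here and not Postfix or danecheck code; it evaluates DANE-EE (usage 3) records only, and the key and certificate bytes are constructed stand-ins for real DER data.

```python
import hashlib

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
DIGESTS = {0: lambda d: d,
           1: lambda d: hashlib.sha256(d).digest(),
           2: lambda d: hashlib.sha512(d).digest()}

def parse_tlsa(rdata):
    """Parse TLSA RDATA in presentation format: 'usage selector mtype hex...'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def dane_ee_verdict(rrset, cert_der, spki_der):
    """Verdict a DANE-validating sender would reach for the leaf certificate.

    Only DANE-EE (usage 3) is evaluated. Usage 2 needs the presented chain,
    which this sketch does not model. Usages 0/1 are treated as unusable
    for SMTP, following RFC 7672.
    """
    usable = needs_chain = False
    for rdata in rrset:
        usage, selector, mtype, data = parse_tlsa(rdata)
        if usage == 2:
            usable = needs_chain = True
            continue
        if usage != 3 or selector not in (0, 1) or mtype not in DIGESTS:
            continue  # unusable record: ignored, never counted as a match
        usable = True
        subject = cert_der if selector == 0 else spki_der  # 0 = full cert, 1 = SPKI
        if DIGESTS[mtype](subject) == data:
            return "verified"
    if not usable:
        return "no-usable-records"  # sender still uses TLS, without authentication
    return "needs-chain-check" if needs_chain else "failed"  # failed: no delivery

def tlsa_3_1_1(spki_der):
    """RDATA an operator would publish for a key: DANE-EE, SPKI, SHA-256."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()

# Constructed stand-ins for DER bytes; real input comes from the server's certificate.
OLD_SPKI, NEW_SPKI = b"constructed-old-public-key", b"constructed-new-public-key"
NEW_CERT = b"constructed-cert-wrapping:" + NEW_SPKI

stale = [tlsa_3_1_1(OLD_SPKI)]                            # key rotated, DNS not updated
rollover = [tlsa_3_1_1(OLD_SPKI), tlsa_3_1_1(NEW_SPKI)]  # both keys published first

if __name__ == "__main__":
    print("stale RRset:   ", dane_ee_verdict(stale, NEW_CERT, NEW_SPKI))
    print("rollover RRset:", dane_ee_verdict(rollover, NEW_CERT, NEW_SPKI))
```

Publishing the record for the next key alongside the current one, and waiting out the DNS TTL before switching the server, keeps the RRset in the "verified" state throughout a rollover.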


Re: [mailop] DANE validation

2019-07-11 Thread Jeremy Harris via mailop
On 11/07/2019 16:58, Ross Tajvar via mailop wrote:
> do any major mail services actually validate these records when receiving
> mail? Do any major mail clients?

DANE is relevant to sending mail, not receiving.
That doesn't answer your question, though.
-- 
Cheers,
  Jeremy



[mailop] DANE validation

2019-07-11 Thread Ross Tajvar via mailop
Hi all,

Apologies if this has been discussed before but I did a cursory search and
didn't find anything.

I've been looking into DANE and TLSA records recently. It seems that no
major browsers support validating websites via DANE, and the third-party
plugin that CZ.NIC developed to do so has been deprecated.

However, the mail server I'm using (Mailcow) suggests I add TLSA records
for ports that serve SMTP, POP3, and IMAP (as well as HTTPS). I'm curious,
do any major mail services actually validate these records when receiving
mail? Do any major mail clients?

Thanks,
Ross


Re: [mailop] Any URI whitelists out there?

2019-07-11 Thread Al Iverson via mailop
If you decide you want to whitelist various ISP or webmail email
sending domains, here's a few lists I've compiled with help from
folks:

Microsoft, Verizon (AOL, Yahoo):
https://www.spamresource.com/2018/07/reference-omg-domains-list-oath.html
AT&T:
https://www.spamresource.com/2018/10/reference-all-at-email-domains.html
Roadrunner/Spectrum:
https://www.spamresource.com/2018/01/reference-time-warnerroad.html
Apple only has three domains for end consumer users of email:
https://www.spamresource.com/2018/04/reference-apple-email-domains.html
Gmail only has two:
https://www.spamresource.com/2018/03/fun-fact-gmail-has-two-domains.html

Cheers,
Al

On Thu, Jul 11, 2019 at 7:48 AM Benoit Panizzon via mailop
 wrote:
>
> > Have you taken a look at white.uribl.com:
>
> Perfect, exactly what I was looking for.
>
> Kind regards
>
> -Benoît Panizzon-
> --
> I m p r o W a r e   A G  -  Leiter Commerce Kunden
>
> Zurlindenstrasse 29    Tel  +41 61 826 93 00
> CH-4133 Pratteln       Fax  +41 61 826 93 01
> Schweiz                Web  http://www.imp.ch

-- 
al iverson // wombatmail // chicago
http://www.aliverson.com
http://www.spamresource.com



Re: [mailop] Any URI whitelists out there?

2019-07-11 Thread Benoit Panizzon via mailop
> Have you taken a look at white.uribl.com:

Perfect, exactly what I was looking for.

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G  -  Leiter Commerce Kunden

Zurlindenstrasse 29    Tel  +41 61 826 93 00
CH-4133 Pratteln       Fax  +41 61 826 93 01
Schweiz                Web  http://www.imp.ch



Re: [mailop] Any URI whitelists out there?

2019-07-11 Thread Simon Forster via mailop


> On 11 Jul 2019, at 05:47, Benoit Panizzon via mailop wrote:
> 
> We operate the SWNIOG Blacklists and Spamtraps.
> 
> We fairly often find URI which make it onto the blacklist, which should
> clearly be whitelisted. Like 'apple.com' just this week.
> 
> We do maintain a whitelist, but I start wondering, if there are
> DNS based URI whitelists which we could query to prevent listing
> domains which shouldn't get listed.
> 
> All google did spit out on my searches were IP whitelists.

Have you taken a look at white.uribl.com:

• white.uribl.com - This list contains legit domain names that we do not
  want to show up on any other URIBL lists. This list is pretty static, with
  only a handful of changes per day. URIBL white is not currently bitmasked
  into multi.uribl.com. If you want to query it, you have to send a separate
  query. This zone rebuilds as needed.



I know next to nothing about the list and certainly not in a production 
environment. Nor do I know about licence terms. However, it may match your 
needs.

HTH

Simon







[mailop] Any URI whitelists out there?

2019-07-11 Thread Benoit Panizzon via mailop
Hi Mailops!

We operate the SWNIOG Blacklists and Spamtraps.

We fairly often find URI which make it onto the blacklist, which should
clearly be whitelisted. Like 'apple.com' just this week.

We do maintain a whitelist, but I start wondering, if there are
DNS based URI whitelists which we could query to prevent listing
domains which shouldn't get listed.

All google did spit out on my searches were IP whitelists.

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G  -  Leiter Commerce Kunden

Zurlindenstrasse 29    Tel  +41 61 826 93 00
CH-4133 Pratteln       Fax  +41 61 826 93 01
Schweiz                Web  http://www.imp.ch
