Re: [mailop] [EXTERNAL] Re: Registered @ Microsoft JMRP - blacklisted without feedback received

2021-05-15 Thread Simon Arlott via mailop
On 12/05/2021 04:08, Michael Wise via mailop wrote:
> S3150 is throttling.
> 
> Open a ticket and ask for a more realistic hourly/daily throttle limit.

I'm now having this problem too. My email volume is so small it never
appears on SNDS. There have been 10 messages to Hotmail this month (4
unique recipients) and now I'm getting S3150 replies to everything
despite still receiving email to the same IP from those recipients.

I'm being fed lies like "Your IP was blocked by Outlook.com because
Hotmail customers have reported email from this IP as unwanted".


"Outlook.com Deliverability Support" have also provided me with a link
to this amusing document:

> For more detailed information about best sending practices to
> Outlook.com users, please review the following white paper:
> http://download.microsoft.com/download/e/3/3/e3397e7c-17a6-497d-9693-78f80be272fb/enhance_deliver.pdf

It hasn't been updated since 2007 and it shows.

-- 
Simon Arlott
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] MTA-STS issues

2021-05-15 Thread Eric Germann via mailop
It’s the versions of encryption offered by the host on initiation of STARTTLS. I use ASSP as a spam frontend. Changing from only TLSv1 to SSLv23:!SSLv2:!SSLv3 (which is TLS only) makes it work, with the following flagged error:


Note: even though the server appears to be set up correctly for MTA-STS, I recommend using a test like Qualys SSL Labs to analyze the HTTP host and to test the mail host.

Not sure why it makes a difference since the ! excludes those protocols and 
leaves TLS 1.0 -> 1.3 enabled.

I modified the mta-sts.txt file to be CR-LF terminated and that got rid of that warning.

It now passes https://aykevl.nl/apps/mta-sts/ in testing mode.

It also passed https://esmtp.email/tools/mta-sts/ in testing mode.

Thanks for the food for thought!  Got me looking in the right direction

Eric



> On May 15, 2021, at 10:03 AM, Marcel de Riedmatten via mailop 
>  wrote:
> 
> On 15.05.21 14:43, Arne Jensen via mailop wrote:
> 
>> Den 15-05-2021 kl. 03:53 skrev Eric Germann via mailop:
>>> I’ve enabled MTA-STS for the domain semperen.com.
>>> 
> many good remarks  snipped
>>> My question is what could be the cause of the failure?
>>> 
>>> 1. Certificate validation error in the certificate chain
>>> 2. No reverse DNS for the IPv6 address
>>> 
>>> The host is in AWS and has a PTR for IPv4 setup correctly.  Not sure
>>> if you can do a PTR for IPv6 in AWS
> 
> I would add that trying to connect to the site  with
> 
> posttls-finger  -P /etc/ssl/certs  smtp.semperen.com
> 
> gets me TLS 1.0 only, and that might not be tasty to everyone:
> 
> 
> posttls-finger: using DANE RR: _25._tcp.smtp.semperen.com IN TLSA 3 1 1 
> AE:09:ED:EB:71:07:75:5D:83:B6:98:FE:D6:3D:A0:B0:B3:DC:F7:50:14:F1:78:EE:4D:32:99:64:61:95:2B:60
> posttls-finger: Connected to smtp.semperen.com[3.13.72.96]:25
> posttls-finger: < 220 smtp.semperen.com ESMTP Postfix
> posttls-finger: > EHLO smtp2.dotforge.ch
> posttls-finger: < 250-smtp.semperen.com
> posttls-finger: < 250-STARTTLS
> posttls-finger: < 250-SIZE 2
> posttls-finger: < 250-VRFY
> posttls-finger: < 250-AUTH PLAIN LOGIN
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250 DSN
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 Ready to start TLS
> posttls-finger: smtp.semperen.com[3.13.72.96]:25: depth=0 matched end entity 
> public-key sha256 
> digest=AE:09:ED:EB:71:07:75:5D:83:B6:98:FE:D6:3D:A0:B0:B3:DC:F7:50:14:F1:78:EE:4D:32:99:64:61:95:2B:60
> posttls-finger: smtp.semperen.com[3.13.72.96]:25: Matched subjectAltName: 
> smtp.semperen.com
> posttls-finger: smtp.semperen.com[3.13.72.96]:25: subjectAltName: 
> www.smtp.semperen.com
> posttls-finger: smtp.semperen.com[3.13.72.96]:25 CommonName smtp.semperen.com
> posttls-finger: smtp.semperen.com[3.13.72.96]:25: 
> subject_CN=smtp.semperen.com, issuer_CN=Sectigo RSA Domain Validation Secure 
> Server CA, 
> fingerprint=9E:20:AB:54:BF:CB:D8:6E:22:21:A8:9D:4C:69:33:E9:DF:BC:AD:FD, 
> pkey_fingerprint=9F:D5:08:68:79:73:22:8C:A9:AC:92:89:1D:5C:B1:15:7E:57:FF:DB
> posttls-finger: Verified TLS connection established to 
> smtp.semperen.com[3.13.72.96]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA 
> (256/256 bits)
> 
> --
> 
> Marcel de Riedmatten
> 
> 
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop





Re: [mailop] MTA-STS issues

2021-05-15 Thread Marcel de Riedmatten via mailop

On 15.05.21 14:43, Arne Jensen via mailop wrote:


Den 15-05-2021 kl. 03:53 skrev Eric Germann via mailop:

I’ve enabled MTA-STS for the domain semperen.com.


many good remarks  snipped

My question is what could be the cause of the failure?

1. Certificate validation error in the certificate chain
2. No reverse DNS for the IPv6 address

The host is in AWS and has a PTR for IPv4 setup correctly.  Not sure
if you can do a PTR for IPv6 in AWS


I would add that trying to connect to the site with

posttls-finger  -P /etc/ssl/certs  smtp.semperen.com

gets me TLS 1.0 only, and that might not be tasty to everyone:


posttls-finger: using DANE RR: _25._tcp.smtp.semperen.com IN TLSA 3 1 1 
AE:09:ED:EB:71:07:75:5D:83:B6:98:FE:D6:3D:A0:B0:B3:DC:F7:50:14:F1:78:EE:4D:32:99:64:61:95:2B:60

posttls-finger: Connected to smtp.semperen.com[3.13.72.96]:25
posttls-finger: < 220 smtp.semperen.com ESMTP Postfix
posttls-finger: > EHLO smtp2.dotforge.ch
posttls-finger: < 250-smtp.semperen.com
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-SIZE 2
posttls-finger: < 250-VRFY
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: smtp.semperen.com[3.13.72.96]:25: depth=0 matched end 
entity public-key sha256 
digest=AE:09:ED:EB:71:07:75:5D:83:B6:98:FE:D6:3D:A0:B0:B3:DC:F7:50:14:F1:78:EE:4D:32:99:64:61:95:2B:60
posttls-finger: smtp.semperen.com[3.13.72.96]:25: Matched 
subjectAltName: smtp.semperen.com
posttls-finger: smtp.semperen.com[3.13.72.96]:25: subjectAltName: 
www.smtp.semperen.com
posttls-finger: smtp.semperen.com[3.13.72.96]:25 CommonName 
smtp.semperen.com
posttls-finger: smtp.semperen.com[3.13.72.96]:25: 
subject_CN=smtp.semperen.com, issuer_CN=Sectigo RSA Domain Validation 
Secure Server CA, 
fingerprint=9E:20:AB:54:BF:CB:D8:6E:22:21:A8:9D:4C:69:33:E9:DF:BC:AD:FD, 
pkey_fingerprint=9F:D5:08:68:79:73:22:8C:A9:AC:92:89:1D:5C:B1:15:7E:57:FF:DB
posttls-finger: Verified TLS connection established to 
smtp.semperen.com[3.13.72.96]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA 
(256/256 bits)


--

Marcel de Riedmatten



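The posttls-finger transcript above carries the three facts a sender cares about: whether 250-STARTTLS was advertised, which protocol and cipher were negotiated, and whether the DANE TLSA record matched. The script below is an added example (not part of the thread and not part of Postfix) that parses such a transcript and turns it into a short report. The embedded transcript is a constructed abridgement of the tool's output format as shown in Marcel's message, with placeholder host names, addresses and digests; the prefix `posttls-finger: ` and the "Verified/Trusted/Untrusted/Anonymous TLS connection established" wording follow the real tool.

```python
"""Summarise a posttls-finger transcript: STARTTLS advertised?, negotiated
protocol and cipher, trust level reported by Postfix, and DANE match.

Added example, not code from the mailop thread or from Postfix.  The sample
transcript is constructed (placeholder host names, address and digests).
"""
import re

# Versions a modern sender should not be limited to (RFC 8996 deprecates
# TLS 1.0 and 1.1; SSLv2/v3 have been deprecated for far longer).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

SAMPLE_TRANSCRIPT = """\
posttls-finger: using DANE RR: _25._tcp.smtp.example.test IN TLSA 3 1 1 AA:BB:CC
posttls-finger: Connected to smtp.example.test[192.0.2.25]:25
posttls-finger: < 220 smtp.example.test ESMTP Postfix
posttls-finger: > EHLO client.example.test
posttls-finger: < 250-smtp.example.test
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-SIZE 10240000
posttls-finger: < 250 DSN
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: smtp.example.test[192.0.2.25]:25: depth=0 matched end entity public-key sha256 digest=AA:BB:CC
posttls-finger: Verified TLS connection established to smtp.example.test[192.0.2.25]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
"""

# Postfix reports one of four trust levels on the "established" line.
ESTABLISHED = re.compile(
    r"^(Verified|Trusted|Untrusted|Anonymous) TLS connection established to "
    r"(\S+): (\S+) with cipher (\S+)"
)


def summarise(transcript: str) -> dict:
    """Extract the security-relevant facts from a posttls-finger transcript."""
    result = {
        "starttls_advertised": False,
        "dane_matched": False,
        "trust": None,
        "protocol": None,
        "cipher": None,
        "findings": [],
    }
    for raw in transcript.splitlines():
        line = raw.removeprefix("posttls-finger: ")
        # Server replies are echoed with a "< " prefix; "250-" and "250 "
        # are both six characters, so the keyword starts at offset 6.
        if line.startswith("< 250") and line[6:].startswith("STARTTLS"):
            result["starttls_advertised"] = True
        elif "matched end entity" in line or "matched trust anchor" in line:
            result["dane_matched"] = True
        else:
            m = ESTABLISHED.match(line)
            if m:
                result["trust"], _, result["protocol"], result["cipher"] = m.groups()

    findings = result["findings"]
    if not result["starttls_advertised"]:
        findings.append("server did not advertise STARTTLS in its EHLO response")
    if result["protocol"] is None:
        findings.append("no TLS session was established")
    elif result["protocol"] in DEPRECATED_PROTOCOLS:
        findings.append(f"negotiated {result['protocol']}; allow TLS 1.2 or newer")
    if result["trust"] in ("Untrusted", "Anonymous"):
        findings.append(f"certificate was not verified ({result['trust']})")
    return result


if __name__ == "__main__":
    report = summarise(SAMPLE_TRANSCRIPT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real transcript by piping `posttls-finger` output into a file and passing its contents to `summarise()`; on the sample, the only finding is the TLSv1-only negotiation that Marcel points out.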


Re: [mailop] MTA-STS issues

2021-05-15 Thread Arne Jensen via mailop

Den 15-05-2021 kl. 03:53 skrev Eric Germann via mailop:
> I’ve enabled MTA-STS for the domain semperen.com.

Adding DANE and/or MTA-STS configurations is one thing; another would be
whether your mail server actually allows (or even signals that it allows the
upgrade to) encrypted connections.

> I see these for various sending-mta-ip’s which I assume are the
> outbound gmail gateways.  What I’m trying to figure out is why there
> is a failed session count.
>
> semperen.com mta-sts passes
> with https://esmtp.email/tools/mta-sts/
> 

Even though the certificate validation passes, this site yells about:

> Added missing ending \r\n to MTA-STS policy for further evaluation
>
> MTA-STS contains lines with no CRLF termination
-> https://datatracker.ietf.org/doc/html/rfc8461#section-3.2


It does for example say:

> This resource contains the following CRLF-separated key/value pairs:
Your MTA-STS policy file seems to be only LF-separated (\n).

> semperen.com mta-sts fails
> with https://aykevl.nl/apps/mta-sts/ . It throws a certificate
> validation error.

It seems to do strict validation whether or not the SMTP server signals
that it allows STARTTLS.

Since their server never sees the "250-STARTTLS" response from your
server, they won't try it. As such, they don't get the certificates, and
the certificate validation fails as well.

* It seems like a hit and miss on your server, regarding whether the
"250-STARTTLS" response is there or not. Some locations do show it,
others don't.

>
> For the STARTTLS cert I’m using LetsEncrypt.  DANE is also in place.

Some "Operational BCP" (in regards to DANE):

-> https://imrryr.org/~viktor/ICANN61-viktor.pdf
 [Page 25]
-> http://files.nylug.org/2018/nylug-20181017-dnssec-dane.pdf
 [Page 46]

says:

> Don't offer STARTTLS selectively to just some clients
But this is exactly what your SMTP server does, and as such, it will
produce mixed ("selective") results, too...

>
> My question is what could be the cause of the failure?
>
> 1. Certificate validation error in the certificate chain
> 2. No reverse DNS for the IPv6 address
>
> The host is in AWS and has a PTR for IPv4 setup correctly.  Not sure
> if you can do a PTR for IPv6 in AWS

A valid and consistent reverse DNS configuration (FcRDNS) does not hurt
for inbound only mail servers (MX), but it is technically not really
necessary / relevant, if being "inbound only".

It does however become necessary / relevant if those IP(v6) addresses
also have the outbound role, and take care of deliveries directly over
those IP(v6) addresses to third parties.

> Received: from smtp.semperen.com (unknown
>  [IPv6:2600:1f16:940:9420:c0eb:3db8:9c94:df05])
>  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>  (No client certificate requested)
>  by mx.mailop.org (Postfix) with ESMTPS id 4FhpZY1wh6z8slr
>  for ; Sat, 15 May 2021 04:03:01 +0200 (CEST)
Since your "smtp.semperen.com" is definitely taking care of the outbound
role here, it is necessary / relevant (... as in, mandatory, for most
destinations).

-> https://forums.aws.amazon.com/thread.jspa?threadID=248430

-> https://forums.aws.amazon.com/thread.jspa?threadID=249021

-> https://forums.aws.amazon.com/thread.jspa?threadID=250565


Others have apparently had luck, according to these threads, so I would
definitely, and strongly, advise you to also pursue the IPv6 PTR.

That being said, the PTR stuff itself isn't technically relevant, if we
should be strictly on topic for the issue(s) mentioned in this thread.

> Any thoughts would be appreciated.

Fix the MTA-STS policy's (CR)LF line endings / separations, by making
them properly with CRLF (\r\n) rather than only LF (\n).

Make sure that your SMTP server returns "250-STARTTLS" consistently to
all clients.

-- 
Med venlig hilsen / Kind regards,
Arne Jensen


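Arne's two fixes are a policy-file problem (LF-only line endings, against RFC 8461 section 3.2) and a server problem (inconsistent 250-STARTTLS). The first can be checked offline before publishing. The validator below is an added example, not code from the thread or from any MTA or online checker: it reports line-ending defects, parses the CRLF-separated key/value pairs, checks the `version`, `mode`, `max_age` and `mx` fields, and can rewrite a policy with correct terminators. The two sample policies are constructed. Two choices are my own reading rather than quoted from the RFC: a missing final CRLF is reported as advisory only, because the ABNF makes the trailing CRLF optional, and at least one `mx` pattern is required only when `mode` is `enforce` or `testing`, since in mode `none` the patterns are never consulted; the `mx` pattern regex (one optional leading `*.` wildcard followed by DNS labels) is likewise an assumption.

```python
"""Validate an MTA-STS policy (the text served as
https://mta-sts.<domain>/.well-known/mta-sts.txt) against RFC 8461 section 3.2,
with emphasis on the CRLF line-termination requirement discussed in the thread.

Added example, not code from the mailop thread or from any MTA.  The sample
policies are constructed; see the module-level comments for the assumptions.
"""
from __future__ import annotations

import re

MAX_AGE_LIMIT = 31_557_600          # maximum max_age RFC 8461 permits (seconds)
MODES = {"enforce", "testing", "none"}
# Assumption: mx value is ["*."] Domain, i.e. an optional leading wildcard
# label followed by ordinary DNS labels (no hyphen at a label edge).
MX_PATTERN = re.compile(
    r"^(\*\.)?(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)
# name ":" *WSP value; trailing whitespace is tolerated rather than rejected.
FIELD = re.compile(r"^([A-Za-z0-9_.-]{1,32}):[ \t]*(.*?)[ \t]*$")

# Constructed samples: the first is the defect from the thread (LF only),
# the second is the corrected form.
LF_ONLY_POLICY = "version: STSv1\nmode: testing\nmx: smtp.example.test\nmax_age: 86400\n"
CRLF_POLICY = LF_ONLY_POLICY.replace("\n", "\r\n")


def check_line_endings(policy: str) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) about the policy's line terminators."""
    errors, warnings = [], []
    bare_lf = len(re.findall(r"(?<!\r)\n", policy))   # LF not preceded by CR
    bare_cr = len(re.findall(r"\r(?!\n)", policy))    # CR not followed by LF
    if bare_lf:
        errors.append(f"{bare_lf} line(s) are terminated by LF only; "
                      "RFC 8461 section 3.2 requires CRLF")
    if bare_cr:
        errors.append(f"{bare_cr} bare CR character(s) present")
    if policy and not bare_lf and not policy.endswith("\r\n"):
        # Assumption: advisory only, since the ABNF's final CRLF is optional.
        warnings.append("policy does not end with CRLF")
    return errors, warnings


def validate_policy(policy: str) -> dict:
    """Validate line endings and fields; returns errors, warnings and fields."""
    errors, warnings = check_line_endings(policy)
    fields: dict = {"mx": []}
    # Split on any terminator so the field checks still run on an LF-only
    # file, the same leniency the online checkers in the thread apply.
    for lineno, line in enumerate(re.split(r"\r\n|\n|\r", policy), start=1):
        if line == "":
            continue                  # the optional final terminator
        m = FIELD.match(line)
        if not m:
            errors.append(f"line {lineno}: not a 'name: value' pair: {line!r}")
            continue
        name, value = m.groups()
        if name == "mx":
            fields["mx"].append(value)   # may legitimately repeat
        elif name in ("version", "mode", "max_age"):
            if name in fields:
                errors.append(f"line {lineno}: duplicate field {name!r}")
            fields[name] = value
        else:
            warnings.append(f"line {lineno}: unknown field {name!r} ignored")

    if fields.get("version") != "STSv1":
        errors.append("version must be exactly 'STSv1'")
    mode = fields.get("mode")
    if mode not in MODES:
        errors.append("mode must be one of enforce, testing or none")
    max_age = fields.get("max_age")
    if (max_age is None or not re.fullmatch(r"[0-9]{1,10}", max_age)
            or int(max_age) > MAX_AGE_LIMIT):
        errors.append(f"max_age must be an integer of at most {MAX_AGE_LIMIT} seconds")
    # Assumption: mx patterns only matter when the policy is actually applied.
    if mode in ("enforce", "testing") and not fields["mx"]:
        errors.append("at least one mx pattern is required when mode is enforce or testing")
    for pattern in fields["mx"]:
        if not MX_PATTERN.match(pattern):
            errors.append(f"invalid mx pattern {pattern!r} (only a leading '*.' wildcard is allowed)")
    return {"errors": errors, "warnings": warnings, "fields": fields}


def normalise_line_endings(policy: str) -> str:
    """Rewrite LF, CR or CRLF terminators as CRLF and ensure a final CRLF."""
    lines = [ln for ln in re.split(r"\r\n|\n|\r", policy) if ln != ""]
    return "".join(ln + "\r\n" for ln in lines)


if __name__ == "__main__":
    for label, text in (("LF only", LF_ONLY_POLICY), ("CRLF", CRLF_POLICY)):
        print(label, validate_policy(text)["errors"])
```

Feed it the file you are about to publish (read in binary or with `newline=""` so Python does not translate the terminators before the check), and use `normalise_line_endings()` to produce the CRLF version; the STARTTLS consistency fix has to be made on the SMTP server itself.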