Re: [mailop] message attachments, was Guide for setting up a mail server ?

2023-07-14 Thread John Levine via mailop
It appears that Grant Taylor via mailop  said:
>I'd be worried that some (web) MUAs would deal with multipart/digest 
>worse than they deal with message/rfc822 contained in the former. 
>Especially with the comment that someone made about inline vs attachment 
>disposition of the message/rfc822 MIME parts.

I found they dealt pretty badly with all of them.  I use quaint old Alpine
which deals with attached messages just fine, but then I am strange.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] message attachments, was Guide for setting up a mail server ?

2023-07-14 Thread Grant Taylor via mailop

On 7/14/23 9:22 PM, John Levine via mailop wrote:
> Well, sure.  What do you think mailing list MIME digests are?

I assume that you're referring to multipart/digest.

> The disadvantage is that a lot of mail systems, particularly popular 
> webmail, deal poorly with embedded messages.

Agreed.

I'd be worried that some (web) MUAs would deal with multipart/digest 
worse than they deal with message/rfc822 contained in the former. 
Especially with the comment that someone made about inline vs attachment 
disposition of the message/rfc822 MIME parts.

> When the IETF was trying to figure out the least bad way to deal with 
> DMARC list damage I mocked up some possibilities including a couple of 
> ways to wrap messages as attachments. We found that unwrapping and 
> replying to them worked poorly, so we decided on per-user From 
> rewrites (my dmarc.fail hack) instead.

Yep.



Grant. . . .


Re: [mailop] Guide for setting up a mail server ?

2023-07-14 Thread John Levine via mailop
It appears that Michael Peddemors via mailop  said:
>On 2023-07-14 09:20, Slavko via mailop wrote:
>
>You all realize that the poor guy looking for a guide on how to set up 
>an email server long since left, you scared him to death with the 
>complexity..

Um, that was me who asked the question on behalf of someone else.

To reply to someone else's question, we're not talking about setting
up an entire mail system for random users. He wants to be able to send
and receive mail for a handful of people and role accounts and wonders
how to make it more likely that other mail systems will accept his
mail.

R's,
John


Re: [mailop] message attachments, was Guide for setting up a mail server ?

2023-07-14 Thread John Levine via mailop
It appears that Hans-Martin Mosner via mailop  said:
>Has anyone on this list tried forwarding (e.g. for ex-employees) via 
>attachment? 

Well, sure.  What do you think mailing list MIME digests are?

The disadvantage is that a lot of mail systems, particularly popular
webmail, deal poorly with embedded messages.

When the IETF was trying to figure out the least bad way to deal with
DMARC list damage I mocked up some possibilities including a couple of
ways to wrap messages as attachments. We found that unwrapping and
replying to them worked poorly, so we decided on per-user From
rewrites (my dmarc.fail hack) instead.

R's,
John


Re: [mailop] Guide for setting up a mail server ?

2023-07-14 Thread John Levine via mailop
It appears that Thomas Walter via mailop  said:
>Hey Michael,
>
>On 13.07.23 00:53, Michael Peddemors via mailop wrote:
>> And yes, email forwarding will break.. but email forwarding remotely 
>> should be killed off anyways.. everyone can log into two accounts.
>
>Everyone has always been able to log into two accounts.

Some of us are old enough that we remember when that was not true, or
at least not true in a useful way.  If you had accounts on different
systems, you had to log out from one and log into the other to check.
Usually via dialup.

>I have sold one of my personal domains. The buyer agreed to forward the 
>personal address I had used to a new mailbox for a while. 

That's certainly one reason.

R's,
John


Re: [mailop] Guide for setting up a mail server ?

2023-07-14 Thread John Levine via mailop
It appears that Jaroslaw Rafa via mailop  said:
>Most of regular consumer email users don't have any reason for this. As Bill
>Cole, whom I was replying to, wrote - nobody would try to impersonate you or
>me in a phishing campaign for financial gain, because there won't be any.

Since we all seem to have forgotten everything we talked about last
week, the reason we have to deal with DMARC for normal mail systems
(as opposed to places like Paypal where it makes sense) is that back
when AOL and Yahoo were different companies, they both had such poor
security that they let crooks steal their user address books, so
people were getting spam with return addresses of people they knew.

I think there were better ways to deal with that particular problem,
but it is definitely the case that normal people get their addresses
forged in spam.  Perhaps it doesn't happen to hobby systems hosted in
free public subdomains, but it happens to other people.

R's,
John


Re: [mailop] Guide for setting up a mail server ?

2023-07-14 Thread Dave Crocker via mailop


On 7/14/2023 11:21 AM, Grant Taylor via mailop wrote:
>> Suggest you might consider changing the topic, if you want to argue 
>> the various nuances and complexities of SPF/DKIM/DMARC etc..?
>
> And break existing threading and avoid any ignore thread filters that 
> people have put in place?
>
> That seems like people changing email addresses to get around filters.

This is exactly the type of breakage, caused by From field re-writing, 
that has been entirely ignored, in spite of being cited with some 
frequency.  It is, to coin a phrase, an inconvenient truth.



d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social


Re: [mailop] Guide for setting up a mail server ?

2023-07-14 Thread Paul Smith via mailop


On 14 July 2023 18:24:45 Dave Crocker via mailop  wrote:
>> We need to 'encourage' people to run their own mail servers, not scare
>> them away..
>
> We also need to encourage people to do all the servicing for their car,
> to build their own house, and to grow their own food.
>
> Or we might take a somewhat more modern view of life and deal
> pragmatically with the realities of the division of labor.

But if someone *wants* to set up a mail server, we shouldn't put them off 
unnecessarily.

Or would you put someone off growing vegetables in their garden as well?

If someone says "I want to receive email", then suggesting they set up 
their own mail server may be inappropriate, but that's not the case here.


Paul



Re: [mailop] Guide for setting up a mail server ?

2023-07-14 Thread Grant Taylor via mailop

On 7/14/23 11:20 AM, Slavko via mailop wrote:
> Hi,

Hi Slavko,

> Possible? Yes. Expected? Hard to tell... See later.
>
> From which point of view?

My experience is that hard and fast usually surfaces errors much closer 
to the time they are introduced.

Conversely soft and slow usually causes errors to surface much later, 
frequently after the change that introduced the error has left the 
brain's cache.  I usually see soft and slow errors written off as "I 
don't know what caused that, I'll dig deeper if / when it happens 
again."  Thus becoming a circular loop.

With this in mind, my opinion is that hard and fast is often better / 
less problematic in the long term.

> We all are doing mistakes...

Yep.

> I assume that you are aware of DMARC checking, as defined in RFC 7489, 
> thus i shorten only important parts. The receiver:
>
> 1. gets MIME From: domain
> 1. gets DMARC policy
> 2. does DKIM check
> 3. does SPF check
> 4. does alignment check
> 5. applies policy
>
> My understanding of that RFC is that both, SPF/DKIM checks happen 
> as part of DMARC.

Maybe.  Not always.

The DMARC implementations that I use don't do the SPF nor DKIM checks 
themselves.  Instead there are other independent filters that do those 
before the DMARC filter and the DMARC filter uses the results from those 
tests.

> That RFC clearly states, that fail ("-all") can be applied by **some** 
> receivers before DMARC checks. I understand that section to be 
> included as note, that not all receivers do DMARC checks, not 
> as suggestion to do that before DMARC. Am i wrong?

I'm fairly certain that SPF checks significantly pre-date DMARC.

Just because something can be done as part of DMARC doesn't mean that it 
has to be done as part of DMARC.

> My understanding is, that DMARC compliant receivers don't 
> do independent SPF/DKIM checks, they are done as part of 
> DMARC (see diagram in RFC). But doing these independent checks 
> is not exactly prohibited, which IMO really lacks there.

Why does the SPF check need to wait until the DMARC check which needs 
the body (DATA)?

Why can't SPF be checked very much earlier at the MAIL FROM stage before 
the body (DATA) is sent?

> Of course, where i wrote independent check, i mean apply 
> result too.
>
> Agree, but i don't extract business to separate category.

There's businesses hosting their own email which only affects them and 
then there are businesses that host other people's email as a service. 
I think the two are quite different in many regards.  E.g. Google does 
things quite differently for @google.com email than their Gmail product 
does for @gmail.com email.  GSuite hosted email is even more different.

> Yes, starting without encryption is good. It makes debugging/learning 
> significantly simpler.

:-)

> I remember my 28.8 kbit/s modem and download 50 MB MySQL 
> upgrade as whole day task ;-)

:-)

> eg. MTA are prohibited to modify message. But yes they do it...

I question the veracity of that.

Sometimes MTAs are forced to modify messages.  I usually see it when the 
MSA or upstream MTAs support 8BITMIME and downstream MTA(s) don't.  Thus 
the last 8BITMIME supporting MTA *MUST* convert to 7-bit messages if the 
sender utilized 8BITMIME.

I know that there are other scenarios where an MTA will alter a message 
in transit.  This is one of the reasons why DKIM has relaxed and simple 
canonicalization.

> I was not enough clear, these instances are not running on the same host 
> (container) for the same reasons as you mentioned, sorry.

Thank you for clarifying.

> regards

:-)



Thank you and have a good day,

Grant. . . .
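
An added example, not part of the original thread and not code from any real filter, of the arrangement described in this message: an SPF filter that can act at MAIL FROM and a separate DMARC filter that reuses its result after DATA. The domains, IPs, policies and all function names are constructed, and alignment is simplified to strict (exact-match) mode.

```python
# Added illustration; not code from the thread or from any particular filter.
from dataclasses import dataclass

# Constructed SPF data: envelope domain -> authorized client IPs, each record
# ending in "-all" so that every other IP evaluates to "fail".
SPF_AUTHORIZED = {
    "example.org": {"192.0.2.10"},
    "lists.example.net": {"198.51.100.20"},
}
# Constructed DMARC policies, keyed by RFC5322.From domain.
DMARC_POLICY = {"example.org": "reject"}


@dataclass
class Message:
    client_ip: str            # known at connect time
    mail_from_domain: str     # known at MAIL FROM
    header_from_domain: str   # known only after DATA
    dkim_pass_domains: tuple  # d= domains a separate DKIM filter verified


def spf_filter(client_ip, mail_from_domain):
    """Needs only connection and envelope data, so it can run at MAIL FROM."""
    allowed = SPF_AUTHORIZED.get(mail_from_domain)
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"


def dmarc_filter(msg, spf_result):
    """Reuses the SPF and DKIM filters' results; adds alignment and policy.

    Alignment is strict here (exact domain match) to keep the example short.
    """
    spf_aligned = (spf_result == "pass"
                   and msg.mail_from_domain == msg.header_from_domain)
    dkim_aligned = msg.header_from_domain in msg.dkim_pass_domains
    if spf_aligned or dkim_aligned:
        return "accept"
    policy = DMARC_POLICY.get(msg.header_from_domain, "none")
    return policy if policy in ("reject", "quarantine") else "accept"


def receive(msg, enforce_spf_at_mail_from):
    """Return (smtp_stage, verdict), following SMTP command order."""
    spf_result = spf_filter(msg.client_ip, msg.mail_from_domain)
    if enforce_spf_at_mail_from and spf_result == "fail":
        return "MAIL FROM", "reject"   # DATA never arrives, DMARC never runs
    return "DATA", dmarc_filter(msg, spf_result)


# Constructed messages, all with From: user@example.org
DIRECT = Message("192.0.2.10", "example.org", "example.org", ("example.org",))
# Forwarded with the envelope sender kept; the DKIM signature survived.
FORWARDED = Message("198.51.100.7", "example.org", "example.org", ("example.org",))
# Sent by a list with its own envelope sender; the DKIM signature broke.
LIST_MODIFIED = Message("198.51.100.20", "lists.example.net", "example.org", ())
FORGED = Message("203.0.113.5", "example.org", "example.org", ())

if __name__ == "__main__":
    cases = [("direct", DIRECT), ("forwarded", FORWARDED),
             ("list-modified", LIST_MODIFIED), ("forged", FORGED)]
    for name, msg in cases:
        print(f"{name:14} early SPF: {receive(msg, True)}  "
              f"DMARC only: {receive(msg, False)}")
```

Only the forwarded message changes outcome between the two configurations: enforcing "-all" at MAIL FROM rejects it before the aligned DKIM signature is ever seen.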


Re: [mailop] Guide for setting up a mail server ?

2023-07-14 Thread Dave Crocker via mailop


On 7/14/2023 11:20 AM, Paul Smith wrote:
> On 14 July 2023 18:24:45 Dave Crocker via mailop  wrote:
>>> We need to 'encourage' people to run their own mail servers, not scare
>>> them away..
>>
>> We also need to encourage people to do all the servicing for their car,
>> to build their own house, and to grow their own food.
>>
>> Or we might take a somewhat more modern view of life and deal
>> pragmatically with the realities of the division of labor.
>
> But if someone *wants* to set up a mail server, we shouldn't put them 
> off unnecessarily.
>
> Or would you put someone off growing vegetables in their garden as well?
>
> If someone says "I want to receive email", then suggesting they set up 
> their own mail server may be inappropriate, but that's not the case here.

The use of 'encourage', that I was responding to, was not in a tone that 
had to do with an individual person's preferences, but about pressing 
for a professional bias. In the context of this discussion, it frankly 
had a tone of social pressure, IMO.


d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social


Re: [mailop] Guide for setting up a mail server ?

2023-07-14 Thread Grant Taylor via mailop

On 7/14/23 11:31 AM, Michael Peddemors via mailop wrote:
> You all realize that the poor guy looking for a guide on how to set up 
> an email server long since left, you scared him to death with the 
> complexity..

Why does an active ongoing conversation between multiple parties need to 
stop because the person that asked the original question walked away?

How and why are the currently active and communicating parties dependent 
on the person that originally asked the question?

> We need to 'encourage' people to run their own mail servers, not scare 
> them away..

If you read any part of my replies I think you would see that I am 
trying to encourage people to run their own mail server.

I try to be very much here's how you do something, here are the problems 
that you'll likely run into, and here's how you overcome those problems. 
Let's talk if you have questions.

> Suggest you might consider changing the topic, if you want to argue the 
> various nuances and complexities of SPF/DKIM/DMARC etc..?

And break existing threading and avoid any ignore thread filters that 
people have put in place?

That seems like people changing email addresses to get around filters.

No thank you.



Grant. . . .


Re: [mailop] Guide for setting up a mail server ?

2023-07-14 Thread Dave Crocker via mailop


> We need to 'encourage' people to run their own mail servers, not scare 
> them away..

We also need to encourage people to do all the servicing for their car, 
to build their own house, and to grow their own food.

Or we might take a somewhat more modern view of life and deal 
pragmatically with the realities of the division of labor.


d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social



Re: [mailop] Guide for setting up a mail server ?

2023-07-14 Thread Michael Peddemors via mailop

On 2023-07-14 09:20, Slavko via mailop wrote:

You all realize that the poor guy looking for a guide on how to set up 
an email server long since left, you scared him to death with the 
complexity..


We need to 'encourage' people to run their own mail servers, not scare 
them away..


Suggest you might consider changing the topic, if you want to argue the 
various nuances and complexities of SPF/DKIM/DMARC etc..?



--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] Guide for setting up a mail server ?

2023-07-14 Thread Slavko via mailop
Hi,

On 13 July 2023 23:42:15 UTC, user Grant Taylor via mailop wrote:

>I absolutely think that it's quite possible to apply SPF independently 
>nowadays.

Possible? Yes. Expected? Hard to tell... See later.

>Is it better to fail soft and slow or hard and fast?

From which point of view?

>Sure, SPF publishers make mistakes.

We all are doing mistakes...

>I'll argue that if I set a "-all" on my SPF record that I really honestly and 
>truly want no server than my authorized server to send email claiming to be 
>from me.  This includes mailing lists.

I assume that you are aware of DMARC checking, as defined in RFC 7489,
thus i shorten only important parts. The receiver:

1. gets MIME From: domain
1. gets DMARC policy
2. does DKIM check
3. does SPF check
4. does alignment check
5. applies policy

My understanding of that RFC is that both, SPF/DKIM checks happen
as part of DMARC.

That RFC clearly states, that fail ("-all") can be applied by **some**
receivers before DMARC checks. I understand that section to be
included as note, that not all receivers do DMARC checks, not
as suggestion to do that before DMARC. Am i wrong?

My understanding is, that DMARC compliant receivers don't
do independent SPF/DKIM checks, they are done as part of
DMARC (see diagram in RFC). But doing these independent checks
is not exactly prohibited, which IMO really lacks there.

Of course, where i wrote independent check, i mean apply
result too.

>For a business selling email services, no.

Agree, but i don't extract business to separate category.

>I say this because I think that people don't /need/ to learn about / mess with 
>encryption when they are /first/ starting to learn about email servers.

Yes, starting without encryption is good. It makes debugging/learning
significantly simpler.

>I've routinely seen MSAs configured with longer time out values than MTAs.

I remember my 28.8 kbit/s modem and download 50 MB MySQL
upgrade as whole day task ;-)

>What's the actual violation?  What fails to function from an end user's 
>standpoint?

eg. MTA are prohibited to modify message. But yes they do it...

>For Sendmail, it's actually more complicated to run multiple instances of the 
>daemon.

I was not enough clear, these instances are not running on the same host
(container) for the same reasons as you mentioned, sorry.

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] [E] Re: AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-14 Thread Marcel Becker via mailop
On Fri, Jul 14, 2023 at 8:54 AM Larry Smith via mailop 
wrote:


> Hmmm, so are these simply connections this filter is blocking
> or verifiable  (high probability of spam source) spam connections?
>

Spam. Of course.


> From the conversation it seems mom and pop's are the ones losing
>

"seems" is the keyword here. People's opinions and anecdotes do not really
reflect actual data at scale.
 Mom and pops tend to have correct DNS setups.

And as I said before (multiple times now) we help the (very few) edge
cases.


Re: [mailop] [E] Re: AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-14 Thread Larry Smith via mailop
On Fri July 14 2023 09:26, Marcel Becker via mailop wrote:
> On Fri, Jul 14, 2023 at 12:46 AM Thomas Mechtersheimer via mailop <
>
> mailop@mailop.org> wrote:
> > Do you have any numbers that suggest that this specific method does
> > filter a significant amount of spam which other filters would not
> > recognise?
>
> Yes, of course. We wouldn't do it otherwise. It's billions. And it kept
> getting worse.
> You can thank the scum of the internet. Once more.

Hmmm, so are these simply connections this filter is blocking
or verifiable  (high probability of spam source) spam connections?
From the conversation it seems mom and pop's are the ones losing
and the spammers just move on to another technique.

-- 
Larry Smith
lesm...@ecsis.net


Re: [mailop] [E] Re: AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-14 Thread Grant Taylor via mailop

On 7/14/23 9:26 AM, Marcel Becker via mailop wrote:
> Yes, of course. We wouldn't do it otherwise. It's billions. And it kept 
> getting worse.

Can ~> will you share any rough (as in order of magnitude / log10) 
numbers?  --  If so, please do.

One of the things that I find so confusing about this thread is how the 
SOA test that Yahoo is doing provides any different results than 
requiring an MX / A /  record for a (purported) sending domain.

> You can thank the scum of the internet. Once more.

I assumed that denizens of the Internet's Mos Eisley cantina were the 
impetus behind such a test / filter.




Grant. . . .


Re: [mailop] [E] Re: AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-14 Thread Marcel Becker via mailop
On Fri, Jul 14, 2023 at 12:46 AM Thomas Mechtersheimer via mailop <
mailop@mailop.org> wrote:

>
> Do you have any numbers that suggest that this specific method does filter
> a significant amount of spam which other filters would not recognise?
>

Yes, of course. We wouldn't do it otherwise. It's billions. And it kept
getting worse.
You can thank the scum of the internet. Once more.


Re: [mailop] [E] Re: AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-14 Thread Richard Clayton via mailop
In message <56b83491-6441-4d1e-a3ef-008da3311...@slavino.sk>, Slavko via
mailop  writes

>When spammers are able to create proper DNS records directly used
>in email authentification, what problem will be the SOA record for them?

In order to have a domain with an SOA record they have to purchase a
domain (and provide a DNS service for it) ... and when that domain falls
in reputation they have to buy another one ... (and yes there are free
domains out there but they start off with a poor reputation!)

If an SOA is not required (and other mailbox providers have other ways
of testing that domains actually exist) then n-character-random-
string.respectable-tld can be used as a domain and every spam email will
have a domain with a neutral reputation

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755




Re: [mailop] [E] Re: AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-14 Thread Slavko via mailop
On 14 July 2023 7:16:43 UTC, user Thomas Mechtersheimer via mailop wrote:

>I guess he means filtering based solely on the existence of a SOA record.

Of course, that is what this thread about... Thanks to clarify behind me ;-)

>Do you have any numbers that suggest that this specific method does filter
>a significant amount of spam which other filters would not recognise?

I know that you don't ask me, but consider that spammers adapted SPF,
DMARC and DKIM. That doesn't mean that these methods don't do
what they have to do. But they are not reliable SPAM mark anymore.
Some months ago I collected stats about DKIM on my server:

+ all failed DKIMs was in legal mails, mostly from maillists
+ all rejected SPAMs (with DKIM signature) had DKIM pass

When spammers are able to create proper DNS records directly used
in email authentication, what problem will be the SOA record for them?
Thus more than spammers (perhaps except some script kids), IMO that
will mostly catch misconfigurations of regular people.

If mission is to improve DNS, then OK. But spammers? I don't believe...

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] [E] Re: AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-14 Thread Thomas Mechtersheimer via mailop
On Thu, Jul 13, 2023 at 11:31:48AM -0700, Marcel Becker via mailop wrote:
> On Thu, Jul 13, 2023 at 11:19 AM Slavko via mailop 
> wrote:
> > Would not be more effective to not use technique prone to false
> > positives? For both sides...
> 
> So you mean not trying to filter spam or fight spammers at all? I have not
> seen a solution which doesn't produce false positives.

I guess he means filtering based solely on the existence of a SOA record.

Do you have any numbers that suggest that this specific method does filter
a significant amount of spam which other filters would not recognise?

-- 
Thomas Mechtersheimer - Necklenbroicher Str. 45a - D-40667 Meerbusch - Germany
EMail: thom...@wupper.com IRC-Nick: Mechti
  Of course I'm crazy, but that doesn't mean I'm wrong. I'm mad but not ill.


Re: [mailop] AOL/Yahoo requiring SOA record for MAIL FROM domain name?

2023-07-14 Thread Richard Clayton via mailop
In message <601b01c7-1475-32e0-5aba-e595272e9...@tnetconsulting.net>,
Grant Taylor via mailop  writes

>My concern is that Yahoo / AOL isn't creating an arbitrary "every domain 
>must have an SOA record" and completely losing sight of the fact that 
>SOAs belong to the /zone/ apex and are not associated with /domain/s.

One more time ... I can see two people have already explained this
clearly, but perhaps three's a charm ?

The check is whether there is an SOA record for the domain used in the
RFC5321 MAIL FROM. If there is not, then a check is made for an SOA for
the administrative domain (using the DMARC approach to determining the
administrative domain which involves consulting the Public Suffix List).

So if you use a.b.c.tld then the check will be for an SOA for a.b.c.tld
(which in many cases would not exist) and then for an SOA on c.tld

What is turning out to be problematic for some people is that "tld" is
any entry on the PSL -- so, to take the recent example when the MAIL
FROM is a.b.c.or.us then because or.us is on the PSL then checks will be
made for an SOA at a.b.c.or.us and then for c.or.us

If it is problematic then as Marcel pointed out, the postmaster team at
Yahoo are pleased to help.

It does seem to me (viz: this is a personal opinion and not that of
$DAYJOB) that some entries have been put onto the PSL by people who do
not fully understand that they are declaring "treat this as a TLD"
without thinking through all of the implications for cookies, for DMARC
and for anyone who is trying to understand whether a domain exists or
has merely been invented by a spammer -- so that every email they send
can evade domain-based reputation systems.

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
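
The two-step lookup described in this message, as an added example that is not part of the original post and is not Yahoo's code. The suffix set and the `ZONES_WITH_SOA` table are constructed stand-ins for the Public Suffix List and for live DNS SOA queries, and the function names are hypothetical.

```python
# Added illustration of the check described above; not Yahoo's implementation.
# Constructed stand-in for the Public Suffix List (the real list is far larger
# and also has wildcard and exception rules, which are not modelled here).
PUBLIC_SUFFIXES = {"tld", "us", "or.us"}

# Constructed stand-in for DNS: the names that are zone apexes and therefore
# answer an SOA query with an SOA record of their own.
ZONES_WITH_SOA = {"c.tld", "c.or.us", "mail.example.tld", "or.us"}


def administrative_domain(domain):
    """Longest matching public suffix plus one label (the DMARC approach).

    Returns None when the name is itself a public suffix or matches none.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i = 0 tries the longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def soa_check(mail_from, has_soa=lambda name: name in ZONES_WITH_SOA):
    """Return (accepted, names_queried) for an RFC5321 MAIL FROM address."""
    domain = mail_from.rsplit("@", 1)[-1].lower().rstrip(".")
    queried = [domain]
    if has_soa(domain):                   # step 1: SOA at the MAIL FROM domain
        return True, queried
    admin = administrative_domain(domain)
    if admin and admin != domain:         # step 2: SOA at the administrative domain
        queried.append(admin)
        if has_soa(admin):
            return True, queried
    return False, queried


SAMPLES = [  # constructed envelope senders
    "bounce@a.b.c.tld",       # no SOA at the full name, SOA at c.tld
    "bounce@a.b.c.or.us",     # or.us is on the suffix list, so fallback is c.or.us
    "news@mail.example.tld",  # the MAIL FROM domain is itself a zone apex
    "x@q7hz2kfd.tld",         # random label directly under the suffix, no zone
    "x@host.dept.or.us",      # enclosing apex is or.us, which is never queried
]

if __name__ == "__main__":
    for sender in SAMPLES:
        ok, queried = soa_check(sender)
        verdict = "accept" if ok else "reject"
        print(f"{sender:24} {verdict:7} SOA? {' -> '.join(queried)}")
```

The last sample shows the case the thread argues about: the name sits in a real zone, but because `or.us` is on the suffix list the zone apex is neither of the two names queried.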

