Re: [mailop] too many bad IP blocked

[Alan Hodgson via mailop]

On Fri, 2024-06-21 at 01:01 +, Ferris, Rhys (SCC) via mailop
wrote:
> 
> 
> 
> I guess my mentality is a large IPTables is still less of a load
> than letting them establish a connection and attempt to
> authenticate, but I'm certainly open to better ideas.

Somewhat OT, but if you can switch to nftables, loading a very large
set (100K+ entries) takes like a second and it's O(1) to test
against.

You can also use ipset with iptables to similar effect, although
loading the set takes quite a while at first.

You can modify things like fail2ban or ossec to update the sets
instead of creating new rules, too.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] problem setting up open-dmarc

[Alan Hodgson via mailop]

On Tue, 2024-02-06 at 17:46 -0500, John Covici via mailop wrote:
> Hi.  I am trying to make sure my mail server is properly
> authenticated, and I have spf and dkim set up -- seemingly
> correctly
> -- but I am not sure about dmarc.  I have downloaded and installed
> the
> open-dmarc package and I have the text record I will have to put in
> the zone,  but I don't know what to put in
> /etc/openmarc/opendmarc.conf -- its quite a large file and I am not
> sure what I really need in it.

You don't need to do anything with opendmarc to send authenticated
mail. It's used to check incoming email from other people.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Dkim fails, success on same email?

[Alan Hodgson via mailop]

On Fri, 2023-06-16 at 18:05 +, Salvatore Jr Walter P via mailop
wrote:
> 
> 
> Getting reports back from several ISPs like the one below.
> It shows dkim failing for the IP, but successful for the domain?
> The domain “mail-dkim-us-west-2.prod.hydra.sophos.com” uses
> multiple IPs,
> One of which is “198.154.181.72”. We do receive failures on all
> other IPs as well.
> Is this an actual issue or something we can ignore?
>  
> 
> 
> 198.154.181.72
> 1
> 
> none
> fail
> pass
> 
> 
> 
> warwickri.gov
> 
> 
> 
> mail-dkim-us-west-2.prod.hydra.sophos.com
> v1
> pass
> 
> 
> warwickri.gov
> pass
> 
> 
> 


It appears you're DKIM-signing it, but not with an identifier aligned
with your From: domain. So DKIM passes but not in a way that
satisfies DMARC.

It passed DMARC only because it passes SPF.

You should add a DKIM signature from a domain aligned with your From:
domain.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] How to delegate DMARC reporting to third-party providers for inbound mails

[Alan Hodgson via mailop]

On Tue, 2022-11-29 at 09:15 -0500, Muyeed Ali via mailop wrote:

> -- Got it. Wanted to avoid a self-managed service. But if any
> third-party solution does not work, will try to integrate rspamd
> with Postfix and keep in mind the loop-y behavior.

opendmarc is an easy integration and just needs a MySQL database and
a cron job to send reports off its own logs.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] The oligopoly has won.

[Alan Hodgson via mailop]

On Tue, 2022-09-13 at 09:30 +0100, Laura Atkins via mailop wrote:
> 
> 
> 
> That’s not what I’m seeing at all. What I’m seeing is complaints
> that it’s difficult to host your own email without any real
> commitment of resources (whether those resources be time or money).
> A lot of the complaints I’m seeing are from folks who don’t want to
> really pay for hosting at a reputable provider that takes action
> against abuse. 

Who is this VPS provider that acts immediately on abuse and therefore
is never bulk-blocked at the majors? Is there one? More than one?
Define "really pay".

I do know what I'm doing, but I find I have to smarthost my mail out
through a relay to get it reliably delivered.

The subset of VPS providers that do IPV6, reverse DNS, are reliably
up, and allow any Linux variant are small enough as it is.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft Office365 blocking non Oauth2 authentication on IMAP and SMTP.

[Alan Hodgson via mailop]

On Fri, 2022-08-19 at 10:19 -0500, Mike Hammett via mailop wrote:
> 
> I wonder: How do other Microsoft Office365 customers mitigate this
> situation?

If O365 no longer meets their needs, I guess maybe they'll have to
use something different. Or change their needs.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Best practice for mailing list servers

[Alan Hodgson via mailop]

On Tue, 2022-06-14 at 19:07 +0200, Slavko via mailop wrote:
> Ahoj,
> 
> Dňa Tue, 14 Jun 2022 16:51:55 + Ken O'Driscoll via mailop
>  napísal:
> 
> > I wouldn't suggest that you implement DMARC on your list domain
> > as it
> > won't help with deliverability and will just cause more issues.
> > It's
> > not really designed for mailing lists.
> 
> Please, what issues will cause DMARC with policy None? Would not be
> better to suggest this instead of no DMARC?

You need to replace the From: address with your own address if you're
going to use any DMARC (or if the original sender uses DMARC).

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [E] What the f**k, Google?

[Alan Hodgson via mailop]

On Wed, 2022-03-02 at 17:28 +, Simon Arlott via mailop wrote:
> On 2 March 2022 17:12:14 GMT, Edgaras | SENDER via mailop
>  wrote:
> 
> > There's literally nothing you can do as a sender to prevent your
> > reputation from being trashed.
> 
> No, that's quite clearly not literally true. Stop DKIM signing the
> spam email and the problem goes away.
> 

This. If you're sending mail on behalf of a stranger, perhaps you
should only sign it with their domain.

It does seem like Google could notice "old" date headers and BCCs and
the fact the mail is coming from a dedicated spam factory and maybe
treat it a little differently, though.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] MX advice for small operator

[Alan Hodgson via mailop]

On Thu, 2021-12-16 at 13:29 -0500, John Levine via mailop wrote:
> It appears that Sam Mulvey via mailop  said:
> > I'm looking for advice for a reputable organization that can
> > serve as a 
> > net-facing MX for my very small mail server.  Feel free to email
> > me 
> > off-list with contacts or advice.
> 
> smtp.com seems OK and their low volume plan is $25/mo
> 
> I hate to suggest it here, but sendgrid's free plan lets you send
> 100 messages/day.
> or $15/mo for more than you will ever send.

Neither preserve the envelope sender or, therefore, return bounces to
the sender, which I found a pain for a smarthost.

DuoCircle and Dynu's relay services both do. fwiw.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

[mailop] Air Canada sending from Adobe space failing to send to server with Let's Encrypt SSL certificate

[Alan Hodgson via mailop]

This may be from Marketo or something? Whois shows Adobe with an
ab...@marketo.com contact address.

Oct 25 10:10:50 hyperion postfix/smtpd[1588023]: connect from
r117.mail.aircanada.com[172.82.216.117]
Oct 25 10:10:51 hyperion postfix/smtpd[1588023]: SSL_accept error from
r117.mail.aircanada.com[172.82.216.117]: -1
Oct 25 10:10:51 hyperion postfix/smtpd[1588023]: warning: TLS library problem:
error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate
expired:ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
Oct 25 10:10:51 hyperion postfix/smtpd[1588023]: lost connection after
STARTTLS from r117.mail.aircanada.com[172.82.216.117]
Oct 25 10:10:51 hyperion postfix/smtpd[1588023]: disconnect from
r117.mail.aircanada.com[172.82.216.117] ehlo=1 starttls=0/1 commands=1/2



---

This is almost certainly caused by the expiration of the DST Root CA X3
certificate:
  https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

If anyone has a contact at this sender please suggest that they install a
trust certificate for Let's Encrypt's current root certificate (and maybe any
other security updates that they've missed since 2017).

Thanks.


signature.asc
Description: This is a digitally signed message part
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] So how do you actually manage to send mails to outlook/hotmail?

[Alan Hodgson via mailop]

On Mon, 2021-07-12 at 00:11 +0200, Marcus Hoffmann via mailop wrote:
> 
> Someone suggested routing emails to MS and google domains through Amazon 
> SES. Would that actually make things better?

I'd suggest a more end-user friendly relay, like Duocircle or Dynu's relay
service, who don't mess with your envelope sender address, but yes it would
help.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Technical Contact to paddle.com mail platform operator?

[Alan Hodgson via mailop]

On Mon, 2021-07-05 at 19:42 +0200, Konstantin Filtschew / Qameta via mailop
wrote:
>  They are not using postmark.
> 
> Received mails from paddle from this addresses:
> 
> 2021-06-29         mta214a-ord.mtasv.net [104.245.209.214]
> 2021-06-29         mta216a-ord.mtasv.net [104.245.209.216]
> 2020-11-25         mta200a-ord.mtasv.net [104.245.209.200]
> 
> Hope it'll help

mtasv.net is Postmark.

The recipient was probably suppressed at Postmark due to a previous rejection.
The sender would have to manually remove the suppression.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Malware waves from hotmail.com

[Alan Hodgson via mailop]

On Fri, 2021-06-04 at 18:08 -0500, Scott Mutter via mailop wrote:
> On Fri, Jun 4, 2021 at 1:24 PM Michael Peddemors via mailop
>  wrote:
> > With apache, you can use modsecurity quite easily, and you can block all 
> > azure (and other cloud providers ranges) from certain services like 
> > wordpress, or contact forms etc.. (you can even do dns based checks or 
> > rbldnsd) ..
> > 
> > 
> 
> 
> Are there any links for this? AFAIK mod_security is just a module - to
> actually do anything it requires a ruleset.  Further from that, how does it
> determine what is Azure and what is not?  Is it just blocking IP addresses? 
> Seems you'd need a list of all of the Azure IP address space.  And from what
> I have seen the offending IPs are all over the place:
> 
> 157.55.39.138
> 207.46.13.5
> 20.83.33.136
> 20.94.247.9
> 40.124.141.27
> 40.124.141.27
> 40.124.193.244
> 40.76.220.206
> 
> Are just a few.
> 
> But if there's a way to block Azure and other cloud based services, I'd be
> interested in that.  But I'd suspect you'd need a list of all of their IP
> address spaces - is that information available some where?

These should give everything routed to AS8075 (Microsoft) as of yesterday.
It's a good start.

V4URL=`curl -s
https://publicdata.caida.org/datasets/routing/routeviews-prefix2as/pfx2as-creation.log
-o -  | tail --lines=1 | awk '{print
"https://publicdata.caida.org/datasets/routing/routeviews-prefix2as/"$3}'` ;
curl -s "${V4URL}" -o - | zegrep "\s8075$" | awk '{print $1"/"$2}'

V6URL=`curl -s
https://publicdata.caida.org/datasets/routing/routeviews6-prefix2as/pfx2as-creation.log
-o -  | tail --lines=1 | awk '{print
"https://publicdata.caida.org/datasets/routing/routeviews6-prefix2as/"$3}'` ;
curl -s "${V6URL}" -o - | zegrep "\s8075$" | awk '{print $1"/"$2}'


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Malware waves from hotmail.com

[Alan Hodgson via mailop]

On Fri, 2021-06-04 at 11:45 -0500, Scott Mutter via mailop wrote:
> Not to hijack this thread and send it off-topic, but I'm also seeing a lot
> of brute force attempts (mostly WordPress login attempts) from various and
> wide-ranging subnets of Microsoft IPs.
> 
> Has Microsoft's network been compromised?

Azure.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] opendmarc fails with tencent.com emails

[Alan Hodgson via mailop]

On Fri, 2021-05-21 at 15:06 +0300, Mary via mailop wrote:
> 
> Hello,
> 
> I am seeing a lot of DMARC errors with emails coming from tencent.com, I am
> not sure but based on the opendmarc errors I think these emails are
> forwarded via qq.com and the From domain is replaced from @tencent.com to
> @qq.com (keeping the user part intact).
> 
> The domain tencent.com has valid SPF+DMARC records, but the qq.com domain
> has no TXT records whatsoever.
> 
> Anyone else seen this issue before? is opendmarc at fault?
> 
> 
> -- SAMPLE
> Received: from smtpbg.qq.com (smtpbg552.qq.com [183.3.226.181])
> (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256
> bits))
> (No client certificate requested)
> by my.server.com (Postfix) with ESMTPS id D4ACD5XZ51
> for ; Fri, 21 May 2021 11:14:12 + (UTC)
> Authentication-Results: my.server.com; dmarc=fail (p=none dis=none)
> header.from=qq.com
> Authentication-Results: my.server.com; spf=pass smtp.mailfrom=l...@tencent.com
> Authentication-Results: my.server.com;
> dkim=pass (1024-bit key; unprotected) header.d=tencent.com
> header.i=@tencent.com header.a=rsa-sha256 header.s=s201512 header.b=Ucwje3sK


It's testing qq.com, not tencent.com. They do appear to have an SPF record,
fwiw. Which doesn't help DMARC if they don't replace the envelope sender.
They'd have to fix that or add a DKIM sig from qq.com. Not sure how tencent's
DKIM sig passed; that suggests they put the @qq.com in the From:, or else qq
resigned it with a tencent.com key after rewriting the From:. Neither is
helpful.

qq.com's DMARC policy is p=none, though. Which is good considering how broken
that mail is.


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [EXTERNAL] Re: Hotmail and block on OVH: possible solutions alternatives?

[Alan Hodgson via mailop]

On Thu, 2021-02-25 at 23:15 +, Andrew C Aitchison via mailop wrote:
> On Thu, 25 Feb 2021, Michael Wise via mailop wrote:
> >https://go.microsoft.com/fwlink/?LinkID=614866
> 
> Hmm. No indication of how to specify IPv6 addresses.
> Do people think 256 addresses total is reasonable for IPv 6 ?

Does Microsoft even accept mail over IPV6?


signature.asc
Description: This is a digitally signed message part
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft antispam

[Alan Hodgson via mailop]

On Mon, 2021-02-08 at 14:09 +0100, Ale via mailop wrote:
> > Being "properly configured" these days entails needing many things
> > that you didn't say.  Forward-Reverse-DNS, SPF, DKIM, DMARC just for
> > starters.  And then more in other places.
> 
> > Impossible to know and so impossible to say.  It's a private 3rd party
> > reputation scoring system in use.
> 
> Hello,
> 
> I've setup all these things, so *i assume* that my mail server is 
> properly configured now. the domain it's the same I'm using right now. 
> But like i said previously, it's a testing server, because i knew 
> something could go wrong.

It's a testing server at ... Hetzner. So, yeah, good luck.

Unfortunately getting mail accepted at MS or Google from a new VPS seems to be
nearly impossible. I would love to be proved wrong, though, by those more
knowledgeable.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Effeciveness (or not) of SPF

[Alan Hodgson via mailop]

On Sun, 2020-12-06 at 14:12 +0100, Hans-Martin Mosner via mailop wrote:
> 
> In your experience, where does SPF really help? What are the use cases that I 
> don't see in my spam-blocker tunnel vision?

SPF is most useful as a fallback mechanism for DMARC. DKIM checks fail at
least occasionally for various reasons. You should have an accurate ~all SPF
record to allow the majority of those to pass using SPF. Assuming your ESP
allows you to use an aligned envelope sender domain, of course.

I don't think SPF alone has even been useful for blocking. You can't control
who forwards mail to you or which of your recipients forwards their mail
elsewhere.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] How to reply to this list?

[Alan Hodgson via mailop]

On Fri, 2020-10-16 at 12:51 +, Larry Struckmeyer via mailop wrote:
> Using Outlook thru O365 attempts to reply to a message in this list result
> in the reply being addressed to the address of the person being replied to
> and not the list. 
> 
>  
> What is the correct way to reply to a message on this list?
>  
> Thanks for your help.

Type in the list address, I guess. Or use a better mail client (one that
understands the List-Post: header).
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Just how does SendGrid fail this badly?

[Alan Hodgson via mailop]

On Tue, 2020-08-18 at 14:34 -0700, Carl Byington via mailop wrote:
> 
> dhl is asking folks to reject that mail, but sendgrid tries to send it
> anyway.
> 

Sendgrid doesn't seem to do any From: address authentication. They're sending
email pretending to be from all kinds of random domains.

I know they probably have customers that depend on being able to forge
addresses, but come on guys, it's 2020, you can't do that anymore.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Google and Spam detection

[Alan Hodgson via mailop]

On Fri, 2020-07-24 at 12:13 -0400, John Levine via mailop wrote:
> In article <20200724160354.gg9...@ikki.ethgen.ch> you write:
> > I think it might happen that in past hetzner (my hosting provider) ...
> 
> Oh, there's your problem. Hetzner's network spews garbage. I don'taccept any
> mail from it at all.

Yeah. And unfortunately it seems every VPS and self-hosting provider is in
pretty much the same boat for mail delivery nowadays. Too much abuse.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Sendgrid and phishing

[Alan Hodgson via mailop]

On Wed, 2020-06-17 at 08:55 -0500, Michael Rathbun via mailop wrote:
> On Wed, 17 Jun 2020 14:00:35 +0100, Tim Bray via mailop w
> rote:
> > Anybody else seeing increase phishing through sendgrid?  They look fairly
> > convincing.
> 
> General spam (several per week) and phishing, especially some very nicely
> done"Reconfirm you Netflix payment method" at several per day.
> Pointing out to users reporting these that blocking Sendgrid entirely
> (thetemptation arises) would take out the SG traffic that is highly desired
> (atleast 70%).

Yeah. Tempting though. I got a dozen phishes literally From: 
supp...@amazon.com from them a few weeks ago.

Just zero attempt to authenticate senders it seems.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] How to allow different domain in envelope and header from? (Is Gmails DMARC check broken?)

[Alan Hodgson via mailop]

On Thu, 2020-06-04 at 13:36 +0200, Benoît Panizzon via mailop wrote:
> 
> So I guess using only SPF and DMARC with a reject policy will not work
> if the envelope sender and from domain do not align.

Using DMARC p=reject without DKIM is broken anyway. You cannot control
how or where your recipients forward their email (and I promise you many
of them forward it to Gmail from IP addresses that are not in your SPF
record).
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages from small personal SMTP server being marked as junk by Google

[Alan Hodgson via mailop]

On Fri, 2020-01-24 at 14:02 +0100, Renaud Allard via mailop wrote:
> 
> On 1/24/20 12:28 PM, Jaroslaw Rafa via mailop wrote:
> > In my opinion, "-all" is good only when it is the *only* entry in the SPF
> > record, ie. SPF record indicates that the domain does not send mail *at
> > all*.
> > In all other cases, I think that even if original SPF record specifies
> > "-all", the receiving server should override this and interpret it as 
> > "?all".
> > 
> 
> I tend to disagree. If you allow every IP to send mail on your behalf, 
> then why even bother putting an SPF record. For me, only -all makes 
> sense, all others are just as meaningful as having no SPF records at all.

Both SPF and DKIM are most useful as tools to allow DMARC to pass.

~all is perfectly suited to this. It allows most messages to pass SPF
without hard-failing forwards (although I agree that almost no one
bounces on an SPF hard fail anyway, so -all probably works just as well
for most cases). And you hope your DKIM signature survives forwarding in
most cases so it will allow the SPF fails to still pass DMARC.

In neither case are you trying to identify messages that fail, you are
trying to identify messages that pass. You are just trying to provide
accurate signals to recipients about messages sent from authenticated
sources so they can differentiate them from ones that aren't.

And none of this helps get mail to Gmail from a 0-volume host at a
generic VPS. You probably can't. Your surrounding network is full of
spammers and phishers running on their own or hacked servers, and Google
has no reason to think you aren't just one more. The bad guys use SPF
too.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Gmail marking email from me as spam

[Alan Hodgson via mailop]

On Mon, 2019-10-07 at 15:34 +0200, Jaroslaw Rafa via mailop wrote:
> Hello All,
> this is my first post to this list - I just learned about its existence and
> someone told me that maybe it is possible to solve my issue here.
> 
> I run my own personal mailserver at rafa.eu.org for quite a few years. All
> the time I had absolutely no problems with sending messages to Gmail. Few
> weeks ago I learned that Gmail suddenly started marking e-mails that I send
> to Gmail users as spam. As users usually never look into their spam folders,
> they don't receive my mail.
> 
> 

Trust me, you're not the only one with this problem. My own server has
been on the same IP address for like 8 years, on much cleaner IP space
than OVH, and has never sent any bulk or unsolicited mail and Google
drops my mail into Spam now too for no reason.

There is no technical reason for this, they just apparently don't want
mail from infrequent senders. Or just don't want anyone running their
own mail server, take your pick.

I hear pretty much every day someone with the same problem. It's
routine now to see any communication from anyone include "please check
your spam folder, we've had a lot of problems with our mail being
filtered incorrectly".

TLDR; it's them, not you. And no I don't think there's anything you can
do to fix it :/


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] booking.com dmarc

[Alan Hodgson via mailop]

On Mon, 2019-06-03 at 15:38 -0700, Carl Byington via mailop wrote:
> We can (manually) compensate for errors in dmarc records. For
> example,booking.com has a p=reject, but we see mail "From:
> .*@booking.com" dkimsigned by sg.booking.com. Strict dmarc would
> reject that. We enforce arequirement that mail from booking.com be
> signed by either booking.comor sg.booking.com. There are other
> domains with similar errors.

Unless I misunderstand something, I'm quite sure this is allowed by
DMARC in relaxed mode (which booking.com uses, as it is the default).
You can sign with a sub-domain or parent domain as long as they share
the same organizational domain.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Admin: Gmail users of mailop suspended due to bounces.

[Alan Hodgson via mailop]

On Sat, 2019-04-27 at 15:09 -0400, Bill Cole wrote:
> Yes, because the signature included the Sender and List-* headers, 
> probably non-existent originally, which mailing lists typically 
> (including this one) add to messages they relay.
> 


Like most mailing lists, mailop both modifies the Subject header and appends a 
footer to the message. It will always break all pre-existing DKIM signatures.

As several others have mentioned, I believe the current Gmail restriction can 
be overcome by creating a valid SPF record for mailop.org. It's 2019, email 
authentication is not optional.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] AT MMS gateway email delays

[Alan Hodgson]

On Thu, 2019-03-28 at 17:24 -0400, Scott Mutter wrote:
> > On  Thu, Mar 28  4:32PM Scott Evans said :
> > I, as I'm sure many here do, use this for our network/service
> > monitoring and if all heck  breaks loose and I have 100's of
> > notifications the @txt results in each appearing as an individual
> > text which can be very tedious to

Twilio works well as a replacement for sending SMS and is very cheap
for low volumes. I use it for nagios with no issues ... or at least,
the same issues an email gateway would otherwise have.___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Gmail forwarding blowback

[Alan Hodgson]

On Wed, 2017-11-08 at 12:20 -0700, Warren Volz wrote:
> All,
> 
> One of my users has their account setup to forward mail to Gmail.
> Recently I've started to see lots of rejects that look like the
> following:
> 
>  (expanded from ): host
> gmail-smtp-in.l.google.com[2607:f8b0:400e:c04::1a] said: 550-5.7.1
> [ipv6 address 18] Our system has detected that
> 550-5.7.1 this message is likely suspicious due to the very low
> reputation
> of 550-5.7.1 the sending IP address. To best protect our users from
> spam,
> the 550-5.7.1 message has been blocked. Please visit 550 5.7.1
> https://support.google.com/mail/answer/188131 for more information.
> p26si2014836pli.781 - gsmtp (in reply to end of DATA command)
> 
> I've looked over the forwarding best practices provided by google and
> we are not modifying the envelope sender. I'd rather not start
> throwing away what our filter marks as spam since I leave that up to
> the user, but is that the only way to stop the bounces? Also, is the
> "18]" an artifact or some kind of error?
> 
> Thanks for the help.

IMO, you really can't forward mail to Gmail; they will block you if you
forward any spam at all. 

Gmail accounts can be setup to pull mail in via POP-3, that's a far
better way for them to get their mail.___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] autoresponders & envelope-from/return-path

[Alan Hodgson]

On Tue, 2017-06-06 at 09:02 +0100, Jethro R Binks wrote:
> If you add the following headers to your message, regardless of the 
> envelope sender, you will also greatly reduce the chances of receiving
> a 
> reply to your auto-response:
> 
> Auto-submitted: auto-generated
> X-Auto-Response-Suppress: OOF

This should actually be X-Auto-Response-Suppress: OOF,AutoReply,DR for
maximum effect. And since at least half of MS's software sends
autoresponses to the header From: anyway, you might want to add that
regardless of what you do with the envelope sender.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] autoresponders & envelope-from/return-path

[Alan Hodgson]

On Mon, 2017-06-05 at 13:32 -0700, Autumn Tyr-Salvia wrote:
> Hello,
> A customer of mine is trying to get DMARC set up on a given domain,
> and has set up aligned SPF on their corporate mail server.
> Unfortunately, we're seeing an issue, and I'm looking for advice on a
> resolution.
> 
> When someone sets up an out of office autoresponder on the corporate
> mail server, those messages are not configured to use a return-path
> address. My understanding is that this is the RFC-correct way to do
> that. 
> 
> Unfortunately, when you do that, SPF evaluation then defaults to the
> HELO domain. Since this customer is using a hosted email service
> provider, the HELO domain belongs to their email provider and not
> them, which in turn kills their alignment. Thus, DMARC failures on all
> autoresponders.
> 
> Thoughts on the best resolution for something like this?  

The resolution is to DKIM-sign all mail before turning on DMARC.

SPF can't pass on forwarded messages, and the sender doesn't control
which messages get forwarded or not, the receiver does. Lots of email
gets forwarded to Gmail, for instance. And, of course, you have your
auto-responder issue - which can never pass SPF, because the identifier
has to be aligned with the From: address to pass DMARC.___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mails to microsoft

[Alan Hodgson]

On Thursday 09 February 2017 10:15:17 Philip Paeps wrote:
> Also note that DMARC breaks forwarding like this (or forwarding breaks
> DMARC, depending on your religious affiliation).  You can get around SPF
> as long as your envelope matches your relay but for DMARC, the From:
> domain also needs to be aligned.
> 

Forwarding does not break DMARC. A DMARC pass requires that either SPF or DKIM 
pass, not both.

Forwarding only breaks DMARC if you modify the message and break the DKIM 
signature. Mailing lists that modify the Subject header or body, for instance, 
break DMARC. Normal forwarding does not.

Forwarding is still a terrible idea, of course. Spam has killed forwarding, 
IMO.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deliverability services for non-newsletter services

[Alan Hodgson]

On Thursday 26 January 2017 11:58:18 Paul Kincaid-Smith wrote:
> Here's a partial list of popular email providers that built their business
> sending transactional mail:
> 
> Amazon SES
> Dyn
> Mailchimp (Mandrill) aka The Rocket Science Group
> Mailjet
> Mailgun
> Sendgrid
> Sparkpost
> 

Postmark only does transactional and they have much better IP reputation than 
any of the above. Their features are more limited, though.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Mysterious DKIM failure.

[Alan Hodgson]

On Saturday 10 December 2016 23:19:26 Bill Cole wrote:
> FWIW, Exchange has a long history of playing silly buggers with message
> whitespace. I would expect MS to have learned to stop that by now, but,
> well, MS...
> 

https://blogs.msdn.microsoft.com/tzink/2016/05/19/why-does-my-email-from-facebook-that-i-forward-from-my-outlook-com-account-get-rejected/


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop