Re: [mailop] Guide for setting up a mail server ?

2023-07-13 Thread Florian.Kunkel--- via mailop
On top of that a mailbox receiving such a forwarded message could "unpack" it 
automagically, provided it trusts the forwarding instance signature.
So the message appears as delivered locally with original signatures intact, 
and the MUA opening the message would not have to open an attachment anymore.

Florian

From: mailop On behalf of Hans-Martin Mosner via mailop
Sent: Thursday, 13 July 2023 11:00
To: mailop@mailop.org
Subject: Re: [mailop] Guide for setting up a mail server ?

Has anyone on this list tried forwarding (e.g. for ex-employees) via 
attachment? The original message would be kept intact, while the outer message 
clearly originates with the forwarding agent who may even add a human readable 
reminder to the addressee to let the sender know about the changed address.

Opening message attachments should be possible with most modern MUAs, but TBH I 
don't really have much experience with that.

Cheers,
Hans-Martin

On 13 July 2023 09:46:11, Andrew C Aitchison via mailop <mailto:mailop@mailop.org> wrote:

On Wed, 12 Jul 2023, Michael Peddemors via mailop wrote:

And yes, email forwarding will break.. but email forwarding remotely should
be killed off anyways.. everyone can log into two accounts.

Universities would like to allow the world to contact staff who have
recently left. We forward paper mail; why not email ?
Former staff don't have door keys.

--
Andrew C. Aitchison  Kendal, UK
and...@aitchison.me.uk
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop



Re: [mailop] So, Sendgrid / Zoom, planning on actually doing anything about webinar spams?

2022-07-22 Thread Florian.Kunkel--- via mailop
Hi Laura, *!

/
The ESPs are interested in sender reputation. But, in this context, reputation 
means “Our mail gets accepted at the ISPs”. In that context their reputation is 
fine. They’re not being blocked. Specific customers may have delivery problems, 
but a lot of the modern machine learning filters are very good at blocking the 
problem customers without blocking the good ones. 
\

ESPs specialized in their business. If they expect the MBPs to solve their 
problems with modern machine learning filters, I'd expect the MBPs earn their 
fair part of the job.
I suggest ESPs book filter capacity in advance with the MBPs they intend to 
feed.

And maybe we should treat "we're too big to fail candidates" the same way.
We teach our children that the bigger you get, the more responsibility you have 
to take on.

Florian



Re: [mailop] [E] Re: What am I supposed to do with abuse complaints on legit mail?

2022-01-11 Thread Florian.Kunkel--- via mailop
/
> Maybe set up an address like mailto:spamrep...@your-provider.com where users 
> should
> forward all messages they consider to be spam?
Not helpful. And please don't encourage regular users to forward spam to abuse 
addresses. Forwarded mails are usually missing most relevant information which 
might be helpful to do anything.
- Marcel
\

FULLACK

and even worse, we (@t-online.de) will suspend your account for (forward) 
sending SPAM/PHISH/... if you do so.

Florian



Re: [mailop] Anyone from @t-online.de or @laposte.net on list?

2022-01-11 Thread Florian.Kunkel--- via mailop
Hey Omid,

what's wrong with our postmaster site 
https://postmaster.t-online.de/index.en.html
or just contacting the address named in each and every single reject message?

Cheers

Florian


From: mailop On behalf of Omid Majdi via mailop
Sent: Tuesday, 11 January 2022 02:05
To: mailop@mailop.org
Subject: [mailop] Anyone from @t-online.de or @laposte.net on list?

Looking for anyone on list (or a contact) for t-online.de and lapost.net. 
Experiencing some deliveries blocked that I'd like to resolve.

Thanks!

Omid Majdi
Product Lead
DuckDuckGo, Inc.


Re: [mailop] DKIM+DMARC at t-online.de (Deutsche Telekom's ISP branche)

2021-10-20 Thread Florian.Kunkel--- via mailop
Hi Stefano,

> do you have any update about this DMARC enforcement "experiment" @t-
> online.de ?


as advertised before ...
/
worst come first
Expect this procedure to hit you the earlier, the more traffic we are already 
used to reject from your infrastructure.
\

did we miss to take you on into our early adopters program ?-)

Cheers!
Florian
 


Re: [mailop] IMAP and SMTP in the same or separated IPs?

2021-10-19 Thread Florian.Kunkel--- via mailop
Hi, Leandro,

> In which scenarios are there advantages on having IMAP and SMTP on
> different IPs?

[IP -> routing]
when the services are not located in the same LAN or even in a remote data 
center, it will become necessary to directly address the different IP addresses 
as they are routed to different network locations.
a common setup in our days is to have an external service provider to clean 
your inbound (MX) mail stream, and forward it to your mailbox (IMAP) server.

of course you can accept your MX traffic yourself (on the same IP your IMAP 
mail box service is reachable), but then you have to reroute this inbound SMTP 
stream internally (for that special setup).

IP reputation comes into play only when a service wants to evaluate what to 
expect from a client.
Since only your SMTP server should appear as a client to other MXs (hopefully 
your IMAP server doesn’t call out 8-), only that one may lose on reputation 
that needs to be maintained. 

As long as your single server's IP reputation is high enough not to get listed 
into /BGP drop list/ of any kind, your server's IP address should be reachable 
(IP routing) for all your (mail) clients.

HTH

Florian



Re: [mailop] Digital Ocean spoofing activity

2021-08-12 Thread Florian.Kunkel--- via mailop
https://bgp.he.net/AS16276#_prefixes

;-)

> -Original Message-
> From: mailop On behalf of Klaus Ethgen via
> mailop
> Sent: Thursday, 12 August 2021 07:09
> To: mailop@mailop.org
> Subject: Re: [mailop] Digital Ocean spoofing activity
> 
> Hi,
> 
> I used to block OVH and DO not only caused by mail abuse than of a bad
> reputation of hosting many bot nets.
> 
> Unfortunately I always find other networks of them that is not in my
> blocklist.
> 
> Does anybody have a complete list of IP ranges relating to OVH and DO?
> 
> Regards
>Klaus
> --
> Klaus Ethgen   http://www.ethgen.ch/
> pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
> Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


[mailop] abuse@hetzner/AS24940

2021-07-09 Thread Florian.Kunkel--- via mailop
Hi, is abuse@hetzner listening here?

pls. contact me off list.

Florian Kunkel
E-Mail Engineering

Deutsche Telekom AG
Deutsche-Telekom-Allee 9, 64295 Darmstadt



Re: [mailop] DKIM+DMARC at t-online.de (Deutsche Telekom's ISP branche)

2021-04-16 Thread Florian.Kunkel--- via mailop
Hi, Tim, Jaroslaw, *

the requirements posted before only apply to ESPs (email service providers | 
mass mailers | ... mailhosters).
Mailing lists should not be concerned as far as I can tell from our stats.

The case for new infrastructure is, that you'd allow us to automate detection 
and classification of your new machinery.
Of course you can reach out to our postmasters (preferably the contact 
mentioned in our SMTP reject message) to get your IP reclassified if we didn't 
yet before (automagically).

>  From my experience the 'Return-Path' of mailing lists usually does not
> match the 'From' domain. The exception is DMARC mangling because the
> mailing list modifies the email (e.g. by inserting a tag to the
> 'Subject' or a message footer), thus breaking a valid DKIM signature of
> the original sender.

that's the reason we didn't start with DMARC policy enforcement so far.
it's too gamy to adhere the domain policy without regard of the source IP you 
see the message from.

Florian



Re: [mailop] DKIM+DMARC at t-online.de (Deutsche Telekom's ISP branche)

2021-04-16 Thread Florian.Kunkel--- via mailop
Hi Dave, *,

/
I represent a platform that sends mail on behalf of our customers but we 
maintain a separate 5321.From that points back to us.
We dual-sign messages using the client domain and our own domain, but these do 
not align. We rely on DKIM alignment to pass a DMARC test.

Example:
5321.MailFrom: {encoded local mailto:part...@ourcompany.com
5322.FromHeader: mailto:r...@customer.com
DKIM 1: http://customer.com
DKIM 2: http://ourcompany.com
\

looks totally fine complying DMARC requirements, but wouldn't fit ours.

nevertheless these requirements of ours apply only to those IPs/IP pools, that we 
see abuse from and get user complaints for.
As long as you/your customers do not address SPAMtraps or cause complaints, 
you're totally fine with your setup.
But if you do attract our attention that way, your IP(s) get blocked for maybe 
one customer behaving irregularly.

You can get from your logs the number of SPAM reject or user unknown bounces 
you incur with @t-online.de . 
If there are, stop these or get aligned.

Florian



Re: [mailop] DKIM+DMARC at t-online.de (Deutsche Telekom's ISP branche)

2021-04-12 Thread Florian.Kunkel--- via mailop
Hi Luke, *!

/
Has anyone gotten a firm answer on these scenarios yet?
5321.from: mailto:boun...@srv12.example.com
5322.from: mailto:cont...@example.com
The vast majority of our customers will have a subdomain on the 5321 from that 
isn't present on the 5322 from. I'd like to know if this is a problem.
\

you are asking for non strict alignment? ... yes that should be ok, as long 
it's a subdomain to your domain (and not to a public suffix).
at least I'm not yet aware of an abusive scenario so far.


/
I'd also like to hear confirmation that messages with 2 DKIM signatures will 
still "pass" if one matches the 5322 and one doesn't.
\

we'll love if one signature matches both from; 5321 AND 5322.
additional valid signatures welcome, ideally matching the sending 
infrastructure.

hth

Florian



Re: [mailop] Complete set of rules for delivering to t-online.de ?

2021-04-09 Thread Florian.Kunkel--- via mailop
Hi Tom,

/
Would someone from t-online.de please publish the COMPLETE and DEFINITIVE set 
of ALL rules for sending to your customers? Preferably on your web site instead 
of in mailops, so that everyone can see them?
I’ve seen bits and pieces here, with many unanswered questions. It’s not at all 
clear what to do to meet your new requirements.
\

let’s start with the basics.

your bounce address should be reachable, if you expect someone to accept your 
mails.
care for bounces ... after a year or more.

SCNR


for now you'll find our expectations documented here 
https://postmaster.t-online.de/index.en.html#t5
if you are sending via any sort of pool or relay and want to be prepared I 
posted the /upcoming rules/ here on the list.

Florian



Re: [mailop] DKIM+DMARC at t-online.de (Deutsche Telekom's ISP branche)

2021-04-07 Thread Florian.Kunkel--- via mailop
Hi Tim,

all this is about domains, not local parts 

> This sounds like it would break variable envelope return path
> techniques, unless a mailing list replaces the 5322.from, needlessly
> breaking a valid DKIM signature from the original sender.

so, no, VERP should be possible if within the same domain.

Florian



Re: [mailop] DKIM+DMARC at t-online.de (Deutsche Telekom's ISP branche)

2021-04-06 Thread Florian.Kunkel--- via mailop
Hi Laura, Kai, 

On 6 Apr 2021, at 12:38, Laura--- via mailop <mailto:mailop@mailop.org> wrote:
> On 6 Apr 2021, at 10:36, Florian.Kunkel--- via mailop 
> <mailto:mailop@mailop.org> wrote:
>
> Just so I understand what t-online.de is announcing. 
> t-online.de is looking for full alignment between the SPF domain (5321.from) 
> AND the d=domain (DKIM) with the header from (5322.from). 

ACK

> Additionally, t-online.de will reject any message that fails either SPF or 
> DKIM authentication even if the other method passes. 

we don't follow DMARC, DKIM or SPF logic here, but this terminology and tech is 
known and understood by senders.
The requirement is, that if we can not build reputation on IPs, we do so on the 
author's domain, visible to the recipient user.
These must be fully aligned.

> t-online.de is rejecting any message that does not align with both SPF and 
> DKIM. 

we don't care of DNS SPF RRs for authentication.

* align mail from and header from to your DKIM d= (you don't do this for us, 
but for your customer/correspondent to recognize you!)
* DKIM sign your message
* have the necessary DNS RRs for your DKIM keys
+ use double opt in
+ stop addressing dead recipients
+ keep complaint rates low

> t-online.de is rejecting any message that is not signed by DKIM. 

... if you're not already known to us as a good netizen, yes.


> If I understand the above statements, you are going much stricter than the 
> DMARC spec
> and asking for a level of authentication currently beyond anything anyone 
> else is doing.

Let me form it the other way around:
what do you need DKIM for, if not to be held accountable for what you send?
And if you go for professional email services, what's the problem anyhow?


Florian



[mailop] DKIM+DMARC at t-online.de (Deutsche Telekom's ISP branche)

2021-04-06 Thread Florian.Kunkel--- via mailop
!
* to all those sending email without their very own static IP-Address,
* and all newly set up MTA infrastructure
... especially ESPs using IP pools professionally for their numerous customers' 
mail.
!

As you might already have observed we are evaluating DKIM signatures 
@t-online.de for a while now.
We are starting to expect aforementioned IP infrastructure to have all messages 
DKIM signed conforming DMARC, so header from and mail from must be aligned.
unsigned messages, unaligned or messages failing validation otherwise, will be 
rejected while in SMTP session.

worst come first
Expect this procedure to hit you the earlier, the more traffic we are already 
used to reject from your infrastructure.

Do not expect DMARC reports anytime soon.
Equally we won't check for DMARC policies at the moment; ... but p=reject could 
become an option.


Cheers

Florian
E-Mail Engineering

Deutsche Telekom AG
Deutsche-Telekom-Allee 9, 64295 Darmstadt, Germany
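
Added example (not part of the original posts and not t-online.de's code): a sketch of the alignment rule as this announcement and the follow-up replies above describe it, set beside the ordinary DMARC pass condition. It assumes the DKIM d= values passed in belong to signatures that already validated, uses a tiny constructed public-suffix set in place of the real Public Suffix List, and all function names and sample domains are hypothetical.

```python
# Added example, not t-online.de's code: one reading of the rule in this thread.
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "de", "net", "co.uk"}

def org_domain(domain):
    """Return public suffix plus one label, or None if that cannot be determined."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None

def aligned(a, b, strict=False):
    """Strict: identical domains. Relaxed: same organizational domain."""
    if strict:
        return a.lower().rstrip(".") == b.lower().rstrip(".")
    oa, ob = org_domain(a), org_domain(b)
    return oa is not None and oa == ob

def dmarc_pass(mail_from, header_from, spf_ok, dkim_domains):
    """DMARC: an aligned SPF pass OR an aligned valid DKIM signature suffices."""
    return (spf_ok and aligned(mail_from, header_from)) or any(
        aligned(d, header_from) for d in dkim_domains)

def thread_rule_pass(mail_from, header_from, dkim_domains):
    """Thread rule: envelope and header From aligned AND a valid d= aligned too."""
    return aligned(mail_from, header_from) and any(
        aligned(d, header_from) for d in dkim_domains)

# Constructed samples: (5321 domain, 5322 domain, SPF result, valid DKIM d= values)
SAMPLES = {
    "esp_dual_signed": ("ourcompany.com", "customer.com", True,
                        ["customer.com", "ourcompany.com"]),
    "subdomain_bounce": ("srv12.example.com", "example.com", True, ["example.com"]),
    "unsigned": ("example.com", "example.com", True, []),
    "shared_suffix": ("a.co.uk", "b.co.uk", True, ["b.co.uk"]),
}

def evaluate(samples=SAMPLES):
    """Map sample name -> (DMARC verdict, thread-rule verdict)."""
    return {name: (dmarc_pass(mf, hf, spf, dk), thread_rule_pass(mf, hf, dk))
            for name, (mf, hf, spf, dk) in samples.items()}

if __name__ == "__main__":
    for name, (dmarc, rule) in evaluate().items():
        print(f"{name:18} DMARC={dmarc!s:5} thread_rule={rule}")
```

The dual-signed ESP sample passes DMARC through its customer-domain signature but fails the thread rule because the envelope domain is not aligned with the header From, which is the case the 2021-04-16 reply calls fine for DMARC but not for these requirements.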



Re: [mailop] Some Days I think that Gmail isn't even trying to stop outbound spam..

2021-02-04 Thread Florian.Kunkel--- via mailop
/
Preventing outbound spam on a large system is a far greater challenge than 
stopping inbound spam. The technical challenges are similar, but the logistical 
challenges of preventing outbound spam without pissing off customers is far 
greater than the challenge of preventing inbound spam without pissing off 
customers. 
\

but detecting compromised accounts before they got abused is much easier on 
large systems than it is on smaller ones.

Florian



Re: [mailop] Speaking of t-online.net, since the admin's are here..

2020-06-23 Thread Florian.Kunkel--- via mailop
Hi Michael,

> X-TOI-EXPURGATEID: 150726::1592860321-8954-
> 87EE5AE6/19/6861980920
> SUSPECT MAIL-COUNT
> 
> Looks like your systems are aware that the sending count is probably
> compromised, but you are NOT rate limiting them?
> Examples..
> Return-Path: 
> Return-Path: 

as you see, the messages were from different accounts each, so it's /sort of 
hard/ to rate limit them to any effect.

but both got shut down with a bunch of others afterwards.

Florian


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop