Re: [mailop] problem setting up open-dmarc

2024-02-08 Thread John Covici via mailop
I have sendmail set up for dkim, I don't see anywhere where you need
anything for dmarc.  Right now the opendmarc.conf is just what comes
when you install.

On Wed, 07 Feb 2024 13:07:25 -0500,
Randolf Richardson, Postmaster via mailop wrote:
> 
>   What's in the configuration file now?  If you could share what the 
> settings are (with comments stripped out and any sensitive 
> information removed -- you'll need to manually inspect for any 
> passwords, etc., that you don't want to reveal and redact them).
> 
>   Do you have the milter configuration aspect covered in sendmail?
> 
> > Thanks a lot, I am using sendmail as my mta.
> > 
> > On Wed, 07 Feb 2024 00:39:41 -0500,
> > Randolf Richardson, Postmaster via mailop wrote:
> > > 
> > >   Which mail server software and OS are you using?  Are you receiving 
> > > some error messages (e.g., in syslog)?
> > > 
> > >   I'm using Postfix on Debian, and I'd be happy to try to help you get 
> > > things working no matter which software you're using.
> > > 
> > >   The OpenDMARC package supports running as a milter, which is 
> > > supported by most technologies.
> > > 
> > >   If you can use a UNIX Domain socket you'll get better performance, 
> > > but the permissions can be a bit of a challenge (which is why a lot 
> > > of administrators set it up to listen on 127.0.0.1 and use TCP 
> > > sockets instead -- I prefer UNIX Domain sockets because there's 
> > > slightly less overhead than with TCP, but overall there generally 
> > > won't really be a noticeable performance hit).
> > > 
> > >   For my installation, /etc/opendmarc.conf has roughly half-a-dozen 
> > > default settings, most of which I didn't need to alter.  Adding one 
> > > line to /etc/postfix/main.cf got it all working after I made sure the 
> > > permissions were where they needed to be for the UNIX Domain socket:
> > > 
> > >   smtpd_milters = unix:/var/run/opendmarc/opendmarc.sock
> > > 
> > > >   This is the order that may be helpful to you that works well for me:
> > > 
> > >   smtpd_milters =
> > > >     unix:/var/run/opendkim/opendkim.sock
> > > >     unix:/var/run/opendmarc/opendmarc.sock
> > > >     unix:/var/run/clamav/clamav-milter.ctl
> > > 
> > >   Feel free to share a comment-stripped copy of your opendmarc.conf 
> > > file here (and make sure you don't have any passwords in it; there 
> > > shouldn't be, but do check it first before attaching to be sure), and 
> > > I (and I'm sure other MailOp members as well) will be happy to help.
> > > 
> > > > Hi.  I am trying to make sure my mail server is properly
> > > > authenticated, and I have spf and dkim set up -- seemingly correctly
> > > > -- but I am not sure about dmarc.  I have downloaded and installed the
> > > > open-dmarc package and I have the text record I will have to put in
> > > > the zone,  but I don't know what to put in
> > > > > /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> > > > sure what I really need in it.
> > > > 
> > > > Thanks in advance for any suggestions.
> > > > 
> > > > -- 
> > > > Your life is like a penny.  You're going to lose it.  The question is:
> > > > How do
> > > > you spend it?
> > > > 
> > > >  John Covici wb2una
> > > >  cov...@ccs.covici.com
> > > > ___
> > > > mailop mailing list
> > > > mailop@mailop.org
> > > > https://list.mailop.org/listinfo/mailop
> > > 
> > > 
> > > -- 
> > > Postmaster - postmas...@inter-corporate.com
> > > Randolf Richardson, CNA - rand...@inter-corporate.com
> > > Inter-Corporate Computer & Network Services, Inc.
> > > Vancouver, Beautiful British Columbia, Canada
> > > https://www.inter-corporate.com/
> > > 
> > > 
> > > ___
> > > mailop mailing list
> > > mailop@mailop.org
> > > https://list.mailop.org/listinfo/mailop
> > > 
> > 
> 
> 
> 



Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread John Covici via mailop
OK, thanks.  I did this all because of problems sending to some places
managed by Google.

On Tue, 06 Feb 2024 18:12:14 -0500,
Alan Hodgson via mailop wrote:
> 
> On Tue, 2024-02-06 at 17:46 -0500, John Covici via mailop wrote:
> > Hi.  I am trying to make sure my mail server is properly
> > authenticated, and I have spf and dkim set up -- seemingly
> > correctly
> > -- but I am not sure about dmarc.  I have downloaded and installed
> > the
> > open-dmarc package and I have the text record I will have to put in
> > the zone,  but I don't know what to put in
> > /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> > sure what I really need in it.
> 
> You don't need to do anything with opendmarc to send authenticated
> mail. It's used to check incoming email from other people.
> 



Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread John Covici via mailop
Thanks a lot, I am using sendmail as my mta.

On Wed, 07 Feb 2024 00:39:41 -0500,
Randolf Richardson, Postmaster via mailop wrote:
> 
>   Which mail server software and OS are you using?  Are you receiving 
> some error messages (e.g., in syslog)?
> 
>   I'm using Postfix on Debian, and I'd be happy to try to help you get 
> things working no matter which software you're using.
> 
>   The OpenDMARC package supports running as a milter, which is 
> supported by most technologies.
> 
>   If you can use a UNIX Domain socket you'll get better performance, 
> but the permissions can be a bit of a challenge (which is why a lot 
> of administrators set it up to listen on 127.0.0.1 and use TCP 
> sockets instead -- I prefer UNIX Domain sockets because there's 
> slightly less overhead than with TCP, but overall there generally 
> won't really be a noticeable performance hit).
> 
>   For my installation, /etc/opendmarc.conf has roughly half-a-dozen 
> default settings, most of which I didn't need to alter.  Adding one 
> line to /etc/postfix/main.cf got it all working after I made sure the 
> permissions were where they needed to be for the UNIX Domain socket:
> 
>   smtpd_milters = unix:/var/run/opendmarc/opendmarc.sock
> 
>   This is the order that may be helpful to you that works well for me:
> 
>   smtpd_milters =
>     unix:/var/run/opendkim/opendkim.sock
>     unix:/var/run/opendmarc/opendmarc.sock
>     unix:/var/run/clamav/clamav-milter.ctl
> 
>   Feel free to share a comment-stripped copy of your opendmarc.conf 
> file here (and make sure you don't have any passwords in it; there 
> shouldn't be, but do check it first before attaching to be sure), and 
> I (and I'm sure other MailOp members as well) will be happy to help.
> 
> > Hi.  I am trying to make sure my mail server is properly
> > authenticated, and I have spf and dkim set up -- seemingly correctly
> > -- but I am not sure about dmarc.  I have downloaded and installed the
> > open-dmarc package and I have the text record I will have to put in
> > the zone,  but I don't know what to put in
> > /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> > sure what I really need in it.
> > 
> > Thanks in advance for any suggestions.
> > 
> 
> 
> 



[mailop] problem setting up open-dmarc

2024-02-06 Thread John Covici via mailop
Hi.  I am trying to make sure my mail server is properly
authenticated, and I have spf and dkim set up -- seemingly correctly
-- but I am not sure about dmarc.  I have downloaded and installed the
open-dmarc package and I have the text record I will have to put in
the zone,  but I don't know what to put in
/etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
sure what I really need in it.

Thanks in advance for any suggestions.



Re: [mailop] Any evidence of SMTP smuggling in the wild - yet?

2024-01-01 Thread John Covici via mailop
Thanks much -- that version is not in my repository yet, but I will
keep an eye out for it.

On Mon, 01 Jan 2024 13:53:57 -0500,
ml+mailop--- via mailop wrote:
> 
> On Mon, Jan 01, 2024, John Covici via mailop wrote:
> > I use sendmail  8.17.1.9 under gentoo -- any patch for that one to fix this?
> 
> Upgrade to 8.18.0.2:
> https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz
> https://ftp.sendmail.org/snapshots/sendmail.8.18.0.2.tar.gz.sig
> 



Re: [mailop] Any evidence of SMTP smuggling in the wild - yet?

2024-01-01 Thread John Covici via mailop
I use sendmail  8.17.1.9 under gentoo -- any patch for that one to fix this?

On Mon, 01 Jan 2024 12:58:47 -0500,
Gellner, Oliver via mailop wrote:
> 
> 
> > On 28.12.2023 at 20:29 Marco Moock via mailop wrote:
> >
> > On 28.12.2023 at 18:15:39, Tom Perrine via mailop wrote:
> >
> >> Has anyone detected or seen any evidence of SMTP smuggling in the
> >> wild?
> >>
> >> I’m trying to get an independent read on how quickly the bad actors
> >> have (or haven’t) picked up on this, yet.
> >
> > According to the information I read, it affected some hosting solutions
> > at 1und1/IONOS, but that has been fixed.
> 
> The vulnerability is not super critical, but it has been fixed only for a 
> very small subset of affected systems. All kinds of MTAs from Postfix to 
> Sendmail, Exim and various proprietary systems are affected and the 
> vulnerability generally remains unfixed until the administrators adjust the 
> configuration of their system.
> I haven’t heard of any large scale exploitation in the past, but I imagine 
> that spammers will include the technique in their toolset for the future.
> 
> > Although, it needs to have certain circumstances, so the sending server
> > (for example a submission server for the customer) must accept it as one
> > message and the receiving server (e.g. the outgoing relay) must
> > interpret it as 2 messages and the 1st server needs to be allowed to
> > relay through the second one for the really bad attacks
> > (unauthenticated relaying).
> 
> To exploit the issue, an email message needs to traverse two MTAs that treat 
> the EOM marker differently. The MTAs do not need to be in a special trust 
> relationship or allowed to relay to each other.
> 
> —
> BR Oliver
> 
> 
> dmTECH GmbH
> Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
> Phone 0721 5592-2500 Fax 0721 5592-2777
> dmt...@dm.de * www.dmTECH.de
> GmbH: registered office Karlsruhe, register court Mannheim, HRB 104927
> Managing directors: Christoph Werner, Martin Dallmeier, Roman Melcher
> 
> 



Re: [mailop] gmail putting most messages into Spam

2023-01-18 Thread John Covici via mailop
I just wanted to thank the folks on here -- although the syntax
checkers say there is an error in my spf record(s) I was able to send
a message to a gmail address and that has solved my problem.

Thanks again.


On Wed, 18 Jan 2023 05:50:51 -0500,
Mark Alley via mailop wrote:
> 
> One other thing - it also appears the SPF syntax for
> "ccs.covici.com" is currently an issue. You'll want to address
> this so it can be parsed by mail servers correctly.
> 
> Here's what I'm assuming it was intended to look like -
> 
> /v=spf1 a include:covici-com.spf-a.smtp25.com
> include:covici-com.spf-b.smtp25.com
> include:covici-com.spf-c.smtp25.com a:ccs.covici.com
> a:debian-2.covici.com -all/
> 
> Based on the A records used previously in the email thread, I'm
> presuming it was meant to reference "ccs.covici.com" and
> "debian-2.covici.com" as /"a" /mechanisms rather than
> "include". You may also want to address/remove the null "/a/"
> mechanism reference to "a:zixworks.com" in this RR
> "covici-com.spf-c.smtp25.com".
> 
> 
> 
> On 1/18/2023 4:33 AM, Mark Alley wrote:
> > //X-Spam-Last-External-HELO: covici.com/ * 0.3 KHOP_HELO_FCRDNS
> > Relay HELO differs from its IP's reverse DNS * I don't
> > understand this one, I have rdns pointers on ccs.covici.com and
> > debian-2.covici.com .///
> > 
> >   * "debian-2.covici.com" and "ccs.covici.com" may be the FQDN of the
> > mail server(s), but the HELO presented (covici.com) does not match
> > the server IP rDNS as reflected above. The HELO of each server
> > would need to match its IP's rDNS FQDN (i.e.
> > "debian-2.covici.com" and "ccs.covici.com" respectively) to pass
> > this check.
> >   * You will also want to publish an SPF record for these HELO
> >     identities once it matches, probably something like -/v=spf1 a ~all
> > /I see you already have one for ccs.covici.com, but there is not
> > one currently for "debian-2.covici.com".
> > 
> > 
> > - Mark Alley
> > 
> > 
> > On 1/18/2023 4:08 AM, John Covici via mailop wrote:
> >> Thanks, it was my bad.  I did put an spf record, a couple of hours
> >> ago, but mail-tester said it had not propagated.
> >> 
> >> I am going to paste my test results, because I have still some
> >> questions.
> >> 
> >> Comments in line
> >> 
> >> 
> >> Good stuff. Your email is almost perfect
> >> Score :
> >> 7.7/10
> >>   Subject : test #4Received 0 minutes ago
> >> Click here to view your message
> >>  From : John Covici
> >> Bounce address :cov...@ccs.covici.com
> >> Reply-To :cov...@ccs.covici.com
> >>   Text version
> >> hello.
> >> 



Re: [mailop] gmail putting most messages into Spam

2023-01-18 Thread John Covici via mailop
So, what can I use to begin and end the record?  Do I need any
delimiter character like Mark gave me?

Thanks.

On Wed, 18 Jan 2023 10:59:21 -0500,
Giovanni Bechis via mailop wrote:
> 
> On 1/18/23 16:34, John Covici via mailop wrote:
> > Thanks for that -- for some reason, an spf lookup site which I have
> > used says no spf record, are you seeing for covici.com or
> > ccs.covici.com ?
> > 
> covici.com and ccs.covici.com spf record are still invalid:
> 
> covici.com descriptive text "/v=spf1 a include:covici-com.spf-a.smtp25.com 
> include:covici-com.spf-b.smtp25.com include:covici-com.spf-c.smtp25.com 
> a:ccs.covici.com a:debian-2.covici.com -all/"
> 
> ccs.covici.com descriptive text "/v=spf1 a 
> include:covici-com.spf-a.smtp25.com include:covici-com.spf-b.smtp25.com 
> include:covici-com.spf-c.smtp25.com a:ccs.covici.com a:debian-2.covici.com 
> -all/"
> 
> spf records should not start nor end with "/".
> 
>  Giovanni
> 
> 
> 
> 
> > On Wed, 18 Jan 2023 09:55:05 -0500,
> > Bill Cole via mailop wrote:
> >> 
> >> On 2023-01-18 at 05:08:00 UTC-0500 (Wed, 18 Jan 2023 05:08:00 -0500)
> >> John Covici via mailop 
> >> is rumored to have said:
> >> 
> >> [...]
> >>>   Source
> >>> Received: by mail-tester.com (Postfix, from userid 500)
> >>>   id 567CCA0BC0; Wed, 18 Jan 2023 09:59:14 +0100 (CET)
> >>> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
> >>> mail-tester.com
> >>> X-Spam-Level:
> >>> X-Spam-Status: No/0.3/5.0
> >>> X-Spam-Test-Scores:
> >>> KHOP_HELO_FCRDNS=0.32,SPF_HELO_NONE=0.001,SPF_NONE=0.001,
> >>>   URIBL_BLOCKED=0.001
> >>> X-Spam-Last-External-IP: 166.84.7.93
> >>> X-Spam-Last-External-HELO: covici.com
> >>> X-Spam-Last-External-rDNS: debian-2.covici.com
> >>> X-Spam-Date-of-Scan: Wed, 18 Jan 2023 09:59:14 +0100
> >>> X-Spam-Report:
> >>>   *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
> >>>   *  blocked.  See
> >>>   *  http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
> >>>   *  for more information.
> >>>   *  [URIs: covici.com]
> >>>   *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
> >>>   *  0.0 SPF_NONE SPF: sender does not publish an SPF Record
> >>> *  0.3 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
> >>> * I don't understand this one, I have rdns pointers on
> >>>   ccs.covici.com and debian-2.covici.com .
> >> 
> >> Those are the names of rules in the SpamAssassin filter that
> >> mail-tester.com unfortunately purports to demonstrate. They are
> >> using an obsolete version of SA with (apparently) local rule
> >> adjustments and they have chronically misreported the sign of SA
> >> scores, confusing users. As someone who fields SpamAssassin bug
> >> reports, I despise them.
> >> 
> >> KHOP_HELO_FCRDNS means that one of the trustworthy set of
> >> Received headers shows a handoff from a machine that identified
> >> itself (in the EHLO or HELO step of the transaction) with a name
> >> that did not match the name that the connecting IP's PTR record
> >> points to, which does resolve back to the connecting IP. This is
> >> a minor issue, and while it is more common in spam, the
> >> correlation is weak enough  to earn a fairly low score for that
> >> rule. In the current full SA ruleset it is scored at 0.001:
> >> basically meaningless.
> >> 
> >> [...]
> >>> OK, even without dkim and marc, why is gmail rejecting?
> >> 
> >> Only GMail can tell you for sure, if even they can.
> >> 
> >> Give it some time with your fixed SPF. That *may* be adequate,
> >> but Google changes can take time.
> >> 
> >> 
> >> -- 
> >> Bill Cole
> >> b...@scconsult.com or billc...@apache.org
> >> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> >> Not Currently Available For Hire
> >> 
> > 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
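
The syntax problem discussed in the message above can be checked mechanically. The following is an added example, not code from the thread: a small SPF syntax linter, following the RFC 7208 term grammar, run on the TXT value quoted above and on the same value with the stray slashes stripped. The name `lint_spf` and the simplified domain handling are this example's own assumptions.

```python
import ipaddress
import re

# Argument shape accepted by each RFC 7208 mechanism. Simplification made for
# this example: a domain-spec is "anything without a slash", so SPF macros
# that contain "/" are not modelled.
DOMAIN = r":[^/\s]+"
CIDR = r"(/\d{1,2})?(//\d{1,3})?"
ARG_SHAPE = {
    "all": re.compile(r"^$"),
    "include": re.compile(rf"^{DOMAIN}$"),
    "exists": re.compile(rf"^{DOMAIN}$"),
    "ptr": re.compile(rf"^({DOMAIN})?$"),
    "a": re.compile(rf"^({DOMAIN})?{CIDR}$"),
    "mx": re.compile(rf"^({DOMAIN})?{CIDR}$"),
}
DNS_TERMS = {"include", "a", "mx", "ptr", "exists"}
MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)=(.*)$")
DIRECTIVE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(.*)$")


def _ip_ok(name, rest):
    """ip4:/ip6: must carry an address or network of the matching family."""
    if not rest.startswith(":"):
        return False
    try:
        net = ipaddress.ip_network(rest[1:], strict=False)
    except ValueError:
        return False
    return net.version == (4 if name == "ip4" else 6)


def lint_spf(txt):
    """Return a list of syntax problems; an empty list means the record parses."""
    problems = []
    terms = txt.strip().split()
    first = terms[0] if terms else ""
    if first.lower() != "v=spf1":
        # A TXT value that does not begin with the version tag is not an SPF
        # record at all, so a receiver evaluates the domain as having none.
        problems.append(f"first term is {first!r}, not 'v=spf1': no SPF record seen")
    lookups = 0
    for term in terms[1:]:
        mod = MODIFIER.match(term)
        if mod:
            lookups += mod.group(1).lower() == "redirect"
            continue
        d = DIRECTIVE.match(term)
        if not d:
            problems.append(f"unparseable term {term!r}")
            continue
        name, rest = d.group(2).lower(), d.group(3)
        if name in ("ip4", "ip6"):
            ok = _ip_ok(name, rest)
        elif name in ARG_SHAPE:
            ok = bool(ARG_SHAPE[name].match(rest))
        else:
            problems.append(f"unknown mechanism in {term!r}")
            continue
        if not ok:
            problems.append(f"bad argument for '{name}' in {term!r}")
        lookups += name in DNS_TERMS
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    return problems


# TXT value as quoted in the thread, and the same value without the slashes.
PUBLISHED = ("/v=spf1 a include:covici-com.spf-a.smtp25.com "
             "include:covici-com.spf-b.smtp25.com "
             "include:covici-com.spf-c.smtp25.com "
             "a:ccs.covici.com a:debian-2.covici.com -all/")
CORRECTED = PUBLISHED.strip("/")

if __name__ == "__main__":
    for label, record in (("published", PUBLISHED), ("corrected", CORRECTED)):
        print(label, lint_spf(record) or "OK")
```

The leading slash is the more damaging of the two: without a `v=spf1` first term the value is ignored as an SPF record, which matches the "no spf record" result reported by the lookup site.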


Re: [mailop] gmail putting most messages into Spam

2023-01-18 Thread John Covici via mailop
Thanks for that -- for some reason, an spf lookup site which I have
used says no spf record, are you seeing for covici.com or
ccs.covici.com ?

On Wed, 18 Jan 2023 09:55:05 -0500,
Bill Cole via mailop wrote:
> 
> On 2023-01-18 at 05:08:00 UTC-0500 (Wed, 18 Jan 2023 05:08:00 -0500)
> John Covici via mailop 
> is rumored to have said:
> 
> [...]
> >  Source
> > Received: by mail-tester.com (Postfix, from userid 500)
> > id 567CCA0BC0; Wed, 18 Jan 2023 09:59:14 +0100 (CET)
> > X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
> > mail-tester.com
> > X-Spam-Level:
> > X-Spam-Status: No/0.3/5.0
> > X-Spam-Test-Scores:
> > KHOP_HELO_FCRDNS=0.32,SPF_HELO_NONE=0.001,SPF_NONE=0.001,
> > URIBL_BLOCKED=0.001
> > X-Spam-Last-External-IP: 166.84.7.93
> > X-Spam-Last-External-HELO: covici.com
> > X-Spam-Last-External-rDNS: debian-2.covici.com
> > X-Spam-Date-of-Scan: Wed, 18 Jan 2023 09:59:14 +0100
> > X-Spam-Report:
> > *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
> > *  blocked.  See
> > *  http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
> > *  for more information.
> > *  [URIs: covici.com]
> > *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
> > *  0.0 SPF_NONE SPF: sender does not publish an SPF Record
> > *  0.3 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
> > * I don't understand this one, I have rdns pointers on
> >  ccs.covici.com and debian-2.covici.com .
> 
> Those are the names of rules in the SpamAssassin filter that
> mail-tester.com unfortunately purports to demonstrate. They are
> using an obsolete version of SA with (apparently) local rule
> adjustments and they have chronically misreported the sign of SA
> scores, confusing users. As someone who fields SpamAssassin bug
> reports, I despise them.
> 
> KHOP_HELO_FCRDNS means that one of the trustworthy set of
> Received headers shows a handoff from a machine that identified
> itself (in the EHLO or HELO step of the transaction) with a name
> that did not match the name that the connecting IP's PTR record
> points to, which does resolve back to the connecting IP. This is
> a minor issue, and while it is more common in spam, the
> correlation is weak enough  to earn a fairly low score for that
> rule. In the current full SA ruleset it is scored at 0.001:
> basically meaningless.
> 
> [...]
> > OK, even without dkim and marc, why is gmail rejecting?
> 
> Only GMail can tell you for sure, if even they can.
> 
> Give it some time with your fixed SPF. That *may* be adequate,
> but Google changes can take time.
> 
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
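
The HELO versus reverse-DNS comparison described in the quoted explanation above, as an added example that is not code from the thread or from SpamAssassin. It collects the PTR names that resolve back to the connecting IP (forward-confirmed reverse DNS) and compares the HELO name against them; the function names are this example's own, and the sample zone is constructed from the IP, HELO and rDNS values in the headers quoted above.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_addrs(name):
    """Addresses for name from the system resolver (empty list if none)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def norm(name):
    """Compare host names case-insensitively and without the root dot."""
    return name.rstrip(".").lower()


def _same_ip(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def check_helo(ip, helo, ptr=system_ptr, addrs=system_addrs):
    """Classify a connection as 'match', 'helo-differs' or 'no-fcrdns'."""
    # Keep only PTR names whose forward lookup returns the connecting IP.
    confirmed = sorted({norm(n) for n in ptr(ip)
                        if any(_same_ip(ip, a) for a in addrs(n))})
    if not confirmed:
        verdict = "no-fcrdns"
    elif norm(helo) in confirmed:
        verdict = "match"
    else:
        verdict = "helo-differs"  # the condition the rule in the thread flags
    return {"verdict": verdict, "helo": norm(helo), "fcrdns": confirmed}


# Constructed sample zone so the example runs offline. The values are taken
# from the X-Spam-Last-External-* headers quoted in the thread.
SAMPLE_PTR = {"166.84.7.93": ["debian-2.covici.com."]}
SAMPLE_A = {"debian-2.covici.com": ["166.84.7.93"]}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_addrs(name):
    return SAMPLE_A.get(norm(name), [])


if __name__ == "__main__":
    for helo in ("covici.com", "debian-2.covici.com"):
        print(check_helo("166.84.7.93", helo, sample_ptr, sample_addrs))
```

Called without the `ptr` and `addrs` arguments, `check_helo` uses the system resolver, so it can be pointed at a live server's address and configured HELO name.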


Re: [mailop] gmail putting most messages into Spam

2023-01-18 Thread John Covici via mailop
No, but I will do that after fixing up my spf records!

On Wed, 18 Jan 2023 08:38:32 -0500,
Mark Alley via mailop wrote:
> 
> Have you tried submitting via the Google Sender Contact Form to get this
> resolved?
> 
> On 1/18/2023 5:02 AM, Jaroslaw Rafa via mailop wrote:
> > On 17.01.2023 at 20:05:45, Jarland Donnell via mailop wrote:
> >> You visit mail-tester.com, copy the email address, send an email to
> >> it, and then wait about 15-30 seconds and click the button. It'll
> >> give you an overview. It's not perfect, but if your email has some
> >> very significant, avoidable problems it's an easy way to identify a
> >> few common ones.
> > It's a very interesting service, thank you for the info. However, I must say
> > that even having 10/10 and all green on this service (as I have) means
> > nothing with regard to deliverability to Google - my messages are still put
> > to Spam folder as they have been. Even after manually marking the message as
> > non-spam by recipient, the next message goes to spam again.
> > 
> > Seems like the only way to have my messages delivered normally to Inbox is
> > to tell the Gmail recipient to create a filter on my sender address with the
> > action "never send to spam". Which is pretty idiotic, because a) an average
> > Gmail user is a person who can't do this (if he/she could, he/she would
> > probably choose a better mail service than Gmail); b) even if the recipient
> > can do this, how am I supposed to tell this to a person for whom I have
> > only email contact?



Re: [mailop] gmail putting most messages into Spam

2023-01-18 Thread John Covici via mailop
Yep, I will work on that.

On Wed, 18 Jan 2023 05:53:26 -0500,
Mark Alley wrote:
> 
> The HELO identity is set by the submitting mail server during the
> SMTP session, you'll need to update that accordingly in each
> respective mail server's configuration (or whichever software is
> being used).
> 
> On 1/18/2023 4:48 AM, John Covici wrote:
> > Thanks, that was useful.
> > 
> > I wonder why it was hello covici.com since I am not sending from that
> > address?
> > 
> > On Wed, 18 Jan 2023 05:33:32 -0500,
> > Mark Alley via mailop wrote:
> >> //X-Spam-Last-External-HELO: covici.com/ * 0.3 KHOP_HELO_FCRDNS
> >> Relay HELO differs from its IP's reverse DNS * I don't
> >> understand this one, I have rdns pointers on ccs.covici.com and
> >> debian-2.covici.com ./
> >> 
> >>   * "debian-2.covici.com" and "ccs.covici.com" may be the FQDN of the
> >> mail server(s), but the HELO presented (covici.com) does not match
> >> the server IP rDNS as reflected above. The HELO of each server would
> >> need to match its IP's rDNS FQDN (i.e. "debian-2.covici.com" and
> >> "ccs.covici.com" respectively) to pass this check.
> >>   * You will also want to publish an SPF record for these HELO
> >> identities once it matches, probably something like -/v=spf1 a ~all
> >> /I see you already have one for ccs.covici.com, but there is not one
> >> currently for "debian-2.covici.com".
> >> 
> >> 
> >> - Mark Alley
> >> 
> >> 
> >> On 1/18/2023 4:08 AM, John Covici via mailop wrote:
> >>> Thanks, it was my bad.  I did put an spf record, a couple of hours
> >>> ago, but mail-tester said it had not propagated.
> >>> 
> >>> I am going to paste my test results, because I have still some
> >>> questions.
> >>> 
> >>> Comments in line
> >>> 
> >>> 
> >>> Good stuff. Your email is almost perfect
> >>> Score :
> >>> 7.7/10
> >>>Subject : test #4Received 0 minutes ago
> >>> Click here to view your message
> >>>   From : John Covici
> >>> Bounce address :cov...@ccs.covici.com
> >>> Reply-To :cov...@ccs.covici.com
> >>>Text version
> >>> hello.
> >>> 



Re: [mailop] gmail putting most messages into Spam

2023-01-18 Thread John Covici via mailop
Thanks, that was useful.

I wonder why it was hello covici.com since I am not sending from that
address?

On Wed, 18 Jan 2023 05:33:32 -0500,
Mark Alley via mailop wrote:
> 
> //X-Spam-Last-External-HELO: covici.com/ * 0.3 KHOP_HELO_FCRDNS
> Relay HELO differs from its IP's reverse DNS * I don't
> understand this one, I have rdns pointers on ccs.covici.com and
> debian-2.covici.com ./
> 
>  * "debian-2.covici.com" and "ccs.covici.com" may be the FQDN of the
>    mail server(s), but the HELO presented (covici.com) does not match
>    the server IP rDNS as reflected above. The HELO of each server would
>    need to match its IP's rDNS FQDN (i.e. "debian-2.covici.com" and
>    "ccs.covici.com" respectively) to pass this check.
>  * You will also want to publish an SPF record for these HELO
>    identities once it matches, probably something like -/v=spf1 a ~all
>    /I see you already have one for ccs.covici.com, but there is not one
>    currently for "debian-2.covici.com".
> 
> 
> - Mark Alley
> 
> 
> On 1/18/2023 4:08 AM, John Covici via mailop wrote:
> > Thanks, it was my bad.  I did put an spf record, a couple of hours
> > ago, but mail-tester said it had not propagated.
> > 
> > I am going to paste my test results, because I have still some
> > questions.
> > 
> > Comments in line
> > 
> > 
> > Good stuff. Your email is almost perfect
> > Score :
> > 7.7/10
> >   Subject : test #4Received 0 minutes ago
> > Click here to view your message
> >  From : John Covici
> > Bounce address :cov...@ccs.covici.com
> > Reply-To :cov...@ccs.covici.com
> >   Text version
> > hello.
> > 



Re: [mailop] gmail putting most messages into Spam

2023-01-18 Thread John Covici via mailop
3 00:16:53 -0500)
> John Covici via mailop 
> is rumored to have said:
> 
> > hmmm, I have one for covici.com -- does this not cover the subdomain?
> 
> No.
> 
> > I don't even think my registrar can have an spf for a subdomain.
> 
> That would be remarkably weak on their part. SPF is just a DNS
> TXT record that starts with 'v=spf1' and you can have one for any
> name in DNS. You have MX records for ccs.covici.com, so surely
> you can add a TXT record for it.
> 
> > 
> > On Tue, 17 Jan 2023 21:08:18 -0500,
> > Jarland Donnell via mailop wrote:
> >> 
> >> One very obvious one I hit right away. You seem to be sending
> >> from @ccs.covici.com, and it has no SPF record:
> >> https://www.whatsmydns.net/#TXT/ccs.covici.com
> >> 
> >> A good, solid SPF record is a bare minimum these days. Google is
> >> requiring it more than ever, and while the message they're giving
> >> you isn't the one I'm used to seeing for that, every negative
> >> point about the email you send is a mark against you which means
> >> every aspect you can improve on is relevant.
> >> 
> >> On 2023-01-17 18:03, John Covici via mailop wrote:
> >>> OK, well, now I can't send even to a single gmail address.  What is
> >>> mail-tester.com  --I have never used it?  Is it a website?
> >>> 
> >>> 
> >>> On Tue, 17 Jan 2023 18:20:09 -0500,
> >>> Jarland Donnell via mailop wrote:
> >>>> 
> >>>> On 2023-01-17 17:06, John Covici via mailop wrote:
> >>>>> Still broke for me.
> >>>> 
> >>>> I believe your issue was different from the one in this thread
> >>>> and best summarized by your message in that separate thread:
> >>>> 
> >>>> On 2023-01-17 10:31, John Covici via mailop wrote:
> >>>>> Hi.   For some reason this morning, I am having problems
> >>>>> sending to
> >>>>> gmail addresses.  I get the following error for each:
> >>>>> 
> >>>>> <<< 550-5.7.1 [166.84.7.93  12] Our system has detected
> >>>>> that this
> >>>>> message is
> >>>>> <<< 550-5.7.1 likely unsolicited mail. To reduce the amount
> >>>>> of spam
> >>>>> sent to Gmail,
> >>>>> <<< 550-5.7.1 this message has been blocked. Please visit
> >>>>> <<< 550-5.7.1
> >>>>> https://support.google.com/mail/?p=UnsolicitedMessageError
> >>>>>  Now I have had no problems sending to gmail, but this message was
> >>>>>  sent to maybe 40 users or so -- is this my problem, or am I doing
> >>>>>  something else wrong?
> >>>>> 
> >>>>> Thanks in advance for any suggestions.
> >>>> 
> >>>> It's arguable which is worse, but this is definitely different
> >>>> than spam folder delivery. I would argue your situation is better
> >>>> because I'd rather know it wasn't delivered than tell someone to
> >>>> check their spam folder, because people just don't and you have
> >>>> little clear insight into the fact that they absolutely need to
> >>>> look there. That said, I just performed a log audit and I do not
> >>>> see a recent increase in these error messages from our side. I'm
> >>>> not Google, obviously, but we process enough email that I feel
> >>>> like polling my logs can easily indicate a trend or lack thereof.
> >>>> 
> >>>> My first instinct in your position would be to use something like
> >>>> mail-tester.com to get a basic check over your headers, DNS,
> >>>> etc. I know it's not wildly popular on this list but in a world
> >>>> where the average user still runs to mxtoolbox, mail-tester.com
> >>>> is exponentially better in its assessments.
> >> 
> > 
> > -- 
> > Your life is like a penny.  You're going to lose it.  The question is:
> > How do
> > you spend it?
> > 
> >  John Covici wb2una
> >  cov...@ccs.covici.com
> 
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com
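
The point made in the quoted reply above, that an SPF record published for the parent domain does not cover a subdomain used in the sender address, shown as an added example that is not part of the thread. The zone contents, the names example.com and ccs.example.com, the 192.0.2.x and 198.51.100.x addresses and the function names are constructed assumptions; only the ip4, ip6 and all mechanisms are evaluated.

```python
import ipaddress

# Constructed zone data (TXT records only). example.com stands in for the
# parent domain, ccs.example.com for the subdomain used in the sender address.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.25 -all", "site-verification=constructed"],
    "ccs.example.com": [],  # has MX records, but no SPF TXT record yet
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def select_spf_record(zone, domain):
    """Return the SPF record published at exactly `domain`, or None.

    The lookup never walks up to a parent domain: a record at example.com
    says nothing about ccs.example.com.
    """
    txts = zone.get(domain.lower().rstrip("."), [])
    records = [t for t in txts
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(records) > 1:
        raise ValueError("more than one SPF record at " + domain)
    return records[0] if records else None


def check_host(zone, ip, sender):
    """Evaluate SPF for `sender` (envelope address) arriving from `ip`."""
    domain = sender.rsplit("@", 1)[-1]
    try:
        record = select_spf_record(zone, domain)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"  # no policy published for this exact name
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        else:
            # a, mx, include, redirect= ... need live DNS; not covered here
            raise NotImplementedError("mechanism not handled: " + term)
    return "neutral"  # record matched nothing and had no "all" term


if __name__ == "__main__":
    for sender in ("user@example.com", "user@ccs.example.com"):
        print(sender, "->", check_host(ZONE, "192.0.2.25", sender))
    # Publishing a TXT record at the subdomain itself closes the gap.
    fixed = dict(ZONE, **{"ccs.example.com": ["v=spf1 ip4:192.0.2.25 -all"]})
    print("after fix ->", check_host(fixed, "192.0.2.25", "user@ccs.example.com"))
```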


Re: [mailop] gmail putting most messages into Spam

2023-01-17 Thread John Covici via mailop
hmmm, I have one for covici.com -- does this not cover the subdomain?
I don't even think my registrar can have an spf for a subdomain.

On Tue, 17 Jan 2023 21:08:18 -0500,
Jarland Donnell via mailop wrote:
> 
> One very obvious one I hit right away. You seem to be sending
> from @ccs.covici.com, and it has no SPF record:
> https://www.whatsmydns.net/#TXT/ccs.covici.com
> 
> A good, solid SPF record is a bare minimum these days. Google is
> requiring it more than ever, and while the message they're giving
> you isn't the one I'm used to seeing for that, every negative
> point about the email you send is a mark against you which means
> every aspect you can improve on is relevant.
> 
> On 2023-01-17 18:03, John Covici via mailop wrote:
> > OK, well, now I can't send even to a single gmail address.  What is
> > mail-tester.com  --I have never used it?  Is it a website?
> > 
> > 
> > On Tue, 17 Jan 2023 18:20:09 -0500,
> > Jarland Donnell via mailop wrote:
> >> 
> >> On 2023-01-17 17:06, John Covici via mailop wrote:
> >> > Still broke for me.
> >> 
> >> I believe your issue was different from the one in this thread
> >> and best summarized by your message in that separate thread:
> >> 
> >> On 2023-01-17 10:31, John Covici via mailop wrote:
> >> > Hi.   For some reason this morning, I am having problems sending to
> >> > gmail addresses.  I get the following error for each:
> >> >
> >> > <<< 550-5.7.1 [166.84.7.93  12] Our system has detected that this
> >> > message is
> >> > <<< 550-5.7.1 likely unsolicited mail. To reduce the amount of spam
> >> > sent to Gmail,
> >> > <<< 550-5.7.1 this message has been blocked. Please visit
> >> > <<< 550-5.7.1
> >> > https://support.google.com/mail/?p=UnsolicitedMessageError
> >> >  Now I have had no problems sending to gmail, but this message was
> >> >  sent to maybe 40 users or so -- is this my problem, or am I doing
> >> >  something else wrong?
> >> >
> >> > Thanks in advance for any suggestions.
> >> 
> >> It's arguable which is worse, but this is definitely different
> >> than spam folder delivery. I would argue your situation is better
> >> because I'd rather know it wasn't delivered than tell someone to
> >> check their spam folder, because people just don't and you have
> >> little clear insight into the fact that they absolutely need to
> >> look there. That said, I just performed a log audit and I do not
> >> see a recent increase in these error messages from our side. I'm
> >> not Google, obviously, but we process enough email that I feel
> >> like polling my logs can easily indicate a trend or lack thereof.
> >> 
> >> My first instinct in your position would be to use something like
> >> mail-tester.com to get a basic check over your headers, DNS,
> >> etc. I know it's not wildly popular on this list but in a world
> >> where the average user still runs to mxtoolbox, mail-tester.com
> >> is exponentially better in its assessments.
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] gmail putting most messages into Spam

2023-01-17 Thread John Covici via mailop
OK, well, now I can't send even to a single gmail address.  What is
mail-tester.com  --I have never used it?  Is it a website?


On Tue, 17 Jan 2023 18:20:09 -0500,
Jarland Donnell via mailop wrote:
> 
> On 2023-01-17 17:06, John Covici via mailop wrote:
> > Still broke for me.
> 
> I believe your issue was different from the one in this thread
> and best summarized by your message in that separate thread:
> 
> On 2023-01-17 10:31, John Covici via mailop wrote:
> > Hi.   For some reason this morning, I am having problems sending to
> > gmail addresses.  I get the following error for each:
> > 
> > <<< 550-5.7.1 [166.84.7.93  12] Our system has detected that this
> > message is
> > <<< 550-5.7.1 likely unsolicited mail. To reduce the amount of spam
> > sent to Gmail,
> > <<< 550-5.7.1 this message has been blocked. Please visit
> > <<< 550-5.7.1
> > https://support.google.com/mail/?p=UnsolicitedMessageError
> >  Now I have had no problems sending to gmail, but this message was
> >  sent to maybe 40 users or so -- is this my problem, or am I doing
> >  something else wrong?
> > 
> > Thanks in advance for any suggestions.
> 
> It's arguable which is worse, but this is definitely different
> than spam folder delivery. I would argue your situation is better
> because I'd rather know it wasn't delivered than tell someone to
> check their spam folder, because people just don't and you have
> little clear insight into the fact that they absolutely need to
> look there. That said, I just performed a log audit and I do not
> see a recent increase in these error messages from our side. I'm
> not Google, obviously, but we process enough email that I feel
> like polling my logs can easily indicate a trend or lack thereof.
> 
> My first instinct in your position would be to use something like
> mail-tester.com to get a basic check over your headers, DNS,
> etc. I know it's not wildly popular on this list but in a world
> where the average user still runs to mxtoolbox, mail-tester.com
> is exponentially better in its assessments.
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] gmail putting most messages into Spam

2023-01-17 Thread John Covici via mailop
Still broke for me.

On Tue, 17 Jan 2023 17:22:02 -0500,
Jarland Donnell via mailop wrote:
> 
> Just a +1 report for the sake of data. The only legitimate emails
> I have in my spam folder at Gmail are from Inno Supps and
> healthcare.gov. Inno Supps I get because of their products and,
> therefore, their language is quite similar to standard spam
> campaigns. Healthcare.gov I get because, legitimate as they may
> be, they sure are spammy little shits.
> 
> I have not seen an increase in customer complaints about emails
> landing in Gmail folders. If anything, compared to the growth
> over the last holiday season, the complaints are fewer and
> farther between relative to the number of customers we have.
> 
> I can absolutely say without question though that I have
> repeatedly witnessed since 2011 (when my work in the field began)
> users who found benefit in purchasing new domains to increase
> their chances of landing in inboxes. Either because of a past
> history of intentional abuse (being sorry doesn't fix filters),
> their domains using TLDs that were inherently more highly
> associated with abuse (Why does .monster even exist if not for
> spam?), or their domains used keywords that were very common in
> spam like "health" or "healthcare" (huge increase in the years
> following ACA passage in the US).
> 
> On 2023-01-17 07:16, Paul Gregg via mailop wrote:
> > Heads up in case anyone else is experiencing this.
> > 
> > We are aware of a recent change in behaviour of gmail.com where
> > most email is placed directly into Spam folder.
> > 
> > So far we have dozens of customers reporting this.
> > Tested myself with full SPF, DKIM and DMARC with p=reject - which gmail
> > itself marks as passing all tests. The mail was also delivered
> > over TLS.
> > Mails go to Spam.
> > 
> > We're trying to reach out to google, but so far have no response.
> > 
> > We don't think it is just 'us', as reddit r/msp has others reporting
> > same from O365 direct to gmail.
> > 
> > PG
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] problem sending messages to gmail

2023-01-17 Thread John Covici via mailop
Still getting the problem -- I could not even send to my own gmail
account!

On Tue, 17 Jan 2023 11:59:28 -0500,
Paul Gregg via mailop wrote:
> 
> On Tue, Jan 17, 2023 at 11:31:22AM -0500, John Covici via mailop wrote:
> >  Hi.   For some reason this morning, I am having problems sending to
> >  gmail addresses.  I get the following error for each:
> > 
> >  <<< 550-5.7.1 [166.84.7.93  12] Our system has detected that this
> >  message is
> >  <<< 550-5.7.1 likely unsolicited mail. To reduce the amount of spam
> >  sent to Gmail,
> >  <<< 550-5.7.1 this message has been blocked. Please visit
> >  <<< 550-5.7.1
> >  https://support.google.com/mail/?p=UnsolicitedMessageError
> >   Now I have had no problems sending to gmail, but this message was
> >   sent to maybe 40 users or so -- is this my problem, or am I doing
> >   something else wrong?
> > 
> >  Thanks in advance for any suggestions.
> 
> Yes, we also started seeing these in the past 60 or so hours. In this
> case, the message is rejected (and not delivered to the user) and
> (likely) an NDR is sent back.
> 
> I should note that within the past hour - things look to be
> significantly improved. Mail is making it to Inboxes - and seeing
> significantly fewer 550-5.7.1 responses.
> 
> PG
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


[mailop] problem sending messages to gmail

2023-01-17 Thread John Covici via mailop
Hi.   For some reason this morning, I am having problems sending to
gmail addresses.  I get the following error for each:

<<< 550-5.7.1 [166.84.7.93  12] Our system has detected that this
message is
<<< 550-5.7.1 likely unsolicited mail. To reduce the amount of spam
sent to Gmail,
<<< 550-5.7.1 this message has been blocked. Please visit
<<< 550-5.7.1
https://support.google.com/mail/?p=UnsolicitedMessageError
 Now I have had no problems sending to gmail, but this message was
 sent to maybe 40 users or so -- is this my problem, or am I doing
 something else wrong?

Thanks in advance for any suggestions.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] The oligopoly has won.

2022-09-14 Thread John Covici via mailop
Me too, I have my own mta and I use a vps and have spf.  As yet, I
don't have dkim and dmarc, but things still seem to work.

On Wed, 14 Sep 2022 06:29:35 -0400,
Mark Foster via mailop wrote:
> 
> 
> On 14/09/2022 9:24 pm, Renaud Allard via mailop wrote:
> > 
> > 
> > On 9/14/22 10:57, Alessandro Vesely via mailop wrote:
> >>  * Stop blackholing.
> > 
> > That one is the absolute worst of the worst of the
> > worst. Blackholing is something that _MUST NOT_ be done, ever,
> > for whatever reason. There is never and has never been a good
> > reason for blackholing. If you don't like a mail, give it a 5XX
> > error, never accept it. When you have accepted a mail you MUST
> > deliver it.
> > 
> > Even "spam folder" is a bad idea. If it's spam, reject it with
> > 5XX. You can never be sure people will look in the spam
> > folder. And if they do check it, why should it be there in the
> > first place, email could as well land in inbox, that's one less
> > action to take to see your mails.
> 
> As much as I dislike quarantine, the reality is that the big
> players aren't the ones who care when your important email is
> miscategorised as spam.
> 
> Just this week it was only through the due-diligence of a local
> (New Zealand) company that I didn't lose an in-service domain
> name... my anti-spam platform was dutifully issuing 5xx 'this is
> spam' errors (and refusing delivery) of domain validation
> requests coming from OpenSRS.  OpenSRS just kept trying, as if
> repeated attempts with the same non-delivery result were somehow
> going to change the outcome.  They (OpenSRS) did nothing useful
> with the 5xx error and the consequence would've been very
> disruptive for a service I have a strong interest in, if the
> registrar had decided that I was unresponsive as a result and
> suspended my service.
> (I was first to create an explicit allow policy for the sender,
> and ask my (local) vendor to initiate another attempt, which I
> then received).
> No doubt OpenSRS deal with thousands of non-delivery
> notifications, and don't feel like unpicking every single
> one. It's up to a Registrant to be contactable via registered
> details, right? The consequence of getting it wrong was very much
> mine, not theirs.
> 
> Yes my anti-spam vendor was miscategorising the email as spam, no
> doubt due to poorly implemented automation reacting to 'this is
> spam' feedback from people receiving unsolicited domain-related
> correspondence for domains (perhaps not realising that doing so
> is creating new heuristics that'll negatively impact anyone else
> consuming the same engines if they get it wrong). But anti-spam
> measures are imperfect.  Blindly expecting 5xx for all spam
> reports is not realistic IMO... quarantines and spam-folders are
> a reasonable compromise that gives the end-user some ability to
> influence the real-world consequences of getting it wrong.
> 
> Perhaps a good time to remind some mailing list participants that
> there's more to the Internet than ATT, Verizon and Microsoft ;-)
> Especially when we remember the Internet extends beyond North
> America.
> 
> From someone still valiantly running their own personal MTA, as a
> VPS, and with a little help from third-party anti-spam tooling
> and mail relay services on occasion. Generally successfully, and
> still strongly disinclined to hand my email environment to an
> oligopoly operator.  But it's a near thing sometimes.
> 
> Mark.
> 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] gmail changes today?

2022-06-09 Thread John Covici via mailop
I sent a mail which got rejected --  it was a plain text Email with
one link and it was rejected.  I put a space in the link somewhere and
it was accepted.

On Thu, 09 Jun 2022 10:47:18 -0400,
Otto J. Makela via mailop wrote:
> 
> On 08/06/2022 21.25, Brandon Long via mailop wrote:
> 
> > so the false positive rate for the new rule is better.  It doesn't
> > even need to be a new rule, maybe your reputation just decreased
> > slightly and it now is below the threshold.
> 
> I know of a couple of similar cases -- to me it seems Google's Bayesian
> heuristic (if there is such a thing) was over-zealous or something.
> It did not seem to matter if the outgoing messages passed SPF tests and/or
> had a correct DKIM signature: dsn=5.0.0, stat=Service unavailable.
> 
> However, I haven't seen those today.
> 
> Brandon, can you please look if your reject rates were suddenly up for
> a while, I'm sure there are statistics available?
> 
> -- 
>/* * * Otto J. Makela  * * * * * * * * * */
>   /* Phone: +358 40 765 5772, ICBM: N 60 10' E 24 55' */
>  /* Mail: Mechelininkatu 26 B 27,  FI-00100 Helsinki */
> /* * * Computers Rule 0100 01001011 * * * * * * */
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] Where to ask questions about Rich Communication Services (RCS)?

2021-07-30 Thread John Covici via mailop
What do you mean by  RCS?  What kind of services are you talking
about?

On Fri, 30 Jul 2021 15:26:24 -0400,
Fernando Cassia via mailop wrote:
> 
> Sorry for the off-topic question but I figure someone in here might know if
> there is a forum or mailing list to ask questions about RCS provisioning?
> 
> I decided to ask here because I guess many of the companies with big email
> infrastructure might also happen to be telecomms firms and cellcos in
> particular, highly likely also implementing RCS for its customers.
> 
> Again, my apologies for this slightly ot question. Off-list replies
> welcome.
> 
> FC

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] When RBLs go bad

2021-02-14 Thread John Covici via mailop
It's 70.109.53.110.

On Sun, 14 Feb 2021 16:10:35 -0500,
Peter Nicolai Mathias Hansteen wrote:
> 
> 
> > 14. feb. 2021 kl. 21:58 skrev John Covici via mailop :
> > 
> > It seems that bsdly.net is not working. I cannot ping or connect to
> > the website mentioned.
> 
> That is odd, and perhaps a cause of concern.
> 
> If you give me the IP address you would have come from (or range) I can check 
> things at this end.
> 
> All the best,
> Peter
> 
> ―
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> 
> 
> 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] When RBLs go bad

2021-02-14 Thread John Covici via mailop
It seems that bsdly.net is not working. I cannot ping or connect to
the website mentioned.

On Sun, 14 Feb 2021 14:00:51 -0500,
Peter Nicolai Mathias Hansteen via mailop wrote:
> 
> Just to add to the datapoints of services ‘gone bad’ ― I suspect the story 
> behind several of these episodes is that whoever actually knew how their 
> systems worked left the organization, and whoever is left to take over is not 
> actually up to the task, and bad things happen.
> 
> I’m fairly convinced that was what happened in this case from a few years back:
> https://bsdly.blogspot.com/2017/08/twenty-plus-years-on-smtp-callbacks-are.html
> It is anyway fairly clear that whoever did great labour in an effort to
> avoid actually answering questions did not have a clue how any of this
> actually works.
> 
> Another frequent problem is that the list maintainers are not too transparent 
> about the actual mechanisms of getting on or off the lists.
> 
> I would advise that any listing service that does not clearly document 
> inclusion criteria should not be trusted.
> 
> I slant in the direction that inclusion criteria should be as simple as 
> possible, but even complex ones should be documented to whatever detail 
> feasible and available to the general public.
> 
> Just as a random example, here is my inclusion criteria document ― short and
> sweet ― for my known spam sources list:
> https://www.bsdly.net/~peter/traplist_ethics.shtml
> In addition, my system generates a few other blacklists, summarized in this
> blog post:
> https://bsdly.blogspot.com/2018/08/badness-enumerated-by-robots.html
> 
> 
> I hope this is vaguely useful to one or more somebodies out there.
> 
> All the best,
> Peter
> 
> ―
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> 
> 
> 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] Suggestions for mailops.org website - forum?

2020-02-18 Thread John Covici via mailop
I definitely agree with this, I go through my email, but hardly ever
log on to forums, it's just too much of a pita.  Forums are useful, but
mailing lists are better unless you get replies to replies ... too
many levels.

On Tue, 18 Feb 2020 05:00:24 -0500,
Bjoern Franke via mailop wrote:
> 
> > 
> >  From past experience of technical mailing lists changing to forums, I'd 
> > expect participation in a forum to drop dramatically. Mailing list 
> > messages get pushed to members, forums require you to go and look. Even 
> > if new posted messages are emailed to members, then it still requires 
> > the member to click on a link, login etc before replying. From 
> > experience, fewer people will do that. I was in a very active mailing 
> > list with multiple messages daily. It changed to a forum a couple of 
> > years ago. Now, it's unusual for there to be as many as one message a month.
> 
> This is the same experience I had with a community which tried to switch
> to a Discourse forum. Discourse is even capable of sending mails with
> List-ID / References in the header, but still has some issues.
> 
> And mailinglist mails can be read even by a client on a mobile phone and
> have only SMTP/IMAP traffic and no overhead for loading several stuff
> from CDNs etc.
> 
> Regards
> Bjoern
> 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [mailop] suddenly sendmail cannot make tls connections

2020-01-25 Thread John Covici via mailop

On Sat, 25 Jan 2020 07:39:30 -0500,
Johann Klasek via mailop wrote:
> 

OK, that clarifies  things, but since I have to connect with many
servers and they are not all up to 1.2, I will keep things as they are
for now.

Thanks.


-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [mailop] suddenly sendmail cannot make tls connections

2020-01-24 Thread John Covici via mailop
On Fri, 24 Jan 2020 20:30:36 -0500,
John Covici via mailop wrote:
> 
> Sorry, this went privately so I am sending to the list.
> 
> On Fri, 24 Jan 2020 16:10:57 -0500,
> Johann Klasek wrote:
> > 
> > Hi John,
> > 
> > On Fri, Jan 24, 2020 at 06:33:26PM +0100, ml+mailop--- via mailop wrote:
> > > Usually I don't reply to top-posted mails...
> > > 
> > > 1. Try with
> > > openssl s_client -connect other.host:25 -state -debug -crlf -starttls 
> > > smtp ...
> > > and add parameters to match your sendmail setup.
> > > 
> > > 2. See cf/README how to set the option in your mc file:
> > > confCIPHER_LIST   CipherList  [undefined] Cipher list for TLS.
> > > 
> > > 3. If you post changes you made, then post real data,
> > > not something like
> > > tls_srv_features  CipherList=...
> > > because that doesn't tell someone else whether you used the
> > > right key(s).
> > > 
> > > 4. you can use the same openssl command against your server
> > > to see whether your config changes actually have the desired
> > > effect.
> > > 
> > > 5. If the problem persists, you need to provide more data,
> > > e.g., real hostnames, your .mc file, and so on.
> > > 
> > [..]
> > 
> > did you already work out this list?
> 
> I first want to thank everyone who has been helping me on this
> problem.  Well, I found something interesting, when using openssl
> connect to the host which is (one of them) ukiah.firemountain.net  I
> got the following output:
> 
> SSL_connect:before SSL initialization
> SSL_connect:SSLv3/TLS write client hello
> SSL_connect:SSLv3/TLS write client hello
> SSL_connect:SSLv3/TLS read server hello
> depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = 
> ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> verify error:num=66:EE certificate key too weak
> verify return:1
> depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = 
> ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = 
> ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> verify return:1
> SSL_connect:SSLv3/TLS read server certificate
> SSL3 alert write:fatal:handshake failure
> SSL_connect:error in error
> 140589450400896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too 
> small:../ssl/statem/statem_clnt.c:2150:
> CONNECTED(0003)
> ---
> Certificate chain
>  0 s:C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, 
> CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
>i:C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, 
> CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> ---
> Server certificate
> subject=C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = 
> ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> 
> issuer=C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, 
> CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> 
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1893 bytes and written 354 bytes
> Verification error: self signed certificate
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Comp
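
An added example, not from the thread: a small triage of the `openssl s_client -state` output quoted in the message above, separating which side aborted the handshake from the reasons reported. The sample lines are taken from that transcript with the mail client's line wrapping undone; the 2048-bit threshold, the finding labels and the function names are assumptions.

```python
import re

# Lines from the transcript quoted in the message above, re-joined where the
# mail client wrapped them; the certificate and subject lines are omitted.
SAMPLE = """\
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
verify error:num=66:EE certificate key too weak
verify return:1
verify error:num=18:self signed certificate
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL3 alert write:fatal:handshake failure
SSL_connect:error in error
140589450400896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
Server public key is 1024 bit
"""

VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.+)$")
ALERT_RE = re.compile(r"^SSL3 alert (read|write):(fatal|warning):(.+)$")
ERRQ_RE = re.compile(r"^\d+:error:[0-9A-Fa-f]+:([^:]*):([^:]*):([^:]*):")
KEYBITS_RE = re.compile(r"^Server public key is (\d+) bit")


def parse_transcript(text):
    """Collect verify errors, alerts, error-queue entries and key size."""
    report = {"verify_errors": [], "alerts": [], "errors": [],
              "server_key_bits": None}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate quoted-reply prefixes
        m = VERIFY_RE.match(line)
        if m:
            report["verify_errors"].append((int(m.group(1)), m.group(2)))
            continue
        m = ALERT_RE.match(line)
        if m:
            report["alerts"].append(m.groups())
            continue
        m = ERRQ_RE.match(line)
        if m:
            report["errors"].append(m.groups())  # (library, function, reason)
            continue
        m = KEYBITS_RE.match(line)
        if m:
            report["server_key_bits"] = int(m.group(1))
    return report


def diagnose(report, min_key_bits=2048):
    """Turn a parsed report into (label, detail) findings.

    min_key_bits is an assumed local policy, not a value from the thread.
    """
    findings = []
    for direction, level, desc in report["alerts"]:
        if level == "fatal":
            # "write" means the local side sent the alert and gave up
            who = "client-aborted" if direction == "write" else "server-aborted"
            findings.append((who, desc))
    for _lib, func, reason in report["errors"]:
        if reason == "dh key too small":
            findings.append(("dh-params-rejected", func))
        else:
            findings.append(("openssl-error", reason))
    # s_client keeps going after verify errors ("verify return:1"), so these
    # are weaknesses of the remote certificate, not the cause of the abort.
    names = {66: "cert-key-too-weak", 18: "cert-self-signed"}
    for num, text in report["verify_errors"]:
        findings.append((names.get(num, "verify-error-%d" % num), text))
    bits = report["server_key_bits"]
    if bits is not None and bits < min_key_bits:
        findings.append(("server-key-small", bits))
    return findings


if __name__ == "__main__":
    for label, detail in diagnose(parse_transcript(SAMPLE)):
        print(label, "-", detail)
```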

Re: [mailop] suddenly sendmail cannot make tls connections

2020-01-24 Thread John Covici via mailop
This went privately, so I am resending to the list.

On Fri, 24 Jan 2020 16:10:57 -0500,
Johann Klasek wrote:
> 
> Hi John,
> 
> On Fri, Jan 24, 2020 at 06:33:26PM +0100, ml+mailop--- via mailop wrote:
> > Usually I don't reply to top-posted mails...
> > 
> > 1. Try with
> > openssl s_client -connect other.host:25 -state -debug -crlf -starttls smtp 
> > ...
> > and add parameters to match your sendmail setup.
> > 
> > 2. See cf/README how to set the option in your mc file:
> > confCIPHER_LIST CipherList  [undefined] Cipher list for TLS.
> > 
> > 3. If you post changes you made, then post real data,
> > not something like
> > tls_srv_featuresCipherList=...
> > because that doesn't tell someone else whether you used the
> > right key(s).
> > 
> > 4. you can use the same openssl command against your server
> > to see whether your config changes actually have the desired
> > effect.
> > 
> > 5. If the problem persists, you need to provide more data,
> > e.g., real hostnames, your .mc file, and so on.
> > 
> [..]
> 
> did you already work out this list?
> 
> 
> Johann
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] suddenly sendmail cannot make tls connections

2020-01-24 Thread John Covici via mailop
Sorry, this went privately so I am sending to the list.

On Fri, 24 Jan 2020 16:10:57 -0500,
Johann Klasek wrote:
> 
> Hi John,
> 
> On Fri, Jan 24, 2020 at 06:33:26PM +0100, ml+mailop--- via mailop wrote:
> > Usually I don't reply to top-posted mails...
> > 
> > 1. Try with
> > openssl s_client -connect other.host:25 -state -debug -crlf -starttls smtp 
> > ...
> > and add parameters to match your sendmail setup.
> > 
> > 2. See cf/README how to set the option in your mc file:
> > confCIPHER_LIST CipherList  [undefined] Cipher list for TLS.
> > 
> > 3. If you post changes you made, then post real data,
> > not something like
> > tls_srv_featuresCipherList=...
> > because that doesn't tell someone else whether you used the
> > right key(s).
> > 
> > 4. you can use the same openssl command against your server
> > to see whether your config changes actually have the desired
> > effect.
> > 
> > 5. If the problem persists, you need to provide more data,
> > e.g., real hostnames, your .mc file, and so on.
> > 
> [..]
> 
> did you already work out this list?

I first want to thank everyone who has been helping me on this
problem.  Well, I found something interesting, when using openssl
connect to the host which is (one of them) ukiah.firemountain.net  I
got the following output:

SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, 
CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
verify error:num=66:EE certificate key too weak
verify return:1
depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, 
CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, 
CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL3 alert write:fatal:handshake failure
SSL_connect:error in error
140589450400896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too 
small:../ssl/statem/statem_clnt.c:2150:
CONNECTED(0003)
---
Certificate chain
 0 s:C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, CN 
= ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
   i:C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, CN 
= ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
---
Server certificate
-BEGIN CERTIFICATE-
-END CERTIFICATE-
subject=C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, 
CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net

issuer=C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, 
CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net

---
No client certificate CA names sent
---
SSL handshake has read 1893 bytes and written 354 bytes
Verification error: self signed certificate
---
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: 
Session-ID: 
Session-ID-ctx: 
Master-Key: 
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1579904838
Timeout   : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
---

Here  is a longer excerpt from the log if that will help:
Jan 24 17:21:41 debian-2 sm-mta[9779]: STARTTLS=client, error: connect
failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jan 24 17:21:41 debian-2 sm-mta[9779]: ruleset=tls_server,
arg1=SOFTWARE, relay=ukiah.firemountain.net, reject=403 4.7.0 TLS
handshake failed.
Jan 24 17:21:41 debian-2 
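
Added example (not part of the original message, and not sendmail's own tooling): the two log lines quoted above share the sm-mta PID, so the `reason=` on the `STARTTLS=client` line can be paired with the `relay=` on the `ruleset=tls_server` line that follows it. The sample log is constructed and the relay names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the thread.
# Relay names are placeholders; PID 9801's entries are wrapped the way the
# mail client wrapped the quoted lines.
SAMPLE_LOG = """\
Jan 24 17:21:41 debian-2 sm-mta[9779]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jan 24 17:21:41 debian-2 sm-mta[9779]: ruleset=tls_server, arg1=SOFTWARE, relay=mx1.example.net, reject=403 4.7.0 TLS handshake failed.
Jan 24 17:22:05 debian-2 sm-mta[9801]: STARTTLS=client, error: connect
failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jan 24 17:22:05 debian-2 sm-mta[9801]: ruleset=tls_server,
arg1=SOFTWARE, relay=mx1.example.net, reject=403 4.7.0 TLS
handshake failed.
Jan 24 17:23:10 debian-2 sm-mta[9850]: STARTTLS=client, error: connect failed=-1, reason=sslv3 alert handshake failure, SSL_error=1, errno=0, retry=-1
Jan 24 17:23:10 debian-2 sm-mta[9850]: ruleset=tls_server, arg1=SOFTWARE, relay=mx2.example.org, reject=403 4.7.0 TLS handshake failed.
Jan 24 17:24:00 debian-2 sm-mta[9900]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
"""

UNKNOWN = "(no relay logged)"
TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
ENTRY_RE = re.compile(r"^.{15} \S+ sm-mta\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def unwrap(text):
    """Re-join syslog entries that were wrapped across several lines."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if TS_RE.match(raw) or not entries:
            entries.append(raw.strip())
        else:
            entries[-1] += " " + raw.strip()
    return entries

def fields(msg):
    """Split sendmail's 'key=value, key=value' message into a dict."""
    pairs = (part.partition("=") for part in msg.split(", "))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def attribute_failures(text):
    """Return {reason: {relay: count}} for outbound STARTTLS failures."""
    pending = {}  # pid -> reason still waiting for its relay= line
    out = defaultdict(lambda: defaultdict(int))
    for entry in unwrap(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue
        pid, f = m["pid"], fields(m["msg"])
        if f.get("STARTTLS") == "client" and "reason" in f:
            if pid in pending:  # earlier error never got a relay line
                out[pending[pid]][UNKNOWN] += 1
            pending[pid] = f["reason"]
        elif f.get("ruleset") == "tls_server" and pid in pending:
            out[pending.pop(pid)][f.get("relay", UNKNOWN)] += 1
    for reason in pending.values():
        out[reason][UNKNOWN] += 1
    return {reason: dict(relays) for reason, relays in out.items()}

def dh_too_small_relays(text):
    """Relays whose handshake the local OpenSSL rejected for a small DH key."""
    relays = attribute_failures(text).get("dh key too small", {})
    return sorted(r for r in relays if r != UNKNOWN)

if __name__ == "__main__":
    for reason, relays in attribute_failures(SAMPLE_LOG).items():
        print(reason, relays)
```

In the s_client trace above the error is raised in `tls_process_ske_dhe` (`statem_clnt.c`), which is the client processing the server's key exchange, so the relays this reports are the ones offering a DH key that the local OpenSSL policy refuses.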

Re: [mailop] suddenly sendmail cannot make tls connections

2020-01-24 Thread John Covici via mailop
That is what I was thinking, but the first reply suggested it was the
far end.  Very strange indeed.

On Fri, 24 Jan 2020 13:07:30 -0500,
Bill Cole via mailop wrote:
> 
> [NOTE: There's no need to send me copies of messages off-list. I
> do read replies on-list]
> 
> On 24 Jan 2020, at 12:09, John Covici via mailop wrote:
> 
> > Yep, looks good.  But does that help if it's the far end that is
> > the problem?
> 
> Not if that message is your Sendmail/OpenSSL complaining about
> the far end offering too small a key, but I'm not 100% certain
> that this is what that log line indicates. The lack of a "relay="
> element identifying the far end host suggests that this is an
> entirely local problem.
> 
> 
> > On Fri, 24 Jan 2020 11:47:12 -0500,
> > Bill Cole via mailop wrote:
> >> 
> >> On 23 Jan 2020, at 18:01, John Covici via mailop wrote:
> >> 
> >>> Hi.  I am using sendmail from my own server and using a virtual
> >>> machine in the cloud as a relay.  That machine all of a
> >>> sudden several
> >>> days ago keeps getting a message saying
> >>> Jan 23 17:51:33 debian-2 sm-mta[7625]: STARTTLS=client,
> >>> error: connect
> >>> failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> >>> 
> >>> Now, in my sendmail.mc (included from starttls.m4) I have
> >>> define(`confDH_PARAMETERS',
> >>> `/etc/mail/tls/sendmail-common.prm')dnl
> >>> # <= EDIT and I made sure that the file was regenerated with
> >>> 2046 bits
> >>> by doing
> >>> openssl dhparam -out  /etc/mail/tls/sendmail-common.prm  2048
> >>> So, what the heck is happening, why do at least some sites
> >>> say the dh
> >>> key is too small?
> >>> 
> >>> Thanks in advance for any suggestions.
> >> 
> >> In case you have not done so already, actually LOOK at that
> >> file. It should be a PEM-format file containing:
> >> 
> >> -BEGIN DH PARAMETERS-
> >> [6x64-character lines of Base64, last line partial]
> >> -END DH PARAMETERS-
> >> 
> >> Also check the size (424 bytes) permissions (must be readable by
> >> whatever user Sendmail runs as) and if you're using SELinux, make
> >> sure it has the correct file context label. And make sure that
> >> name is right: did you actually use the ".prm" filename extension
> >> in creating it and in your sendmail.mc?
> >> 
> >> Often the problem with arcane technical issues is actually in the
> >> simplest external details...
> >> 
> >> -- 
> >> Bill Cole
> >> b...@scconsult.com or billc...@apache.org
> >> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> >> Not For Hire (currently)
> >> 
> >> 
> > 
> > -- 
> > Your life is like a penny.  You're going to lose it.  The question is:
> > How do
> > you spend it?
> > 
> >  John Covici wb2una
> >  cov...@ccs.covici.com
> > 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [mailop] suddenly sendmail cannot make tls connections

2020-01-24 Thread John Covici via mailop
Yep, looks good.  But does that help if it's the far end that is the problem?
On Fri, 24 Jan 2020 11:47:12 -0500,
Bill Cole via mailop wrote:
> 
> On 23 Jan 2020, at 18:01, John Covici via mailop wrote:
> 
> > Hi.  I am using sendmail from my own server and using a virtual
> > machine in the cloud as a relay.  That machine all of a sudden several
> > days ago keeps getting a message saying
> > Jan 23 17:51:33 debian-2 sm-mta[7625]: STARTTLS=client, error: connect
> > failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> > 
> > Now, in my sendmail.mc (included from starttls.m4) I have
> > define(`confDH_PARAMETERS',   `/etc/mail/tls/sendmail-common.prm')dnl
> > # <= EDIT and I made sure that the file was regenerated with 2046 bits
> > by doing
> > openssl dhparam -out  /etc/mail/tls/sendmail-common.prm  2048
> > So, what the heck is happening, why do at least some sites say the dh
> > key is too small?
> > 
> > Thanks in advance for any suggestions.
> 
> In case you have not done so already, actually LOOK at that
> file. It should be a PEM-format file containing:
> 
> -BEGIN DH PARAMETERS-
> [6x64-character lines of Base64, last line partial]
> -END DH PARAMETERS-
> 
> Also check the size (424 bytes) permissions (must be readable by
> whatever user Sendmail runs as) and if you're using SELinux, make
> sure it has the correct file context label. And make sure that
> name is right: did you actually use the ".prm" filename extension
> in creating it and in your sendmail.mc?
> 
> Often the problem with arcane technical issues is actually in the
> simplest external details...
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not For Hire (currently)
> 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [mailop] suddenly sendmail cannot make tls connections

2020-01-24 Thread John Covici via mailop
I just checked and I have CipherString = DEFAULT@SECLEVEL=2
in my /etc/ssl/openssl.conf.  I can't think of anything else right
now.

On Fri, 24 Jan 2020 09:55:36 -0500,
Johann Klasek wrote:
> 
> On Fri, Jan 24, 2020 at 07:00:04AM -0500, John Covici via mailop wrote:
> > Thanks a lot for responding.
> > hmmm, I put the cipherlists you mentioned in my access database using
> > tls_clt_features CipherList= ... and I even put tls_server_features
> 
> Better put it in the configuration file, .mc/.cf.
> 
> > with those ciphers but no joy.  My openssl version is 1.1.1d-0+deb10u2
> > and has not been updated since October.
> 
> Maybe they raised the lower limit of acceptable ciphers. Found some
> posting around they recommend to set CipherString = DEFAULT@SECLEVEL=2
> in /etc/ssl/openssl.cnf
> 
> (like in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907788)
> 
> Johann
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [mailop] suddenly sendmail cannot make tls connections

2020-01-24 Thread John Covici via mailop
Thanks for responding.  I don't see a place in my .mc file to put the
ciphers, maybe I am missing something.  I will see if changing the
openssl config helps any.

On Fri, 24 Jan 2020 09:55:36 -0500,
Johann Klasek wrote:
> 
> On Fri, Jan 24, 2020 at 07:00:04AM -0500, John Covici via mailop wrote:
> > Thanks a lot for responding.
> > hmmm, I put the cipherlists you mentioned in my access database using
> > tls_clt_features CipherList= ... and I even put tls_server_features
> 
> Better put it in the configuration file, .mc/.cf.
> 
> > with those ciphers but no joy.  My openssl version is 1.1.1d-0+deb10u2
> > and has not been updated since October.
> 
> Maybe they raised the lower limit of acceptable ciphers. Found some
> posting around they recommend to set CipherString = DEFAULT@SECLEVEL=2
> in /etc/ssl/openssl.cnf
> 
> (like in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907788)
> 
> Johann
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [mailop] suddenly sendmail cannot make tls connections

2020-01-24 Thread John Covici via mailop
Thanks a lot for responding.
hmmm, I put the cipherlists you mentioned in my access database using
tls_clt_features CipherList= ... and I even put tls_server_features
with those ciphers but no joy.  My openssl version is 1.1.1d-0+deb10u2
and has not been updated since October.


On Fri, 24 Jan 2020 00:06:18 -0500,
ml+mailop--- via mailop wrote:
> 
> On Thu, Jan 23, 2020, John Covici via mailop wrote:
> 
> > Jan 23 17:51:33 debian-2 sm-mta[7625]: STARTTLS=client, error: connect
> > failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> 
> AFAICT it's the key from "the other side" that openssl is complaining
> about -- did you recently upgrade it?
> 
> You could disable the DHE ciphers, e.g. something like this
> (note: you have to "match" this with your openssl version
> and the ciphers it supports):
> 
> O CipherList=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA
> 
> Note that that must be one very long line.
> 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



[mailop] suddenly sendmail cannot make tls connections

2020-01-23 Thread John Covici via mailop
Hi.  I am using sendmail from my own server and using a virtual
machine in the cloud as a relay.  That machine all of a sudden several
days ago keeps getting a message saying
Jan 23 17:51:33 debian-2 sm-mta[7625]: STARTTLS=client, error: connect
failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1

Now, in my sendmail.mc (included from starttls.m4) I have
define(`confDH_PARAMETERS',   `/etc/mail/tls/sendmail-common.prm')dnl
# <= EDIT and I made sure that the file was regenerated with 2046 bits
by doing
openssl dhparam -out  /etc/mail/tls/sendmail-common.prm  2048
So, what the heck is happening, why do at least some sites say the dh
key is too small?

Thanks in advance for any suggestions.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [mailop] Can someone write me a prescription for a sane MTA? I'm allergic to Postfix.

2019-12-10 Thread John Covici via mailop
OK, thanks.  I will look into those, but it seems I am not using them
as they were designed to be used.

On Tue, 10 Dec 2019 18:52:43 -0500,
Stuart Henderson wrote:
> 
> On 2019/12/10 08:31, John Covici via mailop wrote:
> > So, what would be an appropriate replacement for procmail,  I think in
> > my distro it's a hard dependency of sendmail, but maybe there is
> > something better?
> 
> If you use software which already implements Sieve (Dovecot and Cyrus
> are probably the most common), it's often convenient to just use that.
> 
> If not, there are other programs which act as stand-alone delivery agents
> - the ones I know of are maildrop (which is normally used with Courier mail
> server but can also work standalone), and fdm (which is mostly used as a
> pop3/imap fetcher but you can also configure an "stdin" account type
> which you can use as a standard delivery agent).
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [mailop] Can someone write me a prescription for a sane MTA? I'm allergic to Postfix.

2019-12-10 Thread John Covici via mailop
So, what would be an appropriate replacement for procmail,  I think in
my distro it's a hard dependency of sendmail, but maybe there is
something better?

On Tue, 10 Dec 2019 02:08:10 -0500,
Stuart Henderson via mailop wrote:
> 
> On 2019/12/09 14:16, Jaroslaw Rafa via mailop wrote:
> > Well... I'd rather do such things in procmail
> 
> Be aware, procmail's last maintainer said, "the code is not safe and
> should not be used as a basis for any further work".
> 
> https://marc.info/?l=openbsd-ports&m=141634350915839&w=2
> 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [mailop] Reasons to add plain text alternative to email?

2019-12-09 Thread John Covici via mailop
Yes, keep the plain text alternative -- I need it to be accessible and
plain text is better that way.  If you need to have a link or two,
just paste them in there, but the html mail is usually totally
unnecessary anyway, this is Email after all and it was not designed
for html.  It seems much safer to me as well, no beacons or anything
like that in a plain text email.

On Mon, 09 Dec 2019 03:50:14 -0500,
Maarten Oelering via mailop wrote:
> 
> Multipart messages with html and text alternatives are generally considered 
> best practice. Senders with html templates should add a text version is the 
> common belief.
> 
> But it's almost 2020, and we were wondering if there's still a good reason 
> for adding plain text to a html message. Is there a significant audience 
> reading in plain text? Is plain text important for accessibility? Because 
> SpamAssassin says so?
> 
> Would be great to get feedback from this diverse and knowledgeable community.
> 
> Thanks,
> Maarten Oelering
> Postmastery
> 
> 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com
