Re: [mailop] Best strategy to prune address list

2019-11-23 Thread Rolf E. Sonneveld via mailop

Hi, Steve,

On 23-11-19 20:18, Steve Atkins via mailop wrote:


On 23/11/2019 19:05, Tom Ivar Helbekkmo via mailop wrote:

"Rolf E. Sonneveld via mailop" writes:


What would be a good strategy for this customer to update his list of
contacts?


If it's old enough that they're asking the question, and are afraid of 
the impact of even a single "Hey, still interested?" email then toss 
the list and start over. Whatever process they go through to clean it 
up is going to leave it as still a junk list.


If some of it is "old" (6+ months, say) then that applies to the old 
segment. Newer email addresses are likely recoverable.


If there aren't any signup or last-mailed dates on the list then it's 
all old.


To be honest, I don't know how old the list is, but thanks for your 
advice, seems a good strategy to me.





In the olden days, one would simply write a script, using expect(1) or
similar, to go through the addresses, connect to the target MTAs, and do
an SMTP VRFY on the recipient address.  Today, I suspect that most MTAs
will refuse to service a VRFY request.

Anyone know if that assumption is good?


You're a couple of decades out of touch with email to even consider 
that approach.


More usually a list owner who is really convinced they can save a bad 
list would buy list cleaning services from one of the companies that 
offer them. They'll use a variety of approaches to categorize the 
email addresses on a list into deliverable vs not.


There are relatively reputable companies who offer email address 
validation or scoring, typically aiming at real-time validation at 
signup and similar situations. These are not the companies you go to 
for list cleaning.


They're generally pretty inaccurate, and in ethics / respect for the 
email ecosystem only a step or two removed from professional spammers. 
If that.


How can I distinguish one (list cleaning services) from the other 
(address validation/scoring)? Do you have some examples of reputable 
list cleaning services?


Thanks,
/rolf


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
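The VRFY probe Tom Ivar describes, as an added example that is not from the thread or any MTA vendor: the client side is plain smtplib and would run unchanged against a real server; the server side is a constructed stub that answers the way most MTAs do today (252 "cannot VRFY, will accept anyway" for everything but postmaster), so the point the thread makes shows up in the reply codes. The host names and addresses are made up.

```python
"""SMTP VRFY probe against a constructed stub MTA.

Added example for this thread, not code from the list or any MTA vendor.
The stub answers VRFY with 252 (cannot verify, will accept anyway) for
everything except postmaster, which is what modern servers usually do, so
the client learns nothing about whether a mailbox exists. The client side
is plain smtplib and works unchanged against a real server.
"""
import smtplib
import socketserver
import threading


class StubMTA(socketserver.StreamRequestHandler):
    """Constructed stub server: enough SMTP to greet, EHLO, VRFY and QUIT."""

    def handle(self):
        self.wfile.write(b"220 stub.example ESMTP (constructed stub)\r\n")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250-stub.example\r\n250 8BITMIME\r\n")
            elif verb == "VRFY":
                # RFC 5321 requires postmaster to exist; everything else gets
                # the non-committal 252 most MTAs send today.
                if arg.lower().startswith("postmaster"):
                    self.wfile.write(b"250 2.1.5 <postmaster@stub.example>\r\n")
                else:
                    self.wfile.write(b"252 2.1.5 Cannot VRFY user, but will accept message\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                break
            else:
                self.wfile.write(b"502 5.5.1 Command not implemented\r\n")


def classify_vrfy(code: int) -> str:
    """Map a VRFY reply code to what it actually tells you about the mailbox."""
    if code == 250:
        return "exists"        # server positively confirmed the mailbox
    if code in (251, 252):
        return "unknown"       # server declines to verify; no information
    if code in (550, 551, 553):
        return "rejected"      # server says no such mailbox
    if code in (500, 502):
        return "unsupported"   # VRFY disabled or not implemented
    return "unknown"


def probe(addresses, host, port, timeout=5.0):
    """One SMTP session, one VRFY per address; returns {address: classification}."""
    results = {}
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=timeout) as smtp:
        smtp.ehlo()
        for addr in addresses:
            code, _msg = smtp.verify(addr)
            results[addr] = classify_vrfy(code)
    return results


def run_demo():
    """Start the stub on a loopback port, probe two constructed addresses, stop it."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubMTA)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return probe(["postmaster@stub.example", "alice@stub.example"], host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for addr, verdict in run_demo().items():
        print(f"{addr}: {verdict}")
```

Against a real MTA, replace `run_demo()` with `probe(list_of_addresses, mx_host, 25)`; expect almost every answer to classify as "unknown" or "unsupported", which is exactly why the approach does not clean a list.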


[mailop] Best strategy to prune address list

2019-11-23 Thread Rolf E. Sonneveld via mailop

Hi,

over the years, one of my customers has built up a list of contacts 
(mail addresses). He didn't use the list for quite some time and now he 
wants to prune the list by checking the existence/validity of the 
addresses and remove the addresses that no longer exist. Simply sending 
a verification mail to 100,000 addresses will have negative impact on 
the reputation of his domain/addresses/egress mail servers, wouldn't it? 
What would be a good strategy for this customer to update his list of 
contacts?


Thanks,
/rolf



[mailop] Question on presence of sender certificate in an enveloped-data S/MIME bodypart

2018-08-24 Thread Rolf E. Sonneveld

All,

can anyone enlighten me on the following two questions, related to S/MIME:

1. does an S/MIME message with a bodypart labelled
   application/pkcs7-mime and smime-type=enveloped-data
   always/usually/never carry the certificate of the sender?
2. I tried to extract the certificates from the bodypart using:

   openssl pkcs7 -in  -inform DER -print_certs

   I get no errors, but zero output as well. Not sure what I'm doing
   wrong. When trying the following:

   openssl smime -in  -pk7out -out msg.pk7
   openssl asn1parse -in msg.pk7

   I get the ASN1 structure, showing two certificates, one root and one
   intermediate. Can I be sure that the bodypart doesn't carry the
   sender's certificate, or does it depend on the inner structure of
   the .p7m blob?

Thanks,

/rolf
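To answer the structural half of the question without relying on what `openssl pkcs7 -print_certs` chooses to show, here is an added example (not from the thread or from OpenSSL) that walks a PKCS#7/CMS ContentInfo in DER with the standard library only and reports where certificates sit: SignedData has a dedicated certificates field, EnvelopedData only has the optional OriginatorInfo, and each recipient is named by issuer and serial rather than by an embedded certificate. The two sample blobs are constructed in the block with a tiny DER encoder and contain placeholder SEQUENCEs in place of real certificates; `load_pkcs7()` also accepts the PEM that `openssl smime -pk7out` writes.

```python
"""Walk a PKCS#7/CMS ContentInfo in DER and report where certificates sit.

Added example for this thread, not code from the list or from OpenSSL.
Pure standard library. Layout follows RFC 5652: SignedData carries
certificates in its [0] IMPLICIT CertificateSet; EnvelopedData only
inside the OPTIONAL OriginatorInfo [0], which mail clients rarely fill
in, and names each recipient by issuer+serial (or subjectKeyIdentifier).
The sample blobs at the bottom are constructed here, not real mail.
"""
import base64

OID_DATA = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")     # 1.2.840.113549.1.7.2
OID_ENVELOPED_DATA = bytes.fromhex("2a864886f70d010703")  # 1.2.840.113549.1.7.3


def _read_tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers are not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV between start and end."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _count_certs(buf, start, end):
    """Count Certificate SEQUENCEs (tag 0x30) inside a CertificateSet."""
    return sum(1 for tag, _, _ in _children(buf, start, end) if tag == 0x30)


def load_pkcs7(data: bytes) -> bytes:
    """Accept raw DER or the PEM written by `openssl smime -pk7out`."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def inspect_cms(der: bytes) -> dict:
    """Return content type, embedded certificate count and recipient count."""
    tag, ci_start, ci_end = _read_tlv(der, 0)                # ContentInfo ::= SEQUENCE
    fields = list(_children(der, ci_start, ci_end))
    if tag != 0x30 or len(fields) != 2 or fields[0][0] != 0x06:
        raise ValueError("not a CMS ContentInfo")
    oid = der[fields[0][1]:fields[0][2]]
    _, body_start, body_end = _read_tlv(der, fields[1][1])   # content [0] EXPLICIT -> SEQUENCE
    body = list(_children(der, body_start, body_end))
    result = {"content_type": "other", "certificates": 0, "recipients": 0}
    if oid == OID_SIGNED_DATA:
        result["content_type"] = "signedData"
        for t, s, e in body:
            if t == 0xA0:                                    # certificates [0] IMPLICIT
                result["certificates"] = _count_certs(der, s, e)
    elif oid == OID_ENVELOPED_DATA:
        result["content_type"] = "envelopedData"
        for t, s, e in body:
            if t == 0xA0:                                    # originatorInfo [0] IMPLICIT
                for t2, s2, e2 in _children(der, s, e):
                    if t2 == 0xA0:                           # its certs [0] IMPLICIT
                        result["certificates"] = _count_certs(der, s2, e2)
            elif t == 0x31:                                  # recipientInfos SET
                result["recipients"] = sum(1 for _ in _children(der, s, e))
    return result


# --- constructed sample blobs (tiny DER encoder; placeholders, not real certificates) ---
def _tlv(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + body

def _int(v):  return _tlv(0x02, bytes([v]))
def _oid(b):  return _tlv(0x06, b)
def _cert(n): return _tlv(0x30, _int(n))       # placeholder: a real Certificate is also a SEQUENCE
_ALG = _tlv(0x30, _oid(OID_DATA))              # placeholder AlgorithmIdentifier

# EnvelopedData: one KeyTransRecipientInfo (issuer+serial), no OriginatorInfo.
SAMPLE_ENVELOPED = _tlv(0x30, _oid(OID_ENVELOPED_DATA), _tlv(0xA0, _tlv(0x30,
    _int(0),
    _tlv(0x31, _tlv(0x30, _int(0), _tlv(0x30, _tlv(0x30), _int(7)), _ALG, _tlv(0x04, b"\x00" * 8))),
    _tlv(0x30, _oid(OID_DATA), _ALG, _tlv(0x80, b"\xaa" * 8)))))

# SignedData carrying two certificates, the way a signed message usually does.
SAMPLE_SIGNED = _tlv(0x30, _oid(OID_SIGNED_DATA), _tlv(0xA0, _tlv(0x30,
    _int(1), _tlv(0x31), _tlv(0x30, _oid(OID_DATA)),
    _tlv(0xA0, _cert(1), _cert(2)),
    _tlv(0x31))))

if __name__ == "__main__":
    for name, blob in (("enveloped", SAMPLE_ENVELOPED), ("signed", SAMPLE_SIGNED)):
        print(name, inspect_cms(blob))
```

On a real message, run `inspect_cms(load_pkcs7(open("msg.pk7", "rb").read()))`; a certificate count of zero on an envelopedData blob means there is nothing for `-print_certs` to print, and any certificates you do see belong to the recipients' chain only if the originator chose to include them.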




Re: [mailop] GDPR and SMTP in general

2018-05-25 Thread Rolf E. Sonneveld

Hi, Paul,

On 25-05-18 11:46, Paul Smith wrote:
I've been going through some GDPR stuff. Amongst other things, we 
provide SMTP relay services to some customers, so are a 'Data 
Processor' under GDPR. In itself, that's OK as our own operations are 
GDPR compliant.


But, how it interacts with email, it all seems to get very horrible. I 
suspect the *intention* is OK, but I'm struggling with the actual 
regulations.


If someone sends a message from the UK to someone in the USA, by 
definition, we must send that email outside of the EU. When we send 
the email, we are sending personal data (eg usually the name/email 
address of the sender never mind the content which could be anything 
(outside our control)). That causes issues for GDPR.


When we send the outgoing message to another mail server, that other 
server's operator is also a Data Processor. According to Article 28 of 
GDPR, we have to get prior approval of the Data Controller before 
using them, and a responsibility to check that they are GDPR 
compliant. Obviously that isn't going to happen in any feasible way...


Then there's the question about whether Internet connectivity/Wifi 
hotspot providers are also Data Processors as they potentially have 
access to the message data (including personal data) and could be 
classed as 'processing' it.


Also, if a user is on holiday in the USA and downloads email to their 
phone or in an Internet cafe, we are 'sending it outside the EU', so 
again, GDPR has issues.



I thought it was all OK, but one of our customers asked us to sign a 
contract for GDPR which prevents us from sending data outside of the 
UK and from sending it to any other companies without prior written 
permission. I've pointed out the problems to them, but wondered if 
anyone else had come across this.


Yes, dealing with exactly the same kind of problem(s). One of my 
customers asks me to sign for the fact that mail is encrypted when 
handling it. However, using standard MTA software, messages that are in 
the queue waiting to get delivered are unencrypted. Am I forced to use 
disk encryption?


/rolf




Re: [mailop] Gmail & TLS SNI

2018-04-16 Thread Rolf E. Sonneveld

On 16-04-18 21:39, Brandon Long via mailop wrote:

[...]

I think this is an interesting stance, and I'm sure you've heard the 
objections to this before. You don't have to trust every CA, you 
certainly don't need to trust every CA for every host, and there are 
other tools to be used here such as cert transparency.

Also, maybe at some point the popular DNS providers will have point & 
click DNSSEC and DANE configuration, until then, I believe it's much 
easier for end users to use MTA-STS. Note that at our last look, none 
of the popular providers allowed users to specify a TXT record large 
enough for a 2k DKIM key, for example.


Here in the Netherlands many if not most providers offer DNSSEC for 
their customers and most of them who do, offer a web based management 
interface to add TLSA records. The .nl zone is the fourth largest ccTLD 
with over 5.5 million registered domain names [1] and some 50 percent of 
them are DNSSEC secured.


/rolf

[1] https://stats.sidnlabs.nl/#/home
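The two DNS records this exchange turns on, as an added example that is not from the thread or any DNS provider: a 2048-bit DKIM public key does not fit in a single TXT character-string (255 bytes, RFC 1035), so the record has to be published as several quoted strings that the verifier concatenates; and a DANE TLSA "3 1 1" record is SHA-256 over the certificate's SubjectPublicKeyInfo in DER, which is what a web form for TLSA records has to accept. The key bytes, selector, domain and MX host are constructed placeholders of the right size, not a real key or certificate.

```python
"""DKIM TXT splitting and DANE TLSA 3 1 1 records.

Added example for this thread, not code from the list or any DNS provider.
A 2048-bit DKIM public key does not fit in one TXT character-string (max
255 bytes), so the record is published as several quoted strings; a
DANE TLSA "3 1 1" record is SHA-256 over the SubjectPublicKeyInfo DER.
FAKE_SPKI below is a placeholder of the right size, not a real key.
"""
import base64
import hashlib

MAX_TXT_STRING = 255  # RFC 1035 character-string limit


def dkim_txt_strings(public_key_der: bytes, selector="sel1", domain="example.net"):
    """Return (owner name, [quoted strings]) for a DKIM record, split to fit."""
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(public_key_der).decode("ascii")
    chunks = [record[i:i + MAX_TXT_STRING] for i in range(0, len(record), MAX_TXT_STRING)]
    return f"{selector}._domainkey.{domain}.", chunks


def dkim_zone_line(public_key_der: bytes, selector="sel1", domain="example.net") -> str:
    """Zone-file form: several quoted strings inside one TXT RR."""
    name, chunks = dkim_txt_strings(public_key_der, selector, domain)
    quoted = " ".join(f'"{c}"' for c in chunks)
    return f"{name} IN TXT ( {quoted} )"


def reassemble_txt(strings) -> str:
    """What a DKIM verifier does: concatenate the strings before parsing tags."""
    return "".join(strings)


def tlsa_3_1_1(spki_der: bytes, mx_host="mx1.example.net", port=25) -> str:
    """DANE-EE (3), SPKI (1), SHA-256 (1) record for a SubjectPublicKeyInfo."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return f"_{port}._tcp.{mx_host}. IN TLSA 3 1 1 {digest}"


def tlsa_matches(record: str, spki_der: bytes) -> bool:
    """Verifier side: does a 3 1 1 record's digest match this SPKI?"""
    fields = record.split()
    return fields[-4:-1] == ["3", "1", "1"] and fields[-1] == hashlib.sha256(spki_der).hexdigest()


# Constructed placeholder: 294 bytes is the DER SPKI length of a 2048-bit RSA key.
FAKE_SPKI = bytes(range(256)) + bytes(38)

if __name__ == "__main__":
    print(dkim_zone_line(FAKE_SPKI))
    print(tlsa_3_1_1(FAKE_SPKI))
```

With a real key, feed `dkim_zone_line()` the DER SubjectPublicKeyInfo (what `openssl rsa -pubout -outform DER` emits) and `tlsa_3_1_1()` the SPKI extracted from the MX certificate; a provider whose form rejects the multi-string TXT is the limitation Brandon mentions.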




Re: [mailop] Message Store on NFS in a high available setup

2017-10-03 Thread Rolf E. Sonneveld

Hi, Luis, William, Steve, Noel, Kurt, Andris and all others who 
responded off-list,


many thanks for answering my mail. Apologies for my late reply, I've 
been quite busy trying to pinpoint a mail server/storage problem, see below.


Steve wrote:


In this situation NFS is more of a delivery method than anything to do with 
high availability, as it has no requirement to do any more than share a single 
copy of the data.

Maybe a clustered file system - glusterfs for example - is what you're looking 
for.


Correct, I used the term 'NFS' but what I meant to say was NFS to access 
the message store, where the backend for this message store has an HA 
architecture.


On 28-09-17 02:57, W Kern wrote:



We are huge GlusterFS fans. It is easy to setup, trivial to admin and 
very reliable if you don't get too fancy. Biggest issue is 'growing' 
it as you have to be precise in how you add additional bricks.


However, historically the small-file performance on Gluster has not 
been very good, though they are working on it.


Thus a Maildir based system would not (yet) be a good fit on Gluster, 
especially with lots of customers who leave tens of thousands of 
individual messages in a particular Folder.


Other OpenSource 'white box' HA options are

1) Ceph
2) MooseFS/LizardFS
3) A big NFS server with DRBD as a failover.

Each of those would have its challenges as you get into the millions 
of busy accounts stage, but there are work arounds for each.


The mail server for which I was looking for this storage solution has a 
maildir based format. Actually, we used GlusterFS with the FUSE client 
but got some serious problems with GlusterFS, where index files (and 
some other files) got lost due to some problem in GFS. Redhat claimed 
there was 'some client process' removing these files. But we were able 
to reproduce the problem in a test environment and we could demonstrate 
that the problem was solved, when replacing the FUSE client with the 
plain vanilla NFS client that comes with Redhat (against the NFS 
interface of GFS). However, GFS does not provide a HA NFS solution 
without Ganesha and we didn't like to build another layer of complexity 
on top of GFS to solve the problems in GFS. Hence my question on this 
list. Redhat warned us that GFS is not ideal for handling lots of small 
files (where they mentioned everything under 1 Mbyte as being small), 
but we had to use GFS as that was the only HA shared storage service 
available at this customer; no NAS was present nor any intention to 
purchase a NAS for this purpose. But things may change now.


Noel Butler wrote:


FFS, do NOT use virtual machines :)


I think I fully agree with you :-) but as I need figures and facts I'd 
like to ask you: can you elaborate on why not? Of course physical 
hardware has major advantages re. speed etc., but as everything these 
days gets virtualized, virtualizing shared storage (as we did with GFS) 
has its advantages too (scaling, provisioning etc.)


Regards,
/rolf
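A small reproducer for the kind of "files went missing" problem described above, as an added example that is not from the thread, Red Hat or the GlusterFS project: it delivers messages the way a Maildir MDA does (write under tmp/, fsync, rename into new/ under a unique name) and then checks that every delivered name is visible and readable with the content that was written. The default target is a temporary directory so the script runs stand-alone; point it at a directory on the mount under test to exercise the storage.

```python
"""Exercise a mail store the way a Maildir MDA does and verify nothing vanished.

Added example for this thread, not code from the list, Red Hat or GlusterFS.
Delivery follows the Maildir contract: write the file under tmp/, fsync it,
then rename() it into new/ with a unique name. Afterwards every delivered
name must be visible in new/ and readable with the content that was written,
and tmp/ must be empty. The default root is a temporary directory; pass a
directory on the mount under test as the first argument to check that.
"""
import os
import socket
import sys
import tempfile
import time


def _unique_name(counter: int) -> str:
    """Maildir unique filename: time.unique.host, with '/' and ':' in host escaped."""
    host = socket.gethostname().replace("/", r"\057").replace(":", r"\072")
    return f"{int(time.time())}.P{os.getpid()}Q{counter}.{host}"


def deliver(maildir: str, counter: int, body: bytes) -> str:
    """Write one message; returns the name it was published under in new/."""
    name = _unique_name(counter)
    tmp_path = os.path.join(maildir, "tmp", name)
    new_path = os.path.join(maildir, "new", name)
    with open(tmp_path, "wb") as f:
        f.write(body)
        f.flush()
        os.fsync(f.fileno())      # data on stable storage before it becomes visible
    os.rename(tmp_path, new_path)  # atomic publish: complete in new/ or not there at all
    return name


def deliver_and_verify(maildir: str, count: int) -> dict:
    """Deliver `count` constructed messages, then audit new/ and tmp/."""
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(maildir, sub), exist_ok=True)
    written = {}
    for i in range(count):
        body = f"Subject: test {i}\r\n\r\nbody {i}\r\n".encode()
        written[deliver(maildir, i, body)] = body
    visible = set(os.listdir(os.path.join(maildir, "new")))
    missing = sorted(set(written) - visible)
    corrupt = []
    for name, body in written.items():
        if name in visible:
            with open(os.path.join(maildir, "new", name), "rb") as f:
                if f.read() != body:
                    corrupt.append(name)
    leftover_tmp = os.listdir(os.path.join(maildir, "tmp"))
    return {"delivered": count, "missing": missing, "corrupt": corrupt,
            "leftover_tmp": leftover_tmp}


def run_check(count: int = 200, root: str = None) -> dict:
    root = root or tempfile.mkdtemp(prefix="maildir-check-")
    return deliver_and_verify(os.path.join(root, "Maildir"), count)


if __name__ == "__main__":
    print(run_check(root=sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it in a loop from two clients against the same shared directory (each with its own process id, so names stay unique) to see whether the filesystem keeps the rename semantics Maildir relies on; a non-empty `missing` or `leftover_tmp` is the symptom to take to the storage vendor.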




[mailop] Message Store on NFS in a high available setup

2017-09-27 Thread Rolf E. Sonneveld

Hi,

is there anyone working in a larger/'more demanding' environment, using 
NFS for his/her message store, where there is a business requirement of 
High Availability? If so, what commercial or open source storage 
solution is used? I have a similar requirement for a project and am 
looking for suggestions/options for what storage to use.


Regards,
/rolf



Re: [mailop] What are "printing ASCII characters" RFC 850/2822 (was: Re: Lotus Notes and "250 2.6.0 Bad message, but will be delivered anyway"))

2017-06-09 Thread Rolf E. Sonneveld

On 09-06-17 18:19, Johann Klasek wrote:

On Fri, Jun 09, 2017 at 04:22:56PM +0200, Benoit Panizzon wrote:
[..]

So I'm trying to figure out, if lotus notes is wrong, or amavis being
too picky? Not so easy... If I browse the RFC regarding Message ID and
SMTP, I basically get the not so clear definition, that "all printable
ASCII characters" can be used in the message ID.

Well § is a printable character, but it is above the first 127 bytes
(8-bit). So is ASCII defined as being only the first 127 characters, or
is ASCII the full 255 character set, and the upper 127 ones containing
certain control characters and some localized code-table specific
characters. But from my understanding § definitely is the same in all
code tables and printable :-)

The header must not contain 8-bit characters, i.e. ones which need 8 bits
to represent.
For incoming external messages it is nearly impossible to rely on 7-bit
headers. Even our very heterogeneous intranet traffic burdened us
with ongoing complaints of sticky headers.
We had several internal Lotus Notes servers (or clients?) which were
constantly generating 8-bit characters in the Date: header with
translated month names for the local language. However, these might be
out-dated installations ...

It would be great if all developers of MUAs, MTAs and other message
generating stuff test their software against an Amavis environment
before they start distributing it ...


or even better: read the standards when implementing their software. 
Like https://tools.ietf.org/html/rfc2047.


/rolf
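The check Amavis is effectively doing, as an added example that is not from the thread, Amavis or Lotus Notes: header fields are US-ASCII under RFC 5322, and RFC 2047 encoded-words give you an escape only in unstructured fields (Subject, Comments, Keywords) and display names. Message-ID and Date are structured and have no such escape, so a "§" in a Message-ID or a localised month name in Date is simply invalid, whatever code page the generating system uses. The sample headers are constructed to mirror the two cases described above.

```python
"""Classify header fields as wire-safe, encodable, or just wrong.

Added example for this thread, not code from the list, Amavis or Lotus Notes.
RFC 5322 header fields are US-ASCII; RFC 2047 encoded-words are allowed in
unstructured fields (Subject, Comments, Keywords) and in display names.
Message-ID is structured: id-left and id-right are dot-atoms built from
atext, so a section sign there is invalid rather than "8-bit".
The SAMPLE headers are constructed, not taken from a real message.
"""
import re
from email.header import Header, decode_header, make_header

# atext from RFC 5322 section 3.2.3, plus "." for dot-atom-text
_DOT_ATOM = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]+(?:\.[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]+)*"
_MSG_ID = re.compile(rf"^<{_DOT_ATOM}@{_DOT_ATOM}>$")

UNSTRUCTURED = {"subject", "comments", "keywords"}  # fields where encoded-words may appear


def is_7bit(value: str) -> bool:
    """True if every character fits in 7 bits (what an MTA may send unencoded)."""
    return all(ord(ch) < 128 for ch in value)


def is_valid_msg_id(value: str) -> bool:
    """Strict RFC 5322 msg-id: <dot-atom@dot-atom>, ASCII only, no whitespace."""
    return bool(_MSG_ID.match(value))


def encode_unstructured(value: str) -> str:
    """RFC 2047 encoded-word form for an unstructured field such as Subject."""
    return value if is_7bit(value) else Header(value, "utf-8").encode()


def decode_unstructured(value: str) -> str:
    """Reverse of encode_unstructured, as a receiving MUA would do it."""
    return str(make_header(decode_header(value)))


def check_headers(headers: dict) -> dict:
    """Per field: 'ok', 'invalid msg-id', encodable 8-bit, or unfixable 8-bit."""
    report = {}
    for name, value in headers.items():
        key = name.lower()
        if key == "message-id":
            report[name] = "ok" if is_valid_msg_id(value) else "invalid msg-id"
        elif is_7bit(value):
            report[name] = "ok"
        elif key in UNSTRUCTURED:
            report[name] = "8-bit; encode with RFC 2047"
        else:
            report[name] = "8-bit in structured field; not encodable"
    return report


# Constructed headers modelled on the two cases in the thread: a section sign
# inside a Message-ID and a Date with a localised (8-bit) month abbreviation.
SAMPLE = {
    "Message-ID": "<1234§5678@example.com>",
    "Date": "Fr, 10 Mär 2017 10:00:00 +0100",
    "Subject": "Rechnung § 3",
}

if __name__ == "__main__":
    for field, verdict in check_headers(SAMPLE).items():
        print(f"{field}: {verdict}")
    print(encode_unstructured(SAMPLE["Subject"]))
```

The practical split this gives you: a Subject with "§" is a generator that forgot RFC 2047 and can be fixed by encoding; a Message-ID or Date with "§" or "Mär" is a generator that has to be fixed, because no receiver-side decoding rule applies to those fields.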




Re: [mailop] Lotus Notes and "250 2.6.0 Bad message, but will be delivered anyway"

2017-06-09 Thread Rolf E. Sonneveld

Hi, Benoit,

On 09-06-17 09:30, Benoit Panizzon wrote:

Hello

We have a 'challenging' problem between two companies sending each other
emails.

The sender keeps getting notifications, that his emails to the
recipient are delayed. But this is not true. Analyzing the email
headers the recipient sent me I can confirm, the emails take about two
seconds! from sender to the recipient.

The sender, if I got that right from the headers, uses Lotus Notes and
is relaying messages via the SMTP server of his ISP, which relays it to
our postfix server.

I suspect the message "250 2.6.0 Bad message, but will be delivered
anyway" is somehow generated by lotus notes or an intermediary email
scanner and lotus notes translates this to 'your message could not be
delivered and is being delayed, the server will continue to try to
deliver the email'

The recipient uses an exchange server behind a postfix based email
scanner service. After sniffing the connections and looking at the logs,
I am pretty sure, the "250 2.6.0 Bad message, but will be delivered
anyway" is not generated from our postfix server, or from our
customer's exchange server.

But the sender tells me, that this message only shows, when he is
sending an email to our customer.

Has anyone seen such a message and has any clue what causes it, and
also what causes lotus notes to send a DSN telling the sender the
message could not be delivered, despite the message being delivered
perfectly in time?

Google tells me that "250 2.6.0 Bad message, but will be delivered
anyway" is an error message generated by ISPConfig. But as far as I
found out, no server relaying the email uses this mailer.


any firewall performing 'smtp content inspection' between sender and 
recipient? Firewalls performing smtp content inspection are pretty nasty 
and usually cause all sorts of problems...


/rolf




Re: [mailop] Microsoft Blacklisting IPs

2016-11-17 Thread Rolf E. Sonneveld

On 17-11-16 20:25, Ken O'Driscoll wrote:

Hi Bastiaan,

Other data centres have the same challenge as you. Hosting providers have
historically had a bad reputation because a spammer can use a stolen or
pre-paid card to sign up and start sending emails in less than an hour. If
you offer shared hosting, a customer can upload an insecure script and
turn the server into a snowshoe spam relay. The list just goes on. I think
it's understandable that some mailbox providers choose not to automatically
trust unallocated and unassigned IP ranges from hosting providers.

But, I'm wondering if it's actually a problem for you? You're not providing
ready to run email servers. If people want to send email then they should
know how to set up an Internet email server and get their specific IP
address white-listed.

Couldn't this be solved with a knowledge base article? Because users will
also have to create SPF records etc. if they expect any type of reasonable
deliverability.

I say this because we're customers of Hetzner. And we run a mail server on
a dedicated server in your data centre. When we commissioned that server,
one of the steps we took was to get the IP white-listed by Microsoft. The
process took under one hour. Now, perhaps if we didn't know what we were
doing it might have taken longer. We have had zero deliverability problems
with them since then. Probably because we don't relay spam or engage in
opt-out marketing etc.

Ken.


+1 here, we run mail services on Hetzner and have no delivery problems 
with Microsoft, nor with other recipients (except for one small domain 
of which the owner is on this list).


/rolf





Re: [mailop] So, about this iOS10 unsubscribe feature...

2016-09-15 Thread Rolf E. Sonneveld



On 15-09-16 22:55, valdis.kletni...@vt.edu wrote:

On Thu, 15 Sep 2016 16:47:15 -0400, Josh Nason said:


What if a sender doesn't have list-unsubscribe enabled?

Then they should get with the program. The RFC is from last century.


you mean: last millennium? ;-)

/rolf




Re: [mailop] DMARC question

2016-06-24 Thread Rolf E. Sonneveld

Hi, Terry,

On 24-06-16 09:14, Terry Barnum wrote:
I've been checking our newly configured DMARC status on the 
(excellent) dmarcian.com site. We're being 
joe jobbed every 2 weeks so I'm hoping DMARC severely cuts into that 
spammer's delivery success. I still hate getting all the undeliverable 
bounce notices though.


I'm curious if someone can explain why a few sites have a 
"local_policy" that overrides our DMARC settings. The reporting 
Providers for these are 126.com and 163.com. It's only 8 messages or 
so in the last 4 days so not a huge deal but I'm curious. 


[...]

because DMARC still is only advice on what to do with mail that 
doesn't pass a DMARC check. At the end of the day, it is still the 
'receiver' that decides what to do with mail that doesn't pass DMARC 
verification (but may still be legitimate, solicited mail). You may want 
to have a look at 
https://datatracker.ietf.org/doc/draft-ietf-dmarc-interoperability/ to 
see why...


/rolf
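To see the receiver's decision for yourself rather than through a dashboard, here is an added example that is not from the thread or from dmarcian: it parses a DMARC aggregate (RUA) report in the RFC 7489 Appendix C layout and tallies, per override reason, how many messages failed both DKIM and SPF but were not given the published disposition. The report text is constructed; the reporter, domain and IP addresses are documentation placeholders.

```python
"""Summarise a DMARC aggregate (RUA) report and pull out policy overrides.

Added example for this thread, not code from the list or from dmarcian.
XML layout per RFC 7489 Appendix C: each <record> carries the source IP,
a count, the disposition the receiver actually applied and, when that
differs from the published policy, one or more <reason> elements such as
local_policy, forwarded or mailing_list. SAMPLE_REPORT is constructed.
"""
import xml.etree.ElementTree as ET


def summarise_rua(xml_text: str) -> dict:
    """Return published policy, one entry per row, and a tally of override reasons."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": published.findtext("domain"),
        "published_policy": published.findtext("p"),
        "rows": [],
        "overrides": {},
    }
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        reasons = [r.findtext("type") for r in pe.findall("reason")]
        entry = {
            "source_ip": row.findtext("source_ip"),
            "count": count,
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "disposition": pe.findtext("disposition"),
            "reasons": reasons,
        }
        summary["rows"].append(entry)
        # Failed both checks yet did not get the published disposition: this is
        # where the receiver applied its own judgement. Tally the stated reason,
        # or "unstated" when the report gives none.
        if (entry["dkim"] == "fail" and entry["spf"] == "fail"
                and entry["disposition"] != summary["published_policy"]):
            for reason in reasons or ["unstated"]:
                summary["overrides"][reason] = summary["overrides"].get(reason, 0) + count
    return summary


# Constructed report: one rejected row, one local_policy override, one clean pass.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>reporter.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>5</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>local_policy</type><comment>receiver override</comment></reason></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.4</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""

if __name__ == "__main__":
    s = summarise_rua(SAMPLE_REPORT)
    print(s["reporter"], s["domain"], "p=" + s["published_policy"])
    for row in s["rows"]:
        print(row["source_ip"], row["count"], row["disposition"], row["reasons"])
    print("overrides:", s["overrides"])
```

Feed it the XML from the zipped RUA attachments and the `overrides` tally is the "local_policy" figure the dashboard shows; the per-row `reasons` tell you whether a receiver stated why it overrode you, which is the only insight the report offers into that decision.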


Re: [mailop] Migration of mail client profiles from one system to another

2016-02-23 Thread Rolf E. Sonneveld

Hi, Graeme,

> On 23 Feb 2016, at 13:52, Rolf E. Sonneveld
> <r.e.sonnev...@sonnection.nl> wrote:
> > In the past something like ACAP was developed to aid in these types
> > of situations, but AFAIK Outlook does not support ACAP and ACAP
> > itself is more or less dead? Has anyone a suggestion to:
> > 
> > a) use multiple test accounts (a few dozens) AND
> > b) be able to deploy these test accounts easily on other systems?
> 
> Have a read up Outlook PRF files - they exist for this exact reason.
> They may or may not still be functional in modern versions of
> Outlook (for some version of "modern") but we used them at
> $workplace to preconfigure accounts on our pre-Exchange system some
> years back with great success. They're a bit opaque, but very
> useful.

thanks a lot for this pointer! Is it (in principle) possible to use these PRF 
files without having Admin rights? If I read the docs correctly Admin is only 
required to use the Office Customization Tool and it is possible to use the PRF 
file (once created) by any user, correct?

/rolf
