Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-10 Thread Franck Martin via mailop 
On Thu, Jun 9, 2016 at 2:59 PM, Laura Atkins 
wrote:

>
> > On Jun 9, 2016, at 2:07 PM, Bernhard Schmidt 
> wrote:
> >
> > On 09.06.2016 18:20, Laura Atkins wrote:
> >>
> >>> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt 
> wrote:
> >>>
> >>> Header-From and Envelope-From are aligned, the sending domain does not
> >>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
> >>> not rolled out for all domains yet. The hosts in question do have
> proper
> >>> FCrDNS, i.e.
> >>>
> >>>
> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
> >>>
> >>> Anyone seeing the same? From outside it looks like Google has
> >>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
> >>> authenticated" previously done by Microsoft, but without the softfail.
> >>
> >> Yes. They have. They do not accept unauthenticated mail over v6. All
> you need to do is publish a SPF record and you should be good to go.
> >
> > Adding an SPF record for some remote understaffed downstream university
> > institute is not that easy if you don't know where their mail flows
> > might come from. Forcing SPF on them might do more harm than good.
>
> I didn’t notice it was a university. That I know how problematic it is to
> get control of a .edu domain and all the different campus servers and
> individual servers run by faculty and staff and such. Had I know I probably
> wouldn’t have recommended that.
>
>
Yes it is hard to know the IPs of where all the emails are coming from but
you can start by an SPF record with the IPs you know about and terminate it
by ~all. the ~all just says, if it does not pass it may be still ok.

You complete the SPF as you learn more about your infrastructure and what
is not working.

I don't think you need the gift of omniscience to get started with SPF.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-10 Thread Bernhard Schmidt 
Hi,

>> Not sure yet whether my testhost has ended up on a whitelist or
>> Google has reverted the behaviour.
> 
> There was a report earlier that Google was experiencing
> authentication problems on the inbound and a lot of mail was failing.
> I’m guessing what you saw was related to that and it’s been fixed
> now.

I guess you're talking about this one

https://www.google.com/appsstatus#hl=en=issue=1=0f5b953ffaa833f29d02c532e2faf79b

TimeDescription
6/9/16, 9:45 PM
The problem with Gmail should be resolved. We apologize for the
inconvenience and thank you for your patience and continued support.
Please rest assured that system reliability is a top priority at Google,
and we are making continuous improvements to make our systems better.
We have confirmed that this issue only affected messages sent to
consumer Gmail accounts, and that messages sent to Google Apps accounts
were not rejected.

6/9/16, 8:46 PM
We are continuing to investigate this issue. We will provide an update
by 6/9/16, 9:46 PM detailing when we expect to resolve the problem.
Some messages sent to consumer Gmail accounts are being rejected due to
authentication enforcement

6/9/16, 7:56 PM
We're investigating reports of an issue with Gmail. We will provide more
information shortly.

-- 
Bernhard Schmidt  Netzbetrieb / IPv6 / DNSSEC
Leibniz-Rechenzentrum   Leibniz Supercomputing Centre
Boltzmannstr. 1  D-85748 Garching b. Muenchen
Tel: +49 89 35831-7885 E-Mail/Jabber: bernhard.schm...@lrz.de



smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-09 Thread Laura Atkins 

> On Jun 9, 2016, at 2:07 PM, Bernhard Schmidt  wrote:
> 
> On 09.06.2016 18:20, Laura Atkins wrote:
>> 
>>> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt  
>>> wrote:
>>> 
>>> Header-From and Envelope-From are aligned, the sending domain does not
>>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
>>> not rolled out for all domains yet. The hosts in question do have proper
>>> FCrDNS, i.e.
>>> 
>>> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>>> 
>>> Anyone seeing the same? From outside it looks like Google has
>>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
>>> authenticated" previously done by Microsoft, but without the softfail.
>> 
>> Yes. They have. They do not accept unauthenticated mail over v6. All you 
>> need to do is publish a SPF record and you should be good to go.
> 
> Adding an SPF record for some remote understaffed downstream university
> institute is not that easy if you don't know where their mail flows
> might come from. Forcing SPF on them might do more harm than good.

I didn’t notice it was a university. That I know how problematic it is to get 
control of a .edu domain and all the different campus servers and individual 
servers run by faculty and staff and such. Had I know I probably wouldn’t have 
recommended that.  

> I had experimented a bit this evening and was about to complain that an
> SPF record ending in ?all (and +all, but I expected that) did not help
> reverting to the previous behaviour, but all of the sudden all IPv6 mail
> seems to be accepted again. Even sending from hosts matching ~all or
> domains without SPF seem to be fine. They are properly tagged as
> spf=neutral or spf=softfail, but happily forwarded into the mailbox.
> 
> Not sure yet whether my testhost has ended up on a whitelist or Google
> has reverted the behaviour.

There was a report earlier that Google was experiencing authentication problems 
on the inbound and a lot of mail was failing. I’m guessing what you saw was 
related to that and it’s been fixed now. 

> For the record, I'm not against tighening the rules for email delivery.
> We have been plainly rejecting mails not only on missing PTR but also on
> mismatching FCrDNS on SMTP level for years now, both in IPv4 and IPv6,
> and have been advocating this to others. Although I'm not happy about it
> I can also get and work around the Microsoft approach of tempfailing
> messages without DKIM/SPF, since I can get the mailer to retry on IPv4
> while we sort out domain by domain. But the Google approach of
> hard-rejecting these mails places a huge burden of those who still have
> to run the classic smarthost relays for hundreds of on-campus MTAs with
> their own domains and own management, leaving them effectively no choice
> but to completely disable IPv6 outbound until all possible sender
> domains are fixed.

That may be a solution. Route the bulk of your mail through your v4 IPs and 
then only move them to v6 as they are authenticated.

laura 

-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog  






___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-09 Thread Bernhard Schmidt 
On 09.06.2016 18:20, Laura Atkins wrote:
> 
>> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt  wrote:
>>
>> Header-From and Envelope-From are aligned, the sending domain does not
>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
>> not rolled out for all domains yet. The hosts in question do have proper
>> FCrDNS, i.e.
>>
>> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>>
>> Anyone seeing the same? From outside it looks like Google has
>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
>> authenticated" previously done by Microsoft, but without the softfail.
> 
> Yes. They have. They do not accept unauthenticated mail over v6. All you need 
> to do is publish a SPF record and you should be good to go.

Adding an SPF record for some remote understaffed downstream university
institute is not that easy if you don't know where their mail flows
might come from. Forcing SPF on them might do more harm than good.

I had experimented a bit this evening and was about to complain that an
SPF record ending in ?all (and +all, but I expected that) did not help
reverting to the previous behaviour, but all of the sudden all IPv6 mail
seems to be accepted again. Even sending from hosts matching ~all or
domains without SPF seem to be fine. They are properly tagged as
spf=neutral or spf=softfail, but happily forwarded into the mailbox.

Not sure yet whether my testhost has ended up on a whitelist or Google
has reverted the behaviour.

For the record, I'm not against tighening the rules for email delivery.
We have been plainly rejecting mails not only on missing PTR but also on
mismatching FCrDNS on SMTP level for years now, both in IPv4 and IPv6,
and have been advocating this to others. Although I'm not happy about it
I can also get and work around the Microsoft approach of tempfailing
messages without DKIM/SPF, since I can get the mailer to retry on IPv4
while we sort out domain by domain. But the Google approach of
hard-rejecting these mails places a huge burden of those who still have
to run the classic smarthost relays for hundreds of on-campus MTAs with
their own domains and own management, leaving them effectively no choice
but to completely disable IPv6 outbound until all possible sender
domains are fixed.

Bernhard

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-09 Thread Franck Martin via mailop 
On Thu, Jun 9, 2016 at 11:48 AM, Michael Peddemors 
wrote:

> On 16-06-09 11:26 AM, Franck Martin via mailop wrote:
>
>> As people pointed out, an SPF record is easy to set and fast to solve
>> the issue, DKIM can come later...
>>
>
> Hehehe... 'easy' is a relative word, amazing how many poor SPF records are
> out there, and sometimes it is hard enough to get email operators to even
> have proper PTR records..
>
> There has been little pain so far, stupid things have happened and there
were barely any difference...
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-09 Thread Michael Peddemors 

On 16-06-09 11:26 AM, Franck Martin via mailop wrote:

As people pointed out, an SPF record is easy to set and fast to solve
the issue, DKIM can come later...


Hehehe... 'easy' is a relative word, amazing how many poor SPF records 
are out there, and sometimes it is hard enough to get email operators to 
even have proper PTR records..





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-09 Thread Franck Martin via mailop 
It is a M3AAWG best practice to not accept unauthenticated emails over
IPv6, Microsoft does it, we do it, Google too...
https://www.m3aawg.org/sites/default/files/document/M3AAWG_Inbound_IPv6_Policy_Issues-2014-09.pdf

It is also likely that bad stuff (less visible for the sender) is also
happening to unauthenticated emails over IPv4. There is only 3% of "good"
emails that are unauthenticated (true it is from the long tail of sending
domains but...):
https://security.googleblog.com/2013/12/internet-wide-efforts-to-fight-email.html

As people pointed out, an SPF record is easy to set and fast to solve the
issue, DKIM can come later...

On Thu, Jun 9, 2016 at 9:38 AM, Bernhard Schmidt 
wrote:

> On 09.06.2016 18:18, Hugo Slabbert wrote:
>
> Hi,
>
> >> since around 13:00 UTC today all of the sudden we see massive rejects of
> >> mails towards Google when delivering on IPv6
> >>
> >> Jun  9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
> >> to=,
> >> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
> >> delays=0.01/0/0.16
> >> /0.53, dsn=5.7.1, status=bounced (host
> >> gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
> >> message does not have authentication information or fails to pass
> >> 550-5.7.1 authentication checks. To best protect our users from spam,
> >> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
> >> https://support.google.com/mail/answer/81126#authentication for m
> >> ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
> >> of DATA command))
> >>
> >> Header-From and Envelope-From are aligned, the sending domain does not
> >> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
> >> not rolled out for all domains yet. The hosts in question do have proper
> >> FCrDNS, i.e.
> >>
> >>
> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
> >>
> >>
> >> Anyone seeing the same? From outside it looks like Google has
> >> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
> >> authenticated" previously done by Microsoft, but without the softfail.
> >
> > ...hasn't this been the case for some time?  They want FCrDNS + at least
> > one of SPF or DKIM to accept delivery over v6:
> >
> > https://support.google.com/mail/answer/81126?hl=en#authentication
> >
> > Did they just defer previously?
>
> Mail was accepted just fine until three hours ago. There is a large
> difference between "The sending domain should pass either SPF check or
> DKIM check. Otherwise, mail might be marked as spam." and outright
> rejecting 100% of it.
>
> We've been working on SPF/DKIM for quite some time now. Unfortunately
> this is not that easy with hundreds of faculty-operated servers/domains,
> some of them not even on our nameservers. This has de-facto killed IPv6
> outbound completely for us. Microsoft tempfailing was annoying enough
> but manageable.
>
> Best Regards,
> Bernhard
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-09 Thread Bernhard Schmidt 
On 09.06.2016 18:18, Hugo Slabbert wrote:

Hi,

>> since around 13:00 UTC today all of the sudden we see massive rejects of
>> mails towards Google when delivering on IPv6
>>
>> Jun  9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
>> to=,
>> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
>> delays=0.01/0/0.16
>> /0.53, dsn=5.7.1, status=bounced (host
>> gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
>> message does not have authentication information or fails to pass
>> 550-5.7.1 authentication checks. To best protect our users from spam,
>> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
>> https://support.google.com/mail/answer/81126#authentication for m
>> ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
>> of DATA command))
>>
>> Header-From and Envelope-From are aligned, the sending domain does not
>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
>> not rolled out for all domains yet. The hosts in question do have proper
>> FCrDNS, i.e.
>>
>> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>>
>>
>> Anyone seeing the same? From outside it looks like Google has
>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
>> authenticated" previously done by Microsoft, but without the softfail.
> 
> ...hasn't this been the case for some time?  They want FCrDNS + at least
> one of SPF or DKIM to accept delivery over v6:
> 
> https://support.google.com/mail/answer/81126?hl=en#authentication
> 
> Did they just defer previously?

Mail was accepted just fine until three hours ago. There is a large
difference between "The sending domain should pass either SPF check or
DKIM check. Otherwise, mail might be marked as spam." and outright
rejecting 100% of it.

We've been working on SPF/DKIM for quite some time now. Unfortunately
this is not that easy with hundreds of faculty-operated servers/domains,
some of them not even on our nameservers. This has de-facto killed IPv6
outbound completely for us. Microsoft tempfailing was annoying enough
but manageable.

Best Regards,
Bernhard

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-09 Thread Hugo Slabbert 


On Thu 2016-Jun-09 18:21:17 +0200, Sebastian Hagedorn  
wrote:

Hi,


since around 13:00 UTC today all of the sudden we see massive rejects of
mails towards Google when delivering on IPv6

Jun  9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
to=,
relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
delays=0.01/0/0.16
/0.53, dsn=5.7.1, status=bounced (host
gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
message does not have authentication information or fails to pass
550-5.7.1 authentication checks. To best protect our users from spam,
the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
https://support.google.com/mail/answer/81126#authentication for m
ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
of DATA command))

Header-From and Envelope-From are aligned, the sending domain does not
have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
not rolled out for all domains yet. The hosts in question do have proper
FCrDNS, i.e.

http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Af
f89.html

Anyone seeing the same? From outside it looks like Google has
implemented the "all mail delivered over IPv6 has to be DKIM/SPF
authenticated" previously done by Microsoft, but without the softfail.


FWIW: we deliver via IPv6 to Google, and we are currently not 
affected. We don't yet use DKIM, but we do have an SPF record that 
advertises both our IPv4 and our IPv6 subnets. Of course I don't know 
if that's the reason our mails are accepted.


Yes, it is.  It's right there in their policy:

https://support.google.com/mail/answer/81126?hl=en#authentication


Additional guidelines for IPv6

...

The sending domain should pass ***either*** SPF check or DKIM check.  
Otherwise, mail might be marked as spam.


(emphasis mine)



Cheers
Sebastian
--
Sebastian Hagedorn - Postmaster - Weyertal 121, Zimmer 2.02
Regionales Rechenzentrum (RRZK)
Universität zu Köln / Cologne University - Tel. +49-221-470-89578


--
Hugo

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-09 Thread Lyle Giese 

On 6/9/2016 11:21 AM, Sebastian Hagedorn wrote:

Hi,


since around 13:00 UTC today all of the sudden we see massive rejects of
mails towards Google when delivering on IPv6

Jun  9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
to=,
relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
delays=0.01/0/0.16
/0.53, dsn=5.7.1, status=bounced (host
gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
message does not have authentication information or fails to pass
550-5.7.1 authentication checks. To best protect our users from spam,
the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
https://support.google.com/mail/answer/81126#authentication for m
ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
of DATA command))

Header-From and Envelope-From are aligned, the sending domain does not
have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
not rolled out for all domains yet. The hosts in question do have proper
FCrDNS, i.e.

http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Af 


f89.html

Anyone seeing the same? From outside it looks like Google has
implemented the "all mail delivered over IPv6 has to be DKIM/SPF
authenticated" previously done by Microsoft, but without the softfail.


FWIW: we deliver via IPv6 to Google, and we are currently not 
affected. We don't yet use DKIM, but we do have an SPF record that 
advertises both our IPv4 and our IPv6 subnets. Of course I don't know 
if that's the reason our mails are accepted.


Cheers
Sebastian
--
Sebastian Hagedorn - Postmaster - Weyertal 121, Zimmer 2.02
Regionales Rechenzentrum (RRZK)
Universität zu Köln / Cologne University - Tel. +49-221-470-89578
Here, we have always had proper reverse entries for IPv4 and IPv6 and 
have been delivering to gmail for a couple of years over IPv6. And yes 
today we are also effected.  Looks like publishing an SPF record is 
enough to clear this issue.


Lyle Giese
LCR Computer Services, Inc.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-09 Thread Laura Atkins 

> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt  wrote:
> 
> Header-From and Envelope-From are aligned, the sending domain does not
> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
> not rolled out for all domains yet. The hosts in question do have proper
> FCrDNS, i.e.
> 
> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
> 
> Anyone seeing the same? From outside it looks like Google has
> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
> authenticated" previously done by Microsoft, but without the softfail.

Yes. They have. They do not accept unauthenticated mail over v6. All you need 
to do is publish a SPF record and you should be good to go.

laura

-- 
Having an Email Crisis?  800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: http://wordtothewise.com/blog  






___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-09 Thread Sebastian Hagedorn 

Hi,


since around 13:00 UTC today all of the sudden we see massive rejects of
mails towards Google when delivering on IPv6

Jun  9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
to=,
relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
delays=0.01/0/0.16
/0.53, dsn=5.7.1, status=bounced (host
gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
message does not have authentication information or fails to pass
550-5.7.1 authentication checks. To best protect our users from spam,
the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
https://support.google.com/mail/answer/81126#authentication for m
ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
of DATA command))

Header-From and Envelope-From are aligned, the sending domain does not
have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
not rolled out for all domains yet. The hosts in question do have proper
FCrDNS, i.e.

http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Af
f89.html

Anyone seeing the same? From outside it looks like Google has
implemented the "all mail delivered over IPv6 has to be DKIM/SPF
authenticated" previously done by Microsoft, but without the softfail.


FWIW: we deliver via IPv6 to Google, and we are currently not affected. We 
don't yet use DKIM, but we do have an SPF record that advertises both our 
IPv4 and our IPv6 subnets. Of course I don't know if that's the reason our 
mails are accepted.


Cheers
Sebastian
--
Sebastian Hagedorn - Postmaster - Weyertal 121, Zimmer 2.02
Regionales Rechenzentrum (RRZK)
Universität zu Köln / Cologne University - Tel. +49-221-470-89578

pgpiY09z_WZZe.pgp
Description: PGP signature
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks

2016-06-09 Thread Hugo Slabbert 

On Thu 2016-Jun-09 18:06:30 +0200, Bernhard Schmidt  
wrote:


Hi,

since around 13:00 UTC today all of the sudden we see massive rejects of
mails towards Google when delivering on IPv6

Jun  9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
to=,
relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
delays=0.01/0/0.16
/0.53, dsn=5.7.1, status=bounced (host
gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
message does not have authentication information or fails to pass
550-5.7.1 authentication checks. To best protect our users from spam,
the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
https://support.google.com/mail/answer/81126#authentication for m
ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
of DATA command))

Header-From and Envelope-From are aligned, the sending domain does not
have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
not rolled out for all domains yet. The hosts in question do have proper
FCrDNS, i.e.

http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html

Anyone seeing the same? From outside it looks like Google has
implemented the "all mail delivered over IPv6 has to be DKIM/SPF
authenticated" previously done by Microsoft, but without the softfail.


...hasn't this been the case for some time?  They want FCrDNS + at least
one of SPF or DKIM to accept delivery over v6:

https://support.google.com/mail/answer/81126?hl=en#authentication

Did they just defer previously?


Best Regards,
Bernhard


--
Hugo

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop