On 2020-10-27 13:15, Gert Doering wrote:
> Hi,
>
> On Tue, Oct 27, 2020 at 01:00:59PM +0100, Jeroen Massar wrote:
>> Making sure one only egresses mail that one is supposed to send
>> (SPF/DKIM/DMARC/ARC) is the only way to do that and would mean being a
>> good citizen on the Internet,
>
> Much easier said than done...

Of course it is easily said, this is a mailing list, not a big slide deck
or a huge howto how to run a mailserver. Needs quite some experience that ;)

For many folks on this list, SPF came, then DKIM, then DMARC, then ARC
and their installations started supporting them one at a time, thus
evolution is easy.

Starting from 0, not so much.

But, SwiNOG is here to help. If people have setup questions, we can
answer them here; another good citizen on the internet is a win for
everybody.

>> which is why lists like UCEProtect exist:
>> if you configure your stuff correctly, you won't end up on them.
>
> You totally miss the "you have a contract with the customer to run their
> mail for them, so of course you accept the mail, and then they mess up
> their SPF records in DNS" part.
>
> And then your whole mail server is blocked.

Yes, what UCEProtect does in 'one fail and you are out' is a bit
over-aggressive. That is completely out of your control. Rejecting the mail
would be good enough indeed, as the collateral damage is too much.

(Would be fun if they listed Google + MS MXs though, will quickly stop
people using those kinds of lists... and considering the amount of spam
originating through google, though with valid SPF/DKIM etc... should
happen at one point :) -- maybe it a threshold "X mails out Y bad, then
block", and a low volume sender then gets blocked quicker than a high
volume spammer...)

One variant: as the domain needs also DKIM + SPF, and if the customer is
not as tech savvy: always take over domain hosting...

And/or monitoring DKIM/SPF records that they are valid for your setup
and warning the customer that you stop relaying their messages as their
setup is wrong.

Greets,
Jeroen
_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
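
The SPF monitoring idea from the message above, as an added example that is not part of the original thread: before relaying for a customer, check that their published SPF record still authorizes your relay address. The domains, addresses and TXT data are constructed; only `ip4`, `ip6` and `include` are evaluated (an assumption that customers either list the relay or include the provider's record), and a real monitor would query DNS instead of the sample dictionary.

```python
import ipaddress

# Constructed sample TXT data standing in for DNS answers.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.relay.example -all"],
    "_spf.relay.example": ["v=spf1 ip4:192.0.2.0/28 ip6:2001:db8::/48 -all"],
    "stale.example": ["v=spf1 ip4:198.51.100.7 -all"],
    "double.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 -all"],
    "nospf.example": ["google-site-verification=constructed"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation


def _authorizes(domain, ip, lookup, budget):
    """Return True, False, or an error code string for one domain's SPF."""
    records = [t for t in lookup(domain) if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "no-spf"
    if len(records) > 1:
        return "multiple-spf"  # receivers treat this as a permanent error
    for term in records[0].split()[1:]:
        if term[0] in "-~?":
            continue  # only pass-qualified terms can authorize the relay
        name, _, value = term.lstrip("+").partition(":")
        if name.lower() in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return True
        elif name.lower() == "include":
            budget[0] += 1
            if budget[0] > MAX_LOOKUPS:
                return "too-many-lookups"
            result = _authorizes(value, ip, lookup, budget)
            if result is not False:
                return result  # True, or an error code from the include chain
    return False  # a, mx, exists and redirect are not evaluated here


def check_customer_spf(domain, relay_ip, lookup=lambda d: SAMPLE_TXT.get(d, [])):
    """Classify a customer domain: 'ok', 'not-authorized', or an error code."""
    result = _authorizes(domain, ipaddress.ip_address(relay_ip), lookup, [0])
    if result is True:
        return "ok"
    return "not-authorized" if result is False else result


if __name__ == "__main__":
    for customer in ("good.example", "stale.example", "double.example"):
        print(customer, check_customer_spf(customer, "192.0.2.5"))
```

Any result other than `ok` is the trigger for warning the customer, or for refusing to relay for that domain, before a receiver or blocklist sees the failure.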