I came across a network that I need to communicate with where (not unlike the one in https://bsdly.blogspot.com/2018/02/a-life-lesson-in-mishandling-smtp.html) they perform the checks for SPF, DKIM and so forth in the wrong places in addition to on ingress.

Studying the headers at the receiving end it looks like one of the main problems is that they block DNS over TCP, which leads to the SPF, DKIM and DMARC queries all timing out, and their application proceeds on the assumption that the sending domain does not publish those kinds of information (despite what `host -t txt bsdly.net` on a suitable system will tell you), and the messages do in fact turn up in the recipient's mailbox.

As one would, I have told them that they should look into their firewall setups and check that they pass 53/udp and 53/tcp both, but I have not heard back so far.

Back in the day I suppose you could get a sort of working setup with UDP-only DNS, but this has me wondering: is there a quasi-rational historical reason for blocking 53/TCP? As in, was there at some point in time a 'ping of death'-like incident which I have either missed entirely or forgotten about? If there is, I look forward to some campfire time.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
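The mechanism behind the post, as an added example that is not part of the original message: a resolver asks over UDP first, and when the reply carries the TC (truncated) bit it must retry over TCP with the two-byte length framing from RFC 1035. If 53/tcp is firewalled, that retry never completes, and a receiver that reads the timeout as "no record published" has misclassified a temporary DNS failure (SPF's `temperror` result) as "none". The DNS message builder, parser, the `FakeTransport` stand-in for the network, the domain `example.test` and the oversized SPF record are all constructed for this example.

```python
"""Why a blocked 53/tcp makes SPF/DMARC TXT lookups look like 'no record'.
Constructed example: everything here runs offline against a fake transport."""
import struct

TYPE_TXT, CLASS_IN = 16, 1
FLAG_QR, FLAG_TC = 0x8000, 0x0200
UDP_LIMIT = 512                      # classic UDP payload limit without EDNS0

# Constructed sample: a large SPF record (many ip4 mechanisms) that does not fit
# in a 512-byte UDP reply, so the UDP answer comes back truncated.
SAMPLE_SPF = "v=spf1 " + " ".join(f"ip4:192.0.2.{i}" for i in range(40)) + " ~all"


class DnsTimeout(Exception):
    """Raised by a transport when no answer arrives (e.g. 53/tcp firewalled)."""


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at offset off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:         # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + n


def build_response(txid, name, txt_records, truncated):
    """Constructed DNS answer for <name> TXT. With truncated=True the TC bit is set
    and the answer section is empty, which is what a UDP client sees for big replies."""
    flags = FLAG_QR | (FLAG_TC if truncated else 0)
    answers = b""
    if not truncated:
        for rec in txt_records:
            chunks = [rec[i:i + 255] for i in range(0, len(rec), 255)] or [""]
            rdata = b"".join(bytes([len(c)]) + c.encode() for c in chunks)
            answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    ancount = 0 if truncated else len(txt_records)
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN) + answers


def parse_response(msg):
    """Return the TC flag, RCODE and the TXT records (255-byte strings re-joined)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # QTYPE + QCLASS
    txts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:
            i, parts = 0, []
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode())
                i += 1 + n
            txts.append("".join(parts))
    return {"tc": bool(flags & FLAG_TC), "rcode": flags & 0xF, "txt": txts}


class FakeTransport:
    """Stands in for the network: UDP truncates replies over UDP_LIMIT, TCP carries
    the full reply unless tcp_blocked, in which case the connection just times out."""
    def __init__(self, txt_records, tcp_blocked):
        self.txt_records, self.tcp_blocked = txt_records, tcp_blocked

    def udp_query(self, name):
        full = build_response(0x1234, name, self.txt_records, truncated=False)
        if len(full) > UDP_LIMIT:
            return build_response(0x1234, name, self.txt_records, truncated=True)
        return full

    def tcp_query(self, name):
        if self.tcp_blocked:
            raise DnsTimeout(f"no answer on 53/tcp for {name}")
        msg = build_response(0x1234, name, self.txt_records, truncated=False)
        return struct.pack("!H", len(msg)) + msg   # RFC 1035 TCP framing: 2-byte length prefix


def lookup_spf(transport, domain):
    """Return ('found', record), ('none', None) or ('temperror', None).
    A DNS timeout must surface as SPF 'temperror', never as 'no SPF record'."""
    try:
        r = parse_response(transport.udp_query(domain))
        if r["tc"]:                                # truncated: retry over TCP
            framed = transport.tcp_query(domain)
            (length,) = struct.unpack("!H", framed[:2])
            r = parse_response(framed[2:2 + length])
    except DnsTimeout:
        return ("temperror", None)
    spf = [t for t in r["txt"] if t.startswith("v=spf1")]
    return ("found", spf[0]) if spf else ("none", None)


def naive_lookup_spf(transport, domain):
    """The failure mode described in the post: a timeout silently becomes 'none'."""
    status, rec = lookup_spf(transport, domain)
    return ("none", None) if status == "temperror" else (status, rec)


if __name__ == "__main__":
    for blocked in (False, True):
        t = FakeTransport([SAMPLE_SPF], tcp_blocked=blocked)
        print(f"53/tcp blocked={blocked}: correct={lookup_spf(t, 'example.test')[0]}, "
              f"naive={naive_lookup_spf(t, 'example.test')[0]}")
```

With 53/tcp open the truncated UDP reply triggers a TCP retry and the full record is found; with it blocked the correct outcome is `temperror` (the receiver should defer or mark the check as temporarily failed), whereas the naive path reports `none` and treats the sender as publishing no policy, which is exactly the behaviour the headers in the post reveal.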