Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Noel Butler via dovecot
On 11/02/2019 09:48, Michael A. Peters via dovecot wrote:

> On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote:
>> On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
>>> On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
>>>> fixing mailman will be the fail, solve it by letting opendkim and opendmarc
>>>> not reject detected maillist will be solution,
>>>
>>> A general broad mailing list whitelist will be problematic, to work it needs
>>> to look for specific list type hidden headers, spammers and nasties will
>>> incorporate those headers into their trash that impersonates mailing lists
>>> and voila, they pass.
>>
>> However the majority of spammers do not spam with a properly configured
>> Reverse DNS - so detect the list header and skip DMARC if list headers
>> are present AND Reverse DNS matched the HELO/EHLO
>
> Also, DMARC isn't really anti-spam technology, it's anti-spoof
> technology.
>
> Rather than fake mail list headers, spammers will just use domains w/o a
> DMARC policy. Much easier.

I know you're just nitpicking but what the hell, I've got a few minutes
before my meeting

anti spoofing is also anti spam, most legit emailers don't spoof, bad
guys love to, so anything that reduces noise in email can be considered
"anti spam"

postfix ACLs, DNSBLs, milters, antivirus, spamassassin, spf, dkim,
whatever ... they all work to reduce noise and that's all the end users
care about.

-- 
Kind Regards, 

Noel Butler 

This Email, including any attachments, may contain legally 
privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the authors express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents 

 

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument

Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Noel Butler via dovecot

On 11/02/2019 09:46, Michael A. Peters via dovecot wrote:

> However the majority of spammers do not spam with a properly configured
> Reverse DNS - so detect the list header and skip DMARC if list headers
> are present AND Reverse DNS matched the HELO/EHLO

A hell of a lot do, though (this is pretty average percentages here)

Accepted                          70.07%
Rejected                          29.93%
----------------------------------------
Total                            100.00%
========================================

5xx Reject relay denied            4.27%
5xx Reject unknown user            7.93%
5xx Reject sender address          7.32%
5xx Reject unknown client host    52.44%
5xx Reject RBL                     3.66%
5xx Reject milter                 24.39%
========================================
Total 5xx Rejects                100.00%

unknown client host was as high as 95% up till about 10 years ago, so they
are slowly learning.





--
Kind Regards,

Noel Butler



Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Michael A. Peters via dovecot

On 2/10/19 3:46 PM, Michael A. Peters via dovecot wrote:
> On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
>> On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
>>> fixing mailman will be the fail, solve it by letting opendkim and
>>> opendmarc not reject detected maillist will be solution,
>>
>> A general broad mailing list whitelist will be problematic, to work it
>> needs to look for specific list type hidden headers, spammers and
>> nasties will incorporate those headers into their trash that
>> impersonates mailing lists and voila, they pass.
>
> However the majority of spammers do not spam with a properly configured
> Reverse DNS - so detect the list header and skip DMARC if list headers
> are present AND Reverse DNS matched the HELO/EHLO




Also, DMARC isn't really anti-spam technology, it's anti-spoof technology.

Rather than fake mail list headers, spammers will just use domains w/o a 
DMARC policy. Much easier.


Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Michael A. Peters via dovecot

On 2/10/19 3:42 PM, Noel Butler via dovecot wrote:
> On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:
>> fixing mailman will be the fail, solve it by letting opendkim and
>> opendmarc not reject detected maillist will be solution,
>
> A general broad mailing list whitelist will be problematic, to work it
> needs to look for specific list type hidden headers, spammers and
> nasties will incorporate those headers into their trash that
> impersonates mailing lists and voila, they pass.


However the majority of spammers do not spam with a properly configured 
Reverse DNS - so detect the list header and skip DMARC if list headers 
are present AND Reverse DNS matched the HELO/EHLO
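
The rule proposed in this message, written out as an added example (not part of the original post and not code from opendmarc or any other project). The function names, the injected resolver callbacks and all sample data are assumptions; addresses and domains are constructed from documentation ranges so the block runs offline.

```python
import email
from email import policy

# Headers a list manager adds (RFC 2919 List-Id, RFC 2369 List-Post/List-Unsubscribe).
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")

def fcrdns_names(ip, ptr_lookup, a_lookup):
    """PTR names of ip that resolve back to ip (forward-confirmed reverse DNS)."""
    names = {n.rstrip(".").lower() for n in ptr_lookup(ip)}
    return {n for n in names if ip in a_lookup(n)}

def may_skip_dmarc(raw_message, client_ip, helo, ptr_lookup, a_lookup):
    """Return (skip, reason) for the rule: list headers AND rDNS matches HELO."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if not any(msg[h] for h in LIST_HEADERS):
        return False, "no list headers"
    names = fcrdns_names(client_ip, ptr_lookup, a_lookup)
    if not names:
        return False, "no forward-confirmed reverse DNS"
    if helo.rstrip(".").lower() not in names:
        return False, "HELO does not match reverse DNS"
    return True, "list headers present and reverse DNS matches HELO"

# Constructed resolver data standing in for real PTR and A lookups.
PTR = {"192.0.2.10": ["lists.example.org."], "198.51.100.7": ["vps7.example.net."]}
A = {"lists.example.org": ["192.0.2.10"], "vps7.example.net": ["198.51.100.7"]}
ptr = lambda ip: PTR.get(ip, [])
fwd = lambda name: A.get(name, [])

# Constructed messages: one with a list header, one without.
LIST_MAIL = "From: user@example.com\nList-Id: <users.lists.example.org>\nSubject: hi\n\nbody\n"
PLAIN_MAIL = "From: user@example.com\nSubject: hi\n\nbody\n"

def demo():
    return [
        may_skip_dmarc(LIST_MAIL, "192.0.2.10", "lists.example.org", ptr, fwd),
        may_skip_dmarc(LIST_MAIL, "203.0.113.5", "lists.example.org", ptr, fwd),
        may_skip_dmarc(LIST_MAIL, "198.51.100.7", "mail.example.com", ptr, fwd),
        may_skip_dmarc(PLAIN_MAIL, "192.0.2.10", "lists.example.org", ptr, fwd),
        # Consistent DNS is all the rule proves; it does not show the host runs a list.
        may_skip_dmarc(LIST_MAIL, "198.51.100.7", "vps7.example.net", ptr, fwd),
    ]

if __name__ == "__main__":
    for skip, reason in demo():
        print(skip, reason)
```

The last case passes the rule from a host that merely has matching forward and reverse DNS, so the exemption is only as strong as the share of unwanted senders that lack it.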




Re: offtopic: rant about thoughtless enabling DMARC checks

2019-02-10 Thread Noel Butler via dovecot
On 10/02/2019 12:49, Benny Pedersen via dovecot wrote:

> fixing mailman will be the fail, solve it by letting opendkim and opendmarc 
> not reject detected maillist will be solution,

A general broad mailing list whitelist will be problematic, to work it
needs to look for specific list type hidden headers, spammers and
nasties will incorporate those headers into their trash that
impersonates mailing lists and voila, they pass. There is no quick and
easy fix to the dmarc mess other than p=none aspf=s (DKIM is another one
that gets narky at lists, and despite all the spf haters' dreams, I've
never had a problem with spf and lists, and we were an early beta
adopter of spf)

-- 
Kind Regards, 

Noel Butler 


Re: How to backup maildir

2019-02-10 Thread Robert Moskowitz via dovecot




On 2/10/19 8:21 AM, Christoph Haas wrote:
> Hello Robert,
>
> [... snip ...]
>
> of course I'm totally with you: asking other people for help, is often
> a good - if even not the only way to getting things done. It was not
> my intention to insult you! I hope this did not come in to your mind ...

You did not insult me at all.  I have taken stronger barbs over the years!

> Personally I would have a look at the mentioned Dovecot-backup-script
> as a start. It does really a very good job! Kudos to Klaus Tachtler!

That is on top of my list.  Thanks for the pointer.

> Another option could be, to sync your mail via mbsync/isync or
> offlineimap to your Notebook ... but as an alternative backup, it
> depends on how many users are on your Dovecot-server.

I have 4 domains, 20+ users.  Small stuff.  I suspect that would only
work for me, and I have my processes in place.

> In a second cycle, you can then extend or modify this script - as I
> have been doing.
>
> But you should bear in mind, that you should have at least 2-3
> replicas of your data on different storage, for having a good backup.

The local image is for 'fast' backup.  This will then be rsynced to a
server in my neighbor's house (we have ethernet between us.  He lunches
off my ISP connection, he hosts my 'offsite' backups).

> Cheers
> Christoph.





Re: How to backup maildir

2019-02-10 Thread Christoph Haas via dovecot

Hello Robert,

[... snip ...]

of course I'm totally with you: asking other people for help, is often  
a good - if even not the only way to getting things done. It was not  
my intention to insult you! I hope this did not come in to your mind ...


Personally I would have a look at the mentioned Dovecot-backup-script
as a start. It does really a very good job! Kudos to Klaus Tachtler!


Another option could be, to sync your mail via mbsync/isync or  
offlineimap to your Notebook ... but as an alternative backup, it  
depends on how many users are on your Dovecot-server.


In a second cycle, you can then extend or modify this script - as I  
have been doing.


But you should bear in mind, that you should have at least 2-3  
replicas of your data on different storage, for having a good backup.


Cheers
Christoph.

--
Christoph Haas




Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]

2019-02-10 Thread Aki Tuomi via dovecot


> On 10 February 2019 at 00:28 "A. Schulze via dovecot" wrote:
>
> On 09.02.19 at 19:56, Aki Tuomi via dovecot wrote:
> > I'll review the settings when we manage to upgrade to mailman3
>
> Hello Aki,
>
> before updating to mailman3 consider a simpler update to latest mailman2.
>
> you're using 2.1.15, current mailman2 is 2.1.29
> You're missing a /significant amount/ of DMARC fixes!
>
> and: more off-topic:
> while my messages *to* the dovecot list are sent using STARTTLS,
> messages *from* wursti.dovecot.fi are sent without encryption.
> any reason to stay on unencrypted SMTP?
>
> Andreas

Received: from talvi.dovecot.org (talvi.dovecot.org [94.237.25.159])
    by mail.dovecot.fi (Postfix) with ESMTPS id 7EE3B2B3C9C;
    Sun, 10 Feb 2019 00:29:15 +0200 (EET)

ESMTPS indicates that TLS was used. Also I took the trouble to check the
maillogs from talvi to verify that your mail was delivered using TLS.

Aki
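
Reading the `with` clause of each Received header, as done by eye in this reply, can be scripted. This is an added example, not part of the original message: the first header in the sample is the one quoted above, the other two are constructed, and the function names are assumptions. The keyword set is the one registered by RFC 3848.

```python
import re
from email import message_from_string

# "with" keywords registered by RFC 3848 that mean the hop negotiated TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments and collapse folding."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return " ".join(value.split())

def parse_received(value):
    """Extract the from/by/with clauses of one Received header."""
    text = strip_comments(value).split(";", 1)[0]
    hop = {}
    for key in ("from", "by", "with"):
        m = re.search(rf"(?:^|\s){key}\s+(\S+)", text, re.IGNORECASE)
        hop[key] = m.group(1) if m else None
    hop["tls"] = (hop["with"] or "").upper() in TLS_PROTOCOLS
    return hop

def received_hops(raw_message):
    """Hops in header order: the most recently added header comes first."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]

# First header is quoted from the message above; the other two are constructed.
# The comment "(using TLSv1.2 with cipher ...)" must not be read as the with clause.
SAMPLE = """\
Received: from talvi.dovecot.org (talvi.dovecot.org [94.237.25.159])
\tby mail.dovecot.fi (Postfix) with ESMTPS id 7EE3B2B3C9C;
\tSun, 10 Feb 2019 00:29:15 +0200 (EET)
Received: from mx.example.net (mx.example.net [192.0.2.25])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mail.example.org (Postfix) with ESMTPS id CONSTRUCTED1;
\tSun, 10 Feb 2019 00:29:10 +0200 (EET)
Received: from host.example.com (host.example.com [198.51.100.9])
\tby mx.example.net (Postfix) with ESMTP id CONSTRUCTED2;
\tSun, 10 Feb 2019 00:29:05 +0200 (EET)
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop)
```

Only the headers added by servers you operate are trustworthy, which is why the reply also checks the mail logs on the sending host.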


Re: How to backup maildir

2019-02-10 Thread Robert Moskowitz via dovecot




On 2/10/19 2:24 AM, Christoph Haas via dovecot wrote:
> Hello Robert,
>
> - Message from Robert Moskowitz via dovecot -
>
>    Date: Sat, 9 Feb 2019 22:50:24 -0500
>    From: Robert Moskowitz via dovecot
>    Reply-To: Robert Moskowitz, Dovecot Mailing List
>    Subject: How to backup maildir
>    To: Dovecot Mailing List
>
>> I have been thinking, and reading, on how to back up my mailserver. I
>> have not found any approach that seems ready to use.
>>
>> I have run years without any backup, but would really like to have
>> something in place.
>
> you're a really lucky guy! - I've been struck in the past for such
> carelessness on the one or other machine with dataloss ;-)

Absolute laziness.  No real excuse.   Also all users were POPing until 2
years ago.  Finally got everyone on IMAP just in the last year.  So a
server loss would have been an inconvenience.  For myself, almost
nothing in the IMAP store, everything in local folders that I have a
separate backup procedure.

>> I figure I can attach a USB drive and backup to that, then from
>> there rsync to something elsewhere. Further if that USB drive is a
>> full mailserver image, I actually have a 'hot backup' where I only
>> have to put the backup drive into a system and boot up at the last
>> backup.
>>
>> But this means properly copying all of /home/vmail and probably
>> /home/sieve plus the /var/lib/mysql
>
> Are you aware of the dovecot command "dsync"? (man dsync or
> https://wiki.dovecot.org/Tools/Doveadm/Sync)
>
> This could be an approach of using dsync:
> dsync backup -o plugin/quota= -f -u $user backup maildir:/mnt/USB/dovecot-backup/Maildir/$user/mail


My search foo is weak.  This is a long documented fact.  I did spend a 
number of hours searching and reading before opening my mouth here, 
fully expecting to put more than my toes in.


I will read up on dsync.



>> Are there good tools that nicely do this?  Or do I choose a time
>> late at night (only I am sometimes in non-US timezones) to shut down
>> all services and just use rsync?
>>
>> And stopping services itself is thought provoking.  What if Dovecot,
>> amavis, mysql, or what else is in the middle of writing out a mail
>> file what happens to that file and restart.
>>
>> Just scary stuff and, in part, why I have never tackled this in the
>> past.
>>
>> thanks for all feedback
>
> - End of message from Robert Moskowitz via dovecot -
>
> It really depends on how important your data is to you ... But you
> should really think about a general backup-strategy!
> "Mr. Google" can help you to get some ideas how YOUR backup-strategy
> could look like...
> Also there is much input for backing up dovecot with its different
> mail storage flavours.
> - But you have to invest some effort on your own, to search, read,
> evaluate and finally choose what's fitting into YOUR setup!



I have been and have been searching.  Some hits, but so far nothing was 
hitting the spot.  But, I will blame my dyslexia that my search foo is 
weak.




> But as a starting point:
> I'm using a for _MY setup_ modified and adopted version of Klaus
> Tachtler's dovecot-backup script:
>
> https://github.com/tachtler/dovecot-backup/blob/master/dovecot_backup.sh
>
> ... mixed it with Borg Backup:
> https://www.borgbackup.org/
>
> ... some further encryption, cloud storage and ... and ... and other
> stuff.

I will check both of these.

> But as above mentioned:
> YOU have to think about the grade of your paranoia level, how
> important the data is to you in case of a data loss, time and money
> you are willing to invest and build upon this YOUR PERSONAL backup
> strategy.
>
> - Sadly there is no one-size-fits-all!

If there was, we would not be here, I suspect.

> Last famous words:
> I've looked at your vita and was wondering about your post - you were
> writing RFCs, but have no clue about backing up your mail-data???
> Strange ...


MY mail is well backed up.  Locally so that I can read on a plane and 
the like.  I have been running one flavor or another of my own mail 
server since '95.  I switched to dovecot 6 years ago.


My home file server is backed up 4 ways around.  And I have lost file 
servers and file server drives over the years.  Upgrading my file server 
is the next project.


But I write RFCs.  I have been using geany for XML for a few years. I 
'code' in English.  I have not written computer code since probably the 
late 80s.  I never coded in C, but I did use B for a while!  These days 
I can write simple scripts when forced to.  :)


My 'spare' time these days is working with armv7 boards.  I have been 
using Cubietech since '13, recently got an Odroid HC1 and that is what 
this server will be.  For the most part you will find me on the 
Centos/Fedora lists and their arm lists.  Occasionally I will put on my 
Kevlar suit and ask something basic on a product list.


But as a result of doing this, recently there is a new SElinux policy 
for permitting Dovecot to access Mysql.  It has already been patched 
into Fedora 28 and up.  Sometimes it pays