Re: Letsencrypt/OpenSSL test - Verify return code: 21
On 11/04/2021 01:04, @lbutlr wrote:
> On 10 Apr 2021, at 12:57, Juri Haberland wrote:
>> On 10/04/2021 19:52, @lbutlr wrote:
>>> On 10 Apr 2021, at 09:55, B Shea wrote:
>>>> OpenSSL (Ubuntu default/repo version): 1.1.1f 31 Mar 2020
>>>
>>> There have been a few critical patches to open SSL in the last year,
>>> including a very important one to 1.1.1k just recently.
>>>
>>> Not to do with your issue, but I suspect updating both openssl and Dovecot
>>> are good first steps.
>>
>> That is the version as distributed by Ubuntu with security fixes
>> backported as usual for most Linux distributions...
>
> If the date is May 2020, then no, it hasn't.
>
> As I said, there have been many patches since then, including one very
> important one very recently (end of march, beginning of April).
>

$ lsb_release --description
Description: Ubuntu 20.04.2 LTS

$ openssl version
OpenSSL 1.1.1f 31 Mar 2020

$ dpkg -l | grep openssl
ii  openssl  1.1.1f-1ubuntu2.3  amd64  Secure Sockets Layer toolkit - cryptographic utility

$ zcat /usr/share/doc/openssl/changelog.Debian.gz | head -n 16
openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
      ssl/statem/extensions.c.
    - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt <=
      TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
    - debian/patches/CVE-2021-3449-3.patch: add a test to
      test/recipes/70-test_renegotiation.t.
    - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
      always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
      ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
      ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
    - CVE-2021-3449

 -- Marc Deslauriers Mon, 22 Mar 2021 07:37:17 -0400

So yes, it is up-to-date.

Cheers,
  Juri
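The check done by hand in the post above (reading the distribution changelog rather than the upstream version string) can be automated. The following Python is an added example, not part of the original post: the function names are hypothetical, the first sample entry is abridged from the changelog quoted in the post, and the second entry is constructed.

```python
import gzip
import re

# Entry header line, e.g. "openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium"
ENTRY_RE = re.compile(r"^(?P<pkg>\S+) \((?P<version>[^)]+)\) (?P<dist>[^;]+);", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return [(version, distribution, {CVE ids})], newest entry first."""
    heads = list(ENTRY_RE.finditer(text))
    entries = []
    for i, head in enumerate(heads):
        # An entry body runs until the next entry header (or end of file).
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        entries.append((head.group("version"),
                        head.group("dist").strip(),
                        set(CVE_RE.findall(body))))
    return entries


def fixed_in(text, cve):
    """Oldest package version whose entry mentions the CVE, or None."""
    hits = [version for version, _, cves in parse_changelog(text) if cve in cves]
    return hits[-1] if hits else None


def load_installed_changelog(package):
    """Read the changelog shipped with an installed Debian/Ubuntu package."""
    path = f"/usr/share/doc/{package}/changelog.Debian.gz"
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()


# First entry abridged from the post; second entry is constructed sample data.
SAMPLE_CHANGELOG = """\
openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
      ssl/statem/extensions.c.
    - CVE-2021-3449

 -- Marc Deslauriers Mon, 22 Mar 2021 07:37:17 -0400

openssl (1.1.1f-0example1) focal; urgency=medium

  * Constructed older entry with no security content.

 -- Example Maintainer Mon, 06 Apr 2020 12:00:00 +0000
"""

if __name__ == "__main__":
    for cve in ("CVE-2021-3449", "CVE-2099-0001"):
        version = fixed_in(SAMPLE_CHANGELOG, cve)
        print(cve, "fixed in" if version else "not mentioned", version or "")
```

On a real system, pass `load_installed_changelog("openssl")` instead of the sample text.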
Re: Letsencrypt/OpenSSL test - Verify return code: 21
On 10/04/2021 19:52, @lbutlr wrote:
> On 10 Apr 2021, at 09:55, B Shea wrote:
>> OpenSSL (Ubuntu default/repo version): 1.1.1f 31 Mar 2020
>
> There have been a few critical patches to open SSL in the last year,
> including a very important one to 1.1.1k just recently.
>
> Not to do with your issue, but I suspect updating both openssl and Dovecot
> are good first steps.

That is the version as distributed by Ubuntu with security fixes backported
as usual for most Linux distributions...

Kind regards,
  Juri
Re: DMARC problems with some emails from the list
On 09.03.21 17:00, Benny Pedersen wrote:
> ARC test can be skipped if ORIGINATING dkim signed DKIM signature gives
> PASS
>
> your mail here gives DKIM PASS in perl Mail::DKIM
>
> but
>
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
> d=dovecot.org;
> s=arc; t=1615272934;
> h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
> to:to:cc:mime-version:mime-version:content-type:content-type:
> content-transfer-encoding:content-transfer-encoding:
> in-reply-to:in-reply-to:references:references:dkim-signature;
>
> is with double headers sign in ARC :(
>
> is owners listen here ?

Again, there is and should be no problem with double header signing.
And even if there would be a problem with it, the ARC-Message-Signature will
be ignored by 99% of mail handling applications...

I really don't get your point and it seems to me you didn't understand the
OP's problem.

Cheers,
  Juri
Re: DMARC problems with some emails from the list
On 08.03.21 11:38, Benny Pedersen wrote:
> On 2021-03-08 10:34, Juri Haberland wrote:

> checked your dkim signing, it have signed 2 Date headers, 2 From, 2
> Subject, solve this :=)

Benny, it's not about *my* DKIM signature. And it is perfectly legal and has
a special purpose to double sign some headers, called oversigning.

> and you have simple in C= tag, please check double signed headers
>
> it does not dkim pass in perl Mail::DKIM test in spamassassin

If my signature didn't verify at your end, then it might be a problem at your
end as my DKIM signature verified at the mailing list host (as you can see
from the ARC-Authentication-Results header) and it still verified at my host
when it came back from the list (both Spamassassin and OpenDKIM).
OTOH if more people have problems with my DKIM signature then I'd like to
hear that.

>> The problem of these specific mails is the fact, that they sign one or
>> more
>> of the following headers:
>> - Reply-To
>> - Sender
>> - List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
>> List-Owner, List-Archive
>
> this comes from dkim signing ALL mails not just ORIGINATED emails,
> maillist should really stop sign emails, and only do the ARC sealing and
> ARC sign it

This has nothing to do with it! The problem arises at the OP's end...

> if maillist send ORIGINNATING emails it should be signed as dkim and not
> ARC sealed
>
> its common sense imho
>
> too many headers signed makes dkim break

Yes, that is the problem here, but that cannot be fixed by the people running
the ML, only by the original authors, as it concerns the DKIM signatures of
the original authors.

>> Of course these headers *will* be altered by most list software out
>> there,
>> so the senders have to change the way they sign their mails.
>
> altering will happend hopefully AFTER ARC sealing, so it still can be
> verify from ARC that the originated email did pass or fail in someway,
> in that case it works as designed

IMHO altering/adding those headers will happen *before* ARC signing or else
the ARC signature will break immediately and will be useless...

>> Your only option is to either trust the ARC-headers or to whitelist all
>> amil from this mailing list.
>
> tell dmarc to not test maillists, but it should pass so no need

???

Regards,
  Juri
Re: DMARC problems with some emails from the list
On 08.03.21 07:43, Ángel L. Mateo wrote:
> Hello,
>
> I'm having problems with some emails from the list, been classified as
> SPAM in my system because of DMARC failures. I'm not sure but this may
> be a problem with the list configuration.
>
>
> I attach the log for the failures in the last week.

I have looked at some of the mails that you flagged as problematic and yes,
those mails failed the DKIM check, even though this list seems to work
without invalidating DKIM signatures.

The problem of these specific mails is the fact that they sign one or more
of the following headers:
- Reply-To
- Sender
- List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
  List-Owner, List-Archive

Of course these headers *will* be altered by most list software out there,
so the senders have to change the way they sign their mails.

Your only option is to either trust the ARC-headers or to whitelist all
mail from this mailing list.

Cheers,
  Juri
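Whether a given sender's signature has the problem described in the post above can be read from the `h=` tag of its DKIM-Signature header. The following Python is an added example, not part of the original post or of any mail software: the function names are hypothetical and the sample signature and header list are constructed. It also reports oversigned headers, the practice discussed in the replies in this thread.

```python
import re
from collections import Counter

# Headers the post names as altered or added by most list software.
LIST_ALTERED = {"reply-to", "sender"}
LIST_PREFIX = "list-"  # List-Id, List-Help, List-Unsubscribe, ...


def parse_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        # Folding whitespace inside a value is dropped so h= reads as one list.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signed_headers(sig_value):
    """Header names from the h= tag, lowercased, duplicates preserved."""
    h = parse_tags(sig_value).get("h", "")
    return [name.lower() for name in h.split(":") if name]


def audit(sig_value, message_header_names):
    """Classify the signed headers of one signature.

    fragile:    signed headers a mailing list is expected to alter or add,
                so the signature will not verify after the list relays it.
    oversigned: names listed in h= more often than they occur in the
                message, which forbids adding another instance later.
    """
    signed = Counter(signed_headers(sig_value))
    present = Counter(name.lower() for name in message_header_names)
    fragile = sorted(n for n in signed
                     if n in LIST_ALTERED or n.startswith(LIST_PREFIX))
    oversigned = sorted(n for n, count in signed.items() if count > present[n])
    return {"fragile": fragile, "oversigned": oversigned}


# Constructed sample: a signature that oversigns From/Subject (harmless on a
# list that leaves them alone) but also covers Reply-To, Sender and List-*.
SAMPLE_SIG = """v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;
 h=from:from:reply-to:subject:subject:date:message-id:to:list-id:
 list-unsubscribe:sender; bh=AAAA=; b=BBBB="""
SAMPLE_HEADERS = ["From", "To", "Subject", "Date", "Message-ID", "Reply-To"]

if __name__ == "__main__":
    report = audit(SAMPLE_SIG, SAMPLE_HEADERS)
    print("breaks on list relay:", ", ".join(report["fragile"]) or "nothing")
    print("oversigned:", ", ".join(report["oversigned"]) or "nothing")
```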
Re: Dovecot v2.3.13 released
On 04/01/2021 13:02, Aki Tuomi wrote:
> We are pleased to release v2.3.13. Please find it from locations below:
>
> https://dovecot.org/releases/2.3/dovecot-2.3.13.tar.gz
> https://dovecot.org/releases/2.3/dovecot-2.3.13.tar.gz.sig
> Binary packages in https://repo.dovecot.org/
> Docker images in https://hub.docker.com/r/dovecot/dovecot

While trying to rebuild packages for Ubuntu Bionic (18.04) for i386 I noticed
that the size and checksum for dovecot_2.3.13-2+ubuntu18.04.debian.tar.xz was
wrong as reported in the dovecot-Ubuntu_18.04.dsc file as well as the
checksum for dovecot-pigeonhole_2.3.13-2+ubuntu18.04.debian.tar.xz as
reported in the dovecot-pigeonhole-Ubuntu_18.04.dsc file, so I had to
manually change the *.dsc files.

I had the same problem with the last release 2.3.11.3 so it seems there is
something wrong in your release process of Ubuntu packages.

Cheers,
  Juri
Re: Dovecot v2.3.13 released
On 04/01/2021 13:02, Aki Tuomi wrote:
> We are pleased to release v2.3.13. Please find it from locations below:

> Binary packages in https://repo.dovecot.org/

Hi Aki,

is it on purpose that there is no build for Ubuntu Xenial 16.04 or is it just
an oversight?

Kind regards,
  Juri
Re: Very slow mail download/notification with dovecot 2.3.7 and Thunderbird
On 28/12/2020 09:44, Matthias Fechner wrote:
> Am 27.12.2020 um 16:11 schrieb Juri Haberland:
>> I can't help you with your performance problem, but for Thunderbird to
>> check all folders, you need to set "mail.check_all_imap_folders_for_new"
>> to 'true' in the Thunderbird config editor.
>
> I think the setting is:
> mail.server.default.check_all_folders_for_new;true

Both settings exist, but you are right, my setting is deprecated:

From
http://kb.mozillazine.org/Checking_for_new_messages_in_other_folders_%28Thunderbird%29#IMAP:

> Thunderbird used to support setting mail.check_all_imap_folders_for_new
> to true to make it check every remote folder for new mail. The downside was
> there is no way to exclude a specific folder (such as a junk mail folder).
> However, that setting was replaced in version 5.0 with server-specific ones.
> Set mail.server.default.check_all_folders_for_new to true instead to make it
> effective for all accounts using the Config Editor.

Regards,
  Juri
Re: Very slow mail download/notification with dovecot 2.3.7 and Thunderbird
On 27/12/2020 15:11, ml_dove...@thorsten-reichelt.de wrote:
> And it seems that some folders are never updated in TB. In example I
> sort all messages from this list into a "INBOX.Mailinglists.ML-Dovecot"
> subfolder by using a simple sieve rule. But even after 10 minutes TB
> thinks that there are no new messages. As soon as I click on the
> ML-Dovecot folder I see in the /var/log/dovecot-info.log file that TB
> logs on to the server and then displays hundreds, of new messages. I
> checked twice but I have subscribed to all 228 folders.

I can't help you with your performance problem, but for Thunderbird to check
all folders, you need to set "mail.check_all_imap_folders_for_new" to 'true'
in the Thunderbird config editor.

Regards,
  Juri
Re: Dovecot and thunderbird authentication issue?
On 19.04.20 23:44, David Mehler wrote:
> I'm using Dovecot 2.2, Postfix 3.5, and am atempting to get the latest
> version of Thunderbird to work. I tried account autoconfig which did
> not work, so I had to manually enter information and correct other
> information. On my server dovecot supports plane and login
> authentication methods but only over starttls i've got a letsencrypt
> certificate. My thunderbird configuration looks good, right hosts for
> incoming and outgoing mail, right ports, 143 starttls, and 587 smtp
> submission, and thunderbird has the authentication method set for
> normal password. This I interpreted to mean thunderbird is going to
> starttls then send the username and password. Thunderbird is giving me
> this error:
>
> imap server does not support the selected authentication method
>
> I realize this is vague, any suggestions?

What about showing what dovecot logged at that moment?
Output from "doveconf -n" would be helpful, too.

Even though I don't use Thunderbird with STARTTLS (but with SSL/TLS on port
993) I'm pretty sure this should work.

Best,
  Juri
Re: Disable Dovecot LDA
On 02/04/2020 15:18, Adam Raszkiewicz wrote:
> Desired flow looks like:
>
> Dovecot -> Postfix --> Relay Server -┐
> Dovecot <-- LMTP/LDA <-- Postfix <-┘

This mail flow cannot work with one Postfix instance.
Either Postfix knows that "localdomain.com" is local and should be delivered
to the LDA, in which case it won't be forwarded to the relay server, or
Postfix does not know that "localdomain.com" is a local address and therefore
forwards it to the relay server, but then it will do that anytime it sees
"localdomain.com".
Only possibility is to run two instances of Postfix.

The real question is: Why do you want this mail flow? Where is the benefit in
sending a local mail out to a relay server only to get it back and deliver
it?

Cheers,
  Juri
Re: lmtp and recipient_delimiter
On 15/03/2020 21:26, GMX Account wrote:
> have a look at this:
>
> http://www.postfix.org/postconf.5.html#recipient_delimiter
>
> [...]When the recipient_delimiter [1] set contains multiple characters
> (Postfix 2.11 and later), a user name or .forward file name is
> separated from its extension by the first character that matches the
> recipient_delimiter [1] set.[...]

Uhm, yes, I know what this option should do, but what happens, if I already
have a user with e.g. a hyphen (-) in its name (e.g. foo-bar) and I set
recipient_delimiter to "-"?
Will this character become a somewhat illegal character for usernames in the
user database?

Cheers,
  Juri
Re: lmtp and recipient_delimiter
On 15/03/2020 20:26, Peter wrote:
> Poorly documented, imo, but you want lmtp_save_to_detail_mailbox = yes:

Thanks, tried it, but no, that's not what I want and it doesn't help in my
case.

To recap:
If I set recipient_delimiter to "+-" (or "-" alone), having a user named
"foo-bar" won't work anymore, because Dovecot always tries to deliver to user
"foo" and never tries "foo-bar", even though it exists.

My question would be:
Is this due to a misconfiguration somewhere?
Is this the intended behavior?
Or is this a bug?

Cheers,
  Juri
Re: lmtp and recipient_delimiter
On 12/03/2020 08:04, Jean-Daniel wrote:
>
>
>> On 11 March 2020 at 19:32, Juri Haberland wrote:
>>
>> Hi list,
>>
>> I have a small problem with recipient_delimiters contained in usernames.
>> Recently I have extended recipient_delimiter from "+" to "+-" in both
>> Postfix and Dovecot (using lmtp) and now any user that have a '-' in it's
>> username can't receive mail anymore, because lmtp truncates the localpart
>> after the '-' and of course can't find the first half in the user database.
>>
>> To illustrate: given an account "foo-...@example.com", I get the following
>> log entry from postfix:
>> Mar 9 09:31:43 batleth postfix/lmtp[6196]: 9A7BA33E005B:
>> to=,
>> relay=batleth.sapienti-sat.org[private/dovecot-lmtp], delay=20,
>> delays=20/0.01/0.01/0.08, dsn=5.1.1, status=bounced (host
>> batleth.sapienti-sat.org[private/dovecot-lmtp] said: 550 5.1.1
>> User doesn't exist: f...@example.com (in reply to RCPT
>> TO command))
>> Is there any way to tell lmtp to first look for
>> and if that fails look for only (the
>> reverse order would be ok, too)?
>>
>
> This is already what they do AFAIK. I’m using ‘-‘ as delimiter for a long
> time and didn’t have any issue with my mails.
> I think this postfix error only reflects the last attempt, and not all the
> resolution attempts. Try increasing the log (either in postfix or LMTP) to
> see what append exactly.

I turned debugging on in both programs and could see the conversation between
Postfix and Dovecot via LMTP.
Setting recipient_delimiter to +- in Postfix doesn't make the delivery break
so I left it at this. Only recipient_delimiter=+- in Dovecot makes the
difference.

In both cases Postfix asks Dovecot for a user named "" and with "-" included
in Dovecot's recipient_delimiter option Dovecot replies with:
550 5.1.1 User doesn't exist: f...@sapienti-sat.org

On the Dovecot side I see a single database lookup for
"f...@sapienti-sat.org".

So Postfix doesn't care and hands the complete mail address off to Dovecot,
which in turn either looks up the full email address (in case of "-"
excluded) or looks up the truncated mail address only in case of "-"
included.

My question would be:
Is this due to a misconfiguration somewhere?
Is this the intended behavior?
Or is this a bug?

Cheers,
  Juri

PS: here are the logs (from two different but identical tests) for the case
where both Dovecot and Postfix have recipient_delimiter = +-

Mar 15 17:57:06 batleth postfix/lmtp[5077]: smtp_connect_unix: trying: private/dovecot-lmtp...
Mar 15 17:57:06 batleth postfix/lmtp[5077]: smtp_stream_setup: maxtime=300 enable_deadline=0
Mar 15 17:57:06 batleth postfix/lmtp[5077]: < batleth.sapienti-sat.org[private/dovecot-lmtp]: 220 batleth.sapienti-sat.org Dovecot ready.
Mar 15 17:57:06 batleth dovecot: lmtp(5154): Connect from local
Mar 15 17:57:06 batleth postfix/lmtp[5077]: > batleth.sapienti-sat.org[private/dovecot-lmtp]: LHLO batleth.sapienti-sat.org
Mar 15 17:57:06 batleth postfix/lmtp[5077]: < batleth.sapienti-sat.org[private/dovecot-lmtp]: 250-batleth.sapienti-sat.org
Mar 15 17:57:06 batleth postfix/lmtp[5077]: < batleth.sapienti-sat.org[private/dovecot-lmtp]: 250-8BITMIME
Mar 15 17:57:06 batleth postfix/lmtp[5077]: < batleth.sapienti-sat.org[private/dovecot-lmtp]: 250-CHUNKING
Mar 15 17:57:06 batleth postfix/lmtp[5077]: < batleth.sapienti-sat.org[private/dovecot-lmtp]: 250-ENHANCEDSTATUSCODES
Mar 15 17:57:06 batleth postfix/lmtp[5077]: < batleth.sapienti-sat.org[private/dovecot-lmtp]: 250-PIPELINING
Mar 15 17:57:06 batleth postfix/lmtp[5077]: < batleth.sapienti-sat.org[private/dovecot-lmtp]: 250 STARTTLS
Mar 15 17:57:06 batleth postfix/lmtp[5077]: server features: 0x17 size 0
Mar 15 17:57:06 batleth postfix/lmtp[5077]: Using LMTP PIPELINING, TCP send buffer size is 212992, PIPELINING buffer size is 4096
Mar 15 17:57:06 batleth postfix/lmtp[5077]: smtp_stream_setup: maxtime=300 enable_deadline=0
Mar 15 17:57:06 batleth postfix/lmtp[5077]: > batleth.sapienti-sat.org[private/dovecot-lmtp]: MAIL FROM:
Mar 15 17:57:06 batleth postfix/lmtp[5077]: > batleth.sapienti-sat.org[private/dovecot-lmtp]: RCPT TO:
Mar 15 17:57:06 batleth postfix/lmtp[5077]: > batleth.sapienti-sat.org[private/dovecot-lmtp]: DATA
Mar 15 17:57:06 batleth postfix/lmtp[5077]: smtp_stream_setup: maxtime=300 enable_deadline=0
Mar 15 17:57:06 batleth postfix/lmtp[5077]: < batleth.sapienti-sat.org[private/dovecot-lmtp]: 250 2.1.0 OK
Mar 15 17:57:06 batleth postfix/lmtp[5077]: smtp_stream_setup: maxtime=300 enable_deadline=0
Mar 15 17:57:06 batleth postfix/lmtp[5077]: < batleth.sapienti-sat.org[private/dovecot-lmtp]: 550 5.1.1 User doesn't exist: f...@sapienti-sat.org
Mar 15 17:57:06 batleth
lmtp and recipient_delimiter
Hi list,

I have a small problem with recipient_delimiters contained in usernames.
Recently I have extended recipient_delimiter from "+" to "+-" in both
Postfix and Dovecot (using lmtp) and now any user that has a '-' in its
username can't receive mail anymore, because lmtp truncates the localpart
after the '-' and of course can't find the first half in the user database.

To illustrate: given an account "foo-...@example.com", I get the following
log entry from postfix:
Mar 9 09:31:43 batleth postfix/lmtp[6196]: 9A7BA33E005B: to=,
relay=batleth.sapienti-sat.org[private/dovecot-lmtp], delay=20,
delays=20/0.01/0.01/0.08, dsn=5.1.1, status=bounced (host
batleth.sapienti-sat.org[private/dovecot-lmtp] said: 550 5.1.1
User doesn't exist: f...@example.com (in reply to RCPT TO command))

Is there any way to tell lmtp to first look for and if that fails look for
only (the reverse order would be ok, too)?

Thanks in advance,
  Juri

doveconf -n:
# 2.3.10 (0da0eff44): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (bf8ef1c2)
# OS: Linux 4.4.0-174-generic x86_64 Ubuntu 16.04.6 LTS ext4
# Hostname: batleth.sapienti-sat.org
auth_default_realm = sapienti-sat.org
first_valid_uid = 115
imap_idle_notify_interval = 29 mins
last_valid_uid = 115
mail_location = maildir:/srv/vmail/%Ld/%Ln
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    autoexpunge = 180 days
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    autoexpunge = 365 days
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap lmtp sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    address = 127.0.0.1 ::1
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
}
ssl_cert =
Re: Server administration
On 04/09/2019 15:26, @lbutlr via dovecot wrote:
> A lot of mail that is not spam when it arrives WILL be spam when it is
> forwarded as it will fail SPF, Fail DKIM, and any header checks will flag the
> mail as suspicious.
>
> The only way to safely forward mail is to enclose it as an attachment, and
> this is something users do not want.

IMO this is wrong. A classic forwarding (e.g. by .forward or by a MLM that
does not alter Subject and/or body) will *not* break DKIM. Therefore it will
pass e.g. DMARC...
Just have a look at the postfix-users mailing list as a good example...

Just my 2¢.
  Juri
Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]
On 09/02/2019 20:13, Michael A. Peters via dovecot wrote:
> On 2/9/19 10:48 AM, Juri Haberland via dovecot wrote:

>> Most people use OpenDMARC and there are patches to mark certain hosts as
>> mailing lists senders, so it is possible.
>
> can you please let me know where to find those patches?

https://sourceforge.net/p/opendmarc/tickets/180/

Also have a look at http://batleth.sapienti-sat.org/projects/opendmarc/.
I have an Ubuntu-PPA where you can get a package with all of the above
patches (https://launchpad.net/~haberland/+archive/ubuntu/opendmarc).

Cheers,
  Juri
Re: offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]
On 09/02/2019 19:56, Aki Tuomi via dovecot wrote:
>> On 09 February 2019 at 20:48 Juri Haberland via dovecot <dovecot@dovecot.org> wrote:

>> Most people use OpenDMARC and there are patches to mark certain hosts as
>> mailing lists senders, so it is possible.

> Wonder how many would do this though?

Yeah, unfortunately not enough...

>> And everyone using p=reject should think about it as well - as I said,
>> DMARC does not play well with mailing lists, so setting p=reject on a
>> domain used to participate on mailing lists is not wise, to say the least.
>> You should not follow Yahoo and AOL - you know, why they did it, don't you?

> Unfortunately this is usually required by many common providers such as
> microsoft and google, otherwise they refuse your mail.

That is definitely not true. They might require you to have DKIM and/or SPF
and maybe even a DMARC policy, but they definitely don't require p=reject!
Most of my domains have p=none and our mails are accepted by all major
providers...

> Hope you understand .

Understood. Had to write that mail anyway ;-)

  Juri
offtopic: rant about thoughtless enabling DMARC checks [was: Re: Bounces?]
On 09/02/2019 10:44, Aki Tuomi via dovecot wrote:
> For some reason mailman failed to "munge from" for senders with dmarc policy
> ;(
>
> It's now configured to always munge to avoid this again.

I'd say, let Mailman throw all people off the list that have enabled DMARC
checking without using exceptions for the lists they are on.
It's a known fact that DMARC does not cope well with mailing lists. Blindly
enabling DMARC checks without thinking about the consequences for themselves
should not be the problem of other well behaving participants.
Most people use OpenDMARC and there are patches to mark certain hosts as
mailing lists senders, so it is possible.

And everyone using p=reject should think about it as well - as I said,
DMARC does not play well with mailing lists, so setting p=reject on a
domain used to participate on mailing lists is not wise, to say the least.
You should not follow Yahoo and AOL - you know, why they did it, don't you?

And Aki, please go back to "munge only if needed" - munging all messages
leads to a really bad "user experience". Thanks.

Back to lurking,
  Juri
Re: ot: LE server conf setup/ iPhone 'expired cert' message
On 22/07/18 16:35, arthurjohns...@verizon.net wrote:
> Remember to restart your webserver.
>
> The following is my hook for Certbot in Apache.
>
> ==
> #!/bin/sh
> service postfix restart
> service dovecot restart
> service apache2 restart
> =

A "postfix restart" is not necessary - see Viktor Dukhovni's post
(co-developer of Postfix) on the Postfix ML:
http://postfix.1071664.n5.nabble.com/Letsencrypt-tip-tp92584p92604.html

Cheers,
  Juri
Re: DMARC mailing list rejections
On 2018-01-16 06:23, Daniel Miller wrote:

I get about a half dozen rejection messages from various servers when I post
to this list. Is there something I need to configure differently in my DMARC
record to be better compliant?

What about adding a DKIM signature to your outgoing mails before enabling
DMARC?

  Juri
Re: dmarc report faild ?
On 24.08.2017 21:05, Ivan Warren wrote:
> In the same vein,
>
> I am receiving forensic DMARC reports from mx01.nausch.org.
> It's odd, because the actual report tells me both DKIM and SPF (in the
> the of a DMARC report) pass...
>
> Here is what I am getting :

> Authentication-Results: mx01.nausch.org; dmarc=fail header.from=vmfacility.fr
> Authentication-Results: mx1.nausch.org;
> dkim=pass (2048-bit key) header.d=vmfacility.frheader.i=@vmfacility.fr
> header.b="oHXeoWbW"

> Note that the first part says authentication failed, but the second part
> (which is the mail headers for a legit DMARC aggregate report sent to
> the published DMARC rua for nausch.org) passes all the tests - both DKIM
> and SPF.
>
> I am also getting forensic reports from this MTA when posting to the list.
>
> So my guess is some...@nausch.org on this mailing list might have a
> misbehaving DMARC responder/filter.

Yes, I've seen this, too. I already mailed them, but never got a reaction.
Most likely they run an old version of Postfix which has some problems with
milters adding headers not seen by later milters...

  Juri
Re: Messages on this list are often marked as spam.
On 09.02.2017 12:13, Steven Mainor wrote:
> Well for other mailing lists I have noticed that a lot of lists add text to
> the body or subject saying what list the email is from which would cause the
> signature not to match.
>
> But the dovecot list doesn't do that so that's why I found it strange that so
> many emails fail dkim.

But it uses MimeDel, presumably to delete the HTML part of some messages thus
invalidating the DKIM signature...

  Juri
Re: Messages on this list are often marked as spam.
On 06.02.2017 23:39, Steven Mainor wrote:
> Hello,
>
> It seems that I get several emails a week from this list in my spam
> folder. Usually because the DKIM signature fails. Has anyone else
> noticed this problem or is it just me?

No, it's not just you. There are some people that have a DMARC policy but
fail to add a DKIM signature or people that use a gmail.com address but do
not relay their outgoing mail through GMail, hence missing the GMail DKIM
signature...
There is a third category that has a DKIM signature but this fails to verify
for whatever reason...

  Juri
Re: Redirect indicator issue in Maildir flag seems to be an issue [missing?]
On 23.04.2016 20:27, Andrew McGlashan wrote:
> Hi,

Hi Andrew,

> I've got an issue with the latest Thunderbird, although I'm not sure
> this is when the problem started (version 45.0) it has an add-on
> "mailredirect (version 0.8.7)".
>
> In the past I've been able to redirect mail (bounce them) and I get a
> nice little green arrow like indicator (in TB) to show that I
> redirected the particular email.

I use the redirect mail plugin as well, even though currently with
Thunderbird 38.6.0 on Linux (Ubuntu) together with Dovecot 2.2.23 and I
don't see this problem. The only thing that I see is that with Squirrelmail
I never get this little green arrow (or a 'b' at the end of the filename
(using maildir)).

So it's either the new Thunderbird, or the old Dovecot...
Isn't much of a help, but a data point at least...

Cheers,
  Juri