Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

2020-08-26 Thread Chris via mailop

On 2020-08-26 15:50, ml+mailop--- via mailop wrote:
> On Wed, Aug 26, 2020, Michael Peddemors via mailop wrote:
>
>> There SHOULD be a URL associated with the domain ('mydomain.com') in the PTR..
>
> Ah, the stuff you suggested on ietf-smtp and which got "rejected" by
> pretty one every one who replied?

Having a standards group reject it isn't the same thing as best 
practices, and having a web site associated with your domain is 
considered "best" in many (at least informal) BCPs.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Mark Foster via mailop
I think the option of forcing TLS within a closed community is fine. 

I think the option of forcing TLS on the wide-wide-internet is a
minefield for anyone who needs to communicate outside of a relatively
closed network... because Email supports fall-back-to-plain-text by
design, and it's hard to mandate that someone else adhere to an ideal
standard if they, at the end of the day, 'don't have to'. 

Or to put it another way, I have to work on the assumption that when it
leaves my controlled domain, it could wind up transiting a plain-text
communications link. Opportunistic TLS covers >99% of my email, but I
have to plan for the 1%.  There's no assurance. 

Until there is, because literally everyone can be assumed to have it. 

It might be a better win to start by using TLS transit as a spam scoring
mechanism... reduce the priority or deliverability of email that
originates from a non-TLS platform.. consequences that aren't the same
as a black-and-white refusal might be enough to compel a change in
behavior. 

Email for me is still a fundamentally untrusted information exchange
medium, if I have a real requirement for security I'm going to have to
add layers on top.  And because of that, I can officially 'not care'
about a failure to support STARTTLS, because I always assume that'll
probably be the case at some stage anyway. 

Regards,
Mark. 

On 2020-08-27 08:33, Scott Mutter via mailop wrote:

> Well, I really just wanted to see what the rest of the community was doing in 
> regards to this.  Seems the resounding answer is a "prefer TLS, but don't 
> disqualify if no TLS" or "opportunistic" TLS. 
> 
> However, experience has also taught me, if you don't force people to make 
> changes then they're not going to change.  In regards to that, maybe this 
> never becomes an issue.  But if the point is to go all TLS all the time, 
> you're going to have to publicly shame those that are dragging their feet or 
> just cut off communication with them entirely.  Maybe some of the 
> administrators to these mail servers don't realize that their mail servers 
> aren't handling STARTTLS and bringing awareness to that (in the form of their 
> users not receiving all of their emails) is a way to light a fire under them. 
> 
> I just wanted to gauge what other mail server administrators were doing in 
> regards to this.  The response is kind of what i expected, but the shift in 
> wanting TLS and encryption on every connection, kind of made me question what 
> the response would be. 
> 
> On Wed, Aug 26, 2020 at 3:02 PM Michael Orlitzky via mailop wrote:
> 
>> On 2020-08-26 12:50, Scott Mutter via mailop wrote:
>>> I've been toying with the idea of forcing outbound SMTP connections to
>>> use TLS, but thought I'd take a quick look and see who might miss mail
>>> if this done. 
>> 
>> This sounds good at first but if you make a flow chart, all paths lead
>> to either "nothing changes" or "shoot yourself in the foot." There's no
>> scenario that I know of where forcing TLS (as opposed to "opportunistic"
>> TLS) improves anything.


Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Tim Bray via mailop

On 26/08/2020 21:33, Scott Mutter via mailop wrote:
> I just wanted to gauge what other mail server administrators were
> doing in regards to this.  The response is kind of what i expected,
> but the shift in wanting TLS and encryption on every connection, kind
> of made me question what the response would be.


My mail admin is for a small corporate.

I did some work last year and at the start of this year to look at the 
mix of TLS flavours and not TLS we get.


Majority of email using TLS1.2 or better.

We did find 3 or 4 regular customers and suppliers stuck with TLSv1.   
Usually onsite MS exchange servers.   We had a chat and they all 
upgraded pretty sharpish.  (not sure what their IT support people have 
been doing for the past many years)


Inbound, almost everything useful has some kind of TLS. Exceptions are a 
mailinglist a few people are subscribed to.


Outbound, less so.

I decided we would miss out on orders and enquiries if we mandated 
TLS1.2.   We publish MTA-STS.


I did wonder whether I could look at changing inbound subjects to 
`insecure` for email delivered with less than TLSv1.2


I'm not sure how much effort I want to put into contacting all our 
customers to tell them to sort their stuff out



My advice for everybody is to pop over to https://internet.nl/ and test 
your email domains. And your friends, customers, people you deal with.


Then test an inbound email at https://ssl-tools.net/mailservers

https://www.hardenize.com/ is pretty good as well.


--
Tim Bray
Huddersfield, GB
t...@kooky.org
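
Added example, not part of the original thread: one way to measure from outbound delivery logs the TLS mix and the breakage that forcing TLS would cause, as discussed in this message and in the reply suggesting log data. It assumes Postfix-style smtp client log lines written with `smtp_tls_loglevel = 1`; the sample log, host names and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: Postfix-style smtp client log lines as written with
# smtp_tls_loglevel = 1 (an assumption; adapt the patterns for other MTAs).
# Host names and addresses are reserved documentation values.
SAMPLE_LOG = """\
Aug 26 12:50:01 mx1 postfix/smtp[2101]: Trusted TLS connection established to mx.bigmail.example[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Aug 26 12:50:02 mx1 postfix/smtp[2101]: 4A1B2C3D4E: to=<alice@bigmail.example>, relay=mx.bigmail.example[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.6/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Aug 26 12:50:02 mx1 postfix/smtp[2101]: 4A1B2C3D4E: to=<bob@bigmail.example>, relay=mx.bigmail.example[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.6/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Aug 26 12:51:10 mx1 postfix/smtp[2101]: 4A1B2C3D4F: to=<orders@oldfirewall.example>, relay=mail.oldfirewall.example[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 OK)
Aug 26 12:52:05 mx1 postfix/smtp[2102]: Untrusted TLS connection established to exch.supplier.example[203.0.113.5]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Aug 26 12:52:06 mx1 postfix/smtp[2102]: 4A1B2C3D50: to=<carol@supplier.example>, relay=exch.supplier.example[203.0.113.5]:25, delay=1.4, delays=0.1/0/0.8/0.5, dsn=2.0.0, status=sent (250 2.6.0 Queued)
Aug 26 12:52:40 mx1 postfix/smtp[2103]: 4A1B2C3D51: to=<dave@down.example>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mail.down.example[198.51.100.99]:25: Connection timed out)
"""

# "<level> TLS connection established to host[ip]:port: <protocol> with cipher ..."
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: \w+ TLS connection established to "
    r"(?P<relay>\S+?): (?P<proto>TLSv[\d.]+|SSLv\d)"
)
# "<queue-id>: to=<user@domain>, relay=host[ip]:port, ..., status=sent (...)"
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: \w+: to=<[^>@]*@(?P<domain>[^>]+)>,"
    r".*?\brelay=(?P<relay>[^,]+),.*?\bstatus=(?P<status>\w+)"
)

# Protocol versions below TLS 1.2, reported separately from cleartext.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}


def tally(log_text):
    """Return {recipient_domain: Counter} of sent mail per protocol or 'cleartext'.

    Heuristic: a delivery counts as TLS only if the same smtp process logged a
    TLS handshake to the same relay immediately before it; otherwise cleartext.
    """
    tls_by_pid = {}  # pid -> (relay, protocol) of that process's last handshake
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_by_pid[m["pid"]] = (m["relay"], m["proto"])
            continue
        m = DELIVERY_RE.search(line)
        if not m or m["status"] != "sent":
            continue  # deferred and bounced mail says nothing about TLS support
        relay, proto = tls_by_pid.get(m["pid"], (None, None))
        if relay != m["relay"]:
            proto = "cleartext"
            tls_by_pid.pop(m["pid"], None)  # handshake belonged to another relay
        stats[m["domain"].lower()][proto] += 1
    return stats


def classify(stats):
    """Group domains by the effect of forcing TLS, or TLS 1.2 and later."""
    report = {"would_break": [], "legacy_tls": [], "ok": []}
    for domain, counts in sorted(stats.items()):
        if counts["cleartext"]:
            report["would_break"].append(domain)  # mandatory TLS stops this mail
        elif any(counts[p] for p in LEGACY):
            report["legacy_tls"].append(domain)   # a TLS 1.2 floor stops this mail
        else:
            report["ok"].append(domain)           # candidate for per-domain enforcement
    return report


def cleartext_share(stats):
    """Fraction of sent messages that left without TLS."""
    total = sum(sum(c.values()) for c in stats.values())
    clear = sum(c["cleartext"] for c in stats.values())
    return clear / total if total else 0.0


if __name__ == "__main__":
    stats = tally(SAMPLE_LOG)
    for bucket, domains in classify(stats).items():
        print(f"{bucket:12} {', '.join(domains) or '-'}")
    print(f"cleartext share of sent mail: {cleartext_share(stats):.0%}")
```
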




Re: [mailop] [EXTERNAL] SNDS Request Access Problem

2020-08-26 Thread Michael Wise via mailop

You’re going to have to chat with your upstream provider about that, otherwise 
anyone I could point in your direction is going to say pretty much the same 
thing: Go thru the support funnel.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail ?

From: mailop  On Behalf Of Thiago Rodrigo F. 
Rodrigues via mailop
Sent: Wednesday, August 26, 2020 1:46 PM
To: mailop 
Subject: [EXTERNAL] [mailop] SNDS Request Access Problem

Hello Mailop.

I'm trying to register an IP range in SNDS but the request access page is not 
giving me the correct whois email for validation.

SNDS are parsing emails from the comment section of the whois for the CERT.br 
ranges. Anyone had a similar issue recently ?

Someone from MS could ping me off-list ?

Regards.

--
Thiago Rodrigues
Quality Coordinator
+55 011 3544 0513 | 3544 0562
Email: trodrig...@allin.com.br
Skype: @thiago.rfr



[mailop] SNDS Request Access Problem

2020-08-26 Thread Thiago Rodrigo F. Rodrigues via mailop
Hello Mailop.

I'm trying to register an IP range in SNDS but the request access page is
not giving me the correct whois email for validation.

SNDS are parsing emails from the comment section of the whois for the
CERT.br ranges. Anyone had a similar issue recently ?

Someone from MS could ping me off-list ?

Regards.

-- 

Thiago Rodrigues
Quality Coordinator
+55 011 3544 0513 | 3544 0562

Email: trodrig...@allin.com.br
Skype: @thiago.rfr



Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Scott Mutter via mailop
Well, I really just wanted to see what the rest of the community was doing
in regards to this.  Seems the resounding answer is a "prefer TLS, but
don't disqualify if no TLS" or "opportunistic" TLS.

However, experience has also taught me, if you don't force people to make
changes then they're not going to change.  In regards to that, maybe this
never becomes an issue.  But if the point is to go all TLS all the time,
you're going to have to publicly shame those that are dragging their feet
or just cut off communication with them entirely.  Maybe some of the
administrators to these mail servers don't realize that their mail servers
aren't handling STARTTLS and bringing awareness to that (in the form of
their users not receiving all of their emails) is a way to light a fire
under them.

I just wanted to gauge what other mail server administrators were doing in
regards to this.  The response is kind of what i expected, but the shift in
wanting TLS and encryption on every connection, kind of made me question
what the response would be.

On Wed, Aug 26, 2020 at 3:02 PM Michael Orlitzky via mailop <
mailop@mailop.org> wrote:

> On 2020-08-26 12:50, Scott Mutter via mailop wrote:
> > I've been toying with the idea of forcing outbound SMTP connections to
> > use TLS, but thought I'd take a quick look and see who might miss mail
> > if this done.
>
> This sounds good at first but if you make a flow chart, all paths lead
> to either "nothing changes" or "shoot yourself in the foot." There's no
> scenario that I know of where forcing TLS (as opposed to "opportunistic"
> TLS) improves anything.


Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Liam Fisher via mailop

Agreed - this is the road to escalations and suffering.



On 8/26/2020 4:02 PM, Michael Orlitzky via mailop wrote:
> On 2020-08-26 12:50, Scott Mutter via mailop wrote:
>> I've been toying with the idea of forcing outbound SMTP connections to
>> use TLS, but thought I'd take a quick look and see who might miss mail
>> if this done.
>
> This sounds good at first but if you make a flow chart, all paths lead
> to either "nothing changes" or "shoot yourself in the foot." There's no
> scenario that I know of where forcing TLS (as opposed to "opportunistic"
> TLS) improves anything.



Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Michael Orlitzky via mailop
On 2020-08-26 12:50, Scott Mutter via mailop wrote:
> I've been toying with the idea of forcing outbound SMTP connections to
> use TLS, but thought I'd take a quick look and see who might miss mail
> if this done. 

This sounds good at first but if you make a flow chart, all paths lead
to either "nothing changes" or "shoot yourself in the foot." There's no
scenario that I know of where forcing TLS (as opposed to "opportunistic"
TLS) improves anything.



Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

2020-08-26 Thread ml+mailop--- via mailop
On Wed, Aug 26, 2020, Michael Peddemors via mailop wrote:

> There SHOULD be a URL associated with the domain ('mydomain.com') in the PTR..

Ah, the stuff you suggested on ietf-smtp and which got "rejected" by
pretty one every one who replied?



Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

2020-08-26 Thread Jaroslaw Rafa via mailop
On 26.08.2020 at 12:29:38, Michael Peddemors via mailop wrote:
> There SHOULD be a URL associated with the domain ('mydomain.com') in
> the PTR.. And that URL should reflect the organization that is
> responsible for activity related to that domain..

No, it is a nonsense requirement.
Mail is mail, web is web. Two COMPLETELY DIFFERENT SERVICES.
Period.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."



Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Jaroslaw Rafa via mailop
On 26.08.2020 at 11:50:01, Scott Mutter via mailop wrote:
> I should note, forcing TLS is different from preferring TLS.  I think a lot
> of MTAs (at least Exim, I think?) prefer TLS and will attempt to negotiate
> a STARTTLS session, but if that fails, then it will continue without TLS.

This is called "opportunistic TLS" and is currently default setting in pretty
much all MTAs. Should not be changed to mandatory TLS, because - as you
already noticed - there are still receiving servers that don't support TLS,
and you may lose mail deliverability if you use mandatory TLS on sending.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."



Re: [mailop] [EXTERNAL] Re: Deutsche Telekom rejects connections because of missing "provider identification"

2020-08-26 Thread Michael Wise via mailop


Shared infrastructure places ... like Office365 for instance, might find that 
problematic.

Also, some senders prefer for security reason, either "Privacy" or fear of 
DDOS, to hide behind the Infrastructure of Others.

Senders like Law Offices, certain corporations and such like.



Now if there's some other way to do that, I'm sure we'd be all ears.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail ?



-Original Message-
From: mailop On Behalf Of Michael Peddemors via mailop
Sent: Wednesday, August 26, 2020 12:30 PM
To: mailop@mailop.org
Subject: [EXTERNAL] Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

More and more companies are requiring transparency.

mail.mydomain.com

There SHOULD be a URL associated with the domain ('mydomain.com') in the
PTR.. And that URL should reflect the organization that is responsible
for activity related to that domain.. I will have to dig up that M3AAWG
Best Practices document, but it is also enshrined in many Anti-Spam
legislation recommendations as well..

I remember years back when involved in the Canadian task force, that was
also a recommendation..

On 2020-08-26 12:06 p.m., ml+mailop--- via mailop wrote:
>> But it was enough to have the imprint visible for them just for the
>
> Sorry for a stupid question: What is "the imprint"?
> Does that mean you have to operate a web server with an "Impressum"
> (I guess that's the German word?) if you want to send mail?








--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com/ @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca/
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.




Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

2020-08-26 Thread Michael Peddemors via mailop

More and more companies are requiring transparency.

mail.mydomain.com

There SHOULD be a URL associated with the domain ('mydomain.com') in the 
PTR.. And that URL should reflect the organization that is responsible 
for activity related to that domain.. I will have to dig up that M3AAWG 
Best Practices document, but it is also enshrined in many Anti-Spam 
legislation recommendations as well..


I remember years back when involved in the Canadian task force, that was 
also a recommendation..


On 2020-08-26 12:06 p.m., ml+mailop--- via mailop wrote:
>> But it was enough to have the imprint visible for them just for the
>
> Sorry for a stupid question: What is "the imprint"?
> Does that mean you have to operate a web server with an "Impressum"
> (I guess that's the German word?) if you want to send mail?






--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

2020-08-26 Thread ml+mailop--- via mailop
> But it was enough to have the imprint visible for them just for the

Sorry for a stupid question: What is "the imprint"?
Does that mean you have to operate a web server with an "Impressum"
(I guess that's the German word?) if you want to send mail?



Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

2020-08-26 Thread Felix Zielcke via mailop
On Wednesday, 26.08.2020, at 19:36 +0200, flo via mailop wrote:
> Hi there
> 
> Have any of you had any bad experiences with Deutsche Telekom lately?
> They put one of my servers on their blacklist after an IP change with
> the reason that I have to provide an imprint on that machine.
> Have I missed something? Is this how it is done now?
> I have been running mail servers for years, both professionally and in
> my private life, never had problems of this kind before.
> I prefer not to put my private address unprotected on the internet.
> 
> Flo
> 

Hi Flo,

that's how it works now, if you want to send mails to them. I had that
problem too, when my server IP changed.
But it was enough to have the imprint visible for them just for the
short time until they approved it. And then I directly removed it
again.

Felix




Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Bill Cole via mailop

On 26 Aug 2020, at 12:50, Scott Mutter via mailop wrote:

> How many mail operators out there are forcing outbound SMTP communications
> to use TLS?  Is this a common practice now?

It is very uncommon.

> I know secure everything and
> TLS everywhere is a popular movement at this moment.

It certainly gets a lot of talk...

> I've noticed that Constant Contact (constantcontact.com - at least the mail
> server at 205.207.104.108) and yahoo.co.jp (67.195.204.74) don't appear to
> be accepting STARTTLS.  Is that strange?

Strange, but only because they are relatively big names. There's still a 
lot of insecurity in the long tail.

[...]

> I've been toying with the idea of forcing outbound SMTP connections to use
> TLS, but thought I'd take a quick look and see who might miss mail if this
> done.  It looks like most mail servers handle TLS, I haven't extended this
> test to a lot of servers yet so it may just be that the mail servers I have
> enacted this on are small volume senders.

You can get away with it if you do not have substantial volume and 
diversity in where you send mail to.

For example, it has been >6 months since my personal mail server has 
sent out a message not using TLS. However, that's just a couple hundred 
messages sent to a few dozen distinct mail systems. One of the systems I 
help administer handles about that volume daily, with about the same 
diversity, but it sends in the clear multiple times per day because of a 
handful of specific business relationships between our customers and 
companies that happen to run shoddy mail systems. To this day there are 
still mail servers sitting behind firewalls that break TLS (e.g. 
PIX/ASA.)

> I should note, forcing TLS is different from preferring TLS.  I think a lot
> of MTAs (at least Exim, I think?) prefer TLS and will attempt to negotiate
> a STARTTLS session, but if that fails, then it will continue without TLS.
> By forcing TLS, I'm telling my server to close the connection if a STARTTLS
> session can't be started.  Are any other mail server admins doing this?  Or
> is it still too early to require this?

Too early for any mail system with diverse users who have normal service 
level expectations, unless you carefully examine your actual mail 
stream and determine that none of your users routinely send mail to 
companies using poorly-administered mail servers or Cisco firewalls.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)



[mailop] Deutsche Telekom rejects connections because of missing "provider identification"

2020-08-26 Thread flo via mailop
Hi there

Have any of you had any bad experiences with Deutsche Telekom lately?
They put one of my servers on their blacklist after an IP change with
the reason that I have to provide an imprint on that machine.
Have I missed something? Is this how it is done now?
I have been running mail servers for years, both professionally and in
my private life, never had problems of this kind before.
I prefer not to put my private address unprotected on the internet.

Flo



Re: [mailop] [E] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Marcel Becker via mailop
On Wed, Aug 26, 2020 at 9:59 AM Scott Mutter via mailop wrote:

> yahoo.com appears to handle STARTTLS but yahoo.co.jp does not.  There may
> be other country/region specific Yahoo domains that don't.

Independent of the topic, note that Yahoo Japan is not run or owned by
Verizon Media which owns and runs Yahoo Mail. So we have no control over
what yahoo.co.jp does or doesn't do.


Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Michael Peddemors via mailop

Too early yet.. (to enforce globally)

But start selectively forcing it for the bigger players known to support 
this..




On 2020-08-26 9:50 a.m., Scott Mutter via mailop wrote:
> How many mail operators out there are forcing outbound SMTP
> communications to use TLS?  Is this a common practice now?  I know
> secure everything and TLS everywhere is a popular movement at this moment.
>
> I've noticed that Constant Contact (constantcontact.com - at least the
> mail server at 205.207.104.108) and yahoo.co.jp (67.195.204.74)
> don't appear to be accepting STARTTLS.  Is that strange?
>
> yahoo.com appears to handle STARTTLS but yahoo.co.jp does not.  There
> may be other country/region specific Yahoo domains that don't.
>
> I'm just wondering if that is common.  Perhaps the administrators of
> these mail servers are unaware of this?  Constant Contact - whose
> primary purpose would seem to be to insure mail delivering - not
> accepting STARTTLS seems extremely strange.
>
> I've been toying with the idea of forcing outbound SMTP connections to
> use TLS, but thought I'd take a quick look and see who might miss mail
> if this done.  It looks like most mail servers handle TLS, I haven't
> extended this test to a lot of servers yet so it may just be that the
> mail servers I have enacted this on are small volume senders.
>
> I should note, forcing TLS is different from preferring TLS.  I think a
> lot of MTAs (at least Exim, I think?) prefer TLS and will attempt to
> negotiate a STARTTLS session, but if that fails, then it will continue
> without TLS.  By forcing TLS, I'm telling my server to close the
> connection if a STARTTLS session can't be started.  Are any other mail
> server admins doing this?  Or is it still too early to require this?







--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Anthony Purcell via mailop
Constant Contact sends mail. Not sure how that relates to their receiving 
practices. Have you looked into MTA-STS? It does not fulfill your desire, but 
gets you a lot closer. Log data should give you an idea of how much breakage 
you can expect with forcing TLS.


Thanks,


> On Aug 26, 2020, at 9:50 AM, Scott Mutter via mailop wrote:
> 
> How many mail operators out there are forcing outbound SMTP communications to 
> use TLS?  Is this a common practice now?  I know secure everything and TLS 
> everywhere is a popular movement at this moment.
> 
> I've noticed that Constant Contact (constantcontact.com - at least the mail 
> server at 205.207.104.108) and yahoo.co.jp (67.195.204.74) don't appear to be 
> accepting STARTTLS.  Is that strange?
> 
> yahoo.com appears to handle STARTTLS but yahoo.co.jp does not.  There may be 
> other country/region specific Yahoo domains that don't.
> 
> I'm just wondering if that is common.  Perhaps the administrators of these 
> mail servers are unaware of this?  Constant Contact - whose primary purpose 
> would seem to be to insure mail delivering - not accepting STARTTLS seems 
> extremely strange.
> 
> I've been toying with the idea of forcing outbound SMTP connections to use 
> TLS, but thought I'd take a quick look and see who might miss mail if this 
> done.  It looks like most mail servers handle TLS, I haven't extended this 
> test to a lot of servers yet so it may just be that the mail servers I have 
> enacted this on are small volume senders.
> 
> I should note, forcing TLS is different from preferring TLS.  I think a lot 
> of MTAs (at least Exim, I think?) prefer TLS and will attempt to negotiate a 
> STARTTLS session, but if that fails, then it will continue without TLS.  By 
> forcing TLS, I'm telling my server to close the connection if a STARTTLS 
> session can't be started.  Are any other mail server admins doing this?  Or 
> is it still too early to require this?


[mailop] STARTTLS - Constant Contact and yahoo.co.jp

2020-08-26 Thread Scott Mutter via mailop
How many mail operators out there are forcing outbound SMTP communications
to use TLS?  Is this a common practice now?  I know secure everything and
TLS everywhere is a popular movement at this moment.

I've noticed that Constant Contact (constantcontact.com - at least the mail
server at 205.207.104.108) and yahoo.co.jp (67.195.204.74) don't appear to
be accepting STARTTLS.  Is that strange?

yahoo.com appears to handle STARTTLS but yahoo.co.jp does not.  There may
be other country/region specific Yahoo domains that don't.

I'm just wondering if that is common.  Perhaps the administrators of these
mail servers are unaware of this?  Constant Contact - whose primary purpose
would seem to be to insure mail delivering - not accepting STARTTLS seems
extremely strange.

I've been toying with the idea of forcing outbound SMTP connections to use
TLS, but thought I'd take a quick look and see who might miss mail if this
done.  It looks like most mail servers handle TLS, I haven't extended this
test to a lot of servers yet so it may just be that the mail servers I have
enacted this on are small volume senders.

I should note, forcing TLS is different from preferring TLS.  I think a lot
of MTAs (at least Exim, I think?) prefer TLS and will attempt to negotiate
a STARTTLS session, but if that fails, then it will continue without TLS.
By forcing TLS, I'm telling my server to close the connection if a STARTTLS
session can't be started.  Are any other mail server admins doing this?  Or
is it still too early to require this?