Re: [mailop] Is forwarding to Gmail basically dead?

2024-02-07 Thread Marco Moock via mailop
On Wed, 07 Feb 2024 20:51:15 -0600,
Jarland Donnell via mailop wrote:

> Is it time to throw in the towel on email forwarding?

I think so.
Every mechanism has its own disadvantages.

> Nearly 100% of users who forward email do so because they want it in
> Gmail.

Which type of users?
Due to privacy, forwarding to GMail is already a nightmare.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Is forwarding to Gmail basically dead?

2024-02-07 Thread 황병희
Hello Jarland,

2-07 at 20:51 -0600, Jarland Donnell via mailop wrote:
> (...)
> Is it time to throw in the towel on email forwarding? Nearly 100% of 
> users who forward email do so because they want it in Gmail. (...)

How about this?
https://gitlab.com/soyeomul/stuff/-/raw/7a68692f2a6f7c5b03f7a5fa04bb79167c04cab2/82963489e8bbeb08644aeba29f722...@mxroute.com


Sincerely, Byunghee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[mailop] Is forwarding to Gmail basically dead?

2024-02-07 Thread Jarland Donnell via mailop
Aside from the question in the subject, because I see this brought up a 
lot on the mailing list in relation to email forwarding, would passing 
ARC signatures even matter when the problem is that Google is 
increasingly rejecting forwarded emails due to the DMARC policy of the 
original sender domain?


We've had great results for a long time just using SRS. I know how some 
of you feel about it, but using the tools in front of me, SRS has done 
the job. But now that Google is pushing DMARC harder, more and more 
domains are setting their DMARC policy to reject, and Google appears to 
at least be enforcing this more than before. From the look of it, we can 
no longer forward emails from Yahoo to Gmail:


550-5.7.26 Unauthenticated email from yahoo.com is not accepted due to 
domain's DMARC policy. Please contact the administrator of yahoo.com 
domain if this was a legitimate mail. To learn about the DMARC 
initiative, go to https://support.google.com/mail/?p=DmarcRejection 
ev25-20020a056808291900b003be1cb5a890si971207oib.250 - gsmtp


Is it time to throw in the towel on email forwarding? Nearly 100% of 
users who forward email do so because they want it in Gmail. POP3 fetch 
has its own concerns (local to local mail imported over POP3 fails SPF 
on import and gets filtered to spam). I'm quite skeptical that ARC fixes 
anything but theory and how people wish it was (or hope for it to be) 
trusted.
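
The bounce above comes down to DMARC identifier alignment: SRS lets SPF pass for the forwarder's envelope domain, but that domain no longer matches the From: domain, so only a surviving DKIM signature from the author's domain can produce a pass. An added sketch, not part of the original post; `forwarder.example`, the function names and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Assumption of this sketch: real evaluators use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    """DMARC identifier alignment: exact match (strict) or same
    organizational domain (relaxed, the default)."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Delivery:
    header_from: str      # domain in the visible From: header
    envelope_from: str    # MAIL FROM domain, the identity SPF authenticates
    spf_pass: bool        # connecting IP authorised by envelope_from's SPF?
    dkim: List[Tuple[str, bool]] = field(default_factory=list)  # (d=, verified?)


def dmarc(msg: Delivery, policy: str = "reject",
          aspf: str = "r", adkim: str = "r") -> Dict[str, object]:
    """A pass needs SPF or DKIM to both verify and align with From:."""
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from,
                                      aspf == "s")
    dkim_ok = any(ok and aligned(d, msg.header_from, adkim == "s")
                  for d, ok in msg.dkim)
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "result": "pass" if passed else "fail",
        "disposition": "accept" if passed or policy == "none" else policy,
    }


# Constructed scenarios. forwarder.example is a hypothetical forwarding host;
# yahoo.com is the author domain named in the bounce, evaluated with p=reject.
SCENARIOS = {
    "direct": Delivery(
        "yahoo.com", "yahoo.com", True, [("yahoo.com", True)]),
    "srs, dkim intact": Delivery(
        "yahoo.com", "forwarder.example", True, [("yahoo.com", True)]),
    "srs, dkim broken": Delivery(
        "yahoo.com", "forwarder.example", True, [("yahoo.com", False)]),
    "srs, dkim broken, forwarder re-signs": Delivery(
        "yahoo.com", "forwarder.example", True,
        [("yahoo.com", False), ("forwarder.example", True)]),
    "no srs, dkim broken": Delivery(
        "yahoo.com", "yahoo.com", False, [("yahoo.com", False)]),
}


def run_scenarios(policy: str = "reject") -> Dict[str, Dict[str, object]]:
    return {name: dmarc(msg, policy) for name, msg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:40s} {verdict}")
```

In every forwarded scenario SPF is unaligned whether or not SRS is applied, so the outcome depends only on whether the author domain's DKIM signature still verifies at the final receiver.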



Re: [mailop] [E] Re: problem setting up open-dmarc

2024-02-07 Thread Royce Williams via mailop
On Wed, Feb 7, 2024 at 7:14 AM Marcel Becker via mailop 
wrote:

> On Wed, Feb 7, 2024 at 7:46 AM Royce Williams via mailop <
> mailop@mailop.org> wrote:
>
>> This only applies if you're sending more than 5000 messages per day.
>>> Most smaller senders are still fine using only "SPF *or* DKIM" and do
>>> not *need* a DMARC record:
>>>
>>> https://support.google.com/a/answer/81126
>>> 
>>
>>
>> Unfortunately, this is not correct, despite the official documentation.
>> There are multiple reports on Reddit and other places of people getting the
>> explicit "authentication required" SMTP response at much lower volumes.
>> I've also experienced it directly myself, on domains that I directly
>> control that don't do 50 a day, let alone 5000.
>>
>
> "authentication required" means just that: authenticate your traffic with
> DKIM or SPF. That is required for everybody. DMARC is only required for
> bulk senders. Both the statement you replied to and the official
> documentation are correct.
>

Yep, I was incorrect - turns out my issue was a DKIM problem on my side,
*not* lack of DMARC. Apologies for the noise.

-- 
Royce


Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Slavko via mailop
On 7 February 2024 22:09:18 UTC, Atro Tossavainen via mailop wrote:

>Now if that was a problem and this private secret got out because of
>a query that was just done through Google a few minutes ago, we'd
>find out in no time at all because Spamhaus would shut this private
>secret down. I also expect we wouldn't have been the first ones to
>explore this "problem" if it was one.

DNS traffic is not encrypted, only encoded in public format, thus any
router/hop (in public net) can see your DQS, or any other, key included
in query name. And without qname minimisation, you will share it
with root & TLD nameservers too (and with hops to them).

While I prefer not to share anything with Google, IMO it doesn't
matter, as the key is not private in any way.

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Atro Tossavainen via mailop
> ... but that does mean trusting 8.8.8.8 with your private secret.

From Spamhaus documentation:

"access to public mirrors requires the use of a non-public, non-shared DNS 
resolver (therefore excluding services like Google Public DNS), while DQS can 
use any DNS channel"

https://docs.spamhaus.com/datasets/docs/source/70-access-methods/data-query-service/010-dqs-differences.html

Now if that was a problem and this private secret got out because of
a query that was just done through Google a few minutes ago, we'd
find out in no time at all because Spamhaus would shut this private
secret down. I also expect we wouldn't have been the first ones to
explore this "problem" if it was one.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/


Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Andrew C Aitchison via mailop

On Wed, 7 Feb 2024, Atro Tossavainen via mailop wrote:

>> Otherwise you need to stop using Spamhaus -- even if you sign-up,
>> perhaps because of the query volume, you still must query them
>> directly not via a public resolver.
>
> This is not true.
>
> One of the main points of DQS is that the DNS service you use no
> longer matters. They don't need to block the server - if you misused
> the DQS (whatever the definition of misuse might be), they can simply
> block *you* from accessing the data, not *all users of the same DNS
> infrastructure*.

... but that does mean trusting 8.8.8.8 with your private secret.

> [atossava@x ~]$ nslookup
> > server 8.8.8.8
> Default server: 8.8.8.8
> Address: 8.8.8.8#53
>
> > 2.0.0.127.zen.spamhaus.org
> Server: 8.8.8.8
> Address:8.8.8.8#53
>
> ** server can't find 2.0.0.127.zen.spamhaus.org: NXDOMAIN
> > 2.0.0.127.[DQS zone].zen.dq.spamhaus.net
> Server: 8.8.8.8
> Address:8.8.8.8#53
>
> Non-authoritative answer:
> Name:   2.0.0.127.[DQS zone].zen.dq.spamhaus.net
> Address: 127.0.0.2
> Name:   2.0.0.127.[DQS zone].zen.dq.spamhaus.net
> Address: 127.0.0.10
> Name:   2.0.0.127.[DQS zone].zen.dq.spamhaus.net
> Address: 127.0.0.4
>
> --
> Atro Tossavainen, Founder, Partner
> Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
> Tallinn, Estonia
> tel. +372-5883-4269, https://www.koliloks.eu/

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Atro Tossavainen via mailop
> Otherwise you need to stop using Spamhaus -- even if you sign-up,
> perhaps because of the query volume, you still must query them
> directly not via a public resolver.

This is not true.

One of the main points of DQS is that the DNS service you use no
longer matters. They don't need to block the server - if you misused
the DQS (whatever the definition of misuse might be), they can simply
block *you* from accessing the data, not *all users of the same DNS
infrastructure*.

[atossava@x ~]$ nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53

> 2.0.0.127.zen.spamhaus.org
Server: 8.8.8.8
Address:8.8.8.8#53

** server can't find 2.0.0.127.zen.spamhaus.org: NXDOMAIN
> 2.0.0.127.[DQS zone].zen.dq.spamhaus.net
Server: 8.8.8.8
Address:8.8.8.8#53

Non-authoritative answer:
Name:   2.0.0.127.[DQS zone].zen.dq.spamhaus.net
Address: 127.0.0.2
Name:   2.0.0.127.[DQS zone].zen.dq.spamhaus.net
Address: 127.0.0.10
Name:   2.0.0.127.[DQS zone].zen.dq.spamhaus.net
Address: 127.0.0.4

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, https://www.koliloks.eu/


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Randolf Richardson, Postmaster via mailop
> On Wed, Feb 7, 2024, 4:55AM Andreas S. Kerber via mailop 
> wrote:
> 
> > On Wed, Feb 07, 2024 at 02:20:25PM +0100, Jaroslaw Rafa via mailop wrote:
> > > For outgoing, Google requires that you have DMARC record set up. So if you
> > > are sending anything to Google, you need that.
> >
> > This only applies if you're sending more than 5000 messages per day.
> > Most smaller senders are still fine using only "SPF *or* DKIM" and do not
> > *need* a DMARC record:
> >
> > https://support.google.com/a/answer/81126
> 
> Unfortunately, this is not correct, despite the official documentation.
> There are multiple reports on Reddit and other places of people getting the
> explicit "authentication required" SMTP response at much lower volumes.
> I've also experienced it directly myself, on domains that I directly
> control that don't do 50 a day, let alone 5000.

I've seen this multiple times with newly onboarded clients who were 
having these exact problems with their previous providers -- once our 
systems generate the needed keys and DNS records for SPF, DKIM, and 
DMARC, their delivery problems cease.

In my opinion, all mail systems should be using SPF with DKIM, and 
senders should also publish a DMARC "p=reject" policy as this will 
help most mail servers stop forgeries before reaching any queues.

On a few rare occasions we received reports from users who forwarded 
copies of SMTP 5yz rejections because the sender didn't have their 
SPF records configured correctly, and we've made internal whitelist 
exceptions for those (that will eventually expire, and our users know 
this and have informed their senders of the deadlines).

I greatly value the SPF/DKIM/DMARC mechanisms because it means my 
clients don't get forgeries that look like they came from their 
co-workers.  (In a few cases, some of those forgeries included 
attachments of old documents dated from times of past security 
breaches, which tend to appear more credible to recipients.)

-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, Beautiful British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Randolf Richardson, Postmaster via mailop
What's in the configuration file now?  If you could share what the 
settings are (with comments stripped out and any sensitive 
information removed -- you'll need to manually inspect for any 
passwords, etc., that you don't want to reveal and redact them).

Do you have the milter configuration aspect covered in sendmail?

> Thanks a lot, I am using sendmail as my mta.
> 
> On Wed, 07 Feb 2024 00:39:41 -0500,
> Randolf Richardson, Postmaster via mailop wrote:
> > 
> > Which mail server software and OS are you using?  Are you receiving 
> > some error messages (e.g., in syslog)?
> > 
> > I'm using Postfix on Debian, and I'd be happy to try to help you get 
> > things working no matter which software you're using.
> > 
> > The OpenDMARC package supports running as a milter, which is 
> > supported by most technologies.
> > 
> > If you can use a UNIX Domain socket you'll get better performance, 
> > but the permissions can be a bit of a challenge (which is why a lot 
> > of administrators set it up to listen on 127.0.0.1 and use TCP 
> > sockets instead -- I prefer UNIX Domain sockets because there's 
> > slightly less overhead than with TCP, but overall there generally 
> > won't really be a noticeable performance hit).
> > 
> > For my installation, /etc/opendmarc.conf has roughly half-a-dozen 
> > default settings, most of which I didn't need to alter.  Adding one 
> > line to /etc/postfix/main.cf got it all working after I made sure the 
> > permissions were where they needed to be for the UNIX Domain socket:
> > 
> > smtpd_milters = unix:/var/run/opendmarc/opendmarc.sock
> > 
> > This is the order that may be helpful to you that works well for me:
> > 
> > smtpd_milters =
> >  unix:/var/run/opendkim/opendkim.sock
> >  unix:/var/run/opendmarc/opendmarc.sock
> >  unix:/var/run/clamav/clamav-milter.ctl
> > 
> > Feel free to share a comment-stripped copy of your opendmarc.conf 
> > file here (and make sure you don't have any passwords in it; there 
> > shouldn't be, but do check it first before attaching to be sure), and 
> > I (and I'm sure other MailOp members as well) will be happy to help.
> > 
> > > Hi.  I am trying to make sure my mail server is properly
> > > authenticated, and I have spf and dkim set up -- seemingly correctly
> > > -- but I am not sure about dmarc.  I have downloaded and installed the
> > > open-dmarc package and I have the text record I will have to put in
> > > the zone,  but I don't know what to put in
> > > /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> > > sure what I really need in it.
> > > 
> > > Thanks in advance for any suggestions.
> > > 
> > > -- 
> > > Your life is like a penny.  You're going to lose it.  The question is:
> > > How do
> > > you spend it?
> > > 
> > >  John Covici wb2una
> > >  cov...@ccs.covici.com
> > 
> > 
> > -- 
> > Postmaster - postmas...@inter-corporate.com
> > Randolf Richardson, CNA - rand...@inter-corporate.com
> > Inter-Corporate Computer & Network Services, Inc.
> > Vancouver, Beautiful British Columbia, Canada
> > https://www.inter-corporate.com/
> > 
> > 
> > 
> 
> -- 
> Your life is like a penny.  You're going to lose it.  The question is:
> How do
> you spend it?
> 
>  John Covici wb2una
>  cov...@ccs.covici.com


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, Beautiful British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread John Levine via mailop
It appears that Royce Williams via mailop said:
>Unfortunately, this is not correct, despite the official documentation.
>There are multiple reports on Reddit and other places of people getting the
>explicit "authentication required" SMTP response at much lower volumes.

You definitely will if you're sending over IPv6.

Considering that it takes about two minutes to publish an SPF record, even
though it's not very useful, there's no reason not to have one.

R's,
John


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread John Levine via mailop
According to Bill Cole via mailop:
>
>On 2024-02-07 at 05:40:50 UTC-0500 (Wed, 7 Feb 2024 12:40:50 +0200)
>Taavi Eomäe via mailop 
>is rumored to have said:
>
>[Snip. Quoting Michael P.]
>>> Unless you are a big budget email sender, don't stress too much.  Maybe
>>> tomorrow we will need something like DMARC, but thankfully not yet today.
>> You need it right now if you want to protect your communication against
>> forgeries.
>
>Not so much. DKIM and SPF are adequate for most senders. Arguably, SPF would
>suffice for most sending domains if it were not for transparent forwarding.

You might as well publish a p=none DMARC record anyway so you can
collect the reports. Some of them can be quite amusing. I agree that
p=reject is of no value unless you are big enough or famous enough to
be a phish target.

R's,
John
-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly



Re: [mailop] [E] Re: problem setting up open-dmarc

2024-02-07 Thread Marcel Becker via mailop
On Wed, Feb 7, 2024 at 7:46 AM Royce Williams via mailop 
wrote:

> This only applies if you're sending more than 5000 messages per day.
>> Most smaller senders are still fine using only "SPF *or* DKIM" and do not
>> *need* a DMARC record:
>>
>> https://support.google.com/a/answer/81126
>> 
>
>
> Unfortunately, this is not correct, despite the official documentation.
> There are multiple reports on Reddit and other places of people getting the
> explicit "authentication required" SMTP response at much lower volumes.
> I've also experienced it directly myself, on domains that I directly
> control that don't do 50 a day, let alone 5000.
>

"authentication required" means just that: authenticate your traffic with
DKIM or SPF. That is required for everybody. DMARC is only required for
bulk senders. Both the statement you replied to and the official
documentation are correct.


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Andreas S. Kerber via mailop
On Wed, Feb 07, 2024 at 06:41:48AM -0900, Royce Williams via mailop wrote:
> There are multiple reports on Reddit and other places of people getting the
> explicit "authentication required" SMTP response at much lower volumes.
> I've also experienced it directly myself, on domains that I directly
> control that don't do 50 a day, let alone 5000.

Can you confirm that these domains had a valid SPF record? Would you mind 
sharing the exact value of the SPF?


Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Al Iverson via mailop
Doesn't matter how small your server is, or isn't. Spamhaus blocks
public queries, but does it a bit imperfectly, so it's the kind of
thing where you can get away with it for a while, then something
changes, and they find a new way to lock it down a bit better.  Look
at the response code.

Sign up for Spamhaus DQS and implement the proper DNS zone query with
your DQS key embedded, as one does.

That'll fix this. Full stop. That's the problem, that's the solution.

Learn:
https://www.spamresource.com/2021/11/howto-query-spamhaus-safely.html

"Spamhaus is even blocking Gmail" is a dead giveaway:
https://www.spamresource.com/2022/11/spamhaus-is-not-blocking-gmail.html

Spamhaus closing loopholes for public/unfettered DNS querying:
https://www.spamresource.com/2022/10/spamhaus-to-block-queries-from-aws.html
https://www.spamresource.com/2024/02/spamhaus-blocking-queries-from-digital.html
https://www.spamresource.com/2022/01/querying-spamhaus-via-cloudflare-dns.html

Bad news:
https://www.spamresource.com/2021/10/be-careful-using-spamhaus-with-open.html

They've been warning us for three years now:
https://www.spamresource.com/2021/02/spamhaus-warns-watch-for-new-error.html

No, almost five years!
https://www.spamresource.com/2019/10/spamhaus-blacklist-changes.html

Cheers,
Al Iverson




--

Al Iverson / Deliverability blogging at https://www.spamresource.com
Subscribe to the weekly newsletter at https://ml.spamresource.com
DNS Tools: https://xnnd.com / (312) 725-0130 / Chicago (Central Time)


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Royce Williams via mailop
On Wed, Feb 7, 2024, 4:55 AM Andreas S. Kerber via mailop 
wrote:

> On Wed, Feb 07, 2024 at 02:20:25PM +0100, Jaroslaw Rafa via mailop wrote:
> > For outgoing, Google requires that you have DMARC record set up. So if you
> > are sending anything to Google, you need that.
>
> This only applies if you're sending more than 5000 messages per day.
> Most smaller senders are still fine using only "SPF *or* DKIM" and do not
> *need* a DMARC record:
>
> https://support.google.com/a/answer/81126


Unfortunately, this is not correct, despite the official documentation.
There are multiple reports on Reddit and other places of people getting the
explicit "authentication required" SMTP response at much lower volumes.
I've also experienced it directly myself, on domains that I directly
control that don't do 50 a day, let alone 5000.

Royce


Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Odhiambo Washington via mailop
On Wed, Feb 7, 2024 at 6:05 PM Mark Milhollan 
wrote:

> On Tue, 6 Feb 2024, Odhiambo Washington wrote:
> >On Wed, Feb 7, 2024 at 12:53 AM Mark Milhollan <
> lists-mai...@milhollan.com> wrote:
> >>On Tue, 6 Feb 2024, Odhiambo Washington wrote:
>
> >>>Today morning I woke up to all emails being rejected as I was using
> >>>zen.spamhaus.org in my dnslists.
>
> >>Are you using your own resolver (like BIND, Knot Resolver, or Unbound)
> >>rather than a public resolver (like Cloudflare, Google, or Quad9)?
>
> >I have my local instance of unbound resolver.
>
> I should have mentioned that it must not use a forwarder, it must
> query Spamhaus directly.


Right. I don't use any forwarders.


> What results do you obtain if you query for 127.0.0.1, e.g., ''dig
> 1.0.0.127.zen.spamhaus.org''?  If the result is that there are no
> records (NXDOMAIN) then the problem isn't use of an open resolver.  But if
> the result is 127.255.255.254 then you are using
> an open resolver and you must find a way to stop doing so -- if you
> must use a forwarder then be sure to specify that for zen.spamhaus.org it
> should not.


wash@gw:~$ dig 1.0.0.127.zen.spamhaus.org

; <<>> DiG 9.18.3 <<>> 1.0.0.127.zen.spamhaus.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22423
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;1.0.0.127.zen.spamhaus.org.    IN      A

;; AUTHORITY SECTION:
zen.spamhaus.org.       3100    IN      SOA     need.to.know.only. hostmaster.spamhaus.org. 2402071511 3600 600 432000 10

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Feb 07 18:21:44 EAT 2024
;; MSG SIZE  rcvd: 119


> Otherwise you need to stop using Spamhaus -- even if you sign-up, perhaps
> because of the query volume, you still must query them
> directly not via a public resolver.
>

My server is a low-volume sender.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
 In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions:
http://www.catb.org/~esr/faqs/smart-questions.html]


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Bill Cole via mailop
On 2024-02-07 at 05:40:50 UTC-0500 (Wed, 7 Feb 2024 12:40:50 +0200)
Taavi Eomäe via mailop 
is rumored to have said:

[Snip. Quoting Michael P.]
>> Unless you are a big budget email sender, don't stress too much.  Maybe 
>> tomorrow we will need something like DMARC, but thankfully not yet today.
> You need it right now if you want to protect your communication against 
> forgeries.

Not so much. DKIM and SPF are adequate for most senders. Arguably, SPF would 
suffice for most sending domains if it were not for transparent forwarding.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire




Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Mark Milhollan via mailop

On Tue, 6 Feb 2024, Odhiambo Washington wrote:
>On Wed, Feb 7, 2024 at 12:53 AM Mark Milhollan wrote:
>>On Tue, 6 Feb 2024, Odhiambo Washington wrote:

>>>Today morning I woke up to all emails being rejected as I was using
>>>zen.spamhaus.org in my dnslists.

>>Are you using your own resolver (like BIND, Knot Resolver, or Unbound)
>>rather than a public resolver (like Cloudflare, Google, or Quad9)?

>I have my local instance of unbound resolver.

I should have mentioned that it must not use a forwarder, it must query 
Spamhaus directly.  What results do you obtain if you query for 
127.0.0.1, e.g., ''dig 1.0.0.127.zen.spamhaus.org''?  If the result is 
that there are no records (NXDOMAIN) then the problem isn't use of an 
open resolver.  But if the result is 127.255.255.254 then you are using 
an open resolver and you must find a way to stop doing so -- if you must 
use a forwarder then be sure to specify that for zen.spamhaus.org it 
should not.  Otherwise you need to stop using Spamhaus -- even if you 
sign-up, perhaps because of the query volume, you still must query them 
directly not via a public resolver.



/mark
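
The check described above, generalised into an answer classifier and a two-point resolver self-test (an added example, not code from the thread or from Spamhaus). Function names, the fail-open `smtp_action` policy and the constructed resolver tables are assumptions; the 127.255.255.252 and 127.255.255.255 codes come from Spamhaus's published return codes rather than from this thread.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple

# Answers in 127.255.255.0/24 are status codes, never listings.
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
# ZEN return codes, including those in the nslookup output (.2, .4, .10).
ZEN_LISTS = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS", "127.0.0.9": "SBL-DROP",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL",
    "127.0.0.7": "XBL", "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_qname(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reversed octets (IPv4) or nibbles (IPv6) prepended to the zone.
    For DQS the zone is '<key>.zen.dq.spamhaus.net'; the key is a placeholder."""
    rev = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{rev}.{zone}"


def classify(answers: List[str]) -> Tuple[str, List[str]]:
    """Map the A records of one lookup to (verdict, details).
    An empty list stands for NXDOMAIN."""
    if not answers:
        return ("not_listed", [])
    errors = [ERROR_CODES.get(a, f"unknown status code {a}")
              for a in answers if a.startswith("127.255.255.")]
    if errors:
        return ("error", errors)
    unexpected = [a for a in answers if a not in ZEN_LISTS]
    if unexpected:  # e.g. a resolver that rewrites NXDOMAIN to its own address
        return ("error", [f"unexpected answer {a}" for a in unexpected])
    return ("listed", sorted({ZEN_LISTS[a] for a in answers}))


def smtp_action(verdict: str) -> str:
    """Policy assumption: a lookup error must not turn into a rejection."""
    return {"listed": "reject", "not_listed": "accept",
            "error": "accept-and-alert"}[verdict]


def self_test(resolve: Callable[[str], List[str]],
              zone: str = "zen.spamhaus.org") -> str:
    """127.0.0.1 must not exist and the test point 127.0.0.2 must be listed."""
    clean = classify(resolve(dnsbl_qname("127.0.0.1", zone)))
    hit = classify(resolve(dnsbl_qname("127.0.0.2", zone)))
    if clean[0] == "error":
        return "broken: " + "; ".join(clean[1])
    if clean[0] == "listed":
        return "broken: answer returned for a name that must not exist"
    if hit[0] != "listed":
        return "broken: test point 127.0.0.2 not listed (blocked or wrong zone)"
    return "ok"


def resolve_a(qname: str) -> List[str]:
    """Live lookup through the system resolver. Caveat: this cannot tell
    NXDOMAIN from SERVFAIL or a timeout; use a DNS library where that matters."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except (socket.gaierror, socket.herror):
        return []


# Constructed resolver behaviours for an offline run.
HEALTHY = {"2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.10", "127.0.0.4"]}


def healthy(qname: str) -> List[str]:
    return HEALTHY.get(qname, [])


def open_resolver(qname: str) -> List[str]:
    return ["127.255.255.254"]   # the answer described in the message above


def silent_block(qname: str) -> List[str]:
    return []                    # NXDOMAIN for everything, test point included


if __name__ == "__main__":
    for name, fn in [("healthy", healthy), ("open resolver", open_resolver),
                     ("silent block", silent_block)]:
        print(f"{name:14s} {self_test(fn)}")
```

Running `self_test(resolve_a)` at MTA start-up and on a timer catches both failure modes before they affect mail: the error code that would otherwise match every sender, and the silent NXDOMAIN that disables the blocklist.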


Re: [mailop] Support contact for Shaw.ca

2024-02-07 Thread Scott Undercofler via mailop
I never was good at goodbye. 

> On Feb 7, 2024, at 6:10 AM, Jaroslaw Rafa via mailop  
> wrote:
> 
> On 6.02.2024 at 15:26:33, Aric Archebelle-Smith via mailop wrote:
>> Beginning in late January, we received user reports that mail was not
>> being delivered to Shaw.ca addresses.  Users did not receive a
>> non-delivery notification, but our logs show the following rejection:
>> `status=sent (250 2.0.0 xxx...@pobox.com sender rejected.)`
> 
> Wonderful nonsense. Status code 250 and "sender rejected".
> -- 
> Regards,
>   Jaroslaw Rafa
>   r...@rafa.eu.org
> --
> "In a million years, when kids go to school, they're gonna know: once there
> was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] Spamhaus SBL listing fonts.googleapis.com

2024-02-07 Thread Andreas Schamanek via mailop


On Wed, 7 Feb 2024, at 08:32, Lichtinger, Bernhard via mailop wrote:

The IP addresses for "fonts.googleapis.com" are: 142.250.217.106 
2607:f8b0:400a:800::200a


The IPs of "fonts.googleapis.com" got listed on SBL because these 
IPs are also used to serve "firebasestorage.googleapis.com". Last 
time i checked the IPs with https://check.spamhaus.org/ it told me 
the listing was because of malware hosted on some 
"firebasestorage.googleapis.com" URLs.


Thanks for pointing this out. Already yesterday I came to the 
conclusion that the whole thing is essentially related to how the 
Spamhaus' DQS plugin for SpamAssassin operates. My bug report, though, 
was quickly closed saying it was a "a listing issue". Understandably, 
such issues are not disputed in the dqs plugin issue tracker.


In the meantime, your reply, Bernhard, helped me understand better 
what's going on. So, I added a comment, also crediting you, 
re-iterating that the core problem is not that (presumably not all 
but) some IPs are SBL listed:


https://github.com/spamhaus/spamassassin-dqs/issues/68#issuecomment-1932189548

--
-- Andreas

 :-)



Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Jaroslaw Rafa via mailop
On 7.02.2024 at 14:41:02, Andreas S. Kerber via mailop wrote:
> 
> This only applies if you're sending more than 5000 messages per day.

That is a "MUST" in RFC sense ;), because otherwise they reject mails from
you.

But if you read their sender guidelines, they say since long ago (long
before they start enforcing the limit above) that *every* sender
(regardless of volume they send) SHOULD (again, in RFC sense ;)) have SPF,
DKIM *and* DMARC set up.

If you have a delivery issue with Google (eg. like in my case when my mails
are constantly filed to recipients' Spam folders) they require you to fulfill
all the mentioned guidelines (including having DMARC set up) before you
submit an issue to them (which usually doesn't get resolved anyway... :()

> Most smaller senders are still fine using only "SPF *or* DKIM" and do not
> *need* a DMARC record:

My experience says otherwise.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Andreas S. Kerber via mailop
On Wed, Feb 07, 2024 at 02:20:25PM +0100, Jaroslaw Rafa via mailop wrote:
> For outgoing, Google requires that you have DMARC record set up. So if you
> are sending anything to Google, you need that.

This only applies if you're sending more than 5000 messages per day.
Most smaller senders are still fine using only "SPF *or* DKIM" and do not 
*need* a DMARC record:

https://support.google.com/a/answer/81126



Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Thomas Walter via mailop



On 07.02.24 14:20, Jaroslaw Rafa via mailop wrote:
> For outgoing, Google requires that you have DMARC record set up. So if you
> are sending anything to Google, you need that.


"If you send 5,000 messages a day or more..."

Regards,
Thomas Walter

--
Thomas Walter
Datenverarbeitungszentrale

FH Münster
- University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster

Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/




Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Jaroslaw Rafa via mailop
On 6.02.2024 at 15:13:47, Michael Peddemors via mailop wrote:
> Some days.. it's like F* DMARC.. hehehe..
> 
> Anything that created a multi-million dollar industry of consultants
> on how to set up DMARC, well.. email should NOT be that difficult..
> 
> I still remember when email administrators didn't know how to set up
> DNS correctly.. (oh wait, some still do)
> 
> You went the path of SPF, and even went a step farther with DKIM.. I
> would not sweat DMARC yet.. (next it will be the rest of the ARC
> stuff)
> 
> I know, probably not a popular opinion on this list but.. IMHO
> 
> Unless you are a big budget email sender, don't stress too much.
> Maybe tomorrow we will need something like DMARC, but thankfully not
> yet today.

Are you talking about incoming or outgoing mail?

For outgoing, Google requires that you have DMARC record set up. So if you
are sending anything to Google, you need that.

For incoming, I agree, you don't have to bother with DMARC (In fact, I don't
check also SPF nor DKIM on incoming mail - DNSBL, manual blacklists and
content filtering are completely enough to filter out spam).
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] Support contact for Shaw.ca

2024-02-07 Thread Jaroslaw Rafa via mailop
On 6.02.2024 at 15:26:33, Aric Archebelle-Smith via mailop wrote:
> Beginning in late January, we received user reports that mail was not
> being delivered to Shaw.ca addresses.  Users did not receive a
> non-delivery notification, but our logs show the following rejection:
> `status=sent (250 2.0.0 xxx...@pobox.com sender rejected.)`

Wonderful nonsense. Status code 250 and "sender rejected".
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
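The log line quoted in the message above is a delivery that Postfix records as `status=sent` while the remote reply text says the sender was rejected. As an added example (not code from any poster in this thread), a scan that flags such deliveries in a mail log; the function name, the wording list and the sample log lines are assumptions constructed for illustration:

```python
import re

# Postfix smtp(8) delivery record: to=<rcpt>, ..., status=sent (<remote reply>)
DELIVERY = re.compile(r"to=<(?P<rcpt>[^>]+)>.*\bstatus=sent \((?P<reply>.*)\)\s*$")
# Wording that contradicts a 2xx reply code (assumed list, extend as needed).
CONTRADICTS = re.compile(r"\b(reject(ed)?|refused|denied|blocked|discard(ed)?)\b", re.I)

# Constructed sample log lines: hosts, queue IDs and addresses are made up.
SAMPLE_LOG = [
    "Feb  6 15:26:33 mx1 postfix/smtp[2101]: 4A1B2C3D4E: to=<user@shaw.example>, "
    "relay=mx.shaw.example[192.0.2.25]:25, delay=1.4, dsn=2.0.0, "
    "status=sent (250 2.0.0 sender@pobox.example sender rejected.)",
    "Feb  6 15:27:02 mx1 postfix/smtp[2101]: 5B2C3D4E5F: to=<other@example.net>, "
    "relay=mx.example.net[192.0.2.80]:25, delay=0.8, dsn=2.0.0, "
    "status=sent (250 2.0.0 Ok: queued as 9F8E7D)",
    "Feb  6 15:28:11 mx1 postfix/smtp[2107]: 6C3D4E5F6A: to=<third@example.org>, "
    "relay=mx.example.org[192.0.2.90]:25, delay=0.5, dsn=5.7.1, "
    "status=bounced (host mx.example.org[192.0.2.90] said: 550 5.7.1 sender rejected)",
]


def accepted_but_rejected(lines):
    """Return (recipient, reply) for 2xx deliveries whose reply text says otherwise."""
    hits = []
    for line in lines:
        m = DELIVERY.search(line)
        # Only deliveries logged as sent with a 2xx reply are of interest:
        # a real 5xx rejection already produces a bounce the user can see.
        if m and m["reply"].startswith("2") and CONTRADICTS.search(m["reply"]):
            hits.append((m["rcpt"], m["reply"]))
    return hits


if __name__ == "__main__":
    for rcpt, reply in accepted_but_rejected(SAMPLE_LOG):
        print(f"{rcpt}: accepted with contradictory text: {reply}")
```

Because the sending server sees a 2xx code, no non-delivery notification is generated, which matches the user reports described in the message.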


Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Slavko via mailop
On 7 February 2024 at 9:27:50 UTC, Bjoern Franke via mailop wrote:

>host whoami.akamai.net

There are multiple services doing that, some even IPv6
capable, but if you know any IP which doesn't run DNS server
(or blocks it), you can do connect/syn scan to its port 53/tcp
too, if redirected you will see it as open...

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread Taavi Eomäe via mailop
> Anything that created a multi-million dollar industry of consultants
> on how to set up DMARC, well.. email should NOT be that difficult..

If you use even a relatively modern email stack then it's quite trivial
through rspamd for example. Some have it (and more) even built-in, like
Stalwart or Maddy.

> Unless you are a big budget email sender, don't stress too much.  Maybe
> tomorrow we will need something like DMARC, but thankfully not yet today.

You need it right now if you want to protect your communication against
forgeries.







Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread John Covici via mailop
OK, thanks.  I did this all because of problems sending to some places
managed by Google.

On Tue, 06 Feb 2024 18:12:14 -0500,
Alan Hodgson via mailop wrote:
> 
> On Tue, 2024-02-06 at 17:46 -0500, John Covici via mailop wrote:
> > Hi.  I am trying to make sure my mail server is properly
> > authenticated, and I have spf and dkim set up -- seemingly
> > correctly
> > -- but I am not sure about dmarc.  I have downloaded and installed
> > the
> > open-dmarc package and I have the text record I will have to put in
> > the zone,  but I don't know what to put in
> > /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> > sure what I really need in it.
> 
> You don't need to do anything with opendmarc to send authenticated
> mail. It's used to check incoming email from other people.
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] problem setting up open-dmarc

2024-02-07 Thread John Covici via mailop
Thanks a lot, I am using sendmail as my mta.

On Wed, 07 Feb 2024 00:39:41 -0500,
Randolf Richardson, Postmaster via mailop wrote:
> 
>   Which mail server software and OS are you using?  Are you receiving 
> some error messages (e.g., in syslog)?
> 
>   I'm using Postfix on Debian, and I'd be happy to try to help you get 
> things working no matter which software you're using.
> 
>   The OpenDMARC package supports running as a milter, which is 
> supported by most technologies.
> 
>   If you can use a UNIX Domain socket you'll get better performance, 
> but the permissions can be a bit of a challenge (which is why a lot 
> of administrators set it up to listen on 127.0.0.1 and use TCP 
> sockets instead -- I prefer UNIX Domain sockets because there's 
> slightly less overhead than with TCP, but overall there generally 
> won't really be a noticeable performance hit).
> 
>   For my installation, /etc/opendmarc.conf has roughly half-a-dozen 
> default settings, most of which I didn't need to alter.  Adding one 
> line to /etc/postfix/main.cf got it all working after I made sure the 
> permissions were where they needed to be for the UNIX Domain socket:
> 
>   smtpd_milters = unix:/var/run/opendmarc/opendmarc.sock
> 
>   This is the order that may be helpful to you that works well for me:
> 
>   smtpd_milters =
>       unix:/var/run/opendkim/opendkim.sock
>       unix:/var/run/opendmarc/opendmarc.sock
>       unix:/var/run/clamav/clamav-milter.ctl
> 
>   Feel free to share a comment-stripped copy of your opendmarc.conf 
> file here (and make sure you don't have any passwords in it; there 
> shouldn't be, but do check it first before attaching to be sure), and 
> I (and I'm sure other MailOp members as well) will be happy to help.
> 
> > Hi.  I am trying to make sure my mail server is properly
> > authenticated, and I have spf and dkim set up -- seemingly correctly
> > -- but I am not sure about dmarc.  I have downloaded and installed the
> > open-dmarc package and I have the text record I will have to put in
> > the zone,  but I don't know what to put in
> > /etc/openmarc/opendmarc.conf -- it's quite a large file and I am not
> > sure what I really need in it.
> > 
> > Thanks in advance for any suggestions.
> > 
> > -- 
> > Your life is like a penny.  You're going to lose it.  The question is:
> > How do
> > you spend it?
> > 
> >  John Covici wb2una
> >  cov...@ccs.covici.com
> 
> 
> -- 
> Postmaster - postmas...@inter-corporate.com
> Randolf Richardson, CNA - rand...@inter-corporate.com
> Inter-Corporate Computer & Network Services, Inc.
> Vancouver, Beautiful British Columbia, Canada
> https://www.inter-corporate.com/
> 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

 John Covici wb2una
 cov...@ccs.covici.com


Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Odhiambo Washington via mailop
On Wed, Feb 7, 2024 at 12:40 PM Bjoern Franke via mailop wrote:

> Hi,
>
> >
> > Hmm. How do I check that?
> > Running nslookup defaults to my local resolver instance.
>
> you can run
>
> host whoami.akamai.net
>
> which responds with IP of the used resolver.
>

Perfecto!

It returns the IP of my server.

Learnt something new :)

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
 In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions:
http://www.catb.org/~esr/faqs/smart-questions.html]


Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Bjoern Franke via mailop

Hi,

> Hmm. How do I check that?
> Running nslookup defaults to my local resolver instance.

you can run

host whoami.akamai.net

which responds with IP of the used resolver.

Regards
Bjoern




Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Atro Tossavainen via mailop
> Hmm. How do I check that?
> Running nslookup defaults to my local resolver instance.

If it happens silently at the ISP's end, you can't check it - except
indirectly. What are the return codes that you get from your Spamhaus
Zen queries?

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/


Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Matus UHLAR - fantomas via mailop

>> On 7 Feb at 7:29, Odhiambo Washington via mailop wrote:
>>> I have my local instance of unbound resolver.

> On Wed, Feb 7, 2024 at 11:32 AM Slavko via mailop wrote:
>> It can be not enough. Some time ago I noticed, that my ISP intercepts
>> (and redirects) all my DNS requests. Check carefully...

On 07.02.24 12:07, Odhiambo Washington via mailop wrote:
> Hmm. How do I check that?
> Running nslookup defaults to my local resolver instance.
>
> adminfoobar@gw:~$ nslookup
> > yahoo.com
> Server: 127.0.0.1
> Address:127.0.0.1#53

try querying for:
1.0.0.127.zen.spamhaus.org - should return NXDOMAIN
2.0.0.127.zen.spamhaus.org - should return some listings

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
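The two test queries suggested above, together with the earlier question about which return codes the Zen lookups give, as an added example (not code from any poster in this thread). It assumes the three `127.255.255.x` answers that Spamhaus documents as error codes, which are not listed on this page; the function names and the resolver hook are hypothetical:

```python
import socket

# Answers Spamhaus documents as errors rather than listings (not from the thread).
ERROR_ANSWERS = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

# The two test points from the thread: (query name, must it be listed?)
TEST_POINTS = [
    ("1.0.0.127.zen.spamhaus.org", False),  # should return NXDOMAIN
    ("2.0.0.127.zen.spamhaus.org", True),   # should return some listings
]


def classify(must_be_listed, answers):
    """Judge one test point. answers = A records, [] meaning NXDOMAIN."""
    for a in answers:
        if a in ERROR_ANSWERS:
            return "error: " + ERROR_ANSWERS[a]
    if any(not a.startswith("127.0.") for a in answers):
        # Zen listings are 127.0.x.y; anything else was rewritten upstream.
        return "rewritten: answer is not a DNSBL return code"
    if bool(answers) == must_be_listed:
        return "ok"
    if answers:
        return "broken: the never-listed test point is listed"
    return "broken: the always-listed test point returned nothing"


def lookup(name):
    """A records via the system resolver; [] on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_resolver(resolve=lookup):
    """Run both test points through resolve() and return a verdict per name."""
    return {name: classify(listed, resolve(name)) for name, listed in TEST_POINTS}


if __name__ == "__main__":
    for name, verdict in check_resolver().items():
        print(f"{name}: {verdict}")
```

Run it on the mail server itself so the lookups take the same resolver path as the MTA's DNSBL checks.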


Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Odhiambo Washington via mailop
On Wed, Feb 7, 2024 at 11:32 AM Slavko via mailop wrote:

> On 7 Feb at 7:29, Odhiambo Washington via mailop wrote:
>
> > I have my local instance of unbound resolver.
>
> It can be not enough. Some time ago I noticed, that my ISP intercepts
> (and redirects) all my DNS requests. Check carefully...
>

Hmm. How do I check that?
Running nslookup defaults to my local resolver instance.

adminfoobar@gw:~$ nslookup
> yahoo.com
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   yahoo.com
Address: 74.6.231.21
Name:   yahoo.com
Address: 74.6.143.25
Name:   yahoo.com
Address: 98.137.11.163
Name:   yahoo.com
Address: 98.137.11.164
Name:   yahoo.com
Address: 74.6.231.20
Name:   yahoo.com
Address: 74.6.143.26
Name:   yahoo.com
Address: 2001:4998:24:120d::1:1
Name:   yahoo.com
Address: 2001:4998:124:1507::f001
Name:   yahoo.com
Address: 2001:4998:124:1507::f000
Name:   yahoo.com
Address: 2001:4998:24:120d::1:0
Name:   yahoo.com
Address: 2001:4998:44:3507::8000
Name:   yahoo.com
Address: 2001:4998:44:3507::8001
>

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
 In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions:
http://www.catb.org/~esr/faqs/smart-questions.html]


Re: [mailop] Spamhaus SBL listing fonts.googleapis.com

2024-02-07 Thread Lichtinger, Bernhard via mailop

> 
> The IP addresses for "fonts.googleapis.com" are:
> 142.250.217.106
> 2607:f8b0:400a:800::200a

The IPs of "fonts.googleapis.com" got listed on SBL because these IPs are also 
used to serve "firebasestorage.googleapis.com".
Last time I checked the IPs with https://check.spamhaus.org/ it told me the 
listing was because of malware hosted on some "firebasestorage.googleapis.com" 
URLs.


-- 
regards,

Bernhard Lichtinger
Leibniz-Rechenzentrum
Boltzmannstr. 1, D-85748 Garching 





Re: [mailop] zen.spamhaus.org

2024-02-07 Thread Slavko via mailop

On 7 Feb at 7:29, Odhiambo Washington via mailop wrote:

> I have my local instance of unbound resolver.

It can be not enough. Some time ago I noticed, that my ISP intercepts
(and redirects) all my DNS requests. Check carefully...


regards

--
Slavko
