Re: [mailop] DKIM signed with parent domain

[Byung-Hee HWANG via mailop]

Hellow Slavko,

On Sat, 2024-01-27 at 08:10 +, Slavko via mailop wrote:
> Dňa 27. januára 2024 3:59:54 UTC používateľ Byung-Hee HWANG via
> mailop  napísal:
> 
> > 
> > Google Gmail accept such email: (source from soyeo...@gmail.com)
> > https://gitlab.com/soyeomul/Gnus/-/raw/d73303d3f304a275bb6f129c0d4934ce30680629/DKIM/gmail-forwarding-header-20240126.txt
> 
> AFAIK:
> 
> + standalone DKIM has no dependency on any email header
> + DMARC has option how strictly verify DKIM alignment
> 
> Thus, make sure proper settings and it should be ok (RFC compliant).
> 
> If some site will not accept that, it is its bug. To be sure, one can
> setup separate DMARC record for subdomain with separate
> rua= target defined and watch (inspect) reports for some time.
> 

These days, i'm reading RFC 8617 from time to time. Thanks for your
kind advice!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] DKIM signed with parent domain

[Byung-Hee HWANG via mailop]

Hellow Oliver,

On Fri, 2024-01-26 at 22:06 +, Gellner, Oliver via mailop wrote:
> 
> > On 25.01.2024 at 16:29 Marco Moock via mailop wrote:
> > 
> > At work we are currently deploying DKIM.
> > 
> > Do people here have experience with messages from sub.example.org
> > signed with d=example.org?
> > That way is much easier to handle for us because we have a lot of
> > domains (machines sending with r...@hostname.example.org etc.).
> > 
> > Will Google accept such messages in the future?
> > I am aware that DMARC can control that, but how will Google handle
> > it?
> 
> Unfortunately I can’t say what Google or other third parties are
> planning to do in the future. At the moment DKIM signatures from a
> parent domain will pass DMARC checks as long as DKIM alignment is in
> relaxed mode.
> 

Google Gmail accept such email: (source from soyeo...@gmail.com)
https://gitlab.com/soyeomul/Gnus/-/raw/d73303d3f304a275bb6f129c0d4934ce30680629/DKIM/gmail-forwarding-header-20240126.txt


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] DKIM signed with parent domain

[Byung-Hee HWANG via mailop]

Hellow Jörg,

On Fri, 2024-01-26 at 10:49 +0100, Jörg Backschues via mailop wrote:
> Am 25.01.24 um 23:58 schrieb Anne Mitchell via mailop:
> 
> > > On Jan 25, 2024, at 3:24 PM, Byron Lunz via mailop
> > >  wrote:
> > > 
> > > Or, you can use https://aboutmy.email/ - not affiliated, just a
> > > pleased user.
> > 
> > Yes, absolutely, aboutmy.email rocks!  And, is offered by a very
> > trusted source!
> 
> Sorry, but there are issues with AboutMy.email when using multiple
> DKIM 
> signatures e.g. RSA & Ed25519.
> 

As far as I know, both sites perform ed25519 verification.

*DNSWL* and *Protonmail*


And several debian developers also are using Ed25519 key.

 
Sincerley, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [EXTERNAL] Re: MTA-STS: No TLS reports from Google since January 9th

[Byung-Hee HWANG via mailop]

Hellow Alex,

On Thu, 2024-01-25 at 19:55 +, Brotman, Alex via mailop wrote:
> I did start getting reports again, I haven't looked to see if they're
> consistently appearing
> 

Me too. Also i received again that reports from Google, today!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Extortion spam from OVH-hosted *.sbs domains

[Byung-Hee HWANG via mailop]

Hellow Jaroslaw,

On Thu, 2024-01-25 at 10:13 +0100, Jaroslaw Rafa via mailop wrote:
> Dnia 25.01.2024 o godz. 07:10:13 Hans-Martin Mosner via mailop pisze:
> > It's probably pointless to call for a general OVH boycott, as much
> > as I
> > would like to do that :-)
> 
> I would be the first to object to that, because my server is hosted
> at OVH :)

I agree. In the same vein, I cannot do anything that violates Google
Gmail policies. Because Gmail (soyeo...@gmail.com) is my final mailbox.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] DKIM signed with parent domain

[Byung-Hee HWANG via mailop]

Hellow Marco,

On Thu, 2024-01-25 at 16:17 +0100, Marco Moock via mailop wrote:
> Hello!
> 
> At work we are currently deploying DKIM.
> 
> Do people here have experience with messages from sub.example.org
> signed with d=example.org?
> That way is much easier to handle for us because we have a lot of
> domains (machines sending with r...@hostname.example.org etc.).
> 
> Will Google accept such messages in the future?
> I am aware that DMARC can control that, but how will Google handle
> it?
> 

IMHO, there is no problem. You see here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] MTA-STS: No TLS reports from Google since January 9th

[Byung-Hee HWANG via mailop]

On Thu, 2024-01-25 at 15:26 +0100, Paul Menzel via mailop wrote:
> Dear mail operators,
> 
> 
> Am 17.01.24 um 10:04 schrieb Paul Menzel via mailop:
> 
> > Since January 9th, 2024 we have not received any (MTA-STS) TLS
> > reports 
> > from google.com (noreply-smtp-tls-report...@google.com). We still
> > get 
> > TLS reports from other organizations.
> > 
> > Does somebody know more?
> 
> I got one reply, confirming the issue.
> 
> No idea, if related to the report on this list, but since January
> 20th, 
> 2024 I receive the reports again. In contrast to Microsoft, the
> missing 
> reports have not yet been sent.

Hellow Paul,

Also i'm waiting for the reports, thanks for information.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Merry Christmas from Google?

[Byung-Hee HWANG via mailop]

> That depends on the setting of the forwarder. Some organizations use
> aliases for forwarding, Envelope-Sender won't change in that case
> unless other rulesets change it.

Yes, that is true:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539#88


Sincerely, Byung-Hee
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Noticed Google now suggests changing envelope sender for forwarding

[Byung-Hee HWANG via mailop]

> "no auth, no entry"

This is it, thanks!


Sincerely, Byung-Hee
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Microsoft Office365 not rejecting emails when instructed so by SPF recored?

[Byung-Hee HWANG via mailop]

> (...) 
> If you ask me - a better solution would be to do away with forwarding
> completely and incorporate POP checks, like Gmail does.  This alleviates
> all of the issues with forwarding mail in relation to SPF and DKIM.
> (...) 

There are sevral projects using forwarding. The Debian Project is it.
Also i use forwarding very heavy. All debian bug dist messages come to
me (soyeo...@doraji.xyz -> soyeomul+...@gmail.com) via forwarding. 

You check this[1]:
[1] https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/setup-policy.lua


Sincerely, Byung-Hee


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Forwarding mail originating from gmail via 3rd party to gmail

[Byung-Hee HWANG via mailop]

On Wed, May 17, 2023 at 05:25:36PM -0700, Brandon Long via mailop wrote:
> (...)
> 
> I know some mailing list software does modify messages in order to defeat
> the duplicate detection in
> Gmail.  The duplicate detection requires that the date, "clean" subject and
> messageid are identical.
> The "clean" subject is one that tries to remove various mailing list
> subject prefixes/suffixes and reply markers.
> Modifying the messageid of course would break the DKIM signature, but most
> mailing list software already does
> that.
> 

Dear Brandon,

Thanks for information. It is something i have been curious about for a
long time.

Sincerely, Byung-Hee

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Yahoo: SOA record per subdomain required?!

[Byung-Hee HWANG via mailop]

Ken Peng via mailop  writes:

> May 9, 2023 at 4:07 AM, "Gellner, Oliver via mailop"  
> wrote:
>
>
>> 
>> If a receiver only accepts emails from sender addressed domains for which MX
>> or A records exist (such checks are performed by many receiving servers), it
>> means a sender has to 1. set up a DNS zone and 2. create a MX or A record
>> within it.
>
>
> No. A DNS zone is not needed at all for sending email.
>
> My ex-employer is a Nasdaq listed company, whose business email is with 
> @staff.sina.com.cn. It has MX only, not a zone.
>
> $ dig staff.sina.com.cn soa +short
>
> $ dig staff.sina.com.cn mx +short
> 10 staffmx.sina.com.cn.
> 10 staffmx1.sina.com.cn.

I agree with these pattern, because nowdays people like easy setup via
Cloudflare, with no serious.

> Also, my policy in Postfix has setted up to reject messages from 
> unknow_sender_domain, which means if a domain has neither MX nor A, it would 
> be rejected by me. 
>
> smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, 
> reject_unknown_client_hostname, reject_unknown_sender_domain
>
>
> As you see, Postfix's reject_unknown_sender_domain validates only MX and A, 
> not SOA.
>
> regards.

Good comments, thanks!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] SPF behavior on email forwarding

[Byung-Hee HWANG via mailop]

Lou Katz via mailop  writes:

> On Fri, Apr 14, 2023 at 11:20:22AM -0400, John Levine via mailop wrote:
>> It appears that Jaroslaw Rafa via mailop  said:
>> >Dnia 14.04.2023 o godz. 14:11:49 Slavko via mailop pisze:
>> >> In other words, SPF check is not something what helps with SPAM
>> >> here, seems that spammers adapted to it...
>> >
>> >As far as I know, SPF was never meant as an anti-spam measure.
>> 
>> It was most definitely touted as an anti-spam measure.  Some of us were 
>> there.
>
> Absolutely. Spent time listening to Meng Wong talk about it, totally ignoring 
> the forwarding problem.

+1; INDEED.

Sincerely, Byung-Hee from South Korea

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] forwarding to gmail - problem

[Byung-Hee HWANG via mailop]

Byung-Hee HWANG via mailop  writes:

> ... snip ...
> Most emails arrive at INBOX (soyeo...@gmail.com), exactly.

There is only 0.1%'s email to spam folder.
99.9%'s emails settle down INBOX without error.

Another screenshot: (2022-05-03)
<https://gitlab.com/soyeomul/Gnus/-/commit/d367070a97d2a9b1fc8eb0a26d160fee4e272150>

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] forwarding to gmail - problem

[Byung-Hee HWANG via mailop]

Dear Geoff,

Geoff Mulligan via mailop  writes:

> (... thanks ...)
> If so, how is someone supposed to forward messages to gmail???

This is mine:

[0] https://gitlab.com/soyeomul/Gnus/-/raw/karma/DKIM/ss/87ilrewnoo@gnus.org
[1] 
https://gitlab.com/soyeomul/Gnus/-/blob/karma/DKIM/ss/Screenshot%202022-04-12%208.32.45%20PM.png
[2] 
https://gitlab.com/soyeomul/Gnus/-/blob/karma/DKIM/ss/Screenshot%202022-04-12%208.33.38%20PM.png

Forwarding to Gmail is good with me.

Most emails arrive at INBOX (soyeo...@gmail.com), exactly.

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Troubleshooting MTA-STS reports

[Byung-Hee HWANG via mailop]

> Google might not be sending inter-domain reports
> since your hosted there.

Maybe True. So Jesse is good with "jesse+someth...@mbuki-mvuki.org"
instead of "postmas...@mbuki-mvuki.org".

And this is mine:


Thanks ^^^

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Increase in virus activity this week @ MXroute (perhaps others?)

[Byung-Hee HWANG via mailop]

(... sorry for top-posting ...)

Dear Jarland,

In the whole story, i feel that you are NICE guy!
NICE(= faithful + technical + reasonable)

Thanks ^^^

Sincerely, Linux fan Byung-Hee

Jarland Donnell via mailop  writes:

> It's a good topic, and one I'm fairly passionate about. Obviously at
> small scale it's super easy to tell when anything is off from normal, 
> but as you grow it's more difficult to rely on eyes and ears. But that
> was kind of my dream: I want to be as present as though I'm one admin, 
> logged into one machine, merely watching it function and asking "Why?"
> when something unusual happens (CPU spike, queue higher than it's been 
> this year to date, a flood of connections from X IP, etc). I want to
> scale that, I want to scale me.
>
> So that's really what I do. I just scale me. If you were sitting in an
> SSH session tailing a log and just watching for anything that sets off
> a mental alarm, what would the things be that would trigger that
> mental alarm? I take the answer to that and have automated checks
> which then do one of two things:
>
> 1. Alert me for human review.
> 2. Perform the reaction that I would have performed if I were sitting
> there watching at the time.
>
> It can be kind of a mess but right now I'm at over 14,000 clients
> (exponentially more if counting customers of my customers) and growing 
> rapidly. Thus far I've been able to grow myself by way of coding
> checks and balances that operate like I think. That's pretty vague so
> I'll give an example.
>
> In rspamd I have this map configured:
>
> COMPD_RCPT {
>   type = "rcpt";
>   header = "subject";
>   filter = "email";
>   map = "${LOCAL_CONFDIR}/local.d/compd_rcpt.map";
>   symbol = "COMPD_RCPT";
>   prefilter = true;
>   action = "reject";
>   regexp = true;
> }
>
> Then I have this running on cron:
>
> https://paste.mxrouteapps.com/?6603394e7d823164#4r5qkNXATJTko55DWmwxjrrbTLCvJ9t5ry61cf5zfHE5
>
> Every morning I get up and I check /root/ALERT_RCPT.log and then open
> a ticket with the customer. This is where the next automation will be
> as the scale continues to grow, automatically targeting the user and 
> opening a ticket with them.
>
> Now what that map does, it lists the recipient emails used by specific
> spammers who send "test" emails to verify SMTP credentials before they 
> start a campaign. Most of them use the same recipient email every
> time, so all I have to do is look for it and know "That user's
> password is compromised."
>
> For even more fun, I have a basic HTML page hidden behind
> authentication which lists two columns. On one side, the top 15
> senders of this hour. On the other side, the top 15 senders of the
> last hour. Forcing yourself to be familiar with the top users of your
> platform by observing how much of your infrastructure they are
> utilizing creates a mental place where you can immediately recognize
> when something is off. Toss it on a monitor, have the entire abuse
> team just stare at it every time they glance away from their
> work. While you might think that would outgrow it's usefulness with
> scale, I've worked at large enough scale that I simply don't think it
> to be so. The top resource users on your platform will change over
> time, but the vast majority will always be too low utilization to be
> noteworthy.
>
> Even still, if it were to be outgrown, a good database system could
> keep track of senders enough to say "This person who only sent 1 email
> a day for the last year just sent 600, might be worth checking the
> logs to see if they're alright."
>
> And that's really where it all comes back to: What do I want to know?
> What would concern me to see? What would I do if I saw it? Then, quite 
> simply, turn that logic into code and make it work for you.
>
> Hope that wasn't too vague to be useful!
>
> Jarland

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] DKIM by the third party

[Byung-Hee HWANG via mailop]

Dear Brandon,

Brandon Long via mailop  writes:

> Generally speaking,
> adding a dkim signature to your message adds a "source" anchor,
> something that ties a message to other messages.

INDEED, i love this statement so much!

Thanks ^^^

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] DKIM by the third party

[Byung-Hee HWANG via mailop]

Henrik S via mailop  writes:

> (... thanks ...)
> does this DKIM have helps to the authorization of my outgoing messages?

The answer is "case by case".

And i'm doing that [^^^] for forwarding (to Gmail).

Sincerely, Linux fan Byung-Hee

[^^^] test screenshot with forwarding to gmail:


-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] FYI - Google/Gmail hard enforcing SPF presence

[Byung-Hee HWANG via mailop]

Dear Andre,

Andre van Eyssen via mailop  writes:

> (... thanks ...)
> A little testing shows that gmail appears to be rejecting all mail
> from domains with no SPF record. Having them create the SPF record
> returned their domains to deliverability in about an hour.

Well i have no SPF records. See [doraji.xyz]. And all incoming emails go
to Gmail(soyeo...@gmail.com) by forwarding. The Gmail is my final inbox
provider. Really there are no troubles, at least, to me...

Thanks!

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] does ESP have the preference for email domains

[Byung-Hee HWANG via mailop]

Dear wilson,

wilson via mailop  writes:

> Hello
>
> some people told me not to use .xyz domain b/c it's more spammers liked.
> may I ask if the big ESP or the open antispam policies have the
> preference on domains? such as com/net/org is preferred, but
> xyz/top/pro is not.

Well i have no trouble with Gmail(Google Servers) and most mailing list
servers such as Debian Project, GNU Project, etc., ...

> Thanks

Thanks, too!

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] [E] $GOOG

[Byung-Hee HWANG via mailop]

Al Iverson via mailop  writes:

> (... thanks ...)
> PPS- Don't send to Gmail over IPv6.

Very useful tip, to me!

Thanks ^^^

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Best mailbox provider for personal domain?

[Byung-Hee HWANG via mailop]

Tara Natanson via mailop  writes:

> (...thanks...)
> (assuming I have no desire to run my own server) 
>
> Thanks in advance for any recommendations!

In this Earth, there is no free chagre for my own domain. Still Google
Workspace will be good value for money.

> Tara Natanson

Sincerely, Byung-Hee

-- 
^고맙습니다 _白衣從軍_ 감사합니다_^))//
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop