Re: [mailop] Roundcube client IPs → dovecot, postfix

2022-01-06 Thread John Capo via mailop

On 2021-12-30 11:00, Nicolas JEAN via mailop wrote:

On 29/12/2021 07:05, Slavko via mailop wrote:


I am not sure if that matters. IMO, when dovecot's auth policy will
reject the later (with real RIP), the roundcube's content will be
empty (at least I hope), and client's IP will be blocked by fail2ban
soon or later. Or am I wrong?


From my understanding and tests, the first IMAP login attempt
forwarded to dovecot is the actual login to roundcube.
Therefore all later IMAP connections happen if and only if the first
one was successful (legitimate user, or breach -- password found by
attacker).

So I really want dovecot to know the originating IP for the first
login attempt.
Because brute-force and other attacks are going to fail at the
roundcube login phase... until they've tried enough times to guess
user passwords.

In order to stop attackers from guessing passwords on roundcube, I
need dovecot to know the originating IPs at roundcube login phase.
Then when some IP has failed X times to log in to roundcube, dovecot
will block it.

Why not just fail2ban roundcube plugin?

Brute-force protection can also be achieved by fail2ban, as mentioned
by others.
But there are scenarios of attackers trying to evade brute-force
detection by making password guesses only once in a while, e.g. every
30 minutes in my experience, from many IPs (botnet). See for example
this story [1].


Current strategy is for the bot farms to spread out the requests quite a
bit, 5268 in the case below.


   Blocking t=28800 r=1 b=11 p=3 u=2 l=1 [ablk] [Aa123456] 3,1 attempts in 5268,0 seconds 87.87.1.230/32 0


I look back 24 hours for the same IP address trying multiple usernames
and multiple passwords.


   p=3 u=2

Works well.

   Pending: 1292, Blocked: 2067



In such cases of fail2ban bypassing, having a second banning mechanism
can bring additional security, or peace of mind -- at least it does
for me.

Cheers,
Nico


Links:
--
[1] 
https://security.stackexchange.com/questions/174405/someone-is-trying-to-brute-force-my-private-mail-server-very-slowly

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
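
The 24-hour look-back described in the reply above, as an added example that is not John Capo's code or any other part of the original thread. It assumes `p=3 u=2` means three distinct passwords and two distinct usernames from one IP; the function name, thresholds and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib

WINDOW = timedelta(hours=24)   # look-back period from the post
MIN_PASSWORDS = 3              # assumed meaning of p=3
MIN_USERS = 2                  # assumed meaning of u=2


def pw_tag(password):
    """Keep a short digest so guessed passwords are not stored in clear."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


def find_slow_bruteforce(failures, now):
    """Return {ip: (n_passwords, n_users, span_seconds)} for IPs to block.

    failures: iterable of (timestamp, ip, username, password), one per
    failed login, with the real client IP (not the webmail host's).
    """
    per_ip = defaultdict(list)
    for ts, ip, user, password in failures:
        if now - WINDOW <= ts <= now:
            per_ip[ip].append((ts, user.lower(), pw_tag(password)))

    flagged = {}
    for ip, events in per_ip.items():
        users = {u for _, u, _ in events}
        passwords = {p for _, _, p in events}
        if len(passwords) >= MIN_PASSWORDS and len(users) >= MIN_USERS:
            times = [t for t, _, _ in events]
            span = (max(times) - min(times)).total_seconds()
            flagged[ip] = (len(passwords), len(users), span)
    return flagged


# Constructed sample events (documentation addresses, not real logs).
NOW = datetime(2022, 1, 6, 12, 0, 0)
SAMPLE = [
    # Slow guesser: three failures spread over 5268 seconds.
    (NOW - timedelta(seconds=6000), "192.0.2.10", "alice", "Aa123456"),
    (NOW - timedelta(seconds=3400), "192.0.2.10", "bob", "Password1"),
    (NOW - timedelta(seconds=732), "192.0.2.10", "bob", "qwerty12"),
    # One user retyping the same wrong password: one user, one password.
    (NOW - timedelta(minutes=5), "198.51.100.7", "carol", "hunter2x"),
    (NOW - timedelta(minutes=4), "198.51.100.7", "carol", "hunter2x"),
    (NOW - timedelta(minutes=3), "198.51.100.7", "carol", "hunter2x"),
    # Failures older than the 24-hour window are ignored.
    (NOW - timedelta(hours=30), "203.0.113.5", "dave", "a"),
    (NOW - timedelta(hours=29), "203.0.113.5", "erin", "b"),
    (NOW - timedelta(hours=28), "203.0.113.5", "erin", "c"),
]

if __name__ == "__main__":
    for ip, (p, u, span) in find_slow_bruteforce(SAMPLE, NOW).items():
        print(f"Blocking p={p} u={u} attempts in {span:.0f} seconds {ip}/32")
```

Counting distinct usernames and passwords rather than raw failures keeps a user who repeats one wrong password out of the block list.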



Re: [mailop] Google and IPv6, was Recommendation for inbox provider?

2021-09-07 Thread John Capo via mailop



On 2021-09-07 14:20, John Levine wrote:

It appears that John Capo via mailop said:

The only IPv6 issues I have seen, other than transit only via HE, is
delivering to Google. Google seems to assume that mail via IPv6 is spam.
The same mail flow via IPv4 is OK with Google.  Proper DNS and all that
stuff, of course.


Google has clearly said that IPv6 mail has to be authenticated.  Add DKIM
signatures and you'll have a lot more success.


Signed with the MTA domain and with the customer's domain.

Like many other people here, I send lots of mail to Google via my IPv6 HE
tunnel with no trouble.


Some is OK, some is not, YMMV.

John Capo


Re: [mailop] Recommendation for inbox provider?

2021-09-07 Thread John Capo via mailop



On 2021-09-06 23:58, Philip Paeps via mailop wrote:

On 2021-09-07 08:54:51 (+0800), Andre van Eyssen via mailop wrote:

On Tue, 7 Sep 2021, Neil Jenkins via mailop wrote:
Obviously I'm biased, but our service Fastmail sounds exactly like what you
are looking for. We have setup wizards for custom domains to guide the user
through what they need to do to ensure SPF/DKIM is set up correctly, and a
real-life support team to contact if they need further assistance.


Hah! I was just going to reply -- what about Fastmail?
If I was ever going to quit hosting my own mail, I'd be looking at 
Fastmail.


I quit hosting my own mail and moved to Fastmail earlier this year.
Happy customer.

The only complaint I have is that they don't support IPv6 at all.  I
understand the argument against running IPv6 on MXes (although I
disagree with it) but in 2021, IMAP and submission should really be
available on IPv6.


The only IPv6 issues I have seen, other than transit only via HE, is
delivering to Google. Google seems to assume that mail via IPv6 is spam.
The same mail flow via IPv4 is OK with Google.  Proper DNS and all that
stuff, of course.


A Postfix DNS reply filter fixes the Google problem:

/^\S+\.google.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE


Fastmail is the first on the list that I recommend to customers for 
migration. Tuffmail is shutting down.


John Capo





Re: [mailop] sbcgobal.net/prodigy.net misconfigured server?

2021-07-20 Thread John Capo via mailop



On 2021-07-19 19:27, Ken Johnson via mailop wrote:

An email I tried to send there returned with:

: host al-ip4-mx-vip2.prodigy.net[144.160.235.144]
said: 550 5.7.1 Connections not accepted from servers without a valid
sender domain.alph752 Fix reverse DNS for 173.228.157.53 (in reply to
MAIL FROM command)


Been like that for well over a year. Easy to fix with Postfix.  I got 
tired of telling customers to send it again and it will be accepted.


# main.cf
smtp_reply_filter = pcre:/usr/local/etc/postfix/maps/smtp-reply-filter

# /usr/local/etc/postfix/maps/smtp-reply-filter
# Busted DNS server at SBCGlobal/Bellsouth/Prodigy and friends
/^550 \d.\d.\d (Connections not accepted from servers without a valid sender domain.*)/ 450 4.7.1 $1


Second try hits a different server in their cluster.

John Capo
Ex Tuffmail.com



Re: [mailop] No SNDS data since 2021/06/17

2021-06-22 Thread John Capo via mailop



On 2021-06-22 04:08, Joel Golliet via mailop wrote:

Hi everyone and outlook/hotmail team especially

We can't get our IP address data from the SNDS since June 17th.

I think we are not the only ones (?).


Same here.

John Capo
Soon to re-retire and go sailing


Re: [mailop] DKIM+DMARC at t-online.de (Deutsche Telekom's ISP branche)

2021-04-08 Thread John Capo via mailop
On Thu, April 8, 2021 05:38, Lukas Tribus via mailop wrote:
> On Thu, 8 Apr 2021 at 10:27, Jaroslaw Rafa via mailop wrote:
>
>>
>> On 7.04.2021 at 17:26:45 John Capo via mailop wrote:
>>
>>>
>>> These are the same folks that required that reverse DNS for my
>>> unused, unassigned, not assigned to an interface, not reachable, IP
>>> addresses, be to their liking before they would accept mail from my
>>> new address space. unassigned.irbs.net was not an acceptable name.
>>
>> Just out of curiosity: if that address was unreachable and unconnected, how
>> did they learn about it at all?
>
> By checking adjacent addresses, the entire assignment or the entire
> allocation I would guess.

That would be my guess also.

John Capo




Re: [mailop] DKIM+DMARC at t-online.de (Deutsche Telekom's ISP branche)

2021-04-07 Thread John Capo via mailop



On 2021-04-07 11:09, John Levine via mailop wrote:

It appears that Laura Atkins via mailop said:
Forcing alignment across all 3 entities (5321.from, 5322.from and the
d=) breaks a lot of current implementations. Many ESPs and a ton of
small businesses are going to be scrambling to get this implemented.


It's also specifically contrary to the DMARC specification.  As you
say, it doesn't interoperate with anyone else.

Hopefully, Florian can answer some of my questions about the double 
signature and clarify what they’d like.


I'd like to understand whether they just misunderstand what DMARC
says, or if they are deliberately inventing their own "more secure"
version and expecting the world to change.



I'd bet on the latter.

These are the same folks that required that reverse DNS for my unused,
unassigned, not assigned to an interface, not reachable, IP addresses,
be to their liking before they would accept mail from my new address
space. unassigned.irbs.net was not an acceptable name.


And yes, the addresses that actually send mail had proper forward and
reverse DNS.


John Capo
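
The difference between DMARC's identifier alignment and the three-way alignment discussed in this message, as an added example that is not from the thread or from any receiver's implementation. It assumes SPF and DKIM verification results are already known, uses relaxed alignment, and approximates the organizational domain as the last two labels (production code needs the Public Suffix List); all domains are constructed.

```python
from dataclasses import dataclass


def org_domain(domain):
    """Assumption: last two labels; real code needs the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(a, b):
    """Relaxed alignment: both names share an organizational domain."""
    return org_domain(a) == org_domain(b)


@dataclass
class Message:
    mail_from: str     # RFC5321.MailFrom domain (the SPF identity)
    header_from: str   # RFC5322.From domain
    dkim_d: list       # d= domains of DKIM signatures that verified
    spf_pass: bool     # SPF result for mail_from


def dmarc_pass(m):
    """DMARC: one passing mechanism aligned with the From domain is enough."""
    spf_ok = m.spf_pass and aligned(m.mail_from, m.header_from)
    dkim_ok = any(aligned(d, m.header_from) for d in m.dkim_d)
    return spf_ok or dkim_ok


def three_way_pass(m):
    """This example's reading of the stricter rule: 5321.from, 5322.from
    and d= must all align."""
    spf_ok = m.spf_pass and aligned(m.mail_from, m.header_from)
    dkim_ok = any(aligned(d, m.header_from) for d in m.dkim_d)
    return spf_ok and dkim_ok


# Constructed messages.
SAMPLES = {
    # ESP sends with its own bounce domain, signs for itself and the customer.
    "esp": Message("bounces.esp.example", "shop.example",
                   ["shop.example", "esp.example"], True),
    # Self-hosted sender: envelope, header and signature share one domain.
    "self_hosted": Message("mail.shop.example", "shop.example",
                           ["shop.example"], True),
    # Small business with SPF only, no DKIM signature.
    "spf_only": Message("shop.example", "shop.example", [], True),
    # Spoofed From: SPF and DKIM pass, but for an unrelated domain.
    "spoof": Message("evil.example", "shop.example", ["evil.example"], True),
}


def compare(samples):
    """Return {name: (dmarc_result, three_way_result)}."""
    return {name: (dmarc_pass(m), three_way_pass(m))
            for name, m in samples.items()}


if __name__ == "__main__":
    for name, (dmarc, strict) in compare(SAMPLES).items():
        print(f"{name:12} dmarc={dmarc} three_way={strict}")
```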




Re: [mailop] Paging Barracuda/EmailReg

2021-04-03 Thread John Capo via mailop
On Sat, April 3, 2021 11:59, Jim Popovitch via mailop wrote:
> Paging someone from Barracuda or EmailReg.  EmailReg.org has been
> offline for a while now.

A year at least, maybe more.

John Capo

>
> https://www.barracudacentral.org/about/emailreg
>
>
> -Jim P.


Re: [mailop] GMail 550 5.1.1?

2020-12-15 Thread John Capo via mailop
On Tue, December 15, 2020 16:36, William Kern via mailop wrote:
> Our customers are beginning to see these today.

It seems to come in bursts. We are ignoring the 550 and queuing.  Earlier 
nothing was queued and now about 500 messages are in the queue but some new 
mail is being accepted.

John Capo
Tuffmail.com



>
>
> When I looked at
>
>
> https://www.google.com/appsstatus#hl=en=status
>
>
> earlier this morning Gmail didn't acknowledge it
>
> but I now see they are admitting to having a problem again as of a few 
> minutes ago.
>
> William Kern
>
>
> PixelGate Networks.
>
>
>
> Arrival-Date: Wed, 16 Dec 2020 05:22:29 +0800 (PST)
>
>
> Final-Recipient: rfc822;x...@gmail.com
> Action: failed
> Status: 5.1.1
> Remote-MTA: dns; gmail-smtp-in.l.google.com
> Diagnostic-Code: smtp; 550-5.1.1 The email account that you tried to reach does
> not exist. Please try 550-5.1.1 double-checking the recipient's email address for
> typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1
> https://support.google.com/mail/?p=NoSuchUser  a9si16895otl.46 - gsmtp
>
>
>
>
>
> On 12/14/2020 11:12 PM, Samuel Chang via mailop wrote:
>
>> Same here, we saw this as well.
>>
>>
>> On Mon, Dec 14, 2020 at 9:27 PM Tara Natanson via mailop wrote:
>>
>>> Looking at logs it seems this is clearing up.
>>>
>>>
>>> Now to cleanup all the false positive non-existent bounces!!
>>>
>>>
>>> Cheers,
>>>
>>>
>>> Tara Natanson
>>> Constant Contact
>>>
>>>
>>>
>>> On Mon, Dec 14, 2020 at 7:52 PM Thomas Walter via mailop wrote:
>>>
>>>> Hey,
>>>>
>>>> On 15.12.20 01:13, Jay Hennigan via mailop wrote:
>>>>
>>>>> Many Google services including Gmail, Google Drive, and YouTube have
>>>>> been having issues today according to Outages mailing list. Though some
>>>>> are reporting restoration this could be lingering problems.
>>>> https://www.google.com/appsstatus#hl=en=status
>>>>
>>>> GMail is still listed as having issues: "We're investigating reports of
>>>> an issue with Gmail. We will provide more information shortly."
>>>>
>>>> Regards,
>>>> Thomas Walter
>>>>
>>>> --
>>>> Thomas Walter
>>>> Datenverarbeitungszentrale
>>>>
>>>> FH Münster
>>>> - University of Applied Sciences -
>>>> Corrensstr. 25, Raum B 112
>>>> 48149 Münster
>>>>
>>>> Tel: +49 251 83 64 908
>>>> Fax: +49 251 83 64 910
>>>> www.fh-muenster.de/dvz/



Re: [mailop] New server email being treated as spam by Google

2020-11-19 Thread John Capo via mailop
On Thu, November 19, 2020 09:47, Al Iverson via mailop wrote:
> Test forcing your MTA to send to Gmail over IPv4 instead of IPv6.
> Gmail's filtering is much more harsh on IPv6. This has actually bit me
> before in the past.

100% agree. Easy to do with Postfix and probably other MTAs.

John Capo
Tuffmail.com


>
> Cheers,
> Al Iverson
>
>
> On Thu, Nov 19, 2020 at 8:11 AM Stuart Henderson via mailop wrote:
>
>>
>> On 2020/11/19 13:47, Paul Waring via mailop wrote:
>>
>>> On Thu, Nov 19, 2020 at 01:29:48PM +0000, Chris Woods wrote:
>>>
>>>> I dropped the TTL on the MX, SPF, DKIM and DMARC records to 300 about 36
>>>> hours before starting the migration, and published the new DKIM key as
>>>> well. I left the records at 300 for about 72 hours after the migration
>>>> and then moved them up to 3600.
>>>>
>>>> Correct the PTR, it's currently "romana.vs.mythic-beasts.com".

>>>
>>> I'm not sure what's wrong about the PTR?
>>>
>>>
>>> 1. The hostname of the machine is romana.vs.mythic-beasts.com
>>>
>>>
>>> 2. The hostname used in HELO is romana.vs.mythic-beasts.com
>>>
>>>
>>> 3. The MX record for xk7.net is romana.vs.mythic-beasts.com
>>>
>>>
>>> 4. romana.vs.mythic-beasts.com has an A record and AAAA record
>>>
>>>
>>> 5. The IP addresses in the A & AAAA records have PTR records to
>>> romana.vs.mythic-beasts.com
>>>
>>> Isn't that the correct way to have things?
>>>
>>
>> That all looks right.
>>
>>
>> No idea how things work in gmail with keys, but it may be better to
>> use the original DKIM key? That would provide some kind of continuity
>> from the original server/IP to the new one, whereas now you have new
>> IP *and* new key at the same time.
>>
>>
>> If you're sending into them over v6 I would disable that too,
>> most of the common open source MTAs have a feature to prevent sending
>> over v6 exactly because of gmail.
>>
>
>
>
> --
> Al Iverson // Wombatmail // Chicago
> Song a day! https://www.wombatmail.com
> Deliverability! https://spamresource.com
> And DNS Tools too! https://xnnd.com


Re: [mailop] Optimum Online contact

2020-10-09 Thread John Capo via mailop
On Fri, October 9, 2020 17:15, Cameron Henry via mailop wrote:
> Hi All,
>
>
> I just wanted to check if there is anyone from Optimum online in these
> threads, or if anyone has a good contact there for some help with some
> blocks.

Good luck.  I've been trying for 18 months.  Please share if you do.

John Capo
Tuffmail.com





Re: [mailop] SNDS 'No data for specified IPs on this date' for the last 3 days

2020-10-09 Thread John Capo via mailop
On Fri, October 9, 2020 10:44, Stefano Bagnara via mailop wrote:
> for the past 3 days SNDS show "No data for specified IPs on this date":
> does it work for you? (I can see data for the previous days)

Ditto.

John Capo
Tuffmail.com




Re: [mailop] t-online.de outage?

2020-06-09 Thread John Capo via mailop
On Tue, June 9, 2020 08:30, Jon Morby \(Fido\) via mailop wrote:
> Well they've responded, but weren't very helpful ... I don't think they
> see a problem :(

I don't doubt that.  They blocked my new IP space because my unassigned, 
unused, not pingable, nobody home yet addresses did not have a reverse name 
format that they approved of.

> It certainly looks like a misconfiguration to me tbh

Ditto.

> Michael Rathbun via mailop wrote on 09/06/2020 03:59:
>
>> On Tue, 09 Jun 2020 04:35:40 +0200, Ralph Seichter via mailop
>>  wrote:
>>
>>
> 554 IP=47.190.44.19 - A problem occurred. (Ask your postmaster for
> help or to contact t...@rx.t-online.de to clarify.) (BL) Connection
> closed by foreign host.
>
>>> I remember seeing this particular error code when setting up new mail
>>> servers with IPs that have not previously sent mail to T-Online MXs. In
>>> these cases I e-mailed the listed address and T-Online staff manually
>>> cleared the addresses. Thus, my guess is that some T-Online blocking
>>> mechanism is currently out of whack.
>> The address quoted, and the string "(BL)" does suggest that a blocking
>> mechanism has wandered off into the weeds.
>>
>> mdr
>
>



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


[mailop] Contact for optonline/optimum.net

2019-08-05 Thread John Capo via mailop

Hello,

We are moving into new address space and it seems to be blocked by 
optimum.net. The usual contact point does not work.


  550 5.1.1 Invalid recipient postmas...@optimum.net

  Your message cannot be delivered to the following recipients:
  Recipient address: supp...@optimum.net
  Reason: Over quota

The new space is not in any block lists and all of the bits are 
configured correctly, swip, forward/reverse, SPF, etc.


They accept mail from our old space just fine.

John Capo
Tuffmail.com




Re: [mailop] aspmx.l.google.com

2019-04-22 Thread John Capo via mailop
On Mon, April 22, 2019 11:31, John Leslie wrote:
> I got a surprise trying to confirm a dental appointment
>
>
> status=SOFTBOUNCE (host alt2.aspmx.l.google.com[172.217.192.26] said:
> 550-5.7.1 This message does not have authentication information or fails
> to pass 550-5.7.1 authentication checks. To best protect our users from
> spam, the 550-5.7.1 message has been blocked.

I see dozens of these daily for mail my customers send to Google but with 4XX
codes.

  host alt1.gmail-smtp-in.l.google.com[74.125.141.26]
  said: 421-4.7.0 This message does not have authentication information or
  fails to pass 421-4.7.0 authentication checks. To best protect our users
  from spam, the 421-4.7.0 message has been blocked. Please visit 421-4.7.0
  https://support.google.com/mail/answer/81126#authentication for more 421
  4.7.0 information. v124si3378595vka.79 - gsmtp (in reply to end of DATA command)

Google must be starting to enforce DKIM/SPF/DMARC.

I've been telling customers that 5XX would be coming and to configure DKIM/SPF
but ...

>
> Obviously, I have reverted to telephonic reply...
>
>
> But this seems like something worth understanding; and this list seems
> an excellent place to find someone who understands what google is doing.
>
> Anyone volunteer to give me a pointer?
>
>
> --
> John Leslie 
>
>


Re: [mailop] anyone from virginmedia.com around?

2019-03-06 Thread John Capo via mailop
On Wed, March 6, 2019 12:22, Brian Kowalewicz wrote:
> Anyone from virginmedia.com around? If so, could you reach out off list?
> Having some delivery issues.

Busted Greylisting perhaps?


>
> Thanks,
>
>
> Brian Kowalewicz
> Postmaster, Hostopia.com
> bkowalew...@hostopia.com
>
>


