Re: [mailop] GSuites looking too closely at first-hop Received: headers?

2018-02-28 Thread Brandon Long via mailop
Alternatively, you can also just use smart hosting to forward your mail
through GSuite's smtp-relay.gmail.com host.

https://support.google.com/a/answer/2956491?hl=en_topic=2921034

Brandon


On Wed, Feb 28, 2018 at 11:31 AM Dave Warren  wrote:

> On 2018-02-27 21:17, Philip Paeps wrote:
> >> You're posting as an alias in a domain from a server that's not
> >> authorized to send mail for that domain and isn't dkim signing for
> >> that domain, and posting to a public group in that domain.  It's kind
> >> of a spammy set of circumstances, but really it's the not great ipv6
> >> address with no auth that does it.
> >
> > When this particular domain moved to GSuites, we talked (at length)
> > about making sure those of us who run our own mailservers could still
> > use it.  Turns out spf and dkim were never actually set up though.
> >
> > I will chase that down.
> >
> > Thanks again for helping debug this.
>
> Don't forget to make sure that the G Suite side is also DKIM signing and
> that you've published these records properly.
>
> (You probably know this, but I've seen so many clients screw it up that
> it is worth repeating... And re-checking that some eager-beaver DNS
> admin doesn't remove your older DKIM records when they add a new one).
>
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] GSuites looking too closely at first-hop Received: headers?

2018-02-28 Thread Dave Warren

On 2018-02-27 21:17, Philip Paeps wrote:
> > You're posting as an alias in a domain from a server that's not
> > authorized to send mail for that domain and isn't dkim signing for
> > that domain, and posting to a public group in that domain.  It's kind
> > of a spammy set of circumstances, but really it's the not great ipv6
> > address with no auth that does it.
>
> When this particular domain moved to GSuites, we talked (at length)
> about making sure those of us who run our own mailservers could still
> use it.  Turns out spf and dkim were never actually set up though.
>
> I will chase that down.
>
> Thanks again for helping debug this.


Don't forget to make sure that the G Suite side is also DKIM signing and 
that you've published these records properly.


(You probably know this, but I've seen so many clients screw it up that 
it is worth repeating... And re-checking that some eager-beaver DNS 
admin doesn't remove your older DKIM records when they add a new one).





Re: [mailop] GSuites looking too closely at first-hop Received: headers?

2018-02-28 Thread Vick Khera
On Tue, Feb 27, 2018 at 1:43 AM, Philip Paeps  wrote:

> Of course relays do get compromised from time to time, so peeking at the
> first hop is not a completely crazy thing for GSuites to do. But silently
> dropping the email after accepting feels a little disproportionate. Perhaps
> a 451 would be more appropriate?
>
A while back Brandon helped me figure out that this was caused by having
set one machine as a known relay in the G Suite configuration. This caused
it to always check the prior hop's IP reputation and more or less ignore
that it came from the relay machine.


Re: [mailop] GSuites looking too closely at first-hop Received: headers?

2018-02-27 Thread Mark Milhollan
On Tue, 27 Feb 2018, Philip Paeps wrote:

>I have no way of knowing if GSuites is actually looking too closely at my
>first-hop Received: headers but that's the only theory I can come up with for
>my emails not arriving on that GSuites list.

Probably.  I postulate that since they hide the sender's connection so 
would everyone else and thus treat the first real* received as having to 
pass SPF rather than just the peer delivering the message.

* Meaning they will skip over received headers that use loopback or 
  RFC1918 addresses.


/mark



Re: [mailop] GSuites looking too closely at first-hop Received: headers?

2018-02-27 Thread Brandon Long via mailop
Agreed, we don't drop silently, it'll go to spam moderation, depending on
the settings.

Looking at our logs, it looks like your server is dual hosted on ipv6 and
ipv4, and the likely message you're talking about went to spam because your
ipv6 netblock isn't that clean and you're posting from an IPv6 address
without any authentication, but the other posts came from the ipv4
address.  I think the Received header was a red-herring.  You're posting as
an alias in a domain from a server that's not authorized to send mail for
that domain and isn't dkim signing for that domain, and posting to a public
group in that domain.  It's kind of a spammy set of circumstances, but
really it's the not great ipv6 address with no auth that does it.

Brandon


On Tue, Feb 27, 2018 at 10:33 AM Mike Joseph  wrote:

> It's probably not being dropped silently so much as sent to the spam
> moderation queue for the group.  Can you have an admin for the group take a
> look for you?
>
> -MJ
>
>
> On Feb 27, 2018 4:55 AM, "Philip Paeps"  wrote:
>
>> On 2018-02-27 18:18:49 (+0545), Suresh Ramasubramanian wrote:
>>
>>> That is the apricot conference AS and netblock - used only for the
>>> apricot conference and not random IP space provided by a local ISP in
>>> Kathmandu where you currently are.
>>> Quite clean but it won’t get used at all between conferences.
>>>
>>
>> I wasn't aware APRICOT space went unused between events.  In the RIPE NCC
>> region, the address space temporarily allocated to conferences gets
>> allocated to several events annually and develops quite an interesting
>> aroma as a consequence. :)
>>
>> Thanks for correcting me.
>>
>> But still ... GSuites wasn't happy with the APRICOT network space in the
>> first Received: hop.
>>
>> Philip
>>
>> --
>> Philip Paeps
>> Senior Reality Engineer
>> Ministry of Information
>>


Re: [mailop] GSuites looking too closely at first-hop Received: headers?

2018-02-27 Thread Mike Joseph
It's probably not being dropped silently so much as sent to the spam
moderation queue for the group.  Can you have an admin for the group take a
look for you?

-MJ


On Feb 27, 2018 4:55 AM, "Philip Paeps"  wrote:

> On 2018-02-27 18:18:49 (+0545), Suresh Ramasubramanian wrote:
>
>> That is the apricot conference AS and netblock - used only for the
>> apricot conference and not random IP space provided by a local ISP in
>> Kathmandu where you currently are.
>> Quite clean but it won’t get used at all between conferences.
>>
>
> I wasn't aware APRICOT space went unused between events.  In the RIPE NCC
> region, the address space temporarily allocated to conferences gets
> allocated to several events annually and develops quite an interesting
> aroma as a consequence. :)
>
> Thanks for correcting me.
>
> But still ... GSuites wasn't happy with the APRICOT network space in the
> first Received: hop.
>
> Philip
>
> --
> Philip Paeps
> Senior Reality Engineer
> Ministry of Information


Re: [mailop] GSuites looking too closely at first-hop Received: headers?

2018-02-27 Thread Suresh Ramasubramanian
Out here there’s just apricot apnic meetings and sanog.

_
From: Philip Paeps <phi...@trouble.is>
Sent: Tuesday, February 27, 2018 4:56 AM
Subject: Re: [mailop] GSuites looking too closely at first-hop Received: 
headers?
To: mailop <mailop@mailop.org>


On 2018-02-27 18:18:49 (+0545), Suresh Ramasubramanian wrote:
> That is the apricot conference AS and netblock - used only for the 
> apricot conference and not random IP space provided by a local ISP in 
> Kathmandu where you currently are.
> Quite clean but it won’t get used at all between conferences.

I wasn't aware APRICOT space went unused between events.  In the RIPE 
NCC region, the address space temporarily allocated to conferences gets 
allocated to several events annually and develops quite an interesting 
aroma as a consequence. :)

Thanks for correcting me.

But still ... GSuites wasn't happy with the APRICOT network space in the 
first Received: hop.

Philip

-- 
Philip Paeps
Senior Reality Engineer
Ministry of Information



Re: [mailop] GSuites looking too closely at first-hop Received: headers?

2018-02-27 Thread Philip Paeps

On 2018-02-27 18:18:49 (+0545), Suresh Ramasubramanian wrote:
> That is the apricot conference AS and netblock - used only for the
> apricot conference and not random IP space provided by a local ISP in
> Kathmandu where you currently are.
>
> Quite clean but it won’t get used at all between conferences.


I wasn't aware APRICOT space went unused between events.  In the RIPE 
NCC region, the address space temporarily allocated to conferences gets 
allocated to several events annually and develops quite an interesting 
aroma as a consequence. :)


Thanks for correcting me.

But still ... GSuites wasn't happy with the APRICOT network space in the 
first Received: hop.


Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information



Re: [mailop] GSuites looking too closely at first-hop Received: headers?

2018-02-27 Thread Suresh Ramasubramanian

That is the apricot conference AS and netblock - used only for 
the apricot conference and not random IP space provided by a local ISP in 
Kathmandu where you currently are.
Quite clean but it won’t get used at all between conferences.

On Mon, Feb 26, 2018 at 10:48 PM -0800, "Philip Paeps"  wrote:

> I'm at a conference this week, sending email from very untrustworthy IP space.
> Of course I'm relaying through my usual servers.
>
> Sending mail to a GSuites mailing list (or do they call them "groups"?) gets
> 250 accepted but does not actually arrive on the list.  I don't get a copy (I'm
> subscribed to the list) and other subscribers confirm out of band that they
> don't see my email either (they looked in their spam folders too).
>
> I did a couple of experiments.
>
> A message with the first Received: header as follows does not arrive on a
> GSuites-hosted mailing list (despite being 250 accepted):
>
> Received: from twoflower.trouble.is (254.158.dhcp.conference.apricot.net [220.247.158.254])
>     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>     (Client did not present a certificate)
>     (Authenticated sender: philip)
>     by rincewind.trouble.is (Postfix) with ESMTPSA id 3zr7nV5QjfzttZ
>     for ; Tue, 27 Feb 2018 06:19:10 + (UTC)
>
> An identical message with the first Received like this does arrive:
>
> Received: from twoflower.trouble.is (localhost [127.0.0.1])
>     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>     (Client did not present a certificate)
>     (Authenticated sender: philip)
>     by rincewind.trouble.is (Postfix) with ESMTPSA id 3zr7xw1W8xztth
>     for ; Tue, 27 Feb 2018 06:26:28 + (UTC)
>
> The intermediate relays (between my laptop - twoflower.trouble.is) and the
> Google machine reporting 250 are identical.  IPv4 or IPv6 makes no difference.
> Content and other headers also substantially identical (modulo timestamps,
> queue ids and Message-ID).  Domain does SPF and DKIM (but not DMARC).
>
> Simply rewriting the mumble-mumble-dhcp-mumble and the dodgy origin address
> with localhost gets the email delivered.
>
> Note that as far as I can tell this is only true for GSuites (and I've only
> tried one list).  Mail to GMail seems to be working fine.
>
> Of course relays do get compromised from time to time, so peeking at the first
> hop is not a completely crazy thing for GSuites to do.  But silently dropping
> the email after accepting feels a little disproportionate.  Perhaps a 451 would
> be more appropriate?
>
> I have no way of knowing if GSuites is actually looking too closely at my
> first-hop Received: headers but that's the only theory I can come up with for
> my emails not arriving on that GSuites list.
>
> Has anyone else seen this?  Brandon, can you comment if this is something to
> beware of?
>
> Thanks.
>
> Philip
>
> --
> Philip Paeps
> Senior Reality Engineer
> Ministry of Information


[mailop] GSuites looking too closely at first-hop Received: headers?

2018-02-26 Thread Philip Paeps
I'm at a conference this week, sending email from very untrustworthy IP 
space.  Of course I'm relaying through my usual servers.


Sending mail to a GSuites mailing list (or do they call them "groups"?) 
gets 250 accepted but does not actually arrive on the list.  I don't get 
a copy (I'm subscribed to the list) and other subscribers confirm out of 
band that they don't see my email either (they looked in their spam 
folders too).


I did a couple of experiments.

A message with the first Received: header as follows does not arrive on 
a GSuites-hosted mailing list (despite being 250 accepted):


Received: from twoflower.trouble.is (254.158.dhcp.conference.apricot.net [220.247.158.254])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (Client did not present a certificate)
    (Authenticated sender: philip)
    by rincewind.trouble.is (Postfix) with ESMTPSA id 3zr7nV5QjfzttZ
    for ; Tue, 27 Feb 2018 06:19:10 + (UTC)

An identical message with the first Received like this does arrive:

Received: from twoflower.trouble.is (localhost [127.0.0.1])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (Client did not present a certificate)
    (Authenticated sender: philip)
    by rincewind.trouble.is (Postfix) with ESMTPSA id 3zr7xw1W8xztth
    for ; Tue, 27 Feb 2018 06:26:28 + (UTC)

The intermediate relays (between my laptop - twoflower.trouble.is) and 
the Google machine reporting 250 are identical.  IPv4 or IPv6 makes no 
difference.  Content and other headers also substantially identical 
(modulo timestamps, queue ids and Message-ID).  Domain does SPF and DKIM 
(but not DMARC).


Simply rewriting the `mumble-mumble-dhcp-mumble` and the dodgy origin 
address with localhost gets the email delivered.


Note that as far as I can tell this is only true for GSuites (and I've 
only tried one list).  Mail to GMail seems to be working fine.


Of course relays do get compromised from time to time, so peeking at the 
first hop is not a completely crazy thing for GSuites to do.  But 
silently dropping the email after accepting feels a little 
disproportionate.  Perhaps a 451 would be more appropriate?


I have no way of knowing if GSuites is actually looking too closely at 
my first-hop Received: headers but that's the only theory I can come up 
with for my emails not arriving on that GSuites list.


Has anyone else seen this?  Brandon, can you comment if this is 
something to beware of?


Thanks.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
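An added worked example (not from the list, Philip, Mark or Google) of Mark's theory earlier in the thread applied to Philip's two Received: headers above: walk the chain from the origin upwards, step over loopback and RFC 1918 hops, and treat the first remaining hop as the one that must pass SPF. RELAY_HOP, mx.example.net, 192.0.2.10 and SPF_AUTHORIZED are constructed stand-ins for the relay-to-Google hop and the domain's SPF record, neither of which the thread shows.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed samples: the first two are the Received: lines Philip quoted (the elided
# recipient/zone and the TLS lines are dropped); RELAY_HOP is an invented header for the
# hop from his relay into Google, with a placeholder address the page never shows.
RECEIVED_CONFERENCE = (
    "Received: from twoflower.trouble.is (254.158.dhcp.conference.apricot.net [220.247.158.254])\n"
    "\tby rincewind.trouble.is (Postfix) with ESMTPSA id 3zr7nV5QjfzttZ")
RECEIVED_LOCALHOST = (
    "Received: from twoflower.trouble.is (localhost [127.0.0.1])\n"
    "\tby rincewind.trouble.is (Postfix) with ESMTPSA id 3zr7xw1W8xztth")
RELAY_HOP = (  # constructed; 192.0.2.10 stands in for rincewind's real address
    "Received: from rincewind.trouble.is (rincewind.trouble.is [192.0.2.10])\n"
    "\tby mx.example.net with ESMTPS")
# Constructed stand-in for the domain's SPF-authorized senders (the relay only).
SPF_AUTHORIZED = {ipaddress.ip_address("192.0.2.10")}
# Loopback and RFC 1918 space: the hops Mark suggests Google steps over.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The peer address is the bracketed literal after "from <helo> (<rdns>"; Postfix prefixes IPv6:.
_FROM_IP = re.compile(r"^Received:\s+from\s+\S+\s+\([^\[\]]*\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

def sending_ip(received: str):
    """Return the peer IP recorded in one (possibly folded) Received: header, or None."""
    m = _FROM_IP.match(received.replace("\n", " "))
    return ipaddress.ip_address(m.group(1)) if m else None

def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)

def first_external_hop(received_headers: List[str]) -> Optional[str]:
    """Headers come newest-first, as they appear in the message. Walk them from the
    origin upwards and return the first sending IP that is neither loopback nor
    RFC 1918; under Mark's theory that is the hop G Suite holds to SPF."""
    for hdr in reversed(received_headers):
        ip = sending_ip(hdr)
        if ip is not None and not is_internal(ip):
            return str(ip)
    return None

def spf_hop_authorized(received_headers: List[str]) -> bool:
    """True when the hop picked above is in the (constructed) authorized set."""
    hop = first_external_hop(received_headers)
    return hop is not None and ipaddress.ip_address(hop) in SPF_AUTHORIZED
```

With the conference address as the origin the checked hop is 220.247.158.254, which the domain's SPF does not cover; with localhost as the origin that hop is skipped and the relay itself is the one evaluated.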