Re: [mailop] Unable to receive email from WeTransfer and Facebook (only for a specific domain)
On 16/05/20 21:02, Alessio Cecchi via mailop wrote:
> Hi,
> we are an Email Hosting Provider based in Italy. One of our customers has transferred her domain from one registrar to another. After this transfer the domain is unable to receive emails from wetransfer.com and facebookmail.com, but works fine from all other senders.
> I suspect that during the transfer there was some issue with the name servers of the domain, because on the day of the transfer no email was received by the domain, but after one week any DNS issue/cache should be fixed.

Hello guys,

WeTransfer support replied to me:

===
Hi Alessio,

Thanks for contacting us!

Our transfer email could not be delivered to the recipient because their email address was on the bounce list of our email delivery service. That explains why they didn't receive the confirmation emails.

I have now removed the recipient's email address from our bounce list and they should technically be able to receive our emails again.
===

so the problem started, probably, during the change of DNS provider, when the domain had no MX records or wrong ones. Probably it is the same for Facebook too.

Thanks to all for helping me :-)

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Unable to receive email from WeTransfer and Facebook (only for a specific domain)
On Sun, 17 May 2020 at 12:04, Adam D. Barratt via mailop wrote:
> On Sun, 2020-05-17 at 12:30 +0200, ml+mailop--- via mailop wrote:
> > On Sun, May 17, 2020, Alessio Cecchi via mailop wrote:
> > > the domain name is stefanoboschi.it and after the transfer from one
> >
> > dig stefanoboschi.it. mx
> > stefanoboschi.it. 3500 IN MX 10 mx01.cbsolt.net.
> > stefanoboschi.it. 3500 IN MX 20 mx02.cbsolt.net.
> >
> > connecting to mx01.cbsolt.net
> > ...
> > RCPT TO:
> > 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
> >
> > Looks like the MX record is wrong or the server is misconfigured.
>
> It works fine without the trailing dot, which is what I'd expect:
>
> adam@kotick:~$ telnet mx01.cbsolt.net 25
> Trying 185.97.217.85...
> Connected to mx01.cbsolt.net.
> Escape character is '^]'.
> ma220 mail02.cbsolt.net ESMTP
> mail from:<>
> 250 ok
> rcpt to:
> 250 ok
> rcpt to:
> 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

Hi Alessio,

I agree with Ken's comments about confirming DNS is OK. I did my own checks from a couple of servers and my home connection, and they seem to reliably report the correct MXes, but WeTransfer and Facebook *might* be caching stale records. Try making a trivial update (a dummy TXT record) to increment the SOA's serial, then check the response through public resolvers after it's propagated.

If that all looks OK, I'd suspect your MTA. Is it just the one customer affected, or all served by that MX? I've seen this kind of problem with selective refusal of mail when cipher suites have been incompatible or supported TLS versions are too strict.
To make sure you're not just erroneously blocking subnets, here's a sample from earlier of hosts delivering for Facebook and WeTransfer from my logs:

o3.email.wetransfer.com[192.254.123.42]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
o6.email.wetransfer.com[167.89.35.32]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
o5.email.wetransfer.com[167.89.35.243]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
69-171-232-142.mail-mail.facebook.com[69.171.232.142]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
69-171-232-140.mail-mail.facebook.com[69.171.232.140]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
66-220-144-144.mail-mail.facebook.com[66.220.144.144]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

Enable verbose logging to check for cipher negotiation problems and handshake failures during receipt.

Testing to mx01/02.cbsolt.net, testssl.sh was only able to negotiate AES128-GCM-SHA256 to your server; you should be aiming for something like DHE-RSA-AES256-SHA256 via TLSv1.2. Your MXes appear to accept >=SSLv3, so I suspect cipher mismatch.

- testssl.sh (https://testssl.sh) indicates your MXes offer almost no ciphers supporting Forward Secrecy, and are nearly all SHA1 (and so are possibly vulnerable to the ROBOT attack).
- Your server offers RC4 ciphers, not good. The only other offered ciphers are all TLS_RSA_* SHA-1, except a couple of stronger ciphers (but still not great) via TLSv1.2.
- With TLS_RSA ciphers, your servers cannot negotiate Forward Secrecy and that may be preventing delivery.
- The _SHA ciphers are all SHA-1; no certs have been issued as SHA-1 for years. It's inadvisable to offer them without some more modern DHE/ECDHE, RSA/ECDSA ciphers.
+ You absolutely do not need to offer RC4 any more, but you do absolutely need to offer DHE and ECDHE.
- After last year's CBC padding oracle exploits, consider all CBC ciphers potentially vulnerable (https://www.tripwire.com/state-of-security/vert/tls-cbc-padding-oracles/).
- I still offer CBC ciphers as I still see incoming connections trying to negotiate a CBC cipher.

I suggest you update your cipher suites. Always offer a handful of fallback ciphers (despite known issues with CBC), but primarily offer DHE and ECDHE ciphers. Elliptic Curve Diffie-Hellman Ephemeral encryption (ECDHE) is more efficient than DHE, but both will offer Forward Secrecy. Anything is better than TLS_RSA. Note that Facebook and WeTransfer both negotiate an ECDHE cipher.

I only offer TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_CAMELLIA_128_CBC_SHA as fallbacks for badly configured senders; the rest of my ciphers are mostly ECDHE and DHE, SHA256 or SHA384.

For incoming encrypted negotiation to my servers I unfortunately still need to permit SSLv3 and up. Some senders still insist on using SSLv3 or TLSv1 and nothing more recent. Realistically, so many senders are still using obsolete settings that we cannot restrict to only TLSv1.2 or 1.3 and ECDHE. Even some of the big senders are using poor TLS configurations, but likewise some have already dropped support for old ciphers.

Hopefully updating your settings will fix delivery problems. The cipher suite below will enable 2048 bit key pair DHE, 128/256 bit encryption, and
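The triage the message above describes (read the MTA's TLS log lines, flag negotiations without forward secrecy, with RC4, SHA-1 MACs or CBC mode, and check that a replacement cipher policy actually enables (EC)DHE suites), as an added example by the editor. It is not code from the post or from any MTA. The two log lines it reuses are the WeTransfer and Facebook ones quoted above; the two weak lines, the "modern sender" and "weak MX" offer lists and the recommended OpenSSL policy string are the editor's constructed assumptions, not the (truncated) suite the poster was about to paste.

```python
"""Triage MTA TLS logs and cipher policy (editor's added example, not the post's code).
Parses Postfix-style "host[ip]: PROTO with cipher NAME (b/b bits)" lines, flags the
weaknesses the post lists, simulates the client/server suite intersection a handshake
depends on, and expands an OpenSSL policy string with the local OpenSSL build."""
import re
import ssl
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<host>\S+)\[(?P<ip>[^\]]+)\]:\s+(?P<proto>\S+)\s+with\s+cipher\s+"
    r"(?P<cipher>\S+)\s+\((?P<bits>\d+)/\d+\s+bits\)"
)
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")

# Sample input: two lines quoted in the post plus two constructed lines
# (documentation IPs, .invalid hostnames) showing weak negotiations.
SAMPLE_LOG = """\
o3.email.wetransfer.com[192.254.123.42]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
69-171-232-142.mail-mail.facebook.com[69.171.232.142]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
legacy.example.invalid[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
old.example.invalid[192.0.2.11]: SSLv3 with cipher RC4-SHA (128/128 bits)
"""

@dataclass
class Negotiation:
    host: str
    ip: str
    proto: str
    cipher: str
    bits: int
    findings: list = field(default_factory=list)

def has_forward_secrecy(cipher):
    """True for (EC)DHE suites in OpenSSL or IANA naming, and for TLS 1.3 suites."""
    if cipher.startswith("TLS_"):                  # IANA naming (TLS_RSA_WITH_..., TLS_AES_...)
        return "_WITH_" not in cipher or "DHE_" in cipher
    return cipher.startswith(("ECDHE-", "DHE-"))   # OpenSSL naming

def assess_cipher(cipher, proto="TLSv1.2"):
    """List the weaknesses of one negotiated suite, as the post describes them."""
    findings = []
    if proto in OBSOLETE_PROTOCOLS:
        findings.append(f"obsolete protocol {proto}")
    if not has_forward_secrecy(cipher):
        findings.append("no forward secrecy (static RSA key exchange)")
    if "RC4" in cipher:
        findings.append("RC4 stream cipher")
    elif "_CBC_" in cipher or not any(m in cipher for m in AEAD_MARKERS):
        findings.append("CBC mode (padding-oracle exposure)")
    if cipher.endswith(("-SHA", "_SHA", "-MD5", "_MD5")):
        findings.append("SHA-1/MD5 MAC")
    return findings

def parse_line(line):
    """Parse one log line into a Negotiation with its findings, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    n = Negotiation(m["host"], m["ip"], m["proto"], m["cipher"], int(m["bits"]))
    n.findings = assess_cipher(n.cipher, n.proto)
    return n

def triage(log_text):
    """Return only the negotiations that have findings."""
    parsed = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [n for n in parsed if n is not None and n.findings]

# Constructed offer lists mirroring the post: a sender offering only ECDHE suites,
# an MX offering RC4 and static-RSA suites, and that MX after adding (EC)DHE.
MODERN_SENDER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                 "ECDHE-RSA-CHACHA20-POLY1305"]
WEAK_MX = ["AES128-GCM-SHA256", "AES256-SHA", "AES128-SHA", "RC4-SHA"]
FIXED_MX = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
            "DHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]   # one CBC fallback kept

def select_suite(client_offers, server_prefs):
    """Suite a server-preference handshake picks, or None (handshake failure)."""
    for s in server_prefs:
        if s in client_offers:
            return s
    return None

# Editor's suggested OpenSSL policy: (EC)DHE+AEAD first, one CBC fallback, no RC4/MD5/NULL.
RECOMMENDED_POLICY = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:ECDHE+AES:DHE+AES:"
                      "AES128-SHA:!aNULL:!eNULL:!EXPORT:!MD5:!RC4:!3DES")

def policy_cipher_names(policy):
    """Expand an OpenSSL cipher string using the local OpenSSL (TLS 1.2 and below)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(policy)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

if __name__ == "__main__":
    for n in triage(SAMPLE_LOG):
        print(f"{n.host} {n.proto} {n.cipher}: " + "; ".join(n.findings))
    print("weak MX vs modern sender:", select_suite(MODERN_SENDER, WEAK_MX))
    print("fixed MX vs modern sender:", select_suite(MODERN_SENDER, FIXED_MX))
    print(len(policy_cipher_names(RECOMMENDED_POLICY)), "suites enabled by policy")
```

Feed it `grep 'with cipher' /var/log/mail.log` output; any line that comes back with findings is a peer that would be cut off by a strict policy, which is the trade-off the message above makes when it keeps a CBC fallback. `select_suite` is the whole reason delivery fails silently: an ECDHE-only sender against an RSA-only MX has an empty intersection, so the sender sees a handshake failure rather than a bounce.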
Re: [mailop] Unable to receive email from WeTransfer and Facebook (only for a specific domain)
On Sun, 2020-05-17 at 12:09 +0200, Alessio Cecchi via mailop wrote:
> I think that during the transfer of the domain something happened with
> the name servers but I can't understand what.

There are many things that can go wrong with NS servers and the networks they live on that can interfere with answering queries correctly and/or consistently. However, you can only diagnose these issues if you are the DNS provider.

So, in the case that

a) none of your other MX hosting domains are experiencing this problem,
b) the only thing that changed with stefanoboschi.it was the DNS zone hosting, and
c) you are certain that you are not rejecting the emails or packets at your end,

then I think a reasonable course of action would be to talk to the DNS provider to see what's happening at the query end. If the new DNS provider is not cooperative then you could think about temporarily moving the DNS to another provider (e.g. Amazon) to see if the problem disappears.

It could of course be something else, but it would be good to at least rule out DNS.

Ken.
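Ruling out DNS the way this thread suggests (bump the SOA serial, then compare what several public resolvers return for the MX set and the serial), as an added example by the editor, not code from the post. The live part shells out to `dig`, which must be installed; the resolver addresses are the well-known Google, Cloudflare and Quad9 public resolvers. The parsing and comparison run offline on captured `dig +short` output, and the sample answers below are constructed: the MX hosts are the ones quoted in the thread, but the SOA name servers and serials are invented for the illustration.

```python
"""Check that public resolvers agree on a domain's MX set and SOA serial.
Editor's added example, not the post's code.  Requires `dig` for live queries."""
import subprocess
import sys

PUBLIC_RESOLVERS = {"google": "8.8.8.8", "cloudflare": "1.1.1.1", "quad9": "9.9.9.9"}

def parse_mx_short(text):
    """`dig +short MX` output -> set of (preference, host).

    Hosts are lower-cased with the trailing dot stripped, so `mx01.cbsolt.net.`
    and `MX01.CBSOLT.NET` compare equal.  Lines that are not "pref host" are skipped."""
    records = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        records.add((int(parts[0]), parts[1].lower().rstrip(".")))
    return records

def parse_soa_serial(text):
    """`dig +short SOA` output (mname rname serial refresh retry expire minimum) -> serial or None."""
    parts = text.split()
    if len(parts) < 7 or not parts[2].isdigit():
        return None
    return int(parts[2])

def compare_answers(answers):
    """answers: {resolver: {"mx": text, "soa": text}} -> list of discrepancy strings (empty = consistent)."""
    mx_by_resolver = {r: parse_mx_short(a["mx"]) for r, a in answers.items()}
    serial_by_resolver = {r: parse_soa_serial(a["soa"]) for r, a in answers.items()}
    problems = []
    if len({frozenset(v) for v in mx_by_resolver.values()}) > 1:
        for r, mx in sorted(mx_by_resolver.items()):
            problems.append(f"MX from {r}: {sorted(mx) or 'EMPTY'}")
    if len(set(serial_by_resolver.values())) > 1:
        for r, s in sorted(serial_by_resolver.items()):
            problems.append(f"SOA serial from {r}: {s}")
    return problems

def dig_short(rrtype, name, resolver):
    """Run dig against one resolver and return its +short output (empty on timeout/NXDOMAIN)."""
    out = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", rrtype, name, "@" + resolver],
        capture_output=True, text=True, check=False)
    return out.stdout

def query_resolvers(name, resolvers=PUBLIC_RESOLVERS):
    """Collect MX and SOA answers for `name` from every resolver."""
    return {r: {"mx": dig_short("MX", name, ip), "soa": dig_short("SOA", name, ip)}
            for r, ip in resolvers.items()}

# Constructed sample answers.  SOA name servers and serials are invented; the MX
# hosts are the ones shown in the thread.  CONSISTENT has the same data in a
# different order and case; STALE adds a resolver still caching an empty MX set
# and the pre-change serial.
_SOA_NEW = "ns1.example.invalid. hostmaster.example.invalid. 2020051701 3600 900 1209600 300\n"
_SOA_OLD = "ns1.example.invalid. hostmaster.example.invalid. 2020051000 3600 900 1209600 300\n"
CONSISTENT = {
    "google":     {"mx": "10 mx01.cbsolt.net.\n20 mx02.cbsolt.net.\n", "soa": _SOA_NEW},
    "cloudflare": {"mx": "20 MX02.cbsolt.net.\n10 mx01.cbsolt.net.\n", "soa": _SOA_NEW},
}
STALE = dict(CONSISTENT, quad9={"mx": "", "soa": _SOA_OLD})

if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "stefanoboschi.it"
    problems = compare_answers(query_resolvers(domain))
    print("\n".join(problems) if problems else f"all resolvers agree on MX and SOA for {domain}")
```

An empty MX set from one resolver while the others return two hosts is exactly the "cached stale records" case raised in the thread; a serial that differs across resolvers after the dummy TXT update tells you which caches have not yet picked up the new zone. If all public resolvers agree and the serial is the new one, DNS is not the problem and the MTA side is next.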
Re: [mailop] Unable to receive email from WeTransfer and Facebook (only for a specific domain)
On Sun, 2020-05-17 at 12:30 +0200, ml+mailop--- via mailop wrote:
> On Sun, May 17, 2020, Alessio Cecchi via mailop wrote:
> > the domain name is stefanoboschi.it and after the transfer from one
>
> dig stefanoboschi.it. mx
> stefanoboschi.it. 3500 IN MX 10 mx01.cbsolt.net.
> stefanoboschi.it. 3500 IN MX 20 mx02.cbsolt.net.
>
> connecting to mx01.cbsolt.net
> ...
> RCPT TO:
> 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>
> Looks like the MX record is wrong or the server is misconfigured.

It works fine without the trailing dot, which is what I'd expect:

adam@kotick:~$ telnet mx01.cbsolt.net 25
Trying 185.97.217.85...
Connected to mx01.cbsolt.net.
Escape character is '^]'.
ma220 mail02.cbsolt.net ESMTP
mail from:<>
250 ok
rcpt to:
250 ok
rcpt to:
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
Re: [mailop] Unable to receive email from WeTransfer and Facebook (only for a specific domain)
Works fine if you don't include the final period:

mail from: <>
250 ok
rcpt to:
250 ok
quit
221 mail04.cbsolt.net

So that's not it.

-----Original Message-----
From: mailop On Behalf Of ml+mailop--- via mailop
Sent: Sunday, 17 May 2020 10:31 pm
To: mailop@mailop.org
Subject: Re: [mailop] Unable to receive email from WeTransfer and Facebook (only for a specific domain)

On Sun, May 17, 2020, Alessio Cecchi via mailop wrote:
> the domain name is stefanoboschi.it and after the transfer from one

dig stefanoboschi.it. mx
stefanoboschi.it. 3500 IN MX 10 mx01.cbsolt.net.
stefanoboschi.it. 3500 IN MX 20 mx02.cbsolt.net.

connecting to mx01.cbsolt.net
...
RCPT TO:
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

Looks like the MX record is wrong or the server is misconfigured.
Re: [mailop] Unable to receive email from WeTransfer and Facebook (only for a specific domain)
On Sun, May 17, 2020, Alessio Cecchi via mailop wrote:
> the domain name is stefanoboschi.it and after the transfer from one

dig stefanoboschi.it. mx
stefanoboschi.it. 3500 IN MX 10 mx01.cbsolt.net.
stefanoboschi.it. 3500 IN MX 20 mx02.cbsolt.net.

connecting to mx01.cbsolt.net
...
RCPT TO:
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

Looks like the MX record is wrong or the server is misconfigured.
Re: [mailop] Unable to receive email from WeTransfer and Facebook (only for a specific domain)
On 17/05/20 01:03, John Levine via mailop wrote:
> In article you write:
> > What can I investigate?
>
> If you want our help, you need to give us enough info that we can help.
> Without knowing the domain name, we can only guess and we'll probably guess wrong.

Yes, I'm sorry. The domain name is stefanoboschi.it and, after the transfer from one registrar to another (but we have always been the provider of the email, before and after), it is unable to receive email from

- notificat...@facebookmail.com
- nore...@wetransfer.com

and probably others, since the domain's owner said that before the transfer she received about 30-40 emails per day and after only 10-20 (and I can confirm this from the log).

If I try to send a file from WeTransfer to an address of the domain, WeTransfer replies that it is unable to deliver the email, but without any details.

Email from gmail.com and outlook.com arrives regularly.

All other domains managed by us, with the same MX records, can receive email without problem.

I think that during the transfer of the domain something happened with the name servers but I can't understand what.

Thanks
--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
Re: [mailop] Unable to receive email from WeTransfer and Facebook (only for a specific domain)
On Sat, 16 May 2020 21:02:31 +0200, Alessio Cecchi via mailop wrote:
> we are an Email Hosting Provider based in Italy.

[snip]

> What can I investigate?

Based on all the data you have provided us, the answer would be equivalent to the answer to "What sort of stuff should I saw when building a dwelling?"

"Go ahead and investigate all the stuff you should investigate."

mdr
--
Sometimes half-ass is exactly the right amount of ass. -- Wonderella
Re: [mailop] Unable to receive email from WeTransfer and Facebook (only for a specific domain)
In article you write:
> What can I investigate?

If you want our help, you need to give us enough info that we can help. Without knowing the domain name, we can only guess and we'll probably guess wrong.
[mailop] Unable to receive email from WeTransfer and Facebook (only for a specific domain)
Hi,

we are an Email Hosting Provider based in Italy. One of our customers has transferred her domain from one registrar to another. After this transfer the domain is unable to receive emails from wetransfer.com and facebookmail.com, but works fine from all other senders.

I suspect that during the transfer there was some issue with the name servers of the domain, because on the day of the transfer no email was received by the domain, but after one week any DNS issue/cache should be fixed.

What can I investigate?

Thanks
--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice