Re: Setting personal mailserver

2023-09-08 Thread Pontus Stenetorp
On Sat 09 Sep 2023, Stuart Longland wrote:
> On 9/9/23 01:28, Tassilo Philipp wrote:
> > > [...] I didn't bother with DKIM until Google started mandating
> > > it for example [...]
> > 
> > Hm... do you have a reference for that? I don't have that
> > experience with gmail servers. Also I don't find info about that
> > being mandatory, online.
> 
> https://support.google.com/a/answer/174124?hl=en#hcfe-content
> 
> Sadly, I don't have any log messages to show, because I last had the
> problem in May 2021, and my log retention does not go back that far.

At least from my experience and from reading Google's documentation, Google 
does not *require* both DKIM and SPF, but has since late 2022 or early 2023 
started to randomly reject e-mails that have *neither*:

550-5.7.26 This mail is unauthenticated, which poses a security risk to 
the sender and Gmail users, and has been blocked. The sender must authenticate 
with at least one of SPF or DKIM. For this message, DKIM checks did not pass 
and SPF check for [example.com] did not pass with ip: [127.0.0.1]. The sender 
should visit https://support.google.com/mail/answer/81126#authentication for 
instructions on setting up authentication.

I doubt that DKIM ever hurts though if you have it set up.



Re: Setting personal mailserver

2023-09-08 Thread Stuart D Gathman

On Thu, 7 Sep 2023, Sagar Acharya wrote:


> In today's times of mature NLP, you will not be able to differentiate
> human mail from bot mail or spam. Only in person verification is
> trustworthy.  No. Are you saying that only people who control the
> network should send mails? Well DNS exactly is for that. If you find I
> send spams, you can easily block mails from my domain
> humaaraartha.in but it is not wise nor ethical to by default not allow
> people to mail.


Acckshully ... when using centralized DNS root zone, ICANN, they
can cancel/spoof domains.  And TLS is worse, as the shadowy TLS
global cabal decides the list of CAs fully trusted.  (And browsers
do not support CA veto out of the box.)  This lets the cabal MITM
your TLS connections.


DNS was designed to be federated - so you can lessen your dependence
on ICANN by running your own root zone, or using a community root zone
like https://www.opennic.org


> That issue lies because hardware is not mapped to people. There is no
> technological solution for trust hopping between machines. ssh should
> be discouraged and each machine, denoted by single IP address should
> be mapped to a human. So humaaraartha.in is run by Sagar Acharya.


Yes, see https://github.com/cjdelisle/cjdns and
https://github.com/yggdrasil-network/yggdrasil-go both of which
create crypto unique authenticated IPv6 addresses.  Use the raw IPv6
to send emails and make phone calls.


> Well, what action should be implemented for sending emails. I don't


The scheme I use for fully decentralized opensmtpd and SIP is described 
at https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/

(Older version of opensmtpd for that article.)

I even have a few people that will talk to me that way.  And no spam.
I do get connects from various spiders looking for mail server listening,
but so far no spam.

It is a hard sell ...
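
What "crypto unique authenticated IPv6 addresses" means in practice, as an added example that is not code from cjdns, yggdrasil or this message: cjdns derives a node's address from the first 16 bytes of SHA-512(SHA-512(public key)) and only routes fc00::/8, so key generation is a search for a key whose double hash begins with 0xfc, and a peer can check that the address it is talking to really belongs to the key presented. The 32-byte keys below are constructed stand-ins for Curve25519 public keys (the derivation only hashes the key bytes), and the seeded byte source exists only to make runs reproducible. Yggdrasil uses its own, different derivation and is not shown.

```python
"""cjdns-style address derivation: an IPv6 address bound to a public key.

Added example, not code from cjdns, yggdrasil or this thread.  cjdns gives
each node the first 16 bytes of SHA-512(SHA-512(public_key)) as its IPv6
address and only accepts addresses in fc00::/8, so key generation is a
search for a key whose double hash starts with 0xfc (one key in 256).
cjdns keys are Curve25519 public keys; the 32-byte strings used here are
constructed stand-ins, since the derivation only hashes the key bytes.
"""
import hashlib
import ipaddress
import os

CJDNS_PREFIX = ipaddress.IPv6Network("fc00::/8")


def address_for_key(pubkey: bytes) -> ipaddress.IPv6Address:
    """Derive the cjdns address for a 32-byte public key."""
    if len(pubkey) != 32:
        raise ValueError("expected a 32-byte public key")
    digest = hashlib.sha512(hashlib.sha512(pubkey).digest()).digest()
    return ipaddress.IPv6Address(digest[:16])


def is_cjdns_address(addr) -> bool:
    """True for addresses inside fc00::/8, the only range cjdns routes."""
    try:
        return ipaddress.IPv6Address(addr) in CJDNS_PREFIX
    except ValueError:
        return False


def mine_key(draw=os.urandom):
    """Draw candidate keys until one hashes into fc00::/8.

    Returns (key, address, attempts).  draw(n) must return n random bytes:
    os.urandom by default, or a seeded source for reproducible runs.
    """
    attempts = 0
    while True:
        attempts += 1
        key = draw(32)
        addr = address_for_key(key)
        if addr in CJDNS_PREFIX:
            return key, addr, attempts


def seeded_draw(seed: bytes):
    """Deterministic stand-in for os.urandom (SHA-256 counter stream).
    Constructed for demonstrations only; never use it for real keys."""
    counter = 0

    def draw(n):
        nonlocal counter
        counter += 1
        return hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()[:n]
    return draw


def peer_owns_address(pubkey: bytes, claimed: str) -> bool:
    """What a receiver checks before trusting a raw-IPv6 peer: the source
    address must be the hash of the public key presented in the session
    handshake.  The key exchange that proves possession of the private key
    is cjdns's job and is outside this example."""
    return (is_cjdns_address(claimed)
            and address_for_key(pubkey) == ipaddress.IPv6Address(claimed))


if __name__ == "__main__":
    key, addr, n = mine_key()
    print(f"{key.hex()} -> {addr} after {n} attempts")
```

The security property is the last function: nobody can pick an fc00::/8 address and claim it without holding a key that hashes to it, which is why mail arriving from such an address carries a sender identity that ordinary IPv4 source addresses never do.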



Re: Setting personal mailserver

2023-09-08 Thread Stuart Longland

On 9/9/23 01:28, Tassilo Philipp wrote:
> > [...] I didn't bother with DKIM until Google started mandating it for 
> > example [...]
> 
> Hm... do you have a reference for that? I don't have that experience 
> with gmail servers. Also I don't find info about that being mandatory, 
> online.


https://support.google.com/a/answer/174124?hl=en#hcfe-content

Sadly, I don't have any log messages to show, because I last had the 
problem in May 2021, and my log retention does not go back that far.

--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.




Re: Setting personal mailserver

2023-09-08 Thread Tassilo Philipp
> [...] I didn't bother with DKIM until Google started mandating it for 
> example [...]


Hm... do you have a reference for that? I don't have that experience 
with gmail servers. Also I don't find info about that being mandatory, 
online.



On Fri, Sep 08, 2023 at 08:24:38AM +1000, Stuart Longland wrote:

On 7/9/23 20:44, Sagar Acharya wrote:

Let the mail providers have their setups. Is it possible to have a 
configuration where I have 2 servers, example.com example2.com where I can send 
and receive emails on ports say, 777 on plaintext, starttls optional and port 
778 with smtps?

Give me a configuration for such a thing.

humaaraartha.in.       TXT    "v=spf1 ip4:{myipv4address} -all"
humaaraartha.in.       TXT    "resports:777,778"
humaaraartha.in.       MX     10 humaaraartha.in.
humaaraartha.in.       A      {myipv4address}

That is all you have, nothing more for both servers. Can you help me send 
and receive mails on ports 777,778 with just above DNS and smtpd? I can add 
SRV records for detection of ports 777, 778 if you want.


Okay, not quite sure what the "resports" TXT record is achieving (a 
quick search on the topic didn't reveal any documentation on how it 
was supposed to work or correct syntax).  I won't labour the point 
about outgoing port 25 traffic since others have covered this already.


You can of course use different ports between servers on an 
agreed-upon manner.  e.g. say we have a server, bnemx.vk4msl.com, 
running OpenSMTPD:



vk4msl-bne# cat /etc/mail/smtpd.conf
#   $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

#table aliases file:/etc/mail/aliases
table virtualdomains file:/etc/mail/virtualdomains
table virtualusers file:/etc/mail/virtualusers

pki bnemx cert "/etc/ssl/bnemx.vk4msl.com.fullchain.pem"
pki bnemx key "/etc/ssl/private/bnemx.vk4msl.com.key"
pki bnemx dhe auto

listen on socket
listen on all tls pki bnemx 

… etc, I won't post the full config.

Those `listen` lines are the key, from smtpd.conf manpage:

listen on interface [family] [options]
Listen on the interface for incoming connections, using the same
syntax as ifconfig(8).  The interface parameter may also be an
interface group, an IP address, or a domain name.  Listening can
optionally be restricted to a specific address family, which can
be either inet4 or inet6.


In amongst the options:

port [port]
Listen on the given port instead of the default port 25.


So if I chose to, I could add:

listen on all port 777

and then re-start smtpd, I'd now be listening on port 777.

You could then tell your SMTP server to send to port 777 when sending 
to my domain.


But doing so would be useless:
- no one else would bother using port 777/tcp: they would most likely 
use port 25
- you wouldn't be able to send to any other server, unless they too, 
chose to use port 777/tcp.


If you have a good proposal for how such alternative ports could be 
advertised (maybe via DNS TXT record), perhaps you could propose that 
as a Request For Comment to the Internet Engineering Task Force… and 
maybe if enough people thought it was a good idea, it would be adopted 
with its own official RFC number (like RFC-821, later replaced by 
RFC-2821 and RFC-5321).


That though, won't mean instant ability to pick your own port number. 
The "alternate port number" feature would then need to be added to the 
various SMTP servers out there.  Then sysadmins would need to install 
that version.


This may take years, or even never happen in some cases.  (Qmail is 
still IPv4-only because the author believes IPv6 is unnecessary.)


Regardless of what you think of spam or how to fight it, the truth is 
the small fish don't make the rules in this game.  You and I are small 
fish.  I've been mucking around with mail servers pretty much this 
whole century so far.


I started with trialling something over dial-up (ever seen a 56kbps 
modem screaming under the strain of an outbound mail queue stuffed 
with spam?  I have!)… moved to using Sendmail on an old Slackware 
server hosted on ADSL with 2GB SCSI disks and a self-signed HTTPS 
certificate for webmail in 2001.  Been running my own server ever 
since.


It's not impossible to do it yourself, and dealing with spam is a 
constant cat-and-mouse game.  Things have become more complex out of 
necessity (I didn't bother with DKIM until Google started mandating it 
for example), but even then, not overly difficult.


The minimum standard however has changed over the years as 
requirements changed.  That includes:


- outbound SMTP unblocked -- pretty much since forever since that's 
how TCP/IP works
- static IPv4 -- dynamic IPv4 has not been possible since ~2004 or so 
- SPF DNS records -- since ~2010 or so

- DKIM signing and DMARC policies -- 
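
The check behind Google's 550-5.7.26 text ("SPF check for [example.com] did not pass with ip: [127.0.0.1]") is an RFC 7208 evaluation of the connecting IP against the sender domain's v=spf1 TXT record, the same record the "v=spf1 ... -all" line earlier in this thread sets up. As an added example, not code from the thread or from any of the MTAs mentioned, here is a minimal check_host() run over a constructed in-memory zone in place of DNS. Every name, address and record in ZONE is made up; example.com and 127.0.0.1 only mirror the placeholders in the bounce text, and broken.example shows what the common "ipv4:" misspelling of the "ip4:" mechanism does to a record.

```python
"""Minimal SPF (RFC 7208) check_host() over an in-memory zone.

Added example, not code from this thread or from any MTA.  Supports the
mechanisms a small mail server normally needs (ip4, ip6, a, mx, include,
all) with the +, -, ~ and ? qualifiers.  CIDR suffixes on a/mx and the
redirect= modifier are not implemented; unknown mechanisms give permerror
as RFC 7208 section 4.6.4 requires.
"""
import ipaddress

# Constructed sample zone (stands in for DNS): name -> rrtype -> values.
ZONE = {
    "humaaraartha.in": {
        "TXT": ["v=spf1 ip4:203.0.113.10 -all"],
        "A": ["203.0.113.10"],
        "MX": ["humaaraartha.in."],
    },
    # Mirrors the placeholder domain in Google's 550-5.7.26 text.
    "example.com": {
        "TXT": ["v=spf1 mx include:_spf.relay.example ~all"],
        "MX": ["mail.example.com."],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.relay.example": {"TXT": ["v=spf1 ip6:2001:db8::/32 -all"]},
    # "ipv4:" is not an SPF mechanism; the correct spelling is "ip4:".
    "broken.example": {"TXT": ["v=spf1 ipv4:203.0.113.10 -all"]},
    "nospf.example": {"TXT": ["just some text"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 section 4.6.4 caps DNS-querying terms at 10


def lookup(name, rrtype, zone):
    return zone.get(name.rstrip(".").lower(), {}).get(rrtype, [])


def spf_record(domain, zone):
    """The single v=spf1 TXT record, None if absent, 'permerror' if several."""
    recs = [t for t in lookup(domain, "TXT", zone)
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not recs:
        return None
    return recs[0] if len(recs) == 1 else "permerror"


def host_matches(names, ip, zone):
    """True if ip is an A/AAAA address of any of the given hostnames."""
    rrtype = "A" if ip.version == 4 else "AAAA"
    return any(ip == ipaddress.ip_address(a)
               for n in names for a in lookup(n, rrtype, zone))


def check_host(ip, domain, zone=ZONE, depth=0):
    """RFC 7208 check_host(): pass, fail, softfail, neutral, none or permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    ip = ipaddress.ip_address(ip)
    record = spf_record(domain, zone)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    for term in record.split()[1:]:
        if "=" in term:            # modifier (exp=, redirect=, ...): not handled
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip in net    # False when the address families differ
        elif mech == "a":
            matched = host_matches([arg or domain], ip, zone)
        elif mech == "mx":
            matched = host_matches(lookup(arg or domain, "MX", zone), ip, zone)
        elif mech == "include":
            inner = check_host(ip, arg, zone, depth + 1)
            if inner == "pass":
                matched = True
            elif inner in ("fail", "softfail", "neutral"):
                matched = False
            else:                  # none or permerror inside include => permerror
                return "permerror"
        else:
            return "permerror"     # unknown mechanism, e.g. "ipv4:"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"               # nothing matched (RFC 7208 section 4.7)


if __name__ == "__main__":
    for ip, domain in [("203.0.113.10", "humaaraartha.in"),
                       ("198.51.100.7", "humaaraartha.in"),
                       ("127.0.0.1", "example.com"),
                       ("2001:db8:1::5", "example.com"),
                       ("203.0.113.10", "broken.example")]:
        print(f"{domain:20} from {ip:15} -> {check_host(ip, domain)}")
```

Two things worth noticing when reading the results: a "~all" softfail counts as "did not pass" for Google's purposes just as much as "-all" fail does, and a record with a misspelled mechanism does not merely fail to match, it is a permerror, which leaves the domain no better off than having no record at all.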

Re: Setting personal mailserver

2023-09-08 Thread Reio Remma

On 08.09.2023 09:42, Stuart Longland wrote:

> Your options are:
> 1. set up a server outside your ISPs network that can transmit the 
> message for you (e.g. if Internode decide to block port 25 or withdraw 
> my public IP, I might use my secondary MX as the outbound mail server 
> relay.)
> 2. use your ISPs mail server as a relay (after adding it to your SPF 
> records along with any DKIM keys needed)
> 
> 3. move to an ISP that lets you do this stuff
> 
> I'd suggest (3) is your best option… as trying to circumvent firewall 
> rules will likely get you disconnected for violating their Terms of 
> Service anyway.  (I note humaaraartha.in appears to be hosted by MTNL 
> India, but their website is not responding for me at this time.)


You can get a virtual server for 5€/m with a static IP and configurable 
reverse DNS - the same price as getting a mere static IP from my ISP.


Good luck
Reio



Re: Setting personal mailserver

2023-09-08 Thread Stuart Longland

On 8/9/23 15:51, Sagar Acharya wrote:

> SRV records would get port, like
> 
> https://xmpp.org/extensions/xep-0368.html
> 
> The logic would be like, say there is opensmtpd on the other server 
> too.
> 
> dig _mail._smtp.humaaraartha.in. SRV
> get_port_from_SRV()
> if found_different_port()
>     try_port()
> else
>     try_25()


Sounds okay… but you'd have to get that supported by:

- sendmail
- postfix
- netqmail
- opensmtpd
- exim
- Microsoft Exchange
- Google's mail server (whatever they call it)
… and umpteen other possible mail servers.

It isn't yet as far as I know.

Another is for the MX record to support `hostname:port`, although one
could argue MX could be readily replaced by SRV.

Also, this does not solve your outbound SMTP issue: it'd only advertise 
to others that "I listen on a different port".


It doesn't tell my server to start listening on a different port.  Nor 
does it tell any firewalls in between to suddenly allow this 
out-of-the-ordinary connection.



> Caching can also be done for future requests.


Yeah well, DNS will do that anyway.  That's what the TTL field is for.

> > You and I are small fish. I've been mucking around with mail 
> > servers pretty much this whole century so far.
> OpenBSD and suckless are moving forward and providing solutions. 
> Which mailserver do you use?


Postfix on AlpineLinux is my primary MX.  Simply out of familiarity, I
started with sendmail then later Qmail, but migrated to Postfix some
time around 2006 or so.

OpenSMTPD (and spamd) on OpenBSD is my secondary MX.  I have some custom
scripts that then store the email OpenPGP-encrypted for later collection
by the primary MX in case there's downtime.

The vast majority of my email traffic is direct to the primary MX 
(probably because of spamd's greylisting).



> If we can establish that any software be run on any port, then
> blocking ports won't make sense. Besides, they can block any domains
> and they already do if they find spam there. SPAM is just an excuse.


Moving ports won't solve the problem.  Yes it'd be nice to say, "ohh, by 
the way my SMTP is listening on port 2225", but that won't help you. 
You're expecting the world to move off 25/tcp for SMTP so you can hit it 
behind your ISP's firewall.


That won't happen.

Your options are:
1. set up a server outside your ISPs network that can transmit the 
message for you (e.g. if Internode decide to block port 25 or withdraw 
my public IP, I might use my secondary MX as the outbound mail server 
relay.)
2. use your ISPs mail server as a relay (after adding it to your SPF 
records along with any DKIM keys needed)

3. move to an ISP that lets you do this stuff

I'd suggest (3) is your best option… as trying to circumvent firewall 
rules will likely get you disconnected for violating their Terms of 
Service anyway.  (I note humaaraartha.in appears to be hosted by MTNL 
India, but their website is not responding for me at this time.)

--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
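
For the two things Stuart describes above, a bilateral agreement to deliver to one peer on a non-standard port, and relaying everything else through a host outside the ISP's network (options 1 and 2 in his list), the sending side's smtpd.conf could look like the following. This is an added example, not a configuration from the thread or from the OpenSMTPD project: the hostnames, port 777, the interface name, the path /etc/mail/secrets and the credential label "isp" are all assumptions, and the syntax is that of OpenSMTPD 6.4 and later (the "action"/"match" grammar, not the older "accept" rules).

```conf
# Sending side, assumed host mail.example.org.  Added example, not from the
# thread: names, ports, interface and the secrets table path are assumptions.

# Credentials for the smarthost, one line per label:  isp  user:password
table secrets file:/etc/mail/secrets

listen on socket
listen on lo0             # local submission only; 25/tcp outbound is blocked here

# The peer that agreed to accept mail on 777/tcp.  smtp+tls:// makes STARTTLS
# mandatory so the odd port does not quietly become a plaintext hop; smtp://
# would be opportunistic TLS and smtp+notls:// none.  The peer's own
# "listen on all port 777" must then carry "tls pki ..." as well, or
# delivery fails rather than downgrading.
action "peer_777" relay host smtp+tls://bnemx.vk4msl.com:777

# Everything else through the ISP's submission port with STARTTLS and AUTH
# (option 2).  Option 1 is the same line pointing at your own secondary MX.
# The "isp@" label picks the credential row in <secrets>.
action "via_isp" relay host smtp+tls://isp@smtp.isp.example:587 auth <secrets>

# First matching rule wins: the agreed port for that one domain only.
match from local for domain "vk4msl.com" action "peer_777"
match from local for any action "via_isp"
```

Note what this does and does not buy you: the "peer_777" rule works only because both sides agreed on it out of band, and the relay rule does nothing for inbound mail, which still arrives on whatever port the rest of the world uses, which is 25.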