[qmailtoaster] Spfbehavior
Hello all,

I started getting more spam through, though spamdyke has been working great (see below stats for less than 12h). I can see that more often I get e-mails through with no Domainkey, no DKIM, no SPF (none) and SpamAssassin scores 0.4 only.

Did any of you guys experiment with an Spfbehavior value greater than 3?

386  39.06%  DENIED_RBL_MATCH
--- Breakdown ---
359 100.00%  zen.spamhaus.org
-
220  22.26%  DENIED_RDNS_RESOLVE
203  20.54%  DENIED_RDNS_MISSING
 65   6.57%  ALLOWED
 43   4.35%  DENIED_OTHER
 37   3.74%  DENIED_GRAYLISTED
 23   2.32%  ERROR
  9   0.91%  DENIED_RECIPIENT_BLACKLISTED
  2   0.20%  DENIED_SENDER_NO_MX

Summary
Allowed:  65   6.57%
Timeout:   0   0.00%
Errors :  23   2.32%
Denied : 900  91.09%
Total  : 988 100.00%

Many thanks
Alex
[qmailtoaster] Re: Spfbehavior
On 06/20/2012 03:29 AM, postmas...@seawise-chartering.co.uk wrote:
> Hello all,
>
> I started getting more spam through, though spamdyke has been working great (see below stats for less than 12h). I can see that more often I get e-mails through with no Domainkey, no DKIM, no SPF (none) and SpamAssassin scores 0.4 only.
>
> Did any of you guys experiment with an Spfbehavior value greater than 3?
>
> 386  39.06%  DENIED_RBL_MATCH
> --- Breakdown ---
> 359 100.00%  zen.spamhaus.org
> -
> 220  22.26%  DENIED_RDNS_RESOLVE
> 203  20.54%  DENIED_RDNS_MISSING
>  65   6.57%  ALLOWED
>  43   4.35%  DENIED_OTHER
>  37   3.74%  DENIED_GRAYLISTED
>  23   2.32%  ERROR
>   9   0.91%  DENIED_RECIPIENT_BLACKLISTED
>   2   0.20%  DENIED_SENDER_NO_MX
>
> Summary
> Allowed:  65   6.57%
> Timeout:   0   0.00%
> Errors :  23   2.32%
> Denied : 900  91.09%
> Total  : 988 100.00%
>
> Many thanks
> Alex

(Please don't hijack threads)

I've had problems in the past even with spf 3. I'm using spf 1 presently. I think there's a bug in there somewhere. This is apart from the SA evaluation/scoring of course.

I've encouraged Sam in the past to add spf checking to spamdyke, as it's right up that alley (dns lookups and such). A little extra encouragement on the spamdyke list might help to speed that along. (hint)

So to answer the question, no. (nice stats btw)

--
-Eric 'shubes'

-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
[qmailtoaster] Re: Issue with qtp-ami-up2date
On 06/19/2012 05:51 PM, Casey James Price wrote:
> Just to make sure I've got this right, you are saying to change line 56 in qtp-get-pkg-list to what you have listed above, right? I tried this and then ran qtp-ami-up2date again and am still getting an error.

Oops. Also delete the line containing:
    djbdns \
just a little before that. I did that in the script already, but forgot to tell you.

If that doesn't do it, try grabbing the script from the qtp site. You can see it at http://qtp.qmailtoaster.com/trac/browser/bin/qtp-get-pkg-list and download it using the Original Format link at the bottom of that page.

> So, needless to say, I'm hoping to stick with djbdns for a bit at least on some of these boxes. Q2 and my vcluster1 box (yes, the name does in fact say it all...it's built following the guidelines from Jake's QMT ISP Array video series) both run QMT and bind as the resolver if I remember correctly, but my old Solaris boxes and their latest re-incarnations on the Linux side of things are using tinydns to provide DNS for the customers.
>
> Anyways, sorry to ramble on...these last two paragraphs or so don't really have much relevance in this whole issue, but I just wanted to explain where I was coming from.

Thanks, nice to know. I wouldn't necessarily change from djbdns to something else if it's being used for authoritative dns (i.e. you have zones coded with it). Then again, I wouldn't put an authoritative DNS server on a QMT host either, but that's just me.

I do however recommend using pdns-recursor (powerdns) or caching-nameserver (bind9) on a QMT host.

--
-Eric 'shubes'
RE: [qmailtoaster] Re: Mail Certificates
Hi,

> 1) When using the customer's domain name for the incoming/outgoing servers this obviously increases the amount of certs that a provider will end up needing - so do you put this on the customer to provide, or do you go with a wildcard cert, or?

If you want to use SSL for your domain then the very first change I'll make is to use a single domain for both pop3 and smtp. E.g. Mail.xyz.com for both pop3 and smtp instead of pop.xyz.com and smtp.xyz.com. This reduces the cost of SSL as it will require only 1 cert instead of 2.

Of course a wildcard cert can solve the problem of pop.xyz.com and smtp.xyz.com, but again the price of a wildcard cert is equivalent to 6-7 certs and it is valid only for sub-domains of xyz.com.

Yes, there is a solution for covering multiple domains under a single cert for any server. That is called a SAN pack. Some details of the same can be found here:
http://www.geotrust.com/ssl/ssl-certificates-san-uc/

Even I'm getting details from my providers for the same. Will update all once I get a full idea of the same.

> 2) Is it possible to have multiple certs installed on a QMT host and have them all share the same IP?

Don't know exactly but I don't find any problem in the same. And if any then a SAN pack should solve the same.

And about new certs, if you have any immediate requirement then we need to process it manually since the API is under development. Meanwhile, I'll share a URL by tomorrow from where you can generate a request for an SSL certificate.

Amit
Mobile : +91 - 866101
Tel : +91-20-2422-786-1 / 2 / 3 / 4 Extn - 204
http://ikf.co.in/
http://www.facebook.com/IKFPune
http://www.linkedin.com/company/i-knowledge-factory-pvt.-ltd.

From: Casey James Price [mailto:ca...@smileglobal.com]
Sent: Wednesday, June 20, 2012 12:59 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Re: Mail Certificates

Amit,

I'm also going to be in the market for some certs pretty quick here - what is the best way to go about getting a cert through you?

Also, on a sidenote - since I'm in the email web hosting business I did have a question regarding implementation of SSL certs with QMT and wanted to find out some best practice recommendations for how a provider should set up their SSL infrastructure?

Currently we have several QMT servers each with different roles, but I'd say primarily there are three (3) main Qmail/QMT servers that house the mailboxes and users. So, in the early days when most of the customers were using email addresses from domain names we provided it was simple, they would all have the same incoming and outgoing mail servers, i.e. pop.smileglobal.com, smtp.smileglobal.com

However, nowadays we often set up the appropriate names in DNS that map pop.customer.com to pop.smileglobal.com, etc. Now what I'm unsure about is the best way to start utilizing SSL/TLS for these customers - here is where I need some help -

1) When using the customer's domain name for the incoming/outgoing servers this obviously increases the amount of certs that a provider will end up needing - so do you put this on the customer to provide, or do you go with a wildcard cert, or?

2) Is it possible to have multiple certs installed on a QMT host and have them all share the same IP?

How do other providers handle this?

Thanks guys!

Casey James Price
Smile Global Technical Support
Submit or check trouble tickets http://billing.smileglobal.com
www.smileglobal.com
Follow us on Twitter https://twitter.com/#%21/SmileInternet
Find us on Facebook https://www.facebook.com/smileglobal

On 6/19/12 5:09 AM, Ron Pacheco wrote:

Amit, I'm going to need a few certs in the coming week, what's the procedure here? Send you the CSR in an email? Or is there an official web site or interface that we should go through?

Thanks!
Ron

On 6/18/2012 1:04 PM, Amit wrote:

I accept paypal.

With Regards,
Amit Dalia
_
From: Natalio Gatti nga...@gmail.com
Date: Mon, 18 Jun 2012 12:17:21 -0300
To: qmailtoaster-list@qmailtoaster.com
ReplyTo: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] Re: Mail Certificates

Amit, which payment methods do you accept?

On Mon, Jun 18, 2012 at 12:03 PM, Eric Shubert e...@shubes.net wrote:

Personally, I'd pay a little more for a cert from a QMT community member than one from the likes of GD. I'm sure the customer service would be much better! :)

Please feel free to update the wiki appropriately with your information.

Thanks Amit.

--
-Eric 'shubes'

On 06/18/2012 07:26 AM, Amit wrote:

Hi Everyone, I'm a reseller for various SSL service providers like Verisign, GeoTrust, Thawte and Rapid SSL. So if
Re: [qmailtoaster] Re: Spfbehavior
On 20/06/2012 16:17, Eric Shubert wrote:
> On 06/20/2012 03:29 AM, postmas...@seawise-chartering.co.uk wrote:
>> Hello all,
>>
>> I started getting more spam through, though spamdyke has been working great (see below stats for less than 12h). I can see that more often I get e-mails through with no Domainkey, no DKIM, no SPF (none) and SpamAssassin scores 0.4 only.
>>
>> Did any of you guys experiment with an Spfbehavior value greater than 3?
>>
>> 386  39.06%  DENIED_RBL_MATCH
>> --- Breakdown ---
>> 359 100.00%  zen.spamhaus.org
>> -
>> 220  22.26%  DENIED_RDNS_RESOLVE
>> 203  20.54%  DENIED_RDNS_MISSING
>>  65   6.57%  ALLOWED
>>  43   4.35%  DENIED_OTHER
>>  37   3.74%  DENIED_GRAYLISTED
>>  23   2.32%  ERROR
>>   9   0.91%  DENIED_RECIPIENT_BLACKLISTED
>>   2   0.20%  DENIED_SENDER_NO_MX
>>
>> Summary
>> Allowed:  65   6.57%
>> Timeout:   0   0.00%
>> Errors :  23   2.32%
>> Denied : 900  91.09%
>> Total  : 988 100.00%
>>
>> Many thanks
>> Alex
>
> (Please don't hijack threads)
>
> I've had problems in the past even with spf 3. I'm using spf 1 presently. I think there's a bug in there somewhere. This is apart from the SA evaluation/scoring of course.
>
> I've encouraged Sam in the past to add spf checking to spamdyke, as it's right up that alley (dns lookups and such). A little extra encouragement on the spamdyke list might help to speed that along. (hint)
>
> So to answer the question, no. (nice stats btw)

Did I hijack any threads? :)

I have spfbehavior set to 3 and so far so good. I am just not happy with the spam getting through with SPF set to none. What kind of problems did you encounter with spf please?

I understand that if in an incoming e-mail spf is set to none, spamdyke lets an e-mail in (MX record is OK) and no Domainkey/DKIM, this is down to spamassassin to decide if this is spam or not. Am I correct?

Ref stats - I have my e-mail server sometimes literally bombarded with numerous e-mails and this is where fail2ban comes in handy. This is shocking that the amount of spam is THAT huge these days.

Rgds
Alex
[qmailtoaster] Re: Spfbehavior
On 06/20/2012 01:17 PM, Postmaster wrote:
> On 20/06/2012 16:17, Eric Shubert wrote:
>> On 06/20/2012 03:29 AM, postmas...@seawise-chartering.co.uk wrote:
>>> Hello all,
>>>
>>> I started getting more spam through, though spamdyke has been working great (see below stats for less than 12h). I can see that more often I get e-mails through with no Domainkey, no DKIM, no SPF (none) and SpamAssassin scores 0.4 only.
>>>
>>> Did any of you guys experiment with an Spfbehavior value greater than 3?
>>>
>>> 386  39.06%  DENIED_RBL_MATCH
>>> --- Breakdown ---
>>> 359 100.00%  zen.spamhaus.org
>>> -
>>> 220  22.26%  DENIED_RDNS_RESOLVE
>>> 203  20.54%  DENIED_RDNS_MISSING
>>>  65   6.57%  ALLOWED
>>>  43   4.35%  DENIED_OTHER
>>>  37   3.74%  DENIED_GRAYLISTED
>>>  23   2.32%  ERROR
>>>   9   0.91%  DENIED_RECIPIENT_BLACKLISTED
>>>   2   0.20%  DENIED_SENDER_NO_MX
>>>
>>> Summary
>>> Allowed:  65   6.57%
>>> Timeout:   0   0.00%
>>> Errors :  23   2.32%
>>> Denied : 900  91.09%
>>> Total  : 988 100.00%
>>>
>>> Many thanks
>>> Alex
>>
>> (Please don't hijack threads)
>>
>> I've had problems in the past even with spf 3. I'm using spf 1 presently. I think there's a bug in there somewhere. This is apart from the SA evaluation/scoring of course.
>>
>> I've encouraged Sam in the past to add spf checking to spamdyke, as it's right up that alley (dns lookups and such). A little extra encouragement on the spamdyke list might help to speed that along. (hint)
>>
>> So to answer the question, no. (nice stats btw)
>
> Did I hijack any threads? :)

Well, yes. When you select 'reply' then change the subject, that's hijacking, and results in multiple threads being commingled when you use threaded display. You need to click 'new' to create a new thread. Don't fret, as there are a lot of folks who don't realize this. BL, don't be changing the subject. ;)

> I have spfbehavior set to 3 and so far so good. I am just not happy with the spam getting through with SPF set to none. What kind of problems did you encounter with spf please?

Wasn't all that long ago as it turns out.
http://article.gmane.org/gmane.mail.qmail.toaster/34532

> I understand that if in an incoming e-mail spf is set to none, spamdyke lets an e-mail in (MX record is OK) and no Domainkey/DKIM, this is down to spamassassin to decide if this is spam or not. Am I correct?

Essentially, that's correct. Technically, chkuser does the mx check as things are presently configured, but spamdyke can do this as well (although I think there's still a rare bug in spamdyke's mx check rule - I'm working with Sam to fix it).

> Ref stats - I have my e-mail server sometimes literally bombarded with numerous e-mails and this is where fail2ban comes in handy. This is shocking that the amount of spam is THAT huge these days.

It's certainly on the high side. I'd like at some point to develop some scripts that send stats to a central QMT statistics processor, which would show numbers of hosts, domains, emails, and spam statistics via web pages. This would be anonymous data, but might be interesting for people to compare their domains' numbers with averages from other QMT users. If anyone's interested in something like this, hop on over to the devel list and let's discuss it. :)

--
-Eric 'shubes'
Re: [qmailtoaster] Re: Issue with qtp-ami-up2date
On 6/20/12 7:35 AM, Eric Shubert wrote:
> On 06/19/2012 05:51 PM, Casey James Price wrote:
>> Just to make sure I've got this right, you are saying to change line 56 in qtp-get-pkg-list to what you have listed above, right? I tried this and then ran qtp-ami-up2date again and am still getting an error.
>
> Oops. Also delete the line containing:
>     djbdns \
> just a little before that. I did that in the script already, but forgot to tell you.
>
> If that doesn't do it, try grabbing the script from the qtp site. You can see it at http://qtp.qmailtoaster.com/trac/browser/bin/qtp-get-pkg-list and download it using the Original Format link at the bottom of that page.
>
>> So, needless to say, I'm hoping to stick with djbdns for a bit at least on some of these boxes. Q2 and my vcluster1 box (yes, the name does in fact say it all...it's built following the guidelines from Jake's QMT ISP Array video series) both run QMT and bind as the resolver if I remember correctly, but my old Solaris boxes and their latest re-incarnations on the Linux side of things are using tinydns to provide DNS for the customers.
>>
>> Anyways, sorry to ramble on...these last two paragraphs or so don't really have much relevance in this whole issue, but I just wanted to explain where I was coming from.
>
> Thanks, nice to know. I wouldn't necessarily change from djbdns to something else if it's being used for authoritative dns (i.e. you have zones coded with it). Then again, I wouldn't put an authoritative DNS server on a QMT host either, but that's just me.
>
> I do however recommend using pdns-recursor (powerdns) or caching-nameserver (bind9) on a QMT host.

Thanks Eric. That did the trick.

Casey James Price
Smile Global Technical Support
Submit or check trouble tickets http://billing.smileglobal.com
http://www.smileglobal.com
Follow us on Twitter https://twitter.com/#%21/SmileInternet
Find us on Facebook https://www.facebook.com/smileglobal