Re: [swinog] [EMAIL PROTECTED] - anyone from bluewin in here?
Can anyone please delete them and block the sender's address [EMAIL PROTECTED] Done: [EMAIL PROTECTED] is now blacklisted on mail.bluewin.ch and i'm about to clean our queue. Regards, Adrian ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: AW: [swinog] Mail Server suggestions
Hi, The only thing coming close to it in scalability is Critical Path. Does the windows version of Critical Path still exist? ;-) After all it's a good/stable product. (Well: i dislike the CP-smtpd .. it works unless you try to do anything funky .. but replacing it with postfix/qmail isn't a problem) Both Yahoo Mail and Google Mail (Gmail) started off the qmail-ldap code base. gmail used the qmail codebase? Do you have any reports/documentation about this? AFAIK they wrote the smtpd from scratch. Porting qmail to googles non-posix GoogleFileSystem doesn't sound like fun and in the early days it had a few bad quirks.. (like: sending long strings crashed googles smtpd) Regards, Adrian -- My Wii-Code: 8617 9203 7763 4567 A. Top posters Q. What's the most annoying thing on Usenet? ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] to SPF or not to SPF
And why not using the existing authentication protocol on outgoing smtp server ? So the sender can use the smtp server of the provider of its email address from any network and SPF can work without any problem. How would this solve the forwarding problem? And how are you going to teach everybody to stop doing something that has been working fine for years? Just have a look at http://old.openspf.org/srspng.html Yieks! ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] to SPF or not to SPF
So I would suggest offering SMTP (AUTH) support on ports 25 and 26, just to be sure. No no no. RFC: 2476: | 3. Message Submission | 3.1. Submission Identification | | Port 587 is reserved for email message submission as specified in | this document. Messages received on this port are defined to be | submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with | additional restrictions as specified here. | | While most email clients and servers can be configured to use port | 587 instead of 25, there are cases where this is not possible or | convenient. A site MAY choose to use port 25 for message submission, | by designating some hosts to be MSAs and others to be MTAs. Port 587 has been widely deployed: $ telnet smtpauth.bluewin.ch 587 $ telnet mail.gmx.net 587 $ telnet smtp.gmail.com 587 Inventing new ports 1024 is just plain wrong. -- RFC 1925: (11) Every old idea will be proposed again with a different name and a different presentation, regardless of whether it works. ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] to SPF or not to SPF
would they not then block official port 587 as well as port 25? That was the position I heard the 'customer service rep' take the last time I tried to solve such a problem through appeal to bureaucratic sensibility. There isn't really a (valid) reason to block port 587: Blocking outgoing connections to port 25 may be done in order to block some zombie-networks (but IMO this is just silly.. will they also block port 80 soon to stop this blog-spamming? .. anyway ..) ..but you cannot spam using port 587 (unless you've been hijacking a valid account): An smtpd running on port 587 must not accept mails from unauthenticated clients for any recipients: Connected to smtpauth.bluewin.ch. 220 tr12.bluewin.ch ESMTP Service (Bluewin 7.3.121) ready helo bla 250 tr12.bluewin.ch mail from: 530 authentication required for mail submission ..only MUA/MSAs are supposed to use port 587. Regards, Adrian (Did anyone ever see/know an ISP blocking 587 ?) ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Re: blocking ports?
Seems to me that the benefit of cutting down on Spam would be worth the trouble of using port 587... Blocking port 25 is just a quick-n-dirty 'fix'. What will happen when virus-writers are going to spam using 587 (The credentials are stored on the users PC anyway..)? What would people do to stop blog-spamming? Blocking port 80 sounds like fun. Spam will be there as long as you can make money with it. -- RFC 1925: (11) Every old idea will be proposed again with a different name and a different presentation, regardless of whether it works. ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Exchange Servers having problems with SMTP 4xx temporary failures?
Hello Benoit, Have other seen this behaviour of exchange servers Yes. One of our MX servers somehow managed to loose the connection to the ldap server (didn't dare to re-establish it) and only returned (valid) tempfail messages. Sending mails from Exchange (internal messaging system) to this MX server produced the same strage error messages. Using snoop i could verify that the MX server did NEVER send a 550 error to the exchange server. and know how to prevent it? No idea. The strage thing is this only seams happens occasionaly. In my case it happened always. Regards, Adrian ___ swinog mailing list [EMAIL PROTECTED] http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] spamhaus.org
Is there someone left who uses them to reject mails on smtp level? Yes, we are still using Spamhaus.org on our MX servers, but we are using the rsync feed and we are able to whitelist IPs within a few seconds. Anyway: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL55483 is still there but the SBL entry itself has vanished: $ grep 192.174.68.0 sbl #192.174.68.0/32 $055483 (- http://www.spamhaus.org/organization/statement.lasso?ref=7) any opinions on the game [1] that spamhaus.org is playing? Blocking nic.at was not nice but refusing to delete domains just used for phising is also not very clever... Regards, Adrian ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] SMS alerting solution
It's a little expensive if you have many SMS'es - does anyone know who to contact (e.g. at Swisscom) to get a package-deal with a direct TCP interface? You are looking for an 'SMSC Large Account' http://www.swisscom-mobile.ch/scm/gek_sms_large_account-de.aspx You'll get your own 'short id' and will be able to send and receive messages from / to mobile phones using UCP/EMI. ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] bluewin mail servers load balancers don't like AAAA - breaks email
Hi Jeroen ;; -HEADER- opcode: QUERY, status: REFUSED, id: 22394 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 We are aware that ns.bwlbmsg1zhh.bluewin.ch. doesn't play well with IPv6 (and we also know that some lb-vendors are not able to fix such simple bugs). And tada, my sweet postfix/bind/powerdns combo will give up on it as there is clearly no answer to be gotten for that hostlabel. [EMAIL PROTECTED]:~$ dnsmx bluewin.ch 10 mxbw.bluewin.ch-- ns.bwlbmsg1zh[hb].bluewin.ch 42 mxzhh.bluewin.ch -- dns[1234].bluewin.ch 42 mxzhb.bluewin.ch -- dns[1234].bluewin.ch 66 mx49.bluewin.ch-- dns[1234].bluewin.ch Why doesn't your postfix/bind/powerdns combo use mxzhb/mxzhh ? Regards, Adrian -- RFC 1925: (11) Every old idea will be proposed again with a different name and a different presentation, regardless of whether it works. ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: AW: [swinog] dns1.bluewin.ch not replicating
ok, but why is there no answer? Does 194.42.48.120 work correctly? Regards, Adrian ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: AW: [swinog] Problems reaching large Websites
dell.com works, but try any other host that is being contacted while loading www.dell.com and is hosted by akamai, such as i.dell.com No problem via Bluewin-DSL: $ telnet i.dell.com 80 Trying 212.243.223.139... Connected to i.dell.com (212.243.223.139). Escape character is '^]'. HEAD / HTTP/1.0 HTTP/1.0 400 Bad Request Server: AkamaiGHost Mime-Version: 1.0 Content-Type: text/html Content-Length: 187 Expires: Mon, 28 Jan 2008 17:05:56 GMT Date: Mon, 28 Jan 2008 17:05:56 GMT Connection: close (Bad Request ? WTF?) ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Has Bluewin a DNS Problem
Hi, Bluewin does a reverse DNS lookup on your IP (195.141.232.78), ..yes Bluewin does a normal forward DNS lookup, using the result from the above query. we don't. The resolver implementation of our MTA software appears to have a problem with truncated UDP responses. (Btw: Why do you have such a lenghty PTR record for 195.141.232.78 ?) I'm about to implement a workaround for this issue. Regards, Adrian ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Bluewin SMTP Policy
Hi Roger, Now we found out that bluewin doesn't allow authenticated smtp-relay from users outside their ip-range, so all our customers with bluewin-mailadresses would have no smtp-server available. That's not entirely correct: smtpauth.bluewin.ch will relay mails from non-bluewin-ip-ranges IF the mailaccount belongs to a non-free Bluewin/Swisscom 'Abo'. +---+ | Pay account (= Mailaccount| - Can use mail.bluewin.ch from bluewin-range | | is 'attached' to an ADSL abo | - Can use smtpauth.bluewin.ch from EVERYWHERE | +---+---+ | Free account | - Can use mail.bluewin.ch from bluewin-range (of course..)| | | - Can use smtpauth.bluewin.ch from bluewin-range | | | - Can NOT use smtpauth.bluewin.ch from non-bluewin IPs| +---+---+ Otherwise spammers would open 100th's of free accounts and use them to send spam from non-bluewin IPs :-/ Regards, Adrian ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Bluewin SMTP Policy
Hi, Thank you for clearing this up. So we have to give bluewin-users with free bluewin mail-accounts an smtp-account on our servers I think. Well, they could call our helpdesk and ask them to disable the 'Restricted IP-Range' feature for a specific mailaccount. Our helpdesk will disable it as long as: #1: The user asks us to do it ;-) #2: His postal-address or telephone-number has been verified I see the problem, but perhaps something like a captcha would also be sufficient to prevent this. It wouldn't prevent it, it just makes it harder. (Some spammers don't even use bots to create accounts. Using real people appears to be cheaper sometimes..) Regards, Adrian ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Netclean - news
Filtering locally simply means stopping end users to access illegal sites. Ok, but the sites are still there and everybody else will still have access ! Yes, but i'm sure that the 'local' netclean box can log IPs of people who attempted to access such illegal sites (such as Wikipedia) So whenever your goverment goes into get_some_good_press(pretend_to_protect_kids()); mode, punishing people will be much easier than before. Just because some ISPs will filter-out those sites will not reduce the amount of kids being abused. I agree. They should punish people who: - Produce such content - Pay for such content ...but starting to block random sites is just silly: It didn't work when they started to use DNS and it won't work this time either... Regards, Adrian ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] SwiNOG-BE69 - Beer Event 69 - 5th of Janu ary 2009 @ Le Dézaley / ZH
Registration deadline:31.12.2008 23:59:59 klugscheiss 2008 is a 'leap-second-year' [1] and ends at 23:59:60, *NOT* at 23:59:59 :-p /klugscheiss Regards, Adrian 1: http://en.wikipedia.org/wiki/Leap_second ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] SwiNOG-BE69 - Beer Event 69 - 5th of Janu ary 2009 @ Le Dézaley / ZH
Sorry for getting off-topic .. but... 23:59:60 is the same (if wold exist) like 00:00:00 and this is the New year... No: 23:59:60 is not the same as 00:00:00 http://hpiers.obspm.fr/eoppc/bul/bulc/bulletinc.dat So 31.12.2008 will be 86401 seconds long instead of 86400 seconds. But anyway.. your good old wall-clock (or ntp server ;-) ) doesn't care :) Regards, Adrian ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
[swinog] Re: Swiss Domain Security Report Q3 2022
Hi Daniel, > Your nameserver breaks https://www.rfc-editor.org/rfc/rfc8020 I'd rather say 'does not implement' instead of 'break': As RFC 8020 points out, the (almost 30 years older) RFC 1034 is very unspecific about the details on how a nameserver should behave in such a situation. (And opinions seem to have changed over time, see https://groups.google.com/g/comp.protocols.dns.std/c/j0ddY0jZhog/m/yHN9ew5Q5GkJ) Therefore, there *are* existing implementations which do seem to return NXDOMAIN in such cases - probably because their implementation predates RFC8020, one of them being AWS / Route53: Example: $ dig txt mv2jefm7mwexbuk5zvfgdg5yzcylqkwc._domainkey.just-eat.ch Returns the expected data while $ dig txt _domainkey.just-eat.ch returns NXDOMAIN. Note that i don't want to argue whether or not everyone should implement RFC8020: All i'm saying is that there are servers in the wild which do return NXDOMAIN and hence it is almost impossible to say whether or not a domain has DKIM enabled. Regards, Adrian ___ swinog mailing list -- swinog@lists.swinog.ch To unsubscribe send an email to swinog-le...@lists.swinog.ch
[swinog] Re: Swiss Domain Security Report Q3 2022
> I'm pretty surprised that of the 1.7M domains with an MX record, only 57% > have DKIM I don't see how one could reliability gather this data from DNS: DKIM allows you to specify a selector in the header of the mail: This mail for example will use 'sx1' as the selector (check out the header ;-) ): > $ dig +short txt sx1._domainkey.blinkenlights.ch > "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC[] But without ever receiving a mail from me: how would you know? You could try to send a query for '_domainkey.blinkenlights.ch' and you MAY receive a NOERROR reply - but that's not guaranteed: My DNS will just return an NXDOMAIN: > $ dig txt _domainkey.blinkenlights.ch|grep status: >;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10153 Regards, Adrian ___ swinog mailing list -- swinog@lists.swinog.ch To unsubscribe send an email to swinog-le...@lists.swinog.ch
