Re: [GTALUG] lazy jail server admin forced to act

2024-01-08 Thread D. Hugh Redelmeier via talk
| From: Alvin Starr via talk 

| SPF should ensure that only your email servers can be used to send mail from
| your domain.

Related:

My Postfix server validates HELO / EHLO records.  These records declare 
the name of the server contacting my server.  Postfix makes sure that the 
declared name resolves to the IP address from which the server was 
contacted.  At least that's what I think it does.

From /etc/postfix/main.cf:

smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname

This catches a lot of SPAM.  But it also blocks a few badly configured 
servers that I want to get messages from.  The ones that I've noticed:

- some parts of Sunnybrook hospital

- rakuten

I have been unable to contact the technical people at these sites to get 
them to fix their problem.


| There was once a guy who insisted on running an open relay and believed that
| anybody blocking open relays were infringing on his rights.
| He was VERY loud about his convictions that open relays were not the problem,
| spammers were.

John Gilmore?  He's generally soft-spoken but has strong convictions.


Hugh Daniel?  Sadly gone.  But he definitely was loud.


BTW, both are/were strong forces for good.
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
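The following is an added example (my own, not Hugh's configuration or Postfix code) that models what each restriction in the main.cf list above does, applied in the order Postfix evaluates them. Per the Postfix documentation, reject_unknown_helo_hostname rejects only when the HELO name has no A or MX record in DNS; whether that name resolves back to the connecting address is a separate question, and the model keeps that distinction visible. DNS is replaced by a constructed in-memory table so the script runs offline; every hostname, address and table entry is made up for illustration.

```python
"""Model of the quoted smtpd_helo_restrictions list, evaluated in Postfix's
order: permit_mynetworks, then the three reject_*_helo_hostname checks.
DNS is replaced by a constructed table so this runs offline."""
import ipaddress
import re
from typing import Callable, Dict, Iterable, Set

# Constructed DNS table (not real data): name -> record types that exist for it.
FAKE_DNS: Dict[str, Set[str]] = {
    "mail.example.org": {"A", "MX"},
    "relay.example.net": {"A"},
    # "old-host.example.org" is deliberately absent: no A and no MX record
}


def fake_dns_types(name: str) -> Set[str]:
    """Stand-in for the A/MX lookups Postfix performs against real DNS."""
    return FAKE_DNS.get(name.lower().rstrip("."), set())


# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_address_literal(helo: str) -> bool:
    """HELO may carry an address literal such as [203.0.113.5] instead of a name."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    try:
        ipaddress.ip_address(helo[1:-1])
        return True
    except ValueError:
        return False


def has_valid_syntax(helo: str) -> bool:
    """reject_invalid_helo_hostname: malformed names (bad characters, empty labels) fail."""
    if is_address_literal(helo):
        return True
    if not helo or len(helo) > 253:
        return False
    return all(_LABEL.match(label) for label in helo.rstrip(".").split("."))


def is_fqdn(helo: str) -> bool:
    """reject_non_fqdn_helo_hostname: a bare name like 'mailserver' fails;
    address literals are exempt."""
    return is_address_literal(helo) or "." in helo.rstrip(".")


def evaluate_helo(helo: str, client_ip: str, mynetworks: Iterable[str],
                  dns_types: Callable[[str], Set[str]] = fake_dns_types) -> str:
    """Return 'OK' or the name of the restriction that would act on the client."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in mynetworks):
        return "permit_mynetworks"          # trusted clients skip the reject checks
    if not has_valid_syntax(helo):
        return "reject_invalid_helo_hostname"
    if not is_fqdn(helo):
        return "reject_non_fqdn_helo_hostname"
    # reject_unknown_helo_hostname asks only whether the name has an A or MX
    # record; it does not check that the name resolves to client_ip.
    if not is_address_literal(helo) and not (dns_types(helo) & {"A", "MX"}):
        return "reject_unknown_helo_hostname"
    return "OK"


if __name__ == "__main__":
    for helo in ("mail.example.org", "old-host.example.org", "mailserver",
                 "bad_host.example.org", "[203.0.113.5]"):
        print(f"{helo:<22} from 203.0.113.5 -> {evaluate_helo(helo, '203.0.113.5', [])}")
```

Running the block prints one verdict per constructed HELO name; the badly configured senders mentioned in the post would show up as reject_non_fqdn_helo_hostname or reject_unknown_helo_hostname, which is also the string to look for in the Postfix log when deciding whether a rejected peer deserves a whitelist entry.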


Re: [GTALUG] lazy jail server admin forced to act

2024-01-08 Thread Ron / BCLUG via talk

ac via talk wrote on 2024-01-08 02:22:


> the ~ means if it is not from your servers it is also okay.
> 
> the - means ONLY from your servers.


The link I posted earlier (linuxbabe.com) had an interesting take on "~" 
vs "-" and why the former is preferable:


If a multi-host (postfix) site receives your mail (like Google?) and it 
gets relayed between their servers (perhaps main one is down for 
maintenance), and the final server gets the mail from the backup, sees 
"-", it may reject it.


Not sure if this is correct, but did cause pause for thought and am 
considering changing "-" to "~" on my domains.





> Your SPF "should" maybe say:
> 
> mimosa.com. IN  TXT "v=spf1 +a +mx +ip4:206.248.139.113 +ip4:98.158.128.23"


If I recall correctly, it's best to put IP addresses earlier in the list 
to save DNS look-ups, saving a tiny bit of time.



> (Your post did not include the "+" BEFORE the mx in the entry...)

True, and I agree it's best to include them to be as specific as 
possible on the author's intentions, however the "+" is the default, 
hence implied.


But, I agree, use them anyway.


rb



Re: [GTALUG] lazy jail server admin forced to act

2024-01-07 Thread Ron / BCLUG via talk

D. Hugh Redelmeier via talk wrote on 2024-01-07 19:29:

> | You probably need to add a google authentication record to your domain name to
> | reduce the chance of your email messages being rejected by gmail.
> 
> I don't know what that is.
> 
> Googling responses suggest you might be talking about a Google
> Workspace thing.  I don't have a Google Workspace.


Yeah, I don't think Google authentication is useful for email:

https://support.google.com/a/answer/183895?hl=en.


Verify your domain with a TXT record

Why do I need to do this?

We don't want someone else to use your domain to sign up for Google 
Workspace. You can help us keep your domain safe by showing us that 
you are the owner.



Have you verified your SPF and DKIM via some online site such as:

https://mxtoolbox.com/dkim.aspx ?


Also, do you have IPv6 on your server?  Is postfix using it?  That'll 
probably fix Gmail spam issues, seems most Gmail is via IPv6.



rb


Re: [GTALUG] lazy jail server admin forced to act

2024-01-07 Thread Kevin Cozens via talk

On 2024-01-07 22:29, D. Hugh Redelmeier via talk wrote:

> | From: Kevin Cozens via talk 
> 
> | You probably need to add a google authentication record to your domain name to
> | reduce the chance of your email messages being rejected by gmail.
> 
> I don't know what that is.


I had to check the TXT records associated with my domain name to remember 
that it is called google-site-verification. There was some page in a Google 
website that explained how to set it up.


I haven't heard of Google Workspace before seeing your reply. I don't know 
anything about it. I added the site verification record for my domain some 
years ago. Google may have changed things since then.


--
Cheers!

Kevin.

https://www.patreon.com/KevinCozens | "Nerds make the shiny things that
| distract the mouth-breathers, and
Owner of Elecraft K2 #2172  | that's why we're powerful"
#include  | --Chris Hardwick



Re: [GTALUG] lazy jail server admin forced to act

2024-01-07 Thread D. Hugh Redelmeier via talk
| From: Kevin Cozens via talk 

| You probably need to add a google authentication record to your domain name to
| reduce the chance of your email messages being rejected by gmail.

I don't know what that is.

Googling responses suggest you might be talking about a Google
Workspace thing.  I don't have a Google Workspace.


Re: [GTALUG] lazy jail server admin forced to act

2024-01-07 Thread Kevin Cozens via talk

On 2024-01-07 12:27, D. Hugh Redelmeier via talk wrote:

> Mails from my domain have started to be rejected by gmail.
> To placate gmail, I've added an SPF record to my domain:


Some of my email messages were winding up in other people's spam folders. I 
added SPF, DKIM, and google authentication records. I still have messages 
occasionally winding up in a recipient's spam folder for no apparent reason.


You probably need to add a google authentication record to your domain name 
to reduce the chance of your email messages being rejected by gmail.


--
Cheers!

Kevin.

https://www.patreon.com/KevinCozens | "Nerds make the shiny things that
| distract the mouth-breathers, and
Owner of Elecraft K2 #2172  | that's why we're powerful"
#include  | --Chris Hardwick



Re: [GTALUG] lazy jail server admin forced to act

2024-01-07 Thread Ron / BCLUG via talk

D. Hugh Redelmeier via talk wrote on 2024-01-07 09:27:


> Mails from my domain have started to be rejected by gmail.
> To placate gmail, I've added an SPF record to my domain:


Another trick to help with email delivery to Google is to implement IPv6 
in Postfix if it's available.



rb


Re: [GTALUG] lazy jail server admin forced to act

2024-01-07 Thread Ron / BCLUG via talk

D. Hugh Redelmeier via talk wrote on 2024-01-07 10:10:


> | You may find that you need DKIM and DMARC as well. If you’re using
> | postfix it’s fairly easy to hook opendkim in.
> 
> | My biggest hurdle was trying to find clear concise guides.
> 
> Links?


https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf



> | How to read this:
> 
> |   mx:
> |   email sent by mimosa.com should only come from its servers
> |   declared in MX DNS records
> 
> In other words, this test only marks good things.  Then the "~all" says 
> anything that isn't good is bad.


More "untrustworthy, use your own judgment" than out-and-out bad (as I 
understand it).


The link above has me reconsidering my choice of -all, I need to review 
my domains and SPF records to ensure I'm using ~all instead of -all.



rb



Re: [GTALUG] lazy jail server admin forced to act

2024-01-07 Thread D. Hugh Redelmeier via talk
| From: D. Hugh Redelmeier via talk 

| How to read this:

|   mx:
|   email sent by mimosa.com should only come from its servers
|   declared in MX DNS records

More accurately, this means that mail that says it is from mimosa.com is 
OK if it comes from one of the SMTP servers listed in MX records.

In other words, this test only marks good things.  Then the "~all" says 
anything that isn't good is bad.


Re: [GTALUG] lazy jail server admin forced to act

2024-01-07 Thread D. Hugh Redelmeier via talk
| From: John Sellens via talk 

| You may find that you need DKIM and DMARC as well. If you’re using 
| postfix it’s fairly easy to hook opendkim in.

Yeah.

| My biggest hurdle was trying to find clear concise guides. 

Links?


Re: [GTALUG] lazy jail server admin forced to act

2024-01-07 Thread John Sellens via talk
You may find that you need DKIM and DMARC as well. If you’re using postfix it’s 
fairly easy to hook opendkim in. 

My biggest hurdle was trying to find clear concise guides. 

John




[GTALUG] lazy jail server admin forced to act

2024-01-07 Thread D. Hugh Redelmeier via talk
Mails from my domain have started to be rejected by gmail.
To placate gmail, I've added an SPF record to my domain:

mimosa.com. IN  TXT "v=spf1 mx ~all"

How to read this:

v=spf1:
this TXT record is an SPF version 1 record

mx:
email sent by mimosa.com should only come from its servers
declared in MX DNS records

~all:
any other mail from mimosa.com is bogus.
(~ and - are slightly different.)

That seemed pretty painless.  I guess I should have done this a decade 
ago.

I hope this works.
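The following is an added example (my own, not code from the thread or from any project mentioned in it) that evaluates the record shapes discussed in this thread: Hugh's "v=spf1 mx ~all" above, the "+a +mx +ip4:..." form from the later replies, and an include: referral. It shows how the "+" qualifier is the default when none is written, how "mx" walks MX records to their A records before comparing the sending address, and how the same unlisted relay yields softfail under "~all" but fail under "-all". DNS is replaced by a constructed in-memory zone so it runs offline; every name and address below is made up (RFC 5737 documentation ranges), not the thread's real domains.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed zone.
Mechanisms covered: all, ip4, ip6, a, mx, include; qualifiers + - ~ ?."""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

# Constructed zone data (not real DNS): record type -> owner name -> values.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "TXT": {
        "example.com":    ["v=spf1 +a +mx +ip4:203.0.113.0/28 ~all"],
        "strict.example": ["v=spf1 mx -all"],
        "bulk.example":   ["v=spf1 ip4:198.51.100.7 -all"],
        "loose.example":  ["v=spf1 include:bulk.example ~all"],
    },
    "MX": {
        "example.com":    ["mx1.example.com", "mx2.example.com"],
        "strict.example": ["mx.strict.example"],
    },
    "A": {
        "example.com":       ["192.0.2.10"],
        "mx1.example.com":   ["192.0.2.25"],
        "mx2.example.com":   ["192.0.2.26"],
        "mx.strict.example": ["192.0.2.100"],
    },
}

# Qualifier prefixes; "+" is assumed when a term carries none.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def lookup(rtype: str, name: str) -> List[str]:
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(rtype, {}).get(name.lower().rstrip("."), [])


def parse_term(term: str) -> Tuple[str, str, str, Optional[str]]:
    """Split one SPF term into (qualifier, mechanism, argument, cidr)."""
    qual = "+"
    if term and term[0] in QUALIFIERS:
        qual, term = term[0], term[1:]
    mech, _, arg = term.partition(":")
    cidr = None
    if "/" in mech:                                   # "a/24", "mx/24"
        mech, _, cidr = mech.partition("/")
    elif mech.lower() in ("a", "mx") and "/" in arg:  # "a:host.example/24"
        arg, _, cidr = arg.partition("/")
    return qual, mech.lower(), arg, cidr


def ip_in(ip: IPAddr, target: str, cidr: Optional[str] = None) -> bool:
    """True if ip lies inside target (a single address or a CIDR block)."""
    try:
        net = ipaddress.ip_network(f"{target}/{cidr}" if cidr else target, strict=False)
    except ValueError:
        return False
    return net.version == ip.version and ip in net


def check_spf(client_ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate domain's SPF record for a message sent from client_ip.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                        # RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup("TXT", domain) if t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    for term in records[0].split()[1:]:
        qual, mech, arg, cidr = parse_term(term)
        target = arg or domain            # "a" and "mx" default to the checked domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif mech == "a":
            matched = any(ip_in(ip, a, cidr) for a in lookup("A", target))
        elif mech == "mx":
            matched = any(ip_in(ip, a, cidr)
                          for mx in lookup("MX", target) for a in lookup("A", mx))
        elif mech == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"            # exists:, ptr: and macros are out of scope here
        if matched:
            return QUALIFIERS[qual]       # the first matching term decides
    return "neutral"                      # nothing matched and no "all" term present


if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.com"), ("198.51.100.99", "example.com"),
                    ("198.51.100.99", "strict.example"), ("198.51.100.7", "loose.example")]:
        print(f"{ip:>15} claiming {dom:<15} -> {check_spf(ip, dom)}")
```

The "198.51.100.99" cases are the forwarding scenario raised earlier in the thread: a host that is neither an MX nor otherwise listed gets softfail from a "~all" record and fail from a "-all" one, which is exactly the difference a receiving site sees when it has to decide whether to reject.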