DevHeads.net


(OT) BOD 18-01 mandatory DMARC deadline Oct 16

https://cyber.dhs.gov/bod/18-01/

Oct 16 was the deadline for the feds to implement DMARC. Compliance of course is TBD. They are set to reject mail that doesn't pass SPF or DKIM.

repeated relay attempts

Just checking if I have things set up correctly. I'm returning a 554
code (rejected relay) yet the attempts keep coming.

Spammer rejected, but resends every 10 minutes. Any way to prevent this

I'm getting hit every 10 minutes from this spammer. As you can see I am
rejecting the message. I wonder if the offending email server doesn't
know the message is being rejected?

Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
rejected: cannot find your reverse hostname, [113.247.6.67];
from=< ... at tradepro dot net> to=< ... at lazygranch dot com> proto=ESMTP
helo=<mail.port25.com>

python-policyd-spf doesn't check mail from my own domain

I've installed the opendmarc milter. I'm not rejecting mail from it at
the moment. I've noticed that if I send myself a message, the
policyd-spf milter isn't run. That in turn causes mail I send myself to
fail in opendmarc. Any ideas?

The various email verifiers do show that my email passes spf.

It is easy enough just to whitelist your own domains from opendmarc,
but that would allow spoofed email to get through.

warning: TLS library problem

routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:

Should I be blocking some encryption method? I thought openssl dropped
support for the hackable protocols.

accept email if pass SPF or DKIM

RTFMing, I see that both opendkim and python-policyd-spf have
whitelisting capabilities (especially python-policyd-spf). But for the
most part, my legitimate incoming email passes DKIM or SPF, but often
not both. What I would like to do is accept email that passes either
DKIM or SPF, but the milters are not connected in any way that I can
see. What I'm trying to avoid is setting up whitelists for each domain
based on which method of identity the sysop decided to implement.

policyd-spf tip

There are many "problem solving pages" on the interwebs that have wrong
information on setting up policyd-spf. The key is to make sure you use
consistent names in both main.cf and master.cf.

Requesting certificates

I'm not at the point where I want to verify certs and reject mail,
because the mail must go through! However I would like at least
for postfix to request the cert.

Robot attack testing

https://robotattack.org
These tests appear to be aimed at website testing. Any ideas how to test a mail server for the robot attack?

PSA University of Michigan research IP space

http://researchscan288.eecs.umich.edu/
I never could find the research IP space and my email went unanswered.
I just blocked the whole university. Link has the IP space as listed
below:
141.212.121.0/24
141.212.122.0/24

PSA: US government to set DMARC to reject

https://cyber.dhs.gov

Binding Operational Directive 18-01 enforces some basic email security, notably with DMARC set to reject. Perhaps this will set a trend. Not necessarily for DMARC settings, but at least more servers will be set up properly not to be rejected.

Letsencrypt tip

As you know, letsencrypt certs can be automatically updated. However, you need to reload/restart Postfix/Dovecot to use the new cert. My email client insisted I had an expired cert.

New mail subdomain versus existing domain issues

I'm setting up a new server with the goal of using letsencrypt versus my self signed cert. (I'm also going to try those SpamAssassin alternatives that require less RAM.) So I will run two VPS for a period as I debug the new server.

That said, is there any way to implement email going to both example.com and mail.example.com. That is I intend the email servers to be different.

Multiple "from" fields

I hope no one minds if I change the subject since SSL was no longer the topic.

Regarding multiple from fields, I found this on serverfault :
http://serverfault.com/questions/554520/smtp-allows-for-multiple-from-addresses-in-the-rfc-was-this-ever-useful-why-do

I could almost see this being legitimate if from the same domain. At least the SPF would be valid.

But I think the argument is weak since the clients don't handle the situation well.

Port 587 users question

I hate to bug the list for what is probably a dumb question, but is there any situation where an unauthorized user needs to connect to port 587? I'm wondering if there is some oddball "edge" case.

My thought is to use my ipfw table of known trouble makers to block 587. 

hacker or server problem

Is this a hack or a server problem?

bits of encryption

This comes under the notion that if you don't ask, you don't learn.

I did some dovecot2 updates, so naturally I decided to test the mail
system. When I mail a message to myself, this is the TLS notification:
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))

However I do receive mail with higher levels of encryption. For example:
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))

But in both cases, isn't my certificate the one being used for
encryption?

TLS details not in header as viewed from email client (claws)

I no longer see TLS details in the header.

freeBSD update boost-libs and postfix

Hopefully this isn't a duplicate message. I've been repairing the mail
system.

Just a FYI that if you update
boost-libs
with pkg under freeBSD, it loads postfix for some reason.
All my .db files were unreadable. I had to postmap and postalias them
to make them readable again.

(Semi OT) RBL shakedown

If you use the uceprotect RBL, note that they are involved in a
shakedown to solicit money to be removed from their list. Much like
spamrl, I'd suggest not using them since they have an obvious false
positive problem.

http://www.uceprotect.net/en/rblcheck.php?ipr=107.170.248.198
Their own system shows my domain is not the same as the spammers domain.

Plenty of good RBLs out there. No use feeding the criminals
(uceprotect) or the incompetent (spamrl).

TLD blocking revisited

The last time TLD blocking came up, the consensus of the hive was not
to block based on TLD. (You may recall .xyz being used by
Alphabet.) However lately I'm getting a ridiculous number of .stream
SPAM coming through. The RBLs are getting about half.

https://www.spamhaus.org/statistics/tlds/

I have a hard time believing I will ever get legit mail from a .stream
or a .download.

FWIW, many of the .stream pass SPF, which is perhaps why the RBLs are
not being as aggressive.

Concurrency limit for port 25

Not wanting to hijack the thread from Alan Coates, but I noticed the concurrency limit of three, which I assume was on port 25. Is there some science behind how to set this limit?

(ot) beware libressl on Freebsd

Freebsd 10.3

I ran freebsd "pkg" and didn't see any of the mail suite or openssl in the list of files to update, so I figured it was safe to run. (I've been burnt by pkg messing up dovecot or postfix, so I always use the ports).

Postfix update on Freebsd

I'm running Postfix 3.1.1 on Freebsd 10.2. After running portsnap, I see there is an update. Well sort of. Checking the postfix website, there is no update, and as you can see, the output from
pkg version -v | grep postfix

postfix-3.1.1,1 < needs updating (index has 3.1.1_2,1)

the rev hasn't changed. 

Any ideas what is going on here?

postfix 3.1.1 upgrade from 3.1.0

During the upgrade from postfix 3.1.0 to 3.1.1, the installation script
issued the following:

Note: the following files or directories still exist but are
no longer part of Postfix:

/usr/local/etc/postfix/virtual
Do I still need to do the following when adding new users?
I did a few test emails and nothing se

Spamrl.com RBL problem

I will start this over to get rid of the HTML mail crap. This is the bounce reply with some sanitizing to keep this message off of the Google bot:
------------------------ 

This is the mail system at host www.mydomain.com

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report.

RBL claims I'm doing a dictionary search

I've got this RBL
https://spamrl.com/
that claims my server is doing a dictionary search. I see nothing in the maillog. I have checked for an open relay using an online website.

SPF option in Postfix 3

I noticed I was running postfix 3.1.0.

Policyd-spf and RBL white listing

From what I can tell, if you whitelist a domain, the policyd-spf check is skipped. Now I white listed domains to stop the RBL from blocking them, but it would be nice to see if SPF passes.

Am I right about the SPF being skipped?

Special method required for Gmail dkim/spf verification

Google sent me a "fail" on my DMARC. Everyone else seems happy. It turns out much like Google not accepting robots.txt for some search engines controls, they expect special fields in their DNS.

https://support.google.com/mail/answer/6227174

Why? Because we're Google and we can.