On 04/11/16 04:09, lst_ho...@kwsoft.de wrote:

Quote from jaso...@mail-central.com:

On Sun, Apr 10, 2016, at 07:46 PM, Bill Cole wrote:
On a system where you know enough about all your users to know that they
don't want to get critical email from clueless sources, you can make
restrictive choices with no trouble. If you don't actually know that,
choosing to require senders to use rigorous security correctly will
often lead to unpleasant surprises.


Ya gotta break a few eggs to make an omelette ;-)

And if you don't want to receive e-mail you should not operate a mail server or even publish a mail address.

The conversation was about SPF, DKIM, and DMARC (I think). (Drifted from TLS).

If the sender (or sending ESP) has no clue about what SPF, DKIM, and DMARC are, then they don't get penalized (or don't get penalized much). If they publish SPF and/or DKIM records that are wrong, then they get penalized more, but still not much. If they publish SPF and/or DKIM records that are wrong and they publish a DMARC record that says "toss my email if SPF or DKIM doesn't match", then guess what some mail servers are going to do - including the big ESPs.

The reason DMARC exists is to prevent sender forgery. Expect some of the big boys to enforce DMARC, meaning that if you publish a DMARC record that says "toss and increment statistic if SPF or DKIM is wrong", they will do exactly that. If you don't publish a DMARC record, then someone could forge as you, but your legitimate mail won't get tossed.

As far as strict TLS - been there, done that - don't recommend it. If you use ECDSA, then have a long key RSA as a backup. I've had no trouble AFAIK setting TLS to high though Viktor doesn't recommend it. I have not yet analyzed logs to see how often this is causing a fallback.

I recently had a problem with mail where an ESP was in three blacklists plus SPF failed and spamassassin tossed some mail. That ESP is down to one blacklist now. A sender got to me out-of-band and I dug up the maillog from a few days earlier and informed them about how good their ESP was serving them. btw- If I had been using postscreen back then, I could not have found this in the logs based on sender email.

Curtis

ps - works for google, though dmarc says "accept and report". Google and Yahoo are allegedly enforcing or will soon be enforcing dmarc (if you publish a dmarc record).

gmail.com descriptive text "v=spf1 redirect=_spf.google.com"

20120113._domainkey.gmail.com descriptive text "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD0" "7y2+07wlNWwIt8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/wIDAQAB"

_dmarc.gmail.com descriptive text "v=DMARC1; p=none; rua=mailto:mailauth-repo...@google.com"
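As an added example (not code from the thread or from any of its posters), here is a minimal DMARC disposition evaluator that shows the behaviour Curtis describes: an aligned SPF or DKIM pass yields "none", otherwise the published p= policy applies, so a gmail.com-style "p=none" record only reports, while a domain publishing "p=reject" with broken SPF/DKIM gets its own legitimate mail discarded. The record strings, domains and the rua address in the test are constructed, and organizational-domain detection is a crude two-label approximation (a real receiver uses the Public Suffix List).

```python
# Added example: a small DMARC policy evaluator (not the thread's code).
# Alignment and policy tags follow RFC 7489; pct/sp handling is omitted.
def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=none; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational domain: last two labels (assumption; a real
    implementation consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not a:
        return False
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'none', 'quarantine' or 'reject' for a message, given the
    From: domain, the SPF result on the MAIL FROM domain and the DKIM
    result on the signature's d= domain."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none"  # DMARC pass: at least one aligned mechanism passed
    # DMARC fail: the sender's own published policy decides the fate of the
    # message; with p=none it is delivered and only reported via rua.
    return tags["p"].lower()


if __name__ == "__main__":
    # Constructed records; the rua address is a placeholder.
    print(dmarc_disposition("v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
                            "example.org", False, "bulk.esp.example", False, ""))
    print(dmarc_disposition("v=DMARC1; p=reject", "example.org",
                            True, "bulk.esp.example", False, ""))
```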
