Re: DMARC report analyzer - Open Source solution

2020-01-06 Thread Roberto Carna
Dear Kevin, I've implemented dmarcts-report-viewer and now it runs OK. It
gives me very relevant information.

My new question is this:

dmarcts-report-viewer is only for DMARC aggregation reports? What can I do
to get and see DMARC forensic reports?

Thanks a lot again !!!

On Thu, Dec 26, 2019 at 17:34, Kevin Miller wrote:

> I just went through this.  Here’s some notes I kept.  Note that we’re
> using Exchange.  I created a mailbox/user called dmarc and pull reports
> from it via IMAP.
>
>
>
> Reports are retrieved from Exchange based on the following
> software/process:
>   http://www.techsneeze.com/how-parse-dmarc-reports-imap/
>   http://www.techsneeze.com/how-parse-dmarc-reports/ (obsolete -
> superseded by the above)
>   Source:
>   https://github.com/techsneeze/dmarcts-report-parser
>
> Reports are viewable via a browser using
>   https://github.com/techsneeze/dmarcts-report-viewer/
>   (view the README.md for details)
>
>
> The IMAP retrieval and import into a database are accomplished via a perl
> script.  It is instantiated in crontab to run nightly:
>   45  5   *   *   *   /usr/local/bin/dmarcts/dmarcts-report-parser.pl -i
>
> If run from the CLI, the usage is as follows:
>
>
> ===
>
> Usage:
> ./dmarcts-report-parser.pl [OPTIONS] [PATH]
>
>  This script needs a configuration file called
>  in
>  the current working directory, which defines a database server with
> credentials
>  and (if used) an IMAP server with credentials.
>
>  Additionally, one of the following source options must be provided:
> -i : Read reports from messages on IMAP server as defined in the
>  config file.
> -m : Read reports from mbox file(s) provided in PATH.
> -e : Read reports from MIME email file(s) provided in PATH.
> -x : Read reports from xml file(s) provided in PATH.
>
>  The following optional options are allowed:
> -d : Print debug info.
> -r : Replace existing reports rather than skipping them.
>   --delete : Delete processed message files (the XML is stored in the
>  database for later reference).
> --info : Print out number of XML files or emails processed.
>
> The provided source option requires a PATH.
>
>
> After retrieval, messages are moved to a subfolder called "Processed" if
> the import was successful, or notProcessed if it fails for some reason.
>
> HTH…
>
>
>
> ...Kevin
>
> --
>
> Kevin Miller
>
> Network/email Administrator, CBJ MIS Dept.
>
> 155 South Seward Street
>
> Juneau, Alaska 99801
>
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>
>
>
> *From:* owner-postfix-us...@postfix.org  *On
> Behalf Of *Roberto Carna
> *Sent:* Thursday, December 26, 2019 10:54 AM
> *To:* Postfix 
> *Subject:* DMARC report analyzer - Open Source solution
>
>
>
>
> Dear, I'm receiving DMARC reports in one mail account from my domain. All
> the reports coming for Google and Yahoo mainly are attached in ZIP format,
> and they are XML files.
>
>
>
> Is there any open source DMARC report analyzer for a Linux platform ??? I
> prefer Debian or Ubuntu.
>
>
>
> Thanks a lot !!!
>


Re: DMARC report analyzer - Open Source solution

2020-01-06 Thread Julian Kippels
Hi,

I am using parsedmarc (https://domainaware.github.io/parsedmarc/) for
both aggregate and forensic reports, including sending the results to
our Splunk server with Dashboard.

Julian





-- 
-
| | Julian Kippels
| | M.Sc. Informatik
| |
| | Zentrum für Informations- und Medientechnologie
| | Heinrich-Heine-Universität Düsseldorf
| | Universitätsstr. 1
| | Raum 25.41.O1.32
| | 40225 Düsseldorf / Germany
| |
| | Tel: +49-211-81-14920
| | mail: kipp...@hhu.de
-



Re: DMARC report analyzer - Open Source solution

2020-01-06 Thread patpro
Hello,

I'm also using Splunk, but I'm not really sure parsedmarc is worth the effort. The
only dashboard screenshot available for parsedmarc is rather unimpressive…

pat



RE: DMARC report analyzer - Open Source solution

2020-01-06 Thread Kevin Miller
I don’t know.  I haven’t gotten that far…

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357



Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-06 Thread Roel Wagenaar
L.S.

Lately I find rejections in my mail log, my mailers all have ntp running,
yet the reject reason is: 5.7.1 HDR9020 Date header is in the distant
future.


Jan  6 18:18:24 mail1 postfix-in/smtpd[19887]: connect from
english-breakfast.cloud9.net[168.100.1.7]
Jan  6 18:18:24 mail1 postfix-in/smtpd[19887]: E59C49805:
client=english-breakfast.cloud9.net[168.100.1.7]
Jan  6 18:18:25 mail1 postfix-in/cleanup[19907]: E59C49805: reject: header
Date: Mon, 6 Jan 2020 17:16:46 + from
english-breakfast.cloud9.net[168.100.1.7];
from= to= proto=ESMTP
helo=: 5.7.1 HDR9020 Date header is in the
distant future
Jan  6 18:18:25 mail1 postfix-in/smtpd[19887]: disconnect from
english-breakfast.cloud9.net[168.100.1.7] ehlo=1 mail=1 rcpt=1 data=0/1
quit=1 commands=4/5

Anyone have an idea where I am to look for the problem?

-- 
Roel Wagenaar,

telegram: 0630865765
Linux-User #469851 with the Linux Counter; http://linuxcounter.net/

A: Because it disrupts the order in which people read text.
Q: Why is top-posting a bad habit?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Time is the best teacher; unfortunately it kills all its students!


Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-06 Thread Noel Jones

On 1/6/2020 11:31 AM, Roel Wagenaar wrote:

> L.S.
>
> Lately I find rejections in my mail log, my mailers all have ntp running,
> yet the reject reason is: 5.7.1 HDR9020 Date header is in the distant
> future.
>
> Jan  6 18:18:24 mail1 postfix-in/smtpd[19887]: connect from
> english-breakfast.cloud9.net[168.100.1.7]
> Jan  6 18:18:24 mail1 postfix-in/smtpd[19887]: E59C49805:
> client=english-breakfast.cloud9.net[168.100.1.7]
> Jan  6 18:18:25 mail1 postfix-in/cleanup[19907]: E59C49805: reject: header
> Date: Mon, 6 Jan 2020 17:16:46 + from
> english-breakfast.cloud9.net[168.100.1.7];
> from= to= proto=ESMTP
> helo=: 5.7.1 HDR9020 Date header is in the
> distant future
> Jan  6 18:18:25 mail1 postfix-in/smtpd[19887]: disconnect from
> english-breakfast.cloud9.net[168.100.1.7] ehlo=1 mail=1 rcpt=1 data=0/1
> quit=1 commands=4/5
>
> Anyone have an idea where I am to look for the problem?



Your header_checks apparently has a rule to reject mail from 2020, 
or maybe it doesn't like timezone +.  Search your header_checks 
for your rule HDR9020, and remove that rule.





  -- Noel Jones


Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-06 Thread Wietse Venema
Roel Wagenaar:
> L.S.
> 
> Lately I find rejections in my mail log, my mailers all have ntp running,
> yet the reject reason is: 5.7.1 HDR9020 Date header is in the distant
> future.
> Jan  6 18:18:25 mail1 postfix-in/cleanup[19907]: E59C49805: reject: header
> Date: Mon, 6 Jan 2020 17:16:46 + from
> english-breakfast.cloud9.net[168.100.1.7];

That is not a time in the future; "6 Jan 2020 17:16:46 +" (UTC)
is equivalent to "6 Jan 2020 18:16:46 +0100" (Central Europe Time).

Wietse 


Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-06 Thread Larry Stone
On Jan 6, 2020, at 11:52 AM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> 
> On 1/6/2020 11:31 AM, Roel Wagenaar wrote:
>> L.S.
>> Lately I find rejections in my mail log, my mailers all have ntp running,
>> yet the reject reason is: 5.7.1 HDR9020 Date header is in the distant
>> future.
>> Jan  6 18:18:24 mail1 postfix-in/smtpd[19887]: connect from
>> english-breakfast.cloud9.net[168.100.1.7]
>> Jan  6 18:18:24 mail1 postfix-in/smtpd[19887]: E59C49805:
>> client=english-breakfast.cloud9.net[168.100.1.7]
>> Jan  6 18:18:25 mail1 postfix-in/cleanup[19907]: E59C49805: reject: header
>> Date: Mon, 6 Jan 2020 17:16:46 + from
>> english-breakfast.cloud9.net[168.100.1.7];
>> from= to= proto=ESMTP
>> helo=: 5.7.1 HDR9020 Date header is in the
>> distant future
>> Jan  6 18:18:25 mail1 postfix-in/smtpd[19887]: disconnect from
>> english-breakfast.cloud9.net[168.100.1.7] ehlo=1 mail=1 rcpt=1 data=0/1
>> quit=1 commands=4/5
>> Anyone have an idea where I am to look for the problem?
> 
> Your header_checks apparently has a rule to reject mail from 2020, or maybe 
> it doesn't like timezone +.  Search your header_checks for your rule 
> HDR9020, and remove that rule.


Yep. Sadly, the mail provider I use for personal email had a spam check to 
consider dates 2020 and later to be “from the future” and rejected mail. It 
took a few hours for them to fix it on 1/1, meanwhile, considerable mail was 
lost. Check your various spam checking processes.

As my mail provider has told me they updated it to 2030, I now have a reminder 
set on my computer for 1-Dec-2029 to remind them to update it (should I still 
be using them 10 years from now).


-- 
Larry Stone
lston...@stonejongleux.com 

Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-06 Thread Wietse Venema
Larry Stone:
> Yep. Sadly, the mail provider I use for personal email had a spam
> check to consider dates 2020 and later to be “from the future” and
> rejected mail. It took a few hours for them to fix it on 1/1,
> meanwhile, considerable mail was lost. Check your various spam
> checking processes.
>
> As my mail provider has told me they updated it to 2030, I now
> have a reminder set on my computer for 1-Dec-2029 to remind them
> to update it (should I still be using them 10 years from now).

This is a Y.01K (Y-dot-01K? Y1K/100?) problem!

Wietse


Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-06 Thread Jos Chrispijn

Best check your header_checks configuration. It should look like this:

/^Date: .* [0-1][0-9][0-9][0-9]/    REJECT Your email has a date from the past. Fix your system clock and try again.
/^Date: .* 200[0-9]/    REJECT Your email has a date from the past. Fix your system clock and try again.
/^Date: .* 201[0-9]/    REJECT Your email has a date from the past. Fix your system clock and try again.

/^Date: .* 2020/    DUNNO
/^Date: .* 20[2-9][1-9]/    REJECT Your email has a date in the future. Fix your system clock and try again.
/^Date: .* 2[1-9][0-9][0-9]/    REJECT Your email has a date in the future. Fix your system clock and try again.
/^Date: .* [3-9][0-9][0-9][0-9]/    REJECT Your email has a date in the future. Fix your system clock and try again.


Hope this helps!

Best, Jos



-- With both feet on the ground you can't make any step forward



Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-06 Thread Viktor Dukhovni
On Mon, Jan 06, 2020 at 09:47:24PM +0100, Jos Chrispijn wrote:

> Best check your header_checks configuration. It should look like this:
> 
> /^Date: .* [0-1][0-9][0-9][0-9]/    REJECT Your email has a date from the past. Fix your system clock and try again.
> /^Date: .* 200[0-9]/    REJECT Your email has a date from the past. Fix your system clock and try again.
> /^Date: .* 201[0-9]/    REJECT Your email has a date from the past. Fix your system clock and try again.
> /^Date: .* 2020/    DUNNO
> /^Date: .* 20[2-9][1-9]/    REJECT Your email has a date in the future. Fix your system clock and try again.
> /^Date: .* 2[1-9][0-9][0-9]/    REJECT Your email has a date in the future. Fix your system clock and try again.
> /^Date: .* [3-9][0-9][0-9][0-9]/    REJECT Your email has a date in the future. Fix your system clock and try again.
> 
> Hope this helps!

Best to not use regular expressions for this at all.  If you must
perform this sort of check, do it in a pre-queue proxy filter or milter,
using a proper date parser and by comparing to the current time.

For another take on misuse of regular expressions, see:


https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags/1732454#1732454

-- 
Viktor.
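
The check Viktor describes, sketched as an added example (not code from the thread or from Postfix): parse the Date: value with a real RFC 5322 date parser and compare it with the current time. The tolerance values and the function name are assumptions, the sample headers are constructed, and the milter or proxy-filter plumbing that would call this is not shown.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed policy values (not from the thread): how far ahead of, or behind,
# the receiving server's clock a Date: header may be before it is flagged.
MAX_FUTURE = timedelta(hours=12)
MAX_PAST = timedelta(days=7)


def classify_date_header(value, now_utc,
                         max_future=MAX_FUTURE, max_past=MAX_PAST):
    """Return (verdict, skew) for the value of a Date: header.

    verdict is 'ok', 'future', 'past' or 'unparseable'; skew is the header
    time minus now_utc (None when the value cannot be parsed).
    """
    try:
        sent = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        # Older Python versions raise TypeError, newer ones ValueError.
        return "unparseable", None
    if sent.tzinfo is None:
        # A "-0000" zone parses to a naive datetime; RFC 5322 defines the
        # time itself as UTC in that case.
        sent = sent.replace(tzinfo=timezone.utc)
    skew = sent - now_utc
    if skew > max_future:
        return "future", skew
    if -skew > max_past:
        return "past", skew
    return "ok", skew


if __name__ == "__main__":
    # Constructed clock: the moment the rejection in the log was written,
    # assuming the server logs in +0100.
    now = datetime(2020, 1, 6, 17, 18, 25, tzinfo=timezone.utc)
    samples = [
        "Mon, 6 Jan 2020 17:16:46 +0000",   # sender's clock in UTC
        "Mon, 6 Jan 2020 18:16:46 +0100",   # same instant, other zone
        "Tue, 7 Jan 2020 09:00:00 +0000",   # more than 12 hours ahead
        "Mon, 23 Dec 2019 09:00:00 +0000",  # two weeks old
        "sometime last week",               # not a date at all
    ]
    for value in samples:
        verdict, skew = classify_date_header(value, now)
        print("%-34s %-12s %s" % (value, verdict, skew))
```

Because the comparison is made on instants rather than on the digits of the year, a header stamped 1 Jan 2020 in a +1400 zone is accepted while the server's UTC clock still reads 31 Dec 2019.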


Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-06 Thread Wietse Venema
Regexps that accept exactly one year in the Date: field will
bounce some email around the end of the year, because year changes
don't happen globally at the same time, and email may be in transit
for up to a few days.

By the end of 2019 the patterns should be:

/^Date: .* 2019/    DUNNO
/^Date: .* 2020/    DUNNO
/^Date: .* [0-9][0-9][0-9][0-9]/    REJECT bad year in date

And by the end of 2020:

/^Date: .* 2020/    DUNNO
/^Date: .* 2021/    DUNNO
/^Date: .* [0-9][0-9][0-9][0-9]/    REJECT bad year in date

This could be automated by a cronjob.

Wietse
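
One way to automate the table described above, as an added example (not code from the thread): it derives the accepted years from a window around the current UTC time instead of from a hand-edited year, so two years are accepted only while the window straddles a year boundary. The seven-day slack, the function names and the output path argument are assumptions; the pattern shape is the one shown above.

```python
import os
import re
import sys
import tempfile
from datetime import datetime, timedelta, timezone

# Assumption: a week covers mail that sits in a queue for a few days plus
# senders whose local date is not yet (or no longer) the UTC date.
TRANSIT_SLACK = timedelta(days=7)


def accepted_years(now_utc, slack=TRANSIT_SLACK):
    """Years touched by the window [now - slack, now + slack]."""
    return list(range((now_utc - slack).year, (now_utc + slack).year + 1))


def render_header_checks(now_utc, slack=TRANSIT_SLACK):
    """One DUNNO rule per accepted year, then a catch-all REJECT."""
    lines = ["# Generated for %s UTC; regenerate daily from cron."
             % now_utc.strftime("%Y-%m-%d")]
    for year in accepted_years(now_utc, slack):
        lines.append("/^Date: .* %d/\tDUNNO" % year)
    lines.append("/^Date: .* [0-9][0-9][0-9][0-9]/\tREJECT bad year in date")
    return "\n".join(lines) + "\n"


def first_match_action(table_text, header_line):
    """Offline check of a generated table: return the action of the first
    rule that matches (first match wins, case-insensitive)."""
    for line in table_text.splitlines():
        rule = re.match(r"^/(.+)/\s+(.+)$", line)
        if rule and re.search(rule.group(1), header_line, re.IGNORECASE):
            return rule.group(2)
    return None  # no rule matched: the header is left alone


def write_atomically(path, text):
    """Write beside the target and rename, so a cleanup(8) process that
    starts mid-update never reads a truncated table."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".header_checks.")
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


if __name__ == "__main__":
    table = render_header_checks(datetime.now(timezone.utc))
    if len(sys.argv) > 1:
        write_atomically(sys.argv[1], table)  # path is site-specific
    else:
        sys.stdout.write(table)
```

Run it daily from cron with the table path as its argument, then run `postfix reload` so that running cleanup processes pick up the regenerated regexp table.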


Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-06 Thread Larry Stone


> On Jan 6, 2020, at 2:18 PM, Wietse Venema  wrote:
> 
> Larry Stone:
>> Yep. Sadly, the mail provider I use for personal email had a spam
>> check to consider dates 2020 and later to be “from the future” and
>> rejected mail. It took a few hours for them to fix it on 1/1,
>> meanwhile, considerable mail was lost. Check your various spam
>> checking processes.
>> 
>> As my mail provider has told me they updated it to 2030, I now
>> have a reminder set on my computer for 1-Dec-2029 to remind them
>> to update it (should I still be using them 10 years from now).
> 
> This is a Y.01K (Y-dot-01K? Y1K/100?) problem!

If only every 10 years. It bit them 1/1/16 as well (just a month after I 
switched to them once I reached the conclusion that having a reasonably priced 
high bandwidth connection meant moving to my cable provider’s “no servers” 
residential offering so farewell to running a full functional Postfix server at 
home - I still run Postfix but only for sending out mail originating from 
daemons and cron jobs I run to monitor our systems). Back then, they told me 
they took steps to make sure it didn’t happen again. Oops.

The lesson for all of us is that spam checks that require periodic updating to 
prevent false positives need a good support network in place to make sure 
they’re not forgotten (either inadvertently or due to personnel changes).

The mail provider I use is basically a small “mom and pop” (by their own 
description) operation. The pro is when there is a problem, I don’t have to 
waste time with first level support who usually don’t know as much as I do and 
are primarily there to deal with clueless users and that at a small operation, 
it’s much easier to get the problem to the person who can quickly fix it. The 
con is that there usually isn’t 24x7 support (I got lucky that my support 
request via a web form did get to someone right away but as befits the “mom and 
pop” description, the person who called me back was clearly also a mom who at 
the same time was trying to feed the kids - you just don’t get that 
entertainment on a support call to a mega-corp). Anyway, that’s probably enough 
digression from true Postfix issues (although FWIW, I can tell that my mail 
provider also uses Postfix).

-- 
Larry Stone
lston...@stonejongleux.com


Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-06 Thread Noel Jones

On 1/6/2020 3:16 PM, Wietse Venema wrote:

> Regexps that accept exactly one year in the Date: field will
> bounce some email around the end of the year, because year changes
> don't happen globally at the same time, and email may be in transit
> for up to a few days.
>
> By the end of 2019 the patterns should be:
>
> /^Date: .* 2019/    DUNNO
> /^Date: .* 2020/    DUNNO
> /^Date: .* [0-9][0-9][0-9][0-9]/    REJECT bad year in date
>
> And by the end of 2020:
>
> /^Date: .* 2020/    DUNNO
> /^Date: .* 2021/    DUNNO
> /^Date: .* [0-9][0-9][0-9][0-9]/    REJECT bad year in date
>
> This could be automated by a cronjob.
>
> Wietse




Or even easier, just delete all the Date: header based 
header_checks. I've found them to be false-positive prone and not 
very effective against spam. Then you don't have to set reminders to 
edit it every year, or hope your cronjob works.


Back when I used these, it mostly rejected mail from real people 
with a bad date on their PCs, and very little spam that wasn't 
caught by other rules.


I still use spamassassin to do date checks, but there it's scoring 
rather than pass/fail.



  -- Noel Jones


anyone familiar with 1and1's email setting?

2020-01-06 Thread William C

Hello,

I tried to add SPF on 1and1 domain, got the help page:

https://www.ionos.com/help/domains/configuring-mail-servers-and-other-related-records/using-an-spf-record-to-prevent-spam/

It doesn't state clearly what their official SPF records are, but gives
an example:


v=spf1 include:_spf.perfora.net include:_spf.kundenserver.de ~all

Do you know what their exact SPF records are, and how to set up DKIM on
their hosting DNS?


Thanks & happy new year

regards.


Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-06 Thread @lbutlr
On 06 Jan 2020, at 13:18, Wietse Venema  wrote:
>> As my mail provider has told me they updated it to 2030, 

This is ridiculous.

It is trivial to automate this by generating a header check dynamically based 
on the current UTC date, so doing this “by hand” and setting something up that 
allows an email 9 years into the future but 8 years into the future next year… 
well, that’s bordering on flagrant incompetence.

And the date check should be a lot more stringent than a year, much less a
decade. Try a few hours.

SpamAssassin scores DATE_IN_FUTURE_06_12 (hours) at 1.3, a rather hefty score.
It doesn’t hit very often for my server.

I think what your ISP is doing is not just a complete waste of time, but also
just designed to cause needless problems.


-- 
I don't want to sell anything, buy anything, or process anything as a
career. I don't want to sell anything bought or processed, or buy
anything sold or processed, or process anything sold, bought, or
processed, or repair anything sold, bought, or processed. You
know, as a career, I don't want to do that.