Re: multiple ip addresses for submission -- My Google Fu is lacking
On 14/09/2021 04:29, raf wrote:
> On Tue, Sep 14, 2021 at 01:20:03PM +1000, raf wrote:
>
> But chances are that mail clients just do what any other TCP client would do. That might be why you can't find any discussion on the topic. Remember, the only IP address(es) that the mail client will be concerned with is that of its smarthost. In most cases, that will be an ISP that only has to deal with its own customers, not the whole planet, so there will usually only be one IP address (or one per region). So the mail clients might not have ever needed to put much thought into it.
>
> cheers,
> raf

Big assumption based on one example of gmail.com. Try outlook.com:

    [root@server ~]# dig -t a outlook.com

    ;; ANSWER SECTION:
    outlook.com.    120    IN    A    40.97.128.194
    outlook.com.    120    IN    A    40.97.161.50
    outlook.com.    120    IN    A    40.97.164.146
    outlook.com.    120    IN    A    40.97.148.226
    outlook.com.    120    IN    A    40.97.160.2
    outlook.com.    120    IN    A    40.97.156.114
    outlook.com.    120    IN    A    40.97.153.146
    outlook.com.    120    IN    A    40.97.116.82
Re: [OT] ANN: Postfix policy service geoid-policyd
If my email provider has taken your policy, I will be denied by them, since I was always using a VPN to access the internet. Almost every well-known VPN (PureVPN, KeepSolid etc.) has a large range of IPs for their users, and these IPs are in different countries.

regards.

On Tue, Sep 14, 2021 at 3:24 PM Christian Rößner wrote:
> Hi,
>
> this is my first project written in Go. It is a Postfix policy service that can help reject compromised sender accounts. Therefore it takes the sender IP and gets its geo location ISO code. If a sender comes from too many countries, the request is rejected. A second feature is to count the number of different IPs and if a certain amount of addresses were seen, the request gets also rejected.
>
> There is a whitelist option, where settings can be modified for any sender account.
>
> Furthermore this little policy service has also LDAP support. It is limited to LDAP with or without StartTLS and with simple bind or SASL/EXTERNAL. PRs are welcome.
>
> The suggested way to use this service is by running it as a docker container. A Dockerfile and a sample docker-compose.yml file is included.
>
> As said before, this is my first project in that language. If you are a Go pro, feel free to help make it better ;-)
>
> Hope you enjoy
>
> https://gitlab.roessner-net.de/croessner/geoip-policyd
>
> Christian Rößner
> --
> Rößner-Network-Solutions
> Zertifizierter ITSiBe / CISO
> Karl-Bröger-Str. 10, 36304 Alsfeld
> Fax: +49 6631 78823409, Mobil: +49 171 9905345
> USt-IdNr.: DE225643613, https://roessner.website
> PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Re: multiple ip addresses for submission -- My Google Fu is lacking
> If you are only interested in what mail clients do, and can't find any online explanation, you could either look at the source code to some open source ones (probably the easiest way),

to me, this feels rather the most troublesome way :-)

> or set up a mail smarthost with multiple IP addresses, and send an email through it, recording traffic with tcpdump.

I think I'm gonna do that, but I wanted to ensure that I didn't overlook some blatantly obvious www-page somewhere already describing it in detail.

> But chances are that mail clients just do what any other TCP client would do.

In my reckoning that would be to use gethostbyname(), and use the first of the IP addresses returned unless some explicit failure occurs during connection setup (as for example connection refused, connection timeout, etc.), and only then try the next IP address; and if the TCP connection works but the remote host returns garbage, just display some error message to the user (so no code to try again with other IP addresses in this case). Older code might even not "see" the non-first returned IP address in the hostent structure returned by gethostbyname().

But since the above described is just my guess, I wanted to scrape other people's knowledge as well.

best wishes from,
max
Re: [OT] ANN: Postfix policy service geoid-policyd
> Am 14.09.2021 um 09:44 schrieb Ken Peng :
>
> If my email provider has taken your policy, I will be denied by them, since I was always using a VPN to access the internet.
> Almost every well-known VPN (PureVPN, KeepSolid etc.) has a large range of IPs for their users, and these IPs are in different countries.
>
> regards.

The point is that you don't get rejected just because you come from different countries. You get rejected if you come from too many countries in a defined time slice (default 1 hour). This can also be configured by setting redisTTL lower or larger than 1h.

And of course: everyone can decide on their own whether they have a use case for this service or not.

Christian Rößner
--
Rößner-Network-Solutions
Zertifizierter ITSiBe / CISO
Karl-Bröger-Str. 10, 36304 Alsfeld
Fax: +49 6631 78823409, Mobil: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Re: multiple ip addresses for submission -- My Google Fu is lacking
> when a user clicks "send", the email client has to make some tcp-connection to some ip address.
> what if the hostname configured at the email client resolves to multiple ip addresses?

There are several hops that could randomize IPs:

- authoritative DNS server
- DNS resolver at your dialup provider
- DNS resolver at your home router
- DNS resolver at your computer

Usually there is no need for authoritative DNS servers to rotate IPs because DNS resolvers do. So your email client just gets a list of randomized IPs. In my experience the first one is used and if the connect fails it will try the next one. This works at least with Thunderbird, Outlook and Apple Mail.

Remember that DNS lookups are cached (TTL / time to live), so this particular email client may stick with the same server for some time, but on a global view requests are distributed quite evenly because of resolver behaviour. Over time you will see that your email client uses both mailservers.

DNS loadbalancing works very well. Some companies combine that with dedicated loadbalancers to cope with the load or use BGP anycast.

Best regards
Gerald
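The connection strategy described in this thread (use the first resolved address, move to the next one only when the TCP connect itself fails, and do nothing further once a connection is up), written out as an added example. This is not code from any of the mail clients named above and not from the original posts; the smarthost name smtp.example.net, the function names and the 5-second connect timeout are assumptions. The test-able part (dialFirstReachable, firstOnly) takes an explicit address list so it runs without DNS.

```go
package main

// Added example (not code from the original thread): try the resolved
// addresses in the order the resolver handed them back and fall back to the
// next one only when the TCP connect itself fails.

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// resolveSubmission expands a configured smarthost name into the list of
// "host:port" targets a client would try, in resolver order. It needs DNS,
// so it is only used from main and not from the offline test.
func resolveSubmission(host, port string) ([]string, error) {
	ips, err := net.LookupHost(host)
	if err != nil {
		return nil, err
	}
	targets := make([]string, 0, len(ips))
	for _, ip := range ips {
		targets = append(targets, net.JoinHostPort(ip, port))
	}
	return targets, nil
}

// dialFirstReachable connects to the targets in order and returns the first
// connection that succeeds, plus the errors of the targets skipped on the way.
// Only connect-level failures (refused, timeout, unreachable) advance to the
// next address; once a TCP connection is up, the caller owns it and a broken
// SMTP dialogue on that connection does not cause another address to be tried.
func dialFirstReachable(targets []string, timeout time.Duration) (net.Conn, []error) {
	var errs []error
	for _, t := range targets {
		c, err := net.DialTimeout("tcp", t, timeout)
		if err == nil {
			return c, errs
		}
		errs = append(errs, fmt.Errorf("%s: %w", t, err))
	}
	return nil, errs
}

// firstOnly mirrors older code that only ever looks at the first address a
// gethostbyname()-style lookup returned: no fallback at all.
func firstOnly(targets []string, timeout time.Duration) (net.Conn, error) {
	if len(targets) == 0 {
		return nil, errors.New("no addresses")
	}
	return net.DialTimeout("tcp", targets[0], timeout)
}

func main() {
	// Assumed smarthost name; replace with your own submission host.
	targets, err := resolveSubmission("smtp.example.net", "587")
	if err != nil {
		fmt.Println("resolve:", err)
		return
	}
	c, errs := dialFirstReachable(targets, 5*time.Second)
	for _, e := range errs {
		fmt.Println("skipped:", e)
	}
	if c == nil {
		fmt.Println("all addresses failed")
		return
	}
	fmt.Println("connected to", c.RemoteAddr())
	c.Close()
}
```

Run it with a smarthost that has several A records and watch which address it lands on across runs; with `tcpdump port 587` alongside you see exactly one SYN per address tried, which is the observation the thread proposes making.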
[OT] ANN: Postfix policy service geoid-policyd
Hi,

this is my first project written in Go. It is a Postfix policy service that can help reject compromised sender accounts. Therefore it takes the sender IP and gets its geo location ISO code. If a sender comes from too many countries, the request is rejected. A second feature is to count the number of different IPs and if a certain amount of addresses were seen, the request gets also rejected.

There is a whitelist option, where settings can be modified for any sender account.

Furthermore this little policy service has also LDAP support. It is limited to LDAP with or without StartTLS and with simple bind or SASL/EXTERNAL. PRs are welcome.

The suggested way to use this service is by running it as a docker container. A Dockerfile and a sample docker-compose.yml file is included.

As said before, this is my first project in that language. If you are a Go pro, feel free to help make it better ;-)

Hope you enjoy

https://gitlab.roessner-net.de/croessner/geoip-policyd

Christian Rößner
--
Rößner-Network-Solutions
Zertifizierter ITSiBe / CISO
Karl-Bröger-Str. 10, 36304 Alsfeld
Fax: +49 6631 78823409, Mobil: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
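The decision the announcement describes, and the time-slice clarification in Christian's reply (too many distinct countries, or too many distinct IPs, for one SASL user within a window, default 1 hour), as an added example. This is not the geoip-policyd code: it keeps state in memory instead of Redis, replaces the GeoIP database with a constructed IP-to-country table, and leaves out the LDAP part. It does speak the real Postfix policy protocol (attribute=value lines ending in an empty line, answered with an action= line), so the parsePolicyRequest/Decide pair is what a check_policy_service hook would sit behind. The limits, the constructed table and the function names are assumptions.

```go
package main

// Added example (not the geoip-policyd code): Postfix policy request parsing
// plus a sliding-window count of distinct countries and IPs per SASL user.

import (
	"bufio"
	"fmt"
	"io"
	"strings"
	"time"
)

// parsePolicyRequest reads one policy request as Postfix sends it to a
// check_policy_service: "name=value" lines terminated by an empty line.
func parsePolicyRequest(r io.Reader) (map[string]string, error) {
	attrs := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			return attrs, nil
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed policy line %q", line)
		}
		attrs[k] = v
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return nil, io.ErrUnexpectedEOF // request cut off before the empty line
}

// countryOf is a constructed stand-in for a GeoIP lookup (documentation
// prefixes, invented country assignments).
var countryOf = map[string]string{
	"203.0.113.5":   "DE",
	"203.0.113.77":  "DE",
	"198.51.100.7":  "US",
	"192.0.2.9":     "JP",
}

func lookupCountry(ip string) string { return countryOf[ip] } // "" when unknown

type sighting struct {
	ip, country string
	at          time.Time
}

// Tracker remembers, per sender, the logins inside the current window.
type Tracker struct {
	window                time.Duration
	maxCountries, maxIPs  int
	seen                  map[string][]sighting
}

func NewTracker(window time.Duration, maxCountries, maxIPs int) *Tracker {
	return &Tracker{window: window, maxCountries: maxCountries, maxIPs: maxIPs, seen: map[string][]sighting{}}
}

// Observe records a login and returns the distinct countries and IPs the
// sender has used within the window, after expiring older sightings.
func (t *Tracker) Observe(sender, ip string, now time.Time) (countries, ips int) {
	old := t.seen[sender]
	kept := old[:0] // in-place filter, safe because we only drop from the front
	for _, s := range old {
		if now.Sub(s.at) < t.window {
			kept = append(kept, s)
		}
	}
	kept = append(kept, sighting{ip: ip, country: lookupCountry(ip), at: now})
	t.seen[sender] = kept
	cs, is := map[string]bool{}, map[string]bool{}
	for _, s := range kept {
		if s.country != "" {
			cs[s.country] = true
		}
		is[s.ip] = true
	}
	return len(cs), len(is)
}

// Decide turns a parsed request into the action line Postfix expects.
// Unauthenticated traffic (no sasl_username) is not tracked: the check is
// about compromised accounts, not about inbound MX traffic.
func (t *Tracker) Decide(attrs map[string]string, now time.Time) string {
	sender := attrs["sasl_username"]
	if sender == "" {
		return "action=DUNNO"
	}
	c, i := t.Observe(sender, attrs["client_address"], now)
	if c > t.maxCountries {
		return fmt.Sprintf("action=REJECT account %s used from %d countries within %s", sender, c, t.window)
	}
	if i > t.maxIPs {
		return fmt.Sprintf("action=REJECT account %s used from %d addresses within %s", sender, i, t.window)
	}
	return "action=DUNNO"
}

func main() {
	// Constructed request as Postfix would write it to the policy socket.
	req := "request=smtpd_access_policy\nclient_address=203.0.113.5\nsasl_username=alice\n\n"
	attrs, err := parsePolicyRequest(strings.NewReader(req))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	tr := NewTracker(time.Hour, 2, 5)
	fmt.Println(tr.Decide(attrs, time.Now()))
}
```

The window here is what the reply calls the time slice: a VPN user who hops between two exit countries in an hour stays under a limit of 2, while a stolen password used from three countries within the hour trips it. Whether 2 countries and 5 addresses per hour are the right numbers for your users is the tuning question the whitelist option exists for.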
Re: multiple ip addresses for submission -- My Google Fu is lacking
On Tue, Sep 14, 2021 at 08:24:00AM +0100, Nick Howitt wrote:
> On 14/09/2021 04:29, raf wrote:
> > On Tue, Sep 14, 2021 at 01:20:03PM +1000, raf wrote:
> >
> > But chances are that mail clients just do what any
> > other TCP client would do. That might be why you can't
> > find any discussion on the topic. Remember, the only IP
> > address(es) that the mail client will be concerned with
> > is that of its smarthost. In most cases, that will be
> > an ISP that only has to deal with its own customers,
> > not the whole planet, so there will usually only be one
> > IP address (or one per region). So the mail clients
> > might not have ever needed to put much thought into it.
> >
> > cheers,
> > raf
>
> Big assumption based on one example of gmail.com. Try outlook.com:
>
> [root@server ~]# dig -t a outlook.com
>
> ;; ANSWER SECTION:
> outlook.com.    120    IN    A    40.97.128.194
> outlook.com.    120    IN    A    40.97.161.50
> outlook.com.    120    IN    A    40.97.164.146
> outlook.com.    120    IN    A    40.97.148.226
> outlook.com.    120    IN    A    40.97.160.2
> outlook.com.    120    IN    A    40.97.156.114
> outlook.com.    120    IN    A    40.97.153.146
> outlook.com.    120    IN    A    40.97.116.82

Yes, that is a mail service provider that does need to service the whole planet, unlike many ISPs. And perhaps ISP-based email accounts are less common than they used to be. It would make a good target for testing what a mail client does when sending mail if its source code is inaccessible.

cheers,
raf