Hi,
I checked it way back, and nearly all the cases were due to configuration
errors on the sender part.
It is not a feature that is actively used in the wild. I don’t know of any
email client that allows you to do that. So someone needs to craft a specific
message and inject it.
Now, when DM
Seems to me the system may be trying to verify the certificate? It may
be checking the revoking list?
But yes I would try to contact Aruba to get some info, maybe someone on
the list has a contact there?
On Mon, Jan 23, 2017 at 11:42 AM, Brandon Long via mailop wrote:
> Note that informatio
...
On Mon, Jan 9, 2017 at 6:48 AM, Graeme Fowler
wrote:
> On 9 Jan 2017, at 14:08, Franck Martin via mailop
> wrote:
>
> Often, it is a problem of finding an acceptable cypher to both parties...
>
>
> ...after...
>
> On Mon, Jan 9, 2017 at 4:21 AM, Robert Mueller wrote:
The negotiation of STARTTLS is done in clear, so a packet capture will tell
you where the problem is... Wireshark usually explains well what options
are in the packets...
Often, it is a problem of finding an acceptable cypher to both parties...
Finally, make sure your firewall is not messing up w
It is also common when people convert their ACL from IPv4 to IPv6 to forget
to add a rule of PTB in their IPv6 ACLs...
I would also suggest to use tracepath(6) for debugging, as it factors the
port you want to reach and will try to detect the pmtu. You may find where
the packet gets dropped this w
I would suggest you sign up for the JMRP, so you know what people are
complaining about...
On Thu, Nov 17, 2016 at 12:46 AM, Angelo Giuffrida <
angelo.giuffr...@gmail.com> wrote:
> Welcome to the fun game of Microsoft & Hotmail blocks. If you do a search
> through the list archives you'll find re
This document can be of use:
https://www.m3aawg.org/documents/en/maawg-vetting-best-common-practices-bcp
Also, you may want to look at e-hawk.net
On Wed, Oct 19, 2016 at 1:27 PM, Vick Khera wrote:
> On Wed, Oct 19, 2016 at 3:35 PM, Brett Schenker
> wrote:
> > We're currently looking to impleme
As Michael says "Microsoft not Hotmail"
On Wed, Sep 21, 2016 at 2:11 PM, Renaud Allard via mailop wrote:
>
>
> On 21/09/16 22:29, Franck Martin via mailop wrote:
>
>>
>> What Microsoft does differently with DMARC, is that instead of rejecting
>> the ema
Gilles,
I think you will get much background document from
https://blogs.msdn.microsoft.com/tzink/2014/12/03/using-dmarc-in-office-365/
What Microsoft does differently with DMARC, is that instead of rejecting
the email it should reject, it accepts them and delivers them to the junk
folder in the h
I do not want to talk for the moderator/list owner but we have
representatives from all the different types of mail systems, small, big
and huge, that are engaged on this list.
Please be careful when you approach a problem you are facing, stick to the
facts, avoid adversarial language.
I think we
IMHO
It is hard to justify: take down this content because I received a bad
email.
You either ask the web content to be taken down because it is bad on its
own merit, or you ask the mail server admins to not send such bad emails.
To link the bad emails to a website needs a bit more work to prove
I think we were talking here about rejecting emails from a domain that does
not have a SPF policy, which is a bit different from rejecting emails from
a domain with a SPF policy "-all" and a fail result.
For IPv6, bad stuff happens to non authenticated emails, as the archive on
this list is showing
I don't think you should block however:
-IPv4 rate limit if the email is not authenticated (pass SPF or DKIM)
-IPv6 reject email if it is not authenticated (pass SPF or DKIM)
On Wed, Aug 17, 2016 at 12:23 PM, Michelle Sullivan
wrote:
> Brandon Long via mailop wrote:
>
>> If your mail server doe
Thanks,
As with Apple, they used to remember your email address associated with
your credit card, now, likely due to privacy/security concerns, when you
want the receipt to be emailed to you, you need to type your email address
each time. Now, many people do not know their email address especially
https://www.farsightsecurity.com/DNSDB/
On Thu, Jul 28, 2016 at 2:10 AM, Autumn Tyr-Salvia
wrote:
> Hello,
>
> I have recently been dealing with a spammer that likes to use lookalike
> domains and pretend to be other legitimate businesses before doing bad
> things. I want to do more research on
indeed...
I think the null MX makes sense when there is an A or on the same
domain. It stops the mail server from trying to deliver and waiting 4+ days to
bounce the message.
Other MX that are always fun to use:
MX 10 localhost
;)
On Thu, Jul 14, 2016 at 2:46 PM, Steve Atkins wrote:
>
> > On Ju
I kind of see the null MX as a way to say that this domain does not send
emails. So it is more a test on the receiving side than on the sending side.
On Thu, Jul 14, 2016 at 2:04 PM, Steve Atkins wrote:
>
> > On Jul 14, 2016, at 1:38 PM, Brian Godiksen
> wrote:
> >
> > I noticed inconsistencies
At best, is to put a rule to say not to deliver this email to the spam
folder, but if google wants to reject it, it will be rejected.
There is currently no way to deliver spam to abuse@
The best thing I have found, is to send an ARF with only the email headers
as per the standard, and add an extr
Junping,
I think many people don't know who netease is, at least your contribution
to this list will help.
I think the point people on this list are making is that you need to set up
specific PTR (that do not look like auto-generated) for the IPs that DO
send emails. You need to make sure all your
On Thu, Jun 9, 2016 at 2:59 PM, Laura Atkins
wrote:
>
> > On Jun 9, 2016, at 2:07 PM, Bernhard Schmidt
> wrote:
> >
> > On 09.06.2016 18:20, Laura Atkins wrote:
> >>
> >>> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt
> wrote:
> >>>
> >>> Header-From and Envelope-From are aligned, the sending do
On Thu, Jun 9, 2016 at 11:48 AM, Michael Peddemors
wrote:
> On 16-06-09 11:26 AM, Franck Martin via mailop wrote:
>
>> As people pointed out, an SPF record is easy to set and fast to solve
>> the issue, DKIM can come later...
>>
>
> Hehehe... 'easy' is a
It is a M3AAWG best practice to not accept unauthenticated emails over
IPv6, Microsoft does it, we do it, Google too...
https://www.m3aawg.org/sites/default/files/document/M3AAWG_Inbound_IPv6_Policy_Issues-2014-09.pdf
It is also likely that bad stuff (less visible for the sender) is also
happening
Maybe they should test their DNS servers using:
https://www.dns-oarc.net/oarc/services/replysizetest
or set up edns udp size to 1400 instead of the default 4096 if they don't
want to allow fragmented packets in:
http://www.zytrax.com/books/dns/ch7/hkpng.html#edns-udp-size
This is also likely to a
The trouble is his spam becomes your spam and you get penalized for that...
Get on the google postmaster tools to have a better idea of what is
happening, but I would not blindly trust someone that relays emails through
my servers...
On Fri, Jun 3, 2016 at 4:30 AM, wrote:
> Hi,
>
> I'm currently
Not a new story, people have devised systems to avoid the creation of such
accounts:
http://bits.blogs.nytimes.com/2013/04/05/fake-twitter-followers-becomes-multimillion-dollar-business/?_r=0
You could for instance use data from http://www.e-hawk.net/ (I'm not
endorsing them, just a company that tri
These posts will give you more hindsight:
https://www.facebook.com/notes/protect-the-graph/massive-growth-in-smtp-starttls-deployment/1491049534468526/
https://www.facebook.com/notes/protect-the-graph/the-current-state-of-smtp-starttls-deployment/1453015901605223
On Thu, May 12, 2016 at 10:47 AM,
If your network people think they can do a better job than your mail
people, then give them the management of your mail servers, otherwise, tell
them to disable cisco fixup (or whatever it is called nowadays).
On Fri, May 6, 2016 at 8:15 AM, Steve Atkins wrote:
>
> > On May 6, 2016, at 6:04 AM,
On Fri, May 6, 2016 at 3:22 AM, Tony Finch wrote:
> Franck Martin via mailop wrote:
>
> > This page, provides a way to test EDNS:
> > https://www.dns-oarc.net/oarc/services/replysizetest
>
> That's testing the EDNS large packet feature. A DNS server can support
>
This page provides a way to test EDNS:
https://www.dns-oarc.net/oarc/services/replysizetest
Bind acts this way.
Makes an EDNS query of full size, if no answer, makes a DNS query and
request the response to be limited to a 512bytes answer, there it usually
will get an answer, that the result is t
I use this tool because it checks everything DNS (including DNSSEC) and
makes a pretty graph. The two errors are not related to DNSSEC, so seems
you have something to fix ;)
On Wed, May 4, 2016 at 5:03 PM, Michael Wise
wrote:
>
>
> Microsoft officially doesn’t do DNSSEC.
> (or at least not now a
I like to use this tool to tell me everything...
I used it on the first domain, told me there are 2 errors:
http://dnsviz.net/d/alleghenycourts-us.mail.protection.outlook.com/dnssec/
On Wed, May 4, 2016 at 8:45 AM, Rob Heilman wrote:
> Got a fresh batch of DNS failures in the logs. Below is a
I like to use https://dmarcian.com/spf-survey/sigiowa.com for checking SPF
(and DMARC)
On Fri, Apr 29, 2016 at 9:52 AM, Frank Bulk wrote:
> We're helping a customer (sigiowa.com) who's having issues sending emails
> to
> the USDA. Our email server logs this:
> Site usda.gov (2a01:111:f4
For EDNS to work correctly you MUST accept UDP fragmented packets, or
configure your DNS server to advertise a max EDNS packet size of about 1200
bytes.
Otherwise, bind, for instance, goes in a series of fallback and by the time
the result is available the mail server has moved on...
On Thu, Apr
You should have done DKIM on your old IP before moving, so you could have
carried over your domain reputation to the new IP.
On Wed, Apr 27, 2016 at 4:04 PM, Robert Guthrie wrote:
> Hi List,
>
> Just wanted to check in and see if there is anything else I can do to get
> emails to arrive immediat
On Tue, Apr 19, 2016 at 12:05 PM, Michael Peddemors
wrote:
> On 16-04-19 11:53 AM, Michael Wise wrote:
>
>> ... unless it's coming from your localnet.
>> Local clients in the IP space "You Own" should get a bit more slack.
>> IMHO.
>>
>> Aloha,
>> Michael.
>>
>>
> Yeah, only for MTA->MTA traffic,
https://dmarcian.com/dmarc-inspector/chinalovecupid.com
says all is fine
Also note you need some traffic, before an aggregate report is sent to you.
Some receivers will not send a daily report if they have not seen X emails
from your domain.
at https://dmarc.org/resources/deployment-tools/
you
I prefer
example.com TXT "v=spf1 ip:0.0.0.0/0 -all"
or more sneaky
example.com TXT "v=spf1 ip:0.0.0.0/1 ip:128.0.0.0/1 -all"
On Thu, Apr 14, 2016 at 1:22 PM, Brandon Long via mailop
wrote:
> What, you don't want to trust all of Apple's /8?
>
> Anyways, adding spf for an entire cloud provider
Client certificates in emails are not rare, even to the contrary, they are
predominant. The proportion of verifiable client certificates is about the
same proportion of verifiable server certificates.
I think there are a few MTAs that have different config for certificate
presented as a client vs
0 days to fully recover sometimes longer if
> people don't mark your mail as not spam.
> Though, that's only for the domain you're posting from, without details
> not much more I can go on.
>
> Brandon
>
> On Wed, Apr 13, 2016 at 10:48 AM, Franck Martin via mailo
I checked my system, cannot see any report being generated. So maybe this
domain name is not in the RFC5322.From ?
On Thu, Apr 14, 2016 at 8:05 AM, Michael Wise
wrote:
> DMARC is not something I'm well-versed in, but was trying to do what tests
> I could. Would be interesting to see what would
DMARC looks ok:
https://dmarcian.com/dmarc-inspector/chinalovecupid.com
Sometimes it takes more than 24 hours, also make sure the mail system does
not flag the report as spam (because containing bad IPs)...
On Wed, Apr 13, 2016 at 6:22 PM, Michael Wise
wrote:
>
>
> I see it slightly differently
Have a look at
https://tools.ietf.org/html/draft-martin-authentication-results-tls-03 maybe
jump to the example...
I did not pursue, but many MTA clients are sending the certificates, meant
for receiving email to the server they are connecting to.
You can verify that the certificate is trusted
I take the rule of thumb that hotmail/outlook.com does not like more than
20% volume changes day over day and week over week. Subscribe to the SNDS,
and if you see your IPs in the yellow, stop ramping up. All the other
mailbox providers follow same rules more or less, but this gives you a fair
cont
And it is not only to Google, many other mail receivers require SPF or
DKIM over IPv6.
And if you set up a mail receiver with IPv6, do these requirements too, it
is an industry best practice (cf M3AAWG.org).
On Wed, Apr 13, 2016 at 2:59 AM, Tony Finch wrote:
> Thomas Wilhelm wrote:
> >
> > Do
On Sat, Apr 2, 2016 at 10:40 AM, Carl Byington wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Sat, 2016-04-02 at 11:42 -0500, frnk...@iname.com wrote:
> > Anyone aware of email servers that take the approach that CloudFlare
> > has, which is not allow the lowest common denomina
RC4 is a conundrum, it is about the only cypher you can negotiate with old
MS-Exchange, so if you disable it, then the email will go in clear text.
Which one is better? Clear text or RC4? Or too bad for old mail servers?
PFS or Elliptic ciphers are asymmetric in implementation, so you need to
chec
MDN are ugly and look like garbage to the receiver ;) How many times I had
to fight back the urge of people to send back a real email instead of a
reject code...
Also on postfix the RFC5322.From: set in the templates does not contain an
email address with a domain name, which you need to fix, when
I wanted to add, make sure you have compatible ciphers, you may have
enabled STARTTLS but if you cannot negotiate a cypher, then the point is
moot ;)
A packet capture when STARTTLS is initiated will tell you what ciphers are
offered and which one is negotiated.
On Thu, Mar 31, 2016 at 12:03 PM, F
I guess, once they have positive data on your domain, they should update
the icon:
https://www.google.com/transparencyreport/saferemail/#search=eastlink.ca
On Thu, Mar 31, 2016 at 9:38 AM, Kirk MacDonald <
kirk.macdon...@corp.eastlink.ca> wrote:
> With thanks to Google for pushing the cause, I im
DKIM is relatively easy to do, just get on with the program...
It seems very unlikely that for 50 messages a day, Yahoo would spend some
resources to help you not to have to spend some resources to enable DKIM.
On Mon, Mar 28, 2016 at 3:08 PM, Carl Byington wrote:
> -BEGIN PGP SIGNED MESSAG
SMTP AUTH With or without OAUTH (aka Submission) is the same functionally.
The difference is with OAUTH2 you don't have to share your password with
the ESP.
On Thu, Mar 24, 2016 at 7:09 AM, Suresh Ramasubramanian wrote:
> If you are confident that all your customers doing this are low volume an
In fact, these providers offer OAUTH2 to allow you to send as using their
infrastructure, and if you have bigger needs, many domains are going cheap
at the moment...
Not ideal, but some options...
On Wed, Mar 23, 2016 at 3:45 PM, Steve Atkins wrote:
>
> > On Mar 23, 2016, at 3:16 PM, Joel Beckh
The outage is listed at https://ianix.com/pub/dnssec-outages.html
On Tue, Mar 8, 2016 at 6:21 AM, Vick Khera wrote:
>
> On Mon, Mar 7, 2016 at 6:00 PM, Carl Byington
> wrote:
>
>> Yes, arin.net
>>
>> failed to renew the dnssec signatures on 65.in-addr.arpa.
>> They have expired, and anyone behi
On Wed, Mar 2, 2016 at 5:29 PM, Brandon Long wrote:
> I thought that POODLE required a specific type of fallback that tended to
> be browser specific (ie, prevent a tls connection, forcing the browser to
> fall back to a ssl3 connection), do any smtp servers actually do that?
>
Re-negotiation is
Disable SSLv3 too, because of Poodle.
We will need to get rid of RC4, unfortunately this is the only cypher some
old exchange machines understand. Also falling back to clear text from
STARTTLS is more and more frowned upon.
On Wed, Mar 2, 2016 at 1:45 PM, Matthew Huff wrote:
> If your mail serv
On Sat, Feb 27, 2016 at 7:23 PM, Mark Jeftovic wrote:
>
> On 2016-02-27 9:59 PM, Suresh Ramasubramanian wrote:
> > A domain with a null mx may well originate email but will absolutely not
> receive email - so mail gets trashed at your end as well without staying
> endlessly on your mail queues
>
If a domain is telling me it does not accept emails, why should I accept
mail from such domain if I cannot reply back to it?
On Sat, Feb 27, 2016 at 6:59 PM, Suresh Ramasubramanian wrote:
> A domain with a null mx may well originate email but will absolutely not
> receive email - so mail gets tr
Well,
This is not a friendly welcome...
Please you have an opportunity to engage and get things fixed, so don't
throw a ton of bricks on the first email.
Thanks.
On Thu, Feb 25, 2016 at 4:25 AM, Rich Kulawiec wrote:
> On Thu, Feb 25, 2016 at 07:17:56PM +0800, ?? wrote:
> > I am a postmast
I suspect with ARC coming up, leaving traces of broken DKIM headers will be
useful.
On Mon, Feb 22, 2016 at 1:35 PM, Al Iverson
wrote:
> On Mon, Feb 22, 2016 at 2:48 PM, Jim Popovitch wrote:
> > On Mon, Feb 22, 2016 at 1:46 PM, John Levine wrote:
> IMHO, Mailman should strip the existing
You may want to add to the public suffix list your domain. This will
indicate to many people where the delimitation on administration of domains
lies.
https://publicsuffix.org/
Check entries for blogspot, azure, to have an idea what you need to submit.
On Fri, Feb 19, 2016 at 4:41 AM, Jayme wro
Read the archives and
https://social.technet.microsoft.com/Forums/en-US/c0b76505-8737-4b6e-bcee-62cb1ea5ef96/dkim-automatic-forwarding-to-gmail-dkim-neutral
On Fri, Feb 12, 2016 at 12:14 AM, Renaud Allard via mailop <
mailop@mailop.org> wrote:
>
>
> On 02/11/2016 08:37 PM, Fr
Email forwarded within Office365 may have DKIM breakage, Microsoft has been
addressing the issue, I believe.
Mimecast is known to me to break DKIM when forwarding.
On Thu, Feb 11, 2016 at 3:53 AM, Chris Burton wrote:
> Hi,
>
> > Did anyone notice DKIM issues (mails failing signature verificat
On Wed, Feb 10, 2016 at 8:10 AM, Michael Peddemors
wrote:
> That rule has triggered more and more false positives of late BTW..
>
> If you would like to disable this check in the future, you can do so by
> editing /etc/clamav/clamd.conf and setting the following value to false:
>
> Phishi
Awesome, many thanks.
(and let's see if it works)
On Tue, Feb 9, 2016 at 12:41 AM, Simon Lyall wrote:
>
> I was away last week [1] so just caught up on the DMARC discussion.
>
> As an experiment I've changed the mailman settings[2] for DMARC'd emails
> to "Munge From"[3] which should change the