On 2017-07-25 at 22:10 -0400, Eric Tykwinski wrote:
> Sorry, probably straying from the topic, but does anyone know any good SMTP
> tests for DANE.
> I’m using https://dane.sys4.de/ currently and it works, but I would like
> something with some more details if possible.
Self-pimping:
https://
On 2018-04-11 at 14:41 -0700, Carl Byington wrote:
> So we could (do what they want) interpret mx:mail.example.com as if it
> were a:mail.example.com
FWIW, both RFC 4408 from 2006 and RFC 7208 from 2014 explicitly
"MUST NOT" this behavior.
Section 5.4 in each.
> What does your code do when it se
While double-checking logs after an MTA update, I saw something from
Gmail which is ... bemusing. I'm wondering if there's any consensus on
how this should be handled in a manner which scales, given that Gmail
don't publish DANE records?
2018-04-16 01:14:55 [95041] 1f7sjN-000Oiu-7W
=> @gmail.c
On 2018-04-16 at 05:28 +, Brandon Long via mailop wrote:
> I always thought of SNI as the equivalent of the Host HTTP header, so it
> should be the hostname you're connecting to.
>
> That's my reading of rfc 6066 at least, and what Gmail expects.
In the HTTP Host header case, the hostname us
On 2018-04-16 at 11:45 -0700, Ned Freed wrote:
> AFAIK this does not happen in MTA-STS, that is, at no time is the MX hostname
> obtained from the DNS checked against the "mx" list from the MTA-STS policy.
> Rather, the DNS-ID of the certificate returned by the server is checked
> against
> the "m
On 2018-04-16 at 13:04 -0400, Phil Pennock wrote:
> What's confusing to me, the next morning, is that included in the Gmail
> overrides is a force-enabling of validation (yes, using the CA system,
> but selective for remote domains where I choose to trust they're not
> goin
On 2018-04-17 at 16:47 +, Brandon Long via mailop wrote:
> So, according to our tls folks, that cert is only served to TLS 1.3 clients
> that don't send SNI,
> so they wonder if you're using a pre-release version of OpenSSL without any
> changes.
Yes, Exim supports TLS 1.3 if GnuTLS or OpenSSL
On 2018-04-17 at 14:28 -0400, Phil Pennock wrote:
> and for the DANE case, Exim
> always sends SNI.
I'm going prematurely senile. I could have sworn this was true but I
can find no evidence of it. Since RFCs 7671 and 7672 mandate SNI of
Folks, mail-providers especially, a heads-up:
I've committed a change for the next release of Exim (not imminent)
which is a "default configuration file" change to the suggested
configuration for talking to mail smarthosts.
The changes are all around TLS. The new Exim suggested smarthost
configu
On 2018-04-27 at 14:58 -0700, SM wrote:
> There is some information in RFC 6125.
Hi, and thanks.
It covers in appendix B.4 two previous pieces of guidance, one of which
helps a little.
The first is a vague "probably" which fails to help; I think the text
(from 2002) predated most people involved
On 2018-05-22 at 14:58 -0400, Eric Tykwinski wrote:
> MTA-STS will probably hit more on the valid certificate deal, but it's on the
> mta-sts record to get the policy.
> DANE just says this certificate is good, could be expired, self-signed, et al
> as long as it passes the hash.
DANE has two mo
On 2018-09-13 at 16:30 +0300, Vladimir Dubrovin via mailop wrote:
> For opportunistic TLS, there is no difference between certificate signed
> by CA and self-signed certificate (or even unsigned), because
> certificate is usually not validated. Certificate validation is useless
> here, because opp
On 2015-06-23 at 16:35 +0200, Johann Klasek wrote:
> On Sat, Jun 20, 2015 at 11:33:00AM -0500, Frank Bulk wrote:
> > http://www.circleid.com/posts/20150620_logjam_openssl_and_email_deliverability/
> >
> > FYI, just a heads up.
>
> OpenSSL now rejects handshakes using DH parameters shorter th
On 2015-06-24 at 14:06 -0700, Carl Byington wrote:
> Does Exim (immediately or delayed) retry that connection and
> (temporarily or permanently) ignore the offer of STARTTLS?
Depends upon the configuration. Assuming defaults, "yes".
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-enc
Hey,
Old story, shadow IT setup, email for a domain being handled by pobox,
person who set it up has left, no authentication information stored in
company password manager system. I'm trying to get back access so we
can pay pobox money and get things running again.
(Which is, understandably, som
On 2015-09-14 at 17:42 +, Phil Pennock wrote:
> If there's
> anyone from pobox reading, could you please reply off-list to me?
The problem has now been resolved, we have access back.
Th
On 2017-01-21 at 17:57 -0800, Carl Byington wrote:
> About 10% of the mail from invista.com is failing validation. That mail
> has two signatures from invista.com and kochind.onmicrosoft.com.
> Either both signatures validate, or they both fail. It seems there is
> something in the pphosted ma
On 2017-02-02 at 08:45 -0700, Rob Nagler wrote:
> I don't understand how Google determines when to put a red lock on the
> compose. When I send to f...@bivio.com it gets a red lock, but to
> f...@bivio.biz does not. They have different MXes. The MTAs are configured
> identically except for that mta
On 2017-02-14 at 16:28 +0100, Sebastian Wiesinger wrote:
> I'm not sure if I'm special if I would like my mails to get delivered
> when my server is not doing anything wrong?
Rent on a storefront in a well-policed clean part of town is higher than
rent on a back-alley where the streets are being r
On 2017-02-15 at 00:24 -0500, valdis.kletni...@vt.edu wrote:
> So your post un-wordwraps into:
> DATA
> 354 Go ahead d7si5125389wjc.145 - gsmtp
> Testing. .
> 550-5.7.1 [2001:4830:11aa:106:c23f:d5ff:fe67:5ce1 11] Our system has 550-5.7.1
> detected that this message is not RFC 5322 compliant. To
On 2017-02-15 at 22:40 -, John Levine wrote:
> I like DO for web hosting and their provisioning is great, but I
> wouldn't try to send mail from DO.
DO block port 25 outbound on IPv6. So I wouldn't, either.
(I was going to put a monitoring box on a new DO VPS, away from my
regular colo, but
On 2019-04-29 at 19:51 +0100, Andrew C Aitchison via mailop wrote:
> I'm trying to alert the exim developers to the suggestions that people
> have made in this thread; but it would be easier to ask them to subscribe to
> mailop if the archive didn't have an expired certificate.
I'm on mailop, I ju
On 2019-08-28 at 18:42 +0100, Tim Bray via mailop wrote:
> Probably mainly for Debian users.
>
> libgnutls30 3.6.7-4(Debian Buster)
>
> exim4-daemon-heavy 4.89-2+deb9u5 (Debian Stretch)
>
> Run these together and it tries to use TLS1.3 when sending email. And
> google seems to close the co
On 2019-09-25 at 21:18 +1200, Simon Lyall via mailop wrote:
> Just had a bunch of people at a domain get unsubscribed from this list.
> Appears to be some weird Google rule (which probably made sense when they
> were not the MX for 30% of all active domains)
>
> Any chance of them fixing it (or fa
On 2019-10-14 at 15:07 +0200, Thomas Walter via mailop wrote:
> Even more interesting: In Germany, this can be seen as not delivering an
> email to the recipient which is against the law. The user might be using
> POP3 or is not subscribed to the IMAP folder and therefore does not see
> the SPAM fo
On 2020-05-28 at 13:35 -0600, Daniele Nicolodi via mailop wrote:
> Does anyone know if there is any alternative to Outlook to access
> Exchange Online mailboxes that require modern authentication?
>
> The IT department of the organization that is pushing thins says that
> modern authentication and
On 2020-07-10 at 17:59 -0700, Brandon Long via mailop wrote:
> Anyways, ecc has been added to DKIM, but I'm not sure how widely deployed
> verifying it is.
> https://tools.ietf.org/html/rfc8463
Exim has implemented a=ed25519-sha256 for some time, and verifies it.
By mail volume that's not a lot, b
On 2020-07-15 at 11:54 -0400, John Levine wrote:
> In article <20200713214707.ga26...@fullerene.field.pennock-tech.net> you
> write:
> >Exim has implemented a=ed25519-sha256 for some time, and verifies it.
> >By mail volume that's not a lot, but by independent installs it counts a
> >bit more. Su
On 2020-07-24 at 09:54 +0100, Klaus Ethgen via mailop wrote:
> As my mails are always plain text, signed by PGP and coming from a mail
> server that I can assure is never sending spam or even high amount of
> mails, that is not in any blacklist, I wonder, what makes it google to
> believe that my m
On 2020-07-24 at 15:40 -0400, Phil Pennock via mailop wrote:
[ snip lots ]
I was asked by someone with a link to a mailing-list archive entry to
turn this into a blog-post which could be cited, so I've done so; there
are some additions of RFC and website cross-references which might ma
On 2020-07-24 at 15:29 -0700, Luis E. Muñoz wrote:
> I would push DANE a bit up in the list. DNSSEC can be a drag to some, but it
> is really the way to go in terms of decentralization of encryption. It is
> also a good practice.
Absolutely, but the context here was sending to Gmail, who don't (as
Folks,
The zsh.org project had to move hosting, including email, on a shorter
final timescale than ideal for things like IP warming, so had to go live
abruptly on its new addresses. I'm helping out but not driving the
effort. Some providers are blocking, so if you have manual allow-list
stuff, w
Folks,
One of the sources of mail for a domain I need to care about (nats.io)
per DMARC reports is office.com; eg:
cwlgbr01ft010.eop-gbr01.prod.protection.office.com.
5.188.213.206 5.188.213.198
Do Microsoft do domain verification before allowing a sender domain to
be used?
I'm trying to
On 2020-11-20 at 10:18 +, Tim Bray via mailop wrote:
> On 20/11/2020 08:01, Andrew C Aitchison via mailop wrote:
> > The developers would like to use a "standard" schema;
> > does anyone use or know of a JSON schema for mail servers logs ?
>
> Tricky - a streaming file format is not going to b
On 2020-11-21 at 14:31 +, Stuart Henderson via mailop wrote:
> On 2020/11/21 13:59, Thomas Walter via mailop wrote:
> > On 21.11.20 12:54, Jaroslaw Rafa via mailop wrote:
> > > You can configure your MTA to disable IPv6 only for delivery to Google -
> > > at
> > > least with Postfix it should
On 2020-12-08 at 16:13 +0200, Mary via mailop wrote:
> So in postfix you'd do something like this? (under header_checks)
>
> /^From:.*<(.*)>/ REPLACE From: $1
>
> I wrote that in my email client, so I don't expect my regex to work. I guess
> it would be fun to see how much damage I can do with s
On 2020-12-16 at 12:10 -0500, Dave Shevett via mailop wrote:
> We're actually running on a linode now that's pretty much dedicated
> to running mailman. The issue is there's still a lot of yak-shaving
> to make it all work, in particular understanding how to get dkim
> signatures to work when mai
On 2021-01-06 at 14:23 +0100, Dan Malm via mailop wrote:
> This might have some implications for anyone running a mail server on
> Ubuntu as smtp delivery to recipients with a "legacy" SSL configuration
> will break with SSL errors like for example: "SSL
> routines:tls_process_ske_dhe:dh key too sm