@w_pettersson @schmidt_fu
I recently came across this project. I haven't tried it, but this may look like it would solve your problem.
#SMTP #OAuth proxy
https://github.com/simonrob/email-oauth2-proxy
#ActivityPub and #SMTP (Simple Message Transfer Protocol, also known as e-mail) have more in common than you might think. Both are about accepting or refusing messages on the instance/server level. Both use comparable rulesets. One has 30+ years more of experience. Worth listening to them, IMHO (In My Humble Opinion). I am one of the lucky ones that know both :)
I may be jumping the gun a bit since I do not see an official release announcement?

There is however this: https://github.com/OpenSMTPD/OpenSMTPD/blob/master/CHANGES.md#release-770p0-2025-05-12

There's also a corresponding tarball on https://www.opensmtpd.org/archives/

Subsequently, I submitted a Pull Request to update MacPorts' OpenSMTPD to 7.7.0p0 here:

https://github.com/macports/macports-ports/pull/28417

GitHub Actions' Continuous Integration checks passed.

It's up to someone else with write access to merge it.

#OpenSMTPD #MacPorts #OpenBSD #macOS #SMTP #email

Well, finally, email notifications on hear-me.social are working again. They seemingly broke with the last upgrade and fortunately were also broken on my test instance so I could play around without disrupting services here.

The cause was bizarre, and it took a while to find it.

I have my own email server for a hundred reasons, and it's hosted on Digital Ocean. I host this Mastodon server (and others) on Digital Ocean. But, around the time I did the Mastodon upgrade, the Mastodon servers could no longer send email.

The cause...

Digital Ocean has a policy to restrict IPV6 access to an SMTP server hosted on Digital Ocean. Mastodon was attempting to connect to my mail server using IPV6 and was blocked. Oddly, I can connect via IPV6 from my home computer, which is against their policy and from other DO servers. Maybe not for long?

I found reference to this Digital Ocean policy in a post from 2014, but other hosters probably have the same policy.

"The main reason behind why we have chosen to block these ports by default is due to how blacklists handle IPv6 addresses, in the event of a spam report. Rather than listing only one address, blacklists will list the full /64 subnet of addresses that the spam report came from, which impacts a whole range of customers and droplets unaffiliated with the incriminating droplet/user. When a whole range is affected, even newly created droplets can be affected if they are assigned an IP for a blacklisted subnet."

Had I known this, I would have set up the mail server to only use IPV4, but it's a bit late to change it. My workaround was to use the IPV4 address for the SMTP server in the Mastodon configuration file instead of using the domain name.

Anyway, anyone on hear-me.social who runs into issues with email from this point on, please let me know.

#SelfHosting #SMTP #Email #DigitalOcean #HearMeSocial

Ever harder…
In days of old, though not too many eons ago, you would install postfix or dovecot, make two or three adjustments, and you had your own mail (SMTP) server. Today, running your own SMTP server has become very hard!

Now, to the cry of "because of some, credit is no longer given to anyone", with the abuse by those who fill your inbox with junk we have reached the extreme oppo
https://monodes.com/predaelli/2025/05/10/sempre-piu-arduo/
#Ethics #Microsoft #smtp

Gmail will soon stop support for the 3DES encryption cipher for incoming SMTP connections

What’s changing: Starting May 30, 2025, we will no longer support the Triple Data Encryption Standard (3DES) for incoming SMTP connections....

Google Workspace Updates

How to turn on inbound SMTP DANE in Office 365

Inbound SMTP DANE (DNS-Based Authentication of Named Entities) is a security protocol designed to secure email communication by ensuring the authenticity of the receiving mail server's encryption certificates when emails are delivered via the Simple Mail Transfer Protocol (SMTP).

By default, SMTP doesn't guarantee encryption, which makes it vulnerable to man-in-the-middle attacks. To secure email communication, SMTP can use STARTTLS, which upgrades a plain text connection to an encrypted one. However, STARTTLS by itself doesn't verify the authenticity of the receiving mail server's certificate, leaving it vulnerable to attacks where a malicious entity might impersonate the server.

DANE addresses this issue by enabling domain owners to publish their mail server’s encryption certificates in DNS records, which are protected by DNSSEC (Domain Name System Security Extensions). This allows sending mail servers to verify the authenticity of the receiving mail server's certificate before establishing an encrypted connection.

When an email is received, the receiving mail server uses DANE to publish its certificate in the DNS, allowing the sending server to check the certificate's validity before establishing a secure TLS connection. This ensures that emails are delivered over an encrypted connection and that the encryption certificate is trustworthy and has not been tampered with.

📺 Watch my YouTube video below on how to turn on inbound SMTP DANE in Office 365 👇 👇
https://youtu.be/UEAlyU3CTHk

#cswrld #videotutorial #smtp #inbound #dane #office365
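
An added example, not part of the post above and not Microsoft's or any mail server's own code: the comparison a sending server makes between a DNSSEC-signed TLSA record and the certificate presented after STARTTLS, sketched in Python for DANE-EE (usage 3) records only. The function names and the certificate-shaped sample bytes are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for _ in range(5):  # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)
    return cert_der[pos:end]                 # header + value of the SPKI

def tlsa_matches(record, cert_der):
    """Check a 'usage selector mtype hex' TLSA record against a server cert."""
    usage, selector, mtype, data = record.split(None, 3)
    if usage != "3":
        raise ValueError("only DANE-EE (usage 3) is handled in this sketch")
    # Selector: 0 = whole certificate, 1 = SubjectPublicKeyInfo only.
    selected = {"0": lambda c: c, "1": extract_spki}[selector](cert_der)
    # Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
    digest = {"0": lambda b: b, "1": lambda b: hashlib.sha256(b).digest(),
              "2": lambda b: hashlib.sha512(b).digest()}[mtype](selected)
    return digest == bytes.fromhex("".join(data.split()))

def der(tag, content):
    """Encode one short-form DER element (used for the sample data only)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

# Constructed sample: certificate-shaped DER with a dummy Ed25519 key.
# It is not a valid, signed certificate; only its layout is realistic.
SPKI = der(0x30, der(0x30, b"\x06\x03\x2b\x65\x70")
           + der(0x03, b"\x00" + bytes(range(32))))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
          + der(0x30, b"") * 4 + SPKI)
CERT = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))
RECORD = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()

if __name__ == "__main__":
    print(RECORD, tlsa_matches(RECORD, CERT))
```

A `3 1 1` record pins only the public key, so it keeps matching when the certificate is renewed with the same key, while a `3 0 1` record has to be republished for every new certificate.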

Google Gmail will soon stop support for 3DES encryption cipher for incoming SMTP connections

Google Workspace Updates: What’s changing: Starting May 30, 2025, we will no longer support the Triple Data Encryption Standard (3DES) for incoming SMTP connections. After May 30, 2025, email systems using 3DES for SMTP connections will be unable to deliver emails to Gmail accounts. This change...

Windows 11 Forum

@Linux for @monocles it's about their mail & messaging solutions which are subscription-financed and in return just work on any devices as well as their nextcloud.

The other two I can understand fully...
