A major new spam campaign has been launched by Linode servers using 3rd and 4th tier subdomains of throwaway domains, mostly .us and .cl, all with
Return-Path: <[email protected]>

#EmailAdmin #SpamAlert

I have an enforcing #DMARC policy set up on my personal email domain. I use #DMARCAnalyzer for processing aggregate reports from servers that send them. Every week I log in and check to make sure everything's fine, i.e., (a) there isn't a significant uptick of people forging emails from my domain that I should look into (unlikely), and (b) I haven't broken something stupid in my infrastructure and caused my own outbound emails to violate my policy.
#SMTP #emailAdmin #sysAdmin (1/2)
tfw you can't get the verification code sent by your health insurance company to your email because the IP address it's coming from is listed in Spamhaus AND the email they're sending violates their enforcing DMARC policy. *sigh*
#infosec #DMARC #Spamhaus #SysAdmin #EmailAdmin #healthInsurance
Running our own mail servers comes with challenges, but using third-party services like SES or SendGrid means trusting their processes for delisting. Either way, dealing with blocklists is part of the game, and it’s not fun. Sigh. #EmailAdmin #selfhosted

CORRECTION!

I made a post about OPENPGPKEY DNS records, and turns out I misread the content relating to it. It is the hash as bytes that is truncated, not the digest itself.

I have corrected my DNS records, the script at https://gist.github.com/TruncatedDinoSour/a0874bf1e90647a9a49985e531d9d15f and the blog post at https://blog.ari.lt/b/openpgpkey-records-are-cool/ - It was an honest mistake!

Regardless, all good now and I have put in efforts to retract the wrong version ASAP 😭 The RFC by “octets” means a byte in the actual hash of sha-256 output, not the hex digest.

Anyway, you should still set OPENPGPKEY stuff up :p Ofc now hearing with CORRECT information :D

#email #pgp #gpg #sysadmin #emailadmin #dns #rfc

OPENPGPKEY DNS record generator implementing RFC 7929 (https://www.rfc-editor.org/rfc/rfc7929.txt)
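
The truncation point corrected in the post above, as an added example (not the linked gist's script or the author's code): RFC 7929 cuts the raw SHA-256 output to 28 octets and then hex-encodes it, giving a 56-character label. `mistaken_owner_name` is one reading of the retracted version (cutting the hex digest string at 28 characters), and the key bytes passed to `zone_record` are the caller's exported public key.

```python
import base64
import hashlib
import re
import unicodedata


def canonical_local_part(address: str) -> tuple[str, str]:
    """Split an address and canonicalise its local-part (RFC 7929, section 3)."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    # Enclosing double quotes are removed, then any backslash quoting inside.
    if len(local) >= 2 and local[0] == local[-1] == '"':
        local = re.sub(r"\\(.)", r"\1", local[1:-1])
    # Non-ASCII local-parts are normalised to NFC. No case folding is done here.
    return unicodedata.normalize("NFC", local), domain.rstrip(".")


def owner_name(address: str) -> str:
    """Owner name of the OPENPGPKEY record for an address."""
    local, domain = canonical_local_part(address)
    digest = hashlib.sha256(local.encode("utf-8")).digest()  # 32 raw octets
    label = digest[:28].hex()  # truncate the octets first: 28 octets -> 56 hex chars
    return f"{label}._openpgpkey.{domain}"


def mistaken_owner_name(address: str) -> str:
    """Assumed form of the misreading: truncate the hex string, not the octets."""
    local, domain = canonical_local_part(address)
    label = hashlib.sha256(local.encode("utf-8")).hexdigest()[:28]  # only 14 octets
    return f"{label}._openpgpkey.{domain}"


def zone_record(address: str, public_key: bytes) -> str:
    """Zone-file line: the RDATA is the base64 of the binary (unarmored) key."""
    rdata = base64.b64encode(public_key).decode("ascii")
    return f"{owner_name(address)}. IN OPENPGPKEY {rdata}"


if __name__ == "__main__":
    addr = "hugh@example.com"  # constructed sample address
    print("correct :", owner_name(addr))
    print("mistaken:", mistaken_owner_name(addr))
    # b"\x99\x01" is a constructed placeholder, not a real OpenPGP key.
    print(zone_record(addr, b"\x99\x01"))
```

A resolver looking up the key only ever queries the 56-character name, so a record published under the 28-character label is never found.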

Hello #MailServer maintainers! If you are using rbl.realtimeblacklist.com, you should be aware that as of around 4am US/Eastern this morning their domain has been parked and is returning bogus #DNSBL results. I suspect that the registration lapsed and a domain resale stalker snapped it up, though I can't say for certain. Perhaps it's a temporary blip that will be resolved, but you should stop using it in the meantime.
#SysAdmin #SMTP #EmailAdmin

“Why are you rejecting our emails?”

“Your SPF doesn’t include the servers your mail comes from.”

“What’s SPF?”

“A thing that says which servers can send mail for your domain.”

“Why do I need to do that? I don’t have problems writing to anyone else.”

“You will, and you really should fix it. Just let your mail admin know.”

“OK fine, but I’m the mail admin… so how do I fix it?”

“You just have to update a DNS record.”

“What’s DNS?”

💀 💀 💀

#SysAdmin #EmailAdmin

Received a bunch of phishing messages from random senders at the domain of a large, prestigious university. They passed SPF checks, so out of curiosity I looked up their record. It includes two entire /16 networks. And to top it off their DMARC policy is set to “none”. 😭 #SysAdmin #EmailAdmin

If anyone is following along, I came up with a solution to my Gmail gateway.

It’s bash because is there any other way?

It scrapes Google’s list of networks from DNS and collects them in a temp file.

If a network isn’t already allowed in iptables, a rule gets added.

It diffs against my production list. If the files don’t match it updates the production one and restarts Postfix.

The file is assigned to mynetworks in Postfix:
mynetworks = /etc/postfix/mynetworks.cidr

#SysAdmin #EmailAdmin

Our students are on Gmail. Staff are on-prem for now.

Staff see “external sender” warnings on student mail (added by Barracuda). I’d like to skip that via an outbound gateway in Google. <https://support.google.com/a/answer/178333>

I can programmatically get Google netblocks from _spf.google.com

What's the best approach to keeping them up-to-date in Postfix or Sendmail as permitted relay hosts?

I can kludge something together but wondering if anyone already did it and has recommendations.

#SysAdmin #EmailAdmin