This is really quite fascinating. There is exactly one ISP that is blocking mail from the mail server I run, which is used to deliver mail for infosec.exchange - t-online.de. It annoys me to no end that I see people try to subscribe to infosec.exchange and the confirmation emails are rejected. So, I contacted their postmaster, and to their credit, they got back to me very quickly, but they are basically saying "yeah, you need to use one of the big mail providers if you want to send mail to t-online subscribers".... Ok then. My apologies to any t-online subscribers (who probably can't see this anyhow), but you'll apparently need to use a different email account to register.
and I'd like to say, I'm pretty darn good at running mail servers after 30 years of doing it.
@jerry This is sadly a “trend,” and I am in the same boat. Running my own mailserver(s) forever and not going to switch to one of the big email monopolies.
@jerry It should be sufficient to put the required contact information into the instance info box on the front page before asking to be unblocked, but I fully understand if you don't want to.
@galaxis I am going to look at doing that.
@jerry @galaxis Alexander is right, their policy is that they need contact information on the webpage of the domain. I (running Mailservers for only 20+ years..) had similar problems after migrating my MX to a different provider. I set up a webpage for them with the info they demanded, they whitelisted my MX, I removed the info..😏
@jerry @galaxis They demanded that the first paragraph of chapter 4.1 of their FAQ is fulfilled: https://postmaster.t-online.de/index.en.html#t4.1
@beirer @jerry @galaxis Yeah, we have to email tosa@ every time customers who host their own mail servers move to different IP space. It’s completely ridiculous. Even when you are a Telekom customer and have IP space from them. They are however really responsive. They helped me over the Easter weekend once. So they make the best out of a really stupid practice IMHO.
@flo @jerry @galaxis been there, done that..😋 And yes, I migrated Saturday night and got unblocked Sunday morning
@jerry I just entered the foray by setting up my first! LOL
@jerry I think the conclusion to draw here is that t-online are bad at it
@andrea @jerry Unfortunately, they are one of the largest ISPs in DE
@beirer @jerry do people actually use ISP-provided mail?
@andrea @beirer I can definitely say that yes. Yes they do.
@jerry @andrea @beirer i already realized that was a bad idea when I was a kid in the early 2000's and I saw that all the ISP:s offered email accounts.

@jerry seems like blacklisting would be a better option than the path they chose. Kind of undermines the openness of the inter tubes to go the opposite path (privileged “whitelist”.)

O365 can be a pain too sometimes. We ended up having to use separate relay systems and careful queue tuning to keep mail flowing even to our own O365 accounts. Further, many of our customers use O365 and we still run into issues at times.

But fortunately we’ve not run into many issues where mail is blocked from our relays (O365 is an exception) even though by design they are very busy (alerts/alarms/bills) - all have periods of high burst volumes that can appear like spam.

@jerry strange, I never had any problem to remove an IP address from their blacklist. Maybe the person just had a bad day ....
@jerry Yeh I heard about them doing that on an MTA group I am on, ridiculous
@jerry t-online has the stupidest blunt tools when it comes to email deny listing. You basically can’t do non-big corp e-mail outgoing either unless you’re tech savvy - if you use their modems you need to manually unblock any nonstandard email server you might use in the advanced settings…
@jerry as am I and I have to say that's a really sh...y policy for a postmaster. Insist on spf, dkim, dmarc, etc, etc, fine. Insist on big Corp mail service? That's a dick move.
@jerry
Better add that note to your sign up page haha.
@bryson I think I am going to block signups from that email domain, too. It has to be frustrating from the perspective of someone trying to sign up for the service.
@jerry
True, would make it easier on both of you for sure.
@jerry this makes me v v angry
@jerry I very nearly set up my own Postfix server for Mastodon thinking, “I know how to do this and have 30 years experience, it should be simple for this use case.” But my more recent business experience tells me that deliverability has become a massive nightmare. I went with Mailgun at first and it was great, but switched to Sendgrid for business reasons; also fine. Given that a big complaint surface is “not getting the confirmation email,” I decided to suffer this indignity for $15/mo instead.
@jerry Thanks for trying, but thanks even more for rejecting their suggestion.
@jerry Why am I not surprised that it is the DTAG... 😒
@jerry Wow, gotta love the "we don't use greylisting because it hinders the delivery of legitimate e-mails" right before that

@jerry DTAG are renowned in ISP circles for having a sense of self importance as corporate policy. :|

I get that some people might have no choice but to use their broadband but genuinely stunned anyone is using their freebie email accounts in any serious capacity.

@interpipes @jerry As an ISP (and from the consumer side) they are quite good in Germany. I have not had any big interruptions in service whereas friends and colleagues with other ISPs (especially Vodafone) had many outages.
@AUROnline @jerry unfortunately from the perspective of other networks who have content DTAG users want to access, DTAG have the opinion that not only should their customers pay them, but everyone else on the Internet should pay them also and they sandbag other attempts to maintain sufficient capacity to get packets to eyeballs, apparently banking on the fact that DTAG users either have no choice or will blame the content providers who haven’t paid DTAGs toll.
@jerry That's pretty ignorant of them, provided you have reverse DNS, SPF etc, there's literally no sane reason to do that.
@jerry That's weird, but goes along with their peering policy and general business behavior.
To their credit, their abuse reaction was near instant when I had to contact them. Someone got owned and their account was spewing spam, got shut down instantly.
@jerry T-Online is a bit stupid. Their rules say that you need an impress (name, postal address, phone-number, name) on the domain or subdomain of your SMTP server (and maybe infosec.exchange).
After that you look "commercial" and they should remove your block.
But I'm with you, this is stupid.
@jerry That's ridiculous. But t-online.de is known to be very strict about accepting mail. As suggested in https://sendgrid.com/blog/how-to-meet-the-new-t-online-de-email-delivery-requirements/ you should make sure that DKIM, SPF and rDNS are set up correctly because it affects the reputation score at t-online.de
@jerry @huan That is the worst antispam policy I've ever seen
@huan @jerry mine are a 10/10, still rejected
@jerry this is certified "Deutsche Telekom" Moment

I'm actually not surprised.
@jerry The mailops list had a long thread on t-online rejecting email recently. T-online have scored an own goal.

@jerry
> "There must be a domain and website with direct contact information easily deducible from the delivering IP's hostname"

---

infosec.exchange's mx record points to another hostname and address block

they may not be too keen on that imho

@jerry ps you leaked their email addy ;)
@jerry bonus points for dmarc and dkim though!
@morb that's their official email to send to when you have rejected mail - not a specific person
@jerry Ok I ran email servers for personal domains for 20 years and this just screams out of a lazy mailadmin.
@jerry ultimately this is a problem that will solve itself as their users will switch to email servers that don't block inbound email from desired sources.
@jerry @ajuvo I had exactly the same issue, and after 3 months of complaints of my „users“ and no progress with the Telekom, I closed my mail server.
@jerry that sounds like somebody there misunderstood what you are doing. I got my Mailserver whitelisted there, I think somebody misunderstood non commercial/private as dialup running from home with dynamic IP.
They however usually - at least for Germany - require some sort of imprint on the website of the domain the MX is running on.
@jerry if you telnet to port 25 from a blocked IP you will see the actual mail address to contact to get whitelisted, something tosa@ iirc

@mutax @jerry I think T.O perfectly understands this is a small operator, but their stance is just "use your provider's (ISP, Hosting company) SMTP infrastructure so that we can complain to someone who cares if you send spam".

They completely ignore the fact that as an individual/small business, I'll need to set my SPF up so that any other clients of my ISP can send mail on my behalf. (If the sender cares about SPF but not DKIM).

(cont'd)

@mutax @jerry generally, if the receiver does not check DKIM, I also have no way of preventing any other of my ISP's customers to NOT send mail via my ISP impersonating my domains.

A stable/unchanging SPF/DKIM setup should mean a reliable sender, IMHO.

A similar issue is that many VPS vendors do not allow buying services from users coming via VPNs, or other VPSes(!).

They'd rather see my ephemeral 4G IP than the one VPS exit point I'm using for more than a decade?!? What sense does that make?

@chexum @mutax yes - that is it exactly. It's mildly annoying that I would have to pay for a PO Box so that 5 people can subscribe from t-online (or I have to dox myself - not that I'm super hard to find, but still...)
@chexum @jerry I am a 'small operator' hosting a handful of domains on two MX and got whitelisted easily with them. I did not mention to them whether I am commercial/non commercial they just wanted to tie the IP address of my VPS at some provider with my postmaster address it seems in their ticket system.
@jerry that kinda defeats the purpose of the distributed Internet. As someone who runs their own mx, this is infuriating.