nanog mailing list archives
Re: [nanog] Re: Gmail (thus Nanog) rejecting ipv6 email
From: "Dan Mahoney (Gushi)" <danm () prime gushi org>
Date: Sat, 2 Apr 2022 16:48:31 -0700 (PDT)
On Sun, 3 Apr 2022, Jeroen Massar wrote:
> Hi Dan,
>
> Hope the rest of the world is treating you decently!
>
> There are a lot of bits and bobs that one has to get right for mail to flow, amongst which:
>
> - IP -> PTR lookup -> that hostname lookup, and match to IP again (https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS)
> - SPF
> - DKIM
> - DMARC
> - ARC (for mailing lists)
> - SRS (When forwarding, rewrite the From and resign DKIM, and then ARC-sign that)
> - Decent TLS
> - MTA-STS
>
> And that list grows and grows... and grows and grows.
>
> It is kinda a test if one has actually bothered to configure a setup, and is not just randomly sending an email by just telnetting from a random server. Of course the large spam outfits have this fully automated and configured, so that their spam^Wadvertising comes through.
>
> A wee little test tells that there are a few improvements to be made at minimum:
>
> https://internet.nl/mail/isc.org/
>
> • Not all authenticity marks against email phishing (DMARC, DKIM and SPF)
We have SPF, DKIM signing, and a DMARC policy that sets p=none.
We're not setting p=reject, considering the number of mailing lists our users are on that are outdated or based on EOL software (including this one which depends on python 2.7, and including our own which have the same problem). It's impossible to know, from the outside, how mailing lists are configured. Mailman3 is...special. That's a rant for another time.
We get about an email a week from someone emailing security-officer@ trying to get a bug bounty telling us we should set p=reject. There's an ecosystem for this stuff.
I don't think this affects our domain's "reputation".
> • Failed: Mail server connection not or insufficiently secured (STARTTLS and DANE)
This has little to do with what ciphers we support outbound, and little to do with our reputation.
Unlike HTTPS, the fallback to STARTTLS not working is plain-text. Setting a stricter cipher requirement would result in more mail being delivered in the clear.
This is a somewhat broken test.

-Dan

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
FB: fb.com/DanielMahoneyIV
LI: linkedin.com/in/gushi
Site: http://www.gushi.org
---------------------------
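
The forward-confirmed reverse DNS check named in the first item of the quoted list (IP -> PTR -> hostname -> back to the IP), as an added example that is not part of the original message. The function names, the injectable resolver parameters and the `PTR`/`FWD` tables are assumptions; the tables are constructed data using documentation prefixes so the check runs offline.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR lookup via the system resolver; returns a list of hostnames."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_forward(host):
    """A/AAAA lookup via the system resolver; returns address strings."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except OSError:
        return []
    return [info[4][0] for info in infos]


def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (verdict, hostname) for a connecting client address."""
    client = ipaddress.ip_address(ip)
    names = ptr_lookup(str(client))
    if not names:
        return ("no-ptr", None)
    for name in names:
        for addr in forward_lookup(name):
            # Compare parsed addresses so differently written IPv6 text matches.
            if ipaddress.ip_address(addr.split("%")[0]) == client:
                return ("pass", name.rstrip(".").lower())
    return ("mismatch", names[0].rstrip(".").lower())


# Constructed zone data (documentation prefixes), standing in for live DNS.
PTR = {
    "2001:db8::25": ["mx1.example.org."],
    "2001:db8::99": ["mx1.example.org."],  # PTR claims a name that does not point back
}
FWD = {"mx1.example.org.": ["2001:0db8:0000:0000:0000:0000:0000:0025", "192.0.2.25"]}


def demo(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return fcrdns(ip, lambda a: PTR.get(a, []), lambda h: FWD.get(h, []))
```

Calling `fcrdns(ip)` with the default arguments performs the same check through the system resolver.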