• Email: Flawed, but never bettered
    21 replies, posted
[url]http://www.bbc.co.uk/news/technology-35742210#sa-ns_mchannel=rss&ns_source=PublicRSS20-sa[/url]
that's not what i expected from this article email is flawed in the sense that there's no sender validation in the standard, so anyone can pose as anyone when they send mail, from any source. that's why email is fucking garbage in reality
[QUOTE=Giraffen93;49883610]that's not what i expected from this article email is flawed in the sense that there's no sender validation in the standard, so anyone can pose as anyone when they send mail, from any source. that's why email is fucking garbage in reality[/QUOTE] In the original standard sure, but now there are pretty extensive solutions that all major senders and receivers follow. If you're running a mailserver and you haven't set up SPF, DKIM and DMARC; you're a problem in the mailing community, since your domain [I]can be spoofed[/I] for outgoing mail. [editline]7th March 2016[/editline] Even if you don't do mailing from a domain, you should set up SPF, so that emails can't be spoofed from your domain regardless.
[QUOTE=glitchvid;49883651]In the original standard sure, but now there are pretty extensive solutions that all major senders and receivers follow. If you're running a mailserver and you haven't set up SPF, DKIM and DMARC; you're a problem in the mailing community, since your domain [I]can be spoofed[/I] for outgoing mail.[/QUOTE] i don't think i can tell my isp to put a reverse dns record on my home address, and i don't think my vps provider supports it anyway i still receive spam from fake domains though, as in not from my end
[QUOTE=Giraffen93;49883656]i don't think i can tell my isp to put a reverse dns record on my home address, and i don't think my vps provider supports it anyway i still receive spam from fake domains though, as in not from my end[/QUOTE] That's not how it works, it's a published DNS record, not IP/Reverse DNS. And if you receive spam, you can always tighten filters, stop accepting from 'SPF = FAIL' senders, or those without published DNS records for SPF. At that point you're only going to receive spam from compromised accounts from reputable mailers, which is a small number that is shrinking.
[QUOTE=glitchvid;49883667]That's not how it works, it's a published DNS record, not IP/Reverse DNS. And if you receive spam, you can always tighten filters, stop accepting from 'SPF = FAIL' senders, or those without published DNS records for SPF. At that point you're only going to receive spam from compromised accounts from reputable mailers, which is a small number that is shrinking.[/QUOTE] don't you need a reverse record for it to work though? the guides on how to add them confuse me to no end, so i've never understood how to do it and gmail started a policy recently to disallow mail servers without ptr records, i can't send mail to gmail accounts anymore :v:
[QUOTE=Giraffen93;49883672]don't you need a reverse record for it to work though? the guides on how to add them confuse me to no end, so i've never understood how to do it and gmail started a policy recently to disallow mail servers without ptr records, i can't send mail to gmail accounts anymore :v:[/QUOTE] For SPF, DKIM, and DMARC those are all published DNS records, meaning they're in the same place as where you set up the 'A' record that points to your actual server/webhost/etc. No reverse DNS here, just normal DNS records. the PTR record restriction is something that does involve reverse DNS (Since the IP points to a domain, then the domain confirms it with a PTR). and if you're hosting from a dynamic IP, then you've got bigger problems; Just use a mailer service like Amazon SES, Mailchimp, etc, in those situations. [editline]7th March 2016[/editline] By "Bigger Problems" I mean like being listed in IP blacklists, bad-mailers, project honeypot, etc. To do mail you need clean IPs.
[QUOTE=glitchvid;49883694]For SPF, DKIM, and DMARC those are all published DNS records, meaning they're in the same place as where you set up the 'A' record that points to your actual server/webhost/etc. No reverse DNS here, just normal DNS records. the PTR record restriction is something that does involve reverse DNS (Since the IP points to a domain, then the domain confirms it with a PTR). and if you're hosting from a dynamic IP, then you've got bigger problems; Just use a mailer service like Amazon SES, Mailchimp, etc, in those situations. [editline]7th March 2016[/editline] By "Bigger Problems" I mean like being listed in IP blacklists, bad-mailers, project honeypot, etc. To do mail you need clean IPs.[/QUOTE] i know about basic dns stuff, sure. it's a static ip i have at home, but as i said, times when i've been interested in adding spf etc stuff, it's just a confusing mess and i don't understand anything i'd rather use my own services, paying for something my stuff's on like that? naaah
[QUOTE=Giraffen93;49883706]i know about basic dns stuff, sure. it's a static ip i have at home, but as i said, times when i've been interested in adding spf etc stuff, it's just a confusing mess and i don't understand anything i'd rather use my own services, paying for something my stuff's on like that? naaah[/QUOTE] Static local IP, or do you pay your ISP for a dedicated IPv4 address? I know at least in the US, effectively no ISP will give you one without being a business provider and paying for an IP address. If you're a 'business' customer with a static IP, call in and ask them to set the reverse DNS, it's a common request. As for figuring it all out, my friend wrote a couple blog posts about it, maybe they can help: [url]http://colind.me/ramblings?id=14[/url] [url]http://colind.me/ramblings?id=15[/url]
[QUOTE=glitchvid;49883729]Static local IP, or do you pay your ISP for a dedicated IPv4 address? I know at least in the US, effectively no ISP will give you one without being a business provider and paying for an IP address. If you're a 'business' customer with a static IP, call in and ask them to set the reverse DNS, it's a common request. As for figuring it all out, my friend wrote a couple blog posts about it, maybe they can help: [url]http://colind.me/ramblings?id=14[/url] [url]http://colind.me/ramblings?id=15[/url][/QUOTE] i have it set on dynamic ip, but i've had the same ip for 3 years so it's probably pre-allocated or something by layer2 it's in a residential apartment complex though, i don't think i can convince them that :v:
[QUOTE=Giraffen93;49883784]i have it set on dynamic ip, but i've had the same ip for 3 years so it's probably pre-allocated or something by layer2 it's in a residential apartment complex though, i don't think i can convince them that :v:[/QUOTE] You mean layer3? Layer2 doesn't know about IP addresses. An SPF record is just a TXT record. Nothing fancy there. It just specifies what can send email. So like the following SPF record: [code] v=spf1 a mx ptr ip:12.34.56.78 -all [/code] Means that receivers of your email should only receive it if it comes from a valid A record, a valid MX record, a valid PTR record, or the IP 12.34.56.78. Exclusively. Meaning ANYTHING ELSE is denied entirely. THIS is the only type of SPF you ever need to know about. You can even specify specific a records, mx records, or ptr records if you wish, but the one above is all you ever need.
[QUOTE=mastersrp;49894525]You mean layer3? Layer2 doesn't know about IP addresses. An SPF record is just a TXT record. Nothing fancy there. It just specifies what can send email. So like the following SPF record: [code] v=spf1 a mx ptr ip:12.34.56.78 -all [/code] Means that receivers of your email should only receive it if it comes from a valid A record, a valid MX record, a valid PTR record, or the IP 12.34.56.78. Exclusively. Meaning ANYTHING ELSE is denied entirely. THIS is the only type of SPF you ever need to know about. You can even specify specific a records, mx records, or ptr records if you wish, but the one above is all you ever need.[/QUOTE] ok i added it but does this mean for sent emails to other services, or will i still recieve spoofed emails from [email]admin123@mydomain.com[/email]?
[QUOTE=Giraffen93;49898953]ok i added it but does this mean for sent emails to other services, or will i still recieve spoofed emails from [email]admin123@mydomain.com[/email]?[/QUOTE] It only protects and aids other services. Some service might reject your email if your domain doesn't have SPF information. You need to make sure your email provider or email server is properly configured to make use of this. If you're not hosting your own email, contact your email provider and ensure they protect you with this. They should.
[QUOTE=mastersrp;49900961]It only protects and aids other services. Some service might reject your email if your domain doesn't have SPF information. You need to make sure your email provider or email server is properly configured to make use of this. If you're not hosting your own email, contact your email provider and ensure they protect you with this. They should.[/QUOTE] nah i'm hosting my own i just use the thunderbird spam filter
[QUOTE=Giraffen93;49901002]nah i'm hosting my own i just use the thunderbird spam filter[/QUOTE] Assuming you're using the only sane mail server, Postfix, it would be a no brainer to make sure that it follows SPF policies: [CODE]sudo apt-get install postfix-policyd-spf-perl[/CODE] Add the following to your postfix master.cf: [code] policy-spf_time_limit = 3600s smtpd_recipient_restrictions = ... permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy-spf ... [/code] Postfix main.cf: [code] policy-spf unix - n n - - spawn user=nobody argv=/usr/sbin/postfix-policyd-spf-perl [/code] Then [CODE] sudo service postfix restart [/CODE] And you're golden.
[QUOTE=mastersrp;49908195]Assuming you're using the only sane mail server, Postfix, it would be a no brainer to make sure that it follows SPF policies: [CODE]sudo apt-get install postfix-policyd-spf-perl[/CODE] Add the following to your postfix master.cf: [code] policy-spf_time_limit = 3600s smtpd_recipient_restrictions = ... permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy-spf ... [/code] Postfix main.cf: [code] policy-spf unix - n n - - spawn user=nobody argv=/usr/sbin/postfix-policyd-spf-perl [/code] Then [CODE] sudo service postfix restart [/CODE] And you're golden.[/QUOTE] Noice. Would it be totally safe doing that though? I don't want to miss any legit mail
[QUOTE=Giraffen93;49910338]Noice. Would it be totally safe doing that though? I don't want to miss any legit mail[/QUOTE] That's always the thing though. Someone out there is going to be sending legit email without any security, and without their domain even having an MX record. If you don't want to miss being able to receive any legit email, then you have to drop all your security, because someone out there doesn't know about it, or doesn't care. But that doesn't help anything.
[QUOTE=mastersrp;49910590]That's always the thing though. Someone out there is going to be sending legit email without any security, and without their domain even having an MX record. If you don't want to miss being able to receive any legit email, then you have to drop all your security, because someone out there doesn't know about it, or doesn't care. But that doesn't help anything.[/QUOTE] yeah but can't i have them add the "***SPAM***" thing a bunch of providers do instead of just denying it?
[QUOTE=Giraffen93;49910863]yeah but can't i have them add the "***SPAM***" thing a bunch of providers do instead of just denying it?[/QUOTE] Probably. I mean setting up webmin + virtualmin gpl is one thing I like to do with web + mail servers I set up, because it makes a lot of shit quick and easy to set up, especially if you're only gonna do it once, or for a single server. Spamassassin can probably do what you want as well.
[QUOTE=mastersrp;49912298]Probably. I mean setting up webmin + virtualmin gpl is one thing I like to do with web + mail servers I set up, because it makes a lot of shit quick and easy to set up, especially if you're only gonna do it once, or for a single server. Spamassassin can probably do what you want as well.[/QUOTE] yeah i've wanted to incorporate spamassassin for a while now, but that's also something that's way above my head :v: i'd like to think i'm good at editing config files and compiling source code, but i'm really not
[QUOTE=Giraffen93;49912307]yeah i've wanted to incorporate spamassassin for a while now, but that's also something that's way above my head :v: i'd like to think i'm good at editing config files and compiling source code, but i'm really not[/QUOTE] With Virtualmin it isn't above your head. Here's how: Install a fresh Ubuntu VPS. Log in. [code] wget http://software.virtualmin.com/gpl/scripts/install.sh; chmod +x install.sh; ./install.sh [/code] Now you have Apache, Postfix, Dovecot, Bind9, Spamassassin, ClamAV, and a bunch of good configuration utilities all ready to go and preconfgured.
[QUOTE=mastersrp;49912821]With Virtualmin it isn't above your head. Here's how: Install a fresh Ubuntu VPS. Log in. [code] wget http://software.virtualmin.com/gpl/scripts/install.sh; chmod +x install.sh; ./install.sh [/code] Now you have Apache, Postfix, Dovecot, Bind9, Spamassassin, ClamAV, and a bunch of good configuration utilities all ready to go and preconfgured.[/QUOTE] well i already have a debian box with postfix + dovecot etc, i don't really want to reinstall it :v: but thanks for the effort anyway
Sorry, you need to Log In to post a reply to this thread.